From 36d787fa4472747903571d7766b205ce7c3ce431 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:24 +0000 Subject: [PATCH 001/977] feat(abs): add abstraction/webkit. --- apparmor.d/abstractions/webkit | 31 +++++++++++++++++++++++++++++ apparmor.d/groups/browsers/epiphany | 16 +-------------- apparmor.d/profiles-a-f/foliate | 15 +------------- 3 files changed, 33 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/webkit diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit new file mode 100644 index 000000000..c4410d026 --- /dev/null +++ b/apparmor.d/abstractions/webkit @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for webkit UI. + + abi , + + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + + @{bin}/xdg-dbus-proxy rix, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + owner /bindfile@{rand6} rw, + owner @{att}/.flatpak-info r, + + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 98f21f472..b08a6b00f 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -19,6 +19,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -28,21 +29,14 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{exec_path} mr, @{open_path} rPx -> child-open, @{bin}/bwrap rix, - @{bin}/xdg-dbus-proxy rix, - @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, /usr/share/enchant*/{,**} r, - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, - owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, @@ -51,14 +45,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c485408..f6380d125 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -15,6 +15,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -30,31 +31,17 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - /usr/share/com.github.johnfactotum.Foliate/{,**} r, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, - owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, From 65f2d21558a20528f4b7b8b77276d5e436c1a391 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:59 +0000 Subject: [PATCH 002/977] feat(profile): add profile for tecla. --- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/tecla | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/tecla diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 00bc15f19..91f49c219 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -55,7 +55,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rix, + @{bin}/tecla rPx, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f52340d41..462733874 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -175,6 +175,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/Xwayland rPx, + @{bin}/tecla rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla new file mode 100644 index 000000000..082c6c925 --- /dev/null +++ b/apparmor.d/groups/gnome/tecla @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tecla +profile tecla @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From cb86f1c0763af93680e5cd2f9154b5253c7249f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:08:48 +0000 Subject: [PATCH 003/977] feat(profile): general update. --- apparmor.d/groups/freedesktop/geoclue | 1 + .../groups/freedesktop/polkit-agent-helper | 2 +- .../groups/systemd/systemd-sleep-nvidia | 1 + .../groups/virt/containerd-shim-runc-v2 | 1 + apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/font-manager | 4 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gsettings | 5 +- apparmor.d/profiles-g-l/jami-gnome | 61 ------------------- apparmor.d/profiles-m-r/passimd | 4 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-s-z/sudo | 10 +-- apparmor.d/profiles-s-z/udisksd | 3 + apparmor.d/profiles-s-z/virt-manager | 1 + 14 files changed, 17 insertions(+), 82 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/jami-gnome diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 383360ad4..4492c7598 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index bb6e457ff..7f5ecd107 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ebb4851f..2ca5d7474 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index bff45ca39..4c3707493 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -50,6 +50,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7e901509f..53c64daf9 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 81c53aafd..56941f60b 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 45b2ccfb4..aa95a00d5 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,7 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/* r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 4ac891769..e2a9ae515 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} { +profile gsettings @{exec_path} flags=(attach_disconnected) { include + include include include @@ -22,8 +23,6 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 3a1e504a8..000000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null @@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 4e64e5fb9..c0aafeaf9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 2a7b63038..5da955cba 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -28,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1e6748235..b2074ba04 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,15 +21,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), + ptrace read, - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, - signal (send) set=(winch, hup, term) peer=rpm, + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 9155adf84..909112a70 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -48,6 +48,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> /boot/efi/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, @@ -56,6 +58,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount /boot/efi/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index bce236989..0a67b365b 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -89,6 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, From 044f80b1db20869b3bf264bd4b86d3986233a954 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:59:06 +0000 Subject: [PATCH 004/977] feat(tunable): unify some XDG and user dirs varibale name. --- apparmor.d/abstractions/deny-sensitive-home | 2 +- apparmor.d/groups/virt/virtiofsd | 6 +- apparmor.d/profiles-a-f/browserpass | 4 +- apparmor.d/profiles-g-l/keepassxc | 8 +- apparmor.d/profiles-m-r/pass | 12 +-- apparmor.d/profiles-m-r/pass-import | 2 +- .../profiles-m-r/protonmail-bridge-core | 16 ++-- apparmor.d/tunables/home.d/apparmor.d | 78 ++++++++++--------- .../tunables/xdg-user-dirs.d/apparmor.d | 8 +- docs/configuration.md | 4 +- docs/variables.md | 6 +- 11 files changed, 77 insertions(+), 69 deletions(-) diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 4291762a4..68c013a51 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -34,7 +34,7 @@ deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_password_store_dirs}/{,**} mrwkl, + deny @{user_passwordstore_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, # Privacy violations diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 905e2c170..899ecae04 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} { mount options=(rw, rbind) -> @{user_publicshare_dirs}/, mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vm_shares}/, + mount options=(rw, rbind) -> @{user_vmshare_dirs}/, umount /, pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, pivot_root @{user_vm_dirs}/, - pivot_root @{user_vm_shares}/, + pivot_root @{user_vmshare_dirs}/, signal (receive) set=term peer=libvirtd, @@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} { @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - @{user_vm_shares}/{,**} r, + @{user_vmshare_dirs}/{,**} r, owner @{run}/libvirt/qemu/*.pid rw, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 86da0e6a7..272000f3f 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -48,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index d2dee61aa..de95d3c9f 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -48,10 +48,10 @@ profile keepassxc @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, - owner @{user_password_store_dirs}/#@{int} rw, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/*.csv rw, + owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, + owner @{user_passwordstore_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 0736f98c4..fe06a346d 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -59,7 +59,7 @@ profile pass @{exec_path} { /usr/share/terminfo/** r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -88,7 +88,7 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_password_store_dirs}/{,**/} r, + owner @{user_passwordstore_dirs}/{,**/} r, owner /dev/shm/pass.@{rand}/{,*} rw, @@ -120,8 +120,8 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, @@ -142,8 +142,8 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index bb2bc9107..4977bb51a 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -33,7 +33,7 @@ profile pass-import @{exec_path} { /usr/share/file/misc/magic.mgc r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 4de73d718..da0c5f785 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -5,7 +5,7 @@ # To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, -# deny owner @{user_password_store_dirs}/** r, +# deny owner @{user_passwordstore_dirs}/** r, abi , @@ -30,8 +30,8 @@ profile protonmail-bridge-core @{exec_path} { /etc/lsb-release r, /etc/machine-id r, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, owner @{user_cache_dirs}/protonmail/{,**} rwk, owner @{user_config_dirs}/protonmail/{,**} rwk, @@ -48,7 +48,7 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/sys/net/core/somaxconn r, deny @{bin}/pass x, - deny owner @{user_password_store_dirs}/** r, + deny owner @{user_passwordstore_dirs}/** r, profile pass { include @@ -72,10 +72,10 @@ profile protonmail-bridge-core @{exec_path} { @{bin}/tty rix, @{bin}/which rix, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, + deny owner @{user_passwordstore_dirs}/**/ r, /dev/tty rw, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index f1be9acbe..c791f5376 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -11,30 +11,7 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d -# Extra user personal directories -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" -@{XDG_BOOKS_DIR}="Books" -@{XDG_GAMES_DIR}=".games" -@{XDG_PROJECTS_DIR}="Projects" -@{XDG_WORK_DIR}="Work" -@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" -@{XDG_SYNC_DIR}="Sync" -@{XDG_TORRENTS_DIR}="Torrents" -@{XDG_VM_DIR}=".vm" -@{XDG_VM_SHARES_DIR}="VM_Shares" -@{XDG_IMG_DIR}="images" -@{XDG_GAMESSTUDIO_DIR}="unity3d" - -# User personal keyrings -@{XDG_GPG_DIR}=".gnupg" -@{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORD_STORE_DIR}=".password-store" - -# User personal private directories -@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" - -# Definition of local user configuration directories +# Define the XDG Base Directory @{XDG_CACHE_DIR}=".cache" @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @@ -42,28 +19,59 @@ @{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" -# Full path of the user configuration directories +# Define extended user directories not defined in the XDG standard but commonly +# used in profiles +@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" +@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_BOOKS_DIR}="Books" +@{XDG_GAMES_DIR}="Games" +@{XDG_PROJECTS_DIR}="Projects" +@{XDG_WORK_DIR}="Work" +@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" +@{XDG_SYNC_DIR}="Sync" +@{XDG_TORRENTS_DIR}="Torrents" +@{XDG_GAMESSTUDIO_DIR}="unity3d" + +# Define user directories for virtual machines, shared folders and disk images +@{XDG_VM_DIR}=".vm" +@{XDG_VMSHARE_DIR}=".vmshare" +@{XDG_IMG_DIR}=".img" + +# Define user build directories and artifacts output +@{XDG_BUILD_DIR}=".build" +@{XDG_PKG_DIR}=".pkg" + +# Define user personal keyrings +@{XDG_GPG_DIR}=".gnupg" +@{XDG_SSH_DIR}=".ssh" +@{XDG_PASSWORDSTORE_DIR}=".password-store" + +# Define user personal private directories +@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" + +# Full path of the XDG Base Directory @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} - -# User build directories and output -@{user_build_dirs}="/tmp/build/" -@{user_pkg_dirs}="/tmp/pkg/" -@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} -@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} -@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} -@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} +@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} +@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR} +@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} +@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR} +@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} +@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} +@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} +@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 00231cbce..52be8b920 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -14,14 +14,14 @@ @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" # Other user directories -@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} +@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} -@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} -@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists diff --git a/docs/configuration.md b/docs/configuration.md index e3fbba5ea..c3017c28d 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -152,7 +152,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | - | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | diff --git a/docs/variables.md b/docs/variables.md index ef2533c0f..7dc8e5ff6 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -29,7 +29,7 @@ title: Variables References | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` | -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | +| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | @@ -85,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -94,7 +94,7 @@ title: Variables References | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | From 8efdc5d8e3fc0161bb49207f6e6a169004cc11ad Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 21 Nov 2024 14:12:02 -0700 Subject: [PATCH 005/977] Add profile for iftop (#604) * Add profile for iftop * iftop: clean up formatting --- apparmor.d/profiles-g-l/iftop | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/profiles-g-l/iftop diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop new file mode 100644 index 000000000..232aff538 --- /dev/null +++ b/apparmor.d/profiles-g-l/iftop @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/iftop +profile iftop @{exec_path} { + include + include + include + + capability net_raw, + + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet raw, + + @{exec_path} mr, + + /usr/share/terminfo/** r, + + owner @{HOME}/.iftoprc r, + + # When running in promiscuous mode + @{sys}/devices/**/net/*/statistics/* r, + + include if exists +} + +# vim:syntax=apparmor From 7acd9079a267cb5ff9f3f5d0e272ff55bc1a5e2d Mon Sep 17 00:00:00 2001 From: Besanon Date: Sat, 23 Nov 2024 18:44:18 +0100 Subject: [PATCH 006/977] add more lxqt files (#600) * Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group * Update lxqt * xdg-desktop abstraction added * removing tabs * Create startlxqt starter file for LXQT Desktop * Create startlxqt * fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop * Delete apparmor.d/profiles-s-z/startlxqt * indented by 2 spaces (like other entries) * Update sddm Enable sddm to start an lxqt desktop session * Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm * Update lxqt-session * Update lxqt-session * removed trailing whitespace * Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r * Update lxqt-session * Create lxqt-panel * Update lxqt-panel * Update lxqt-panel * Update lxqt-panel * fix conflicting x * Update lxqt-panel add child-open * remove include you think its too permissive to have app-launcher-user here, right? * Update lxqt-panel add needed programs * Update lxqt-panel turning back to layout of corresponding xfce file. * Create lxqt-globalkeysd * Create lxqt-about * Create lxqt-leave * Create lxqt-runner * Update lxqt-leave * Update lxqt-runner * Update lxqt-globalkeysd * remove video in lxqt-about * Update lxqt-about * Update lxqt-runner * remove abstr. in lxqt-globalkeysd * remove abstr. in lxqt-runner * remove abstr. in lxqt-leave --- apparmor.d/groups/lxqt/lxqt-about | 28 +++++++++++++++++ apparmor.d/groups/lxqt/lxqt-globalkeysd | 40 +++++++++++++++++++++++++ apparmor.d/groups/lxqt/lxqt-leave | 24 +++++++++++++++ apparmor.d/groups/lxqt/lxqt-runner | 34 +++++++++++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-about create mode 100644 apparmor.d/groups/lxqt/lxqt-globalkeysd create mode 100644 apparmor.d/groups/lxqt/lxqt-leave create mode 100644 apparmor.d/groups/lxqt/lxqt-runner diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about new file mode 100644 index 000000000..8f5830453 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-about +profile lxqt-about @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd new file mode 100644 index 000000000..8729b1abb --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-globalkeysd +profile lxqt-globalkeysd @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/screengrab rPx, + @{bin}/lxqt-config-brightness rPx, + + /usr/share/lxqt/globalkeyshortcuts.conf rw, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, + owner @{user_config_dirs}/lxqt/#@{int} wr, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave new file mode 100644 index 000000000..e76d81f54 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-leave +profile lxqt-leave @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner new file mode 100644 index 000000000..9477c1bda --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-runner +profile lxqt-runner @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/icons/ r, + /usr/share/desktop-directories/ r, + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From e5ed979ce10e35ee4908ca1652161f7649782bf7 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 23 Nov 2024 22:03:42 +0100 Subject: [PATCH 007/977] add profile for swayimg (#612) * add profile for swayimg * fix exec --- apparmor.d/profiles-s-z/swayimg | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/swayimg diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg new file mode 100644 index 000000000..a3ed158b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/swayimg @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/swayimg +profile swayimg @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/swayimg/** r, + + include if exists +} + +# vim:syntax=apparmor From 3cc7f82d300e7a3490bd52a2aeb2b85986ddcffd Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 24 Nov 2024 15:23:06 -0300 Subject: [PATCH 008/977] Fix typo --- apparmor.d/tunables/multiarch.d/extensions | 36 +++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index 956e8c253..d3d56934e 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -311,24 +311,24 @@ @{video_ext} += 3[gG]2 # 3g2 # Subtitles -@{suntitles_ext} = [aA][qQ][tT] # aqt -@{suntitles_ext} += [aA][sS][sS] # ass -@{suntitles_ext} += [gG][sS][uU][bB] # gsub -@{suntitles_ext} += [uU][sS][fF] # usf -@{suntitles_ext} += [pP][aA][cC] # pac -@{suntitles_ext} += [pP][jJ][sS] # pjs -@{suntitles_ext} += [pP][sS][bB] # psb -@{suntitles_ext} += [rR][tT] # rt -@{suntitles_ext} += [sS][bB][vV] # sbv -@{suntitles_ext} += [sS][mM][iI] # smi -@{suntitles_ext} += [sS][rR][tT] # srt -@{suntitles_ext} += [sS][sS][aA] # ssa -@{suntitles_ext} += [sS][sS][fF] # ssf -@{suntitles_ext} += [sS][tT][lL] # stl -@{suntitles_ext} += [sS][uU][bB] # sub -@{suntitles_ext} += [tT][t][mM][lL] # ttml -@{suntitles_ext} += [tT][t][xX][tT] # ttxt -@{suntitles_ext} += [vV][tT][t] # vtt +@{subtitles_ext} = [aA][qQ][tT] # aqt +@{subtitles_ext} += [aA][sS][sS] # ass +@{subtitles_ext} += [gG][sS][uU][bB] # gsub +@{subtitles_ext} += [uU][sS][fF] # usf +@{subtitles_ext} += [pP][aA][cC] # pac +@{subtitles_ext} += [pP][jJ][sS] # pjs +@{subtitles_ext} += [pP][sS][bB] # psb +@{subtitles_ext} += [rR][tT] # rt +@{subtitles_ext} += [sS][bB][vV] # sbv +@{subtitles_ext} += [sS][mM][iI] # smi +@{subtitles_ext} += [sS][rR][tT] # srt +@{subtitles_ext} += [sS][sS][aA] # ssa +@{subtitles_ext} += [sS][sS][fF] # ssf +@{subtitles_ext} += [sS][tT][lL] # stl +@{subtitles_ext} += [sS][uU][bB] # sub +@{subtitles_ext} += [tT][t][mM][lL] # ttml +@{subtitles_ext} += [tT][t][xX][tT] # ttxt +@{subtitles_ext} += [vV][tT][t] # vtt # Images @{image_ext} = [aA][pP][nN][gG] # apng From 212b8dcf54357974c603c925a1207b591f995a47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Nov 2024 15:34:10 +0000 Subject: [PATCH 009/977] feat(profile): improve some core profiles. --- apparmor.d/groups/systemd/networkctl | 5 ++-- apparmor.d/profiles-a-f/cgrulesengd | 36 ++++++++++------------------ apparmor.d/profiles-a-f/chsh | 4 +++- 3 files changed, 18 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a4bab2be3..ce81686ae 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -27,11 +27,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd - # No label available - dbus send bus=system path=/org/freedesktop/network@{int} + dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network@{int}), + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 08b1d83b5..6f31a43d5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} { include include - # For creating Unix domain sockets/IPC sockets: - # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 - # ... - # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation - # not permitted) - capability net_admin, - - # To remove the following errors: - # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) - capability sys_ptrace, - - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, + capability net_admin, + capability sys_ptrace, network netlink dgram, @@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/**/tasks w, + + /etc/cgconfig.conf r, + /etc/cgconfig.d/{,*} r, + + /etc/cgrules.conf r, + /etc/cgrules.d/{,*} r, + + owner @{run}/cgred.socket w, + + @{sys}/fs/cgroup/** rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pid}/mounts r, @{PROC}/cgroups r, - - @{sys}/fs/cgroup/unified/cgroup.controllers r, - - owner @{run}/cgred.socket w, - - /etc/cgconfig.conf r, - /etc/cgrules.conf r, - /etc/cgconfig.d/ r, - + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index f8a2af5c4..e124e4d19 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -26,11 +26,13 @@ profile chsh @{exec_path} { /etc/shells r, + /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, - /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/passwd.OLD wl -> /etc/passwd, + /etc/passwd+ rw, /etc/shadow r, From 94bf2495e3805167b73235062d1f0b44ce1ca9b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Nov 2024 15:41:54 +0000 Subject: [PATCH 010/977] feat(profile): needrestart improve mqueue rule. --- apparmor.d/profiles-m-r/needrestart | 2 +- tests/bats/needrestart.bats | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index f5722ed3d..cc411ef83 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,7 +22,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace (read), - mqueue r type=posix /, + mqueue (r,getattr) type=posix /, @{exec_path} mrix, diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats index 567f8c773..4676b36af 100644 --- a/tests/bats/needrestart.bats +++ b/tests/bats/needrestart.bats @@ -5,10 +5,6 @@ load common -setup_file() { - skip "mqueue raised despite the rule being present. See https://gitlab.com/apparmor/apparmor/-/issues/362" -} - @test "needrestart: List outdated processes" { needrestart } From 3690a4c327118efd325f05582e4a8d35baca5fb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 22:54:28 +0100 Subject: [PATCH 011/977] fix: apparmor parser inside snap. --- apparmor.d/profiles-a-f/apparmor_parser | 1 + apparmor.d/profiles-s-z/snap-seccomp | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 19c0f6902..dc15d48b9 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -17,6 +17,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 6b0917f8a..e7660f7b8 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -14,6 +14,8 @@ profile snap-seccomp @{exec_path} { include include + capability dac_read_search, + network netlink raw, @{exec_path} mr, From 14e9fea29a28cd4049ba3542e1d38209ed3e5914 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:17:27 +0100 Subject: [PATCH 012/977] feat: improve dbus integration for chsh, better handling of generic needrestart. --- .github/local/needrestart | 2 ++ .github/workflows/main.yml | 1 + apparmor.d/profiles-a-f/chsh | 8 +++++++- apparmor.d/profiles-m-r/needrestart | 3 +-- apparmor.d/profiles-s-z/snapd | 1 + 5 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 .github/local/needrestart diff --git a/.github/local/needrestart b/.github/local/needrestart new file mode 100644 index 000000000..33b23e014 --- /dev/null +++ b/.github/local/needrestart @@ -0,0 +1,2 @@ + + /var/lib/waagent/** r, diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c7a76f871..75fa5c051 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -94,6 +94,7 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support + sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart - name: Install apparmor.d run: | diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index e124e4d19..bf2b92a98 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -10,18 +10,24 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include + include + include include include capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, network netlink raw, + unix type=stream addr=@@{udbus}/bus/chsh/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + @{exec_path} mr, /etc/shells r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index cc411ef83..56f95b589 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{bin}/* r, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{bin}/networkd-dispatcher r, - @{bin}/gettext.sh r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 63a1568b5..fe24ed061 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -93,6 +93,7 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, + /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, From c7030f16a681b8f6272845ee758c4d4ac822c01e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:24:14 +0100 Subject: [PATCH 013/977] feat(profile): minor update. --- apparmor.d/groups/network/networkd-dispatcher | 3 ++- apparmor.d/profiles-a-f/flatpak | 7 +++++- apparmor.d/profiles-g-l/iotop | 24 ++++++++----------- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 632910933..45fbf76aa 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -21,8 +21,9 @@ profile networkd-dispatcher @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/networkctl rPx, + @{bin}/chronyc rPx, @{bin}/ls rix, + @{bin}/networkctl rPx, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 7368d7c3b..bc21a583f 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -62,7 +62,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, - owner @{user_documents_dirs}/ rw, + # Can create dotfile directories for any app + owner @{user_cache_dirs}/*/ w, + owner @{user_config_dirs}/*/ w, + owner @{user_share_dirs}/*/ w, + owner @{user_games_dirs}/{,**/} w, + owner @{user_documents_dirs}/ w, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index c53b4656d..d85b0244f 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -10,32 +10,28 @@ include @{exec_path} = @{bin}/iotop profile iotop @{exec_path} { include - include include + include - # Needed? - audit deny capability net_admin, - - # To set processes' priorities capability sys_nice, - @{exec_path} r, - @{bin}/python3.@{int} r, + network netlink raw, - @{bin}/file rix, + @{exec_path} r, @{bin}/ r, + @{bin}/file rix, + @{bin}/python3.@{int} r, + + /etc/magic r, @{PROC}/ r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, @{PROC}/sys/kernel/pid_max r, - - # For file - /etc/magic r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, include if exists } From c8b1751f37289da85eeaa4d0d5081e07594d7125 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:29:44 +0100 Subject: [PATCH 014/977] fix(profile): snap integration with dbus. --- apparmor.d/profiles-s-z/snapd | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index fe24ed061..0a9b332d1 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -93,8 +93,7 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw, - /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, From 64ed654fdfa79a4c5ceba0454d26d31143f0daeb Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 12 Dec 2024 18:26:16 +0100 Subject: [PATCH 015/977] fix(profile): cron communication with dbus. --- apparmor.d/groups/cron/cron | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 4ce618ef7..25549a39c 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -27,6 +27,8 @@ profile cron @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, + unix bind type=stream addr=@@{udbus}/bus/cron/system, + @{exec_path} mr, @{sh_path} rix, From c8cbeac9b245290efb1adb97c5240092c43c3df0 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 12 Dec 2024 21:34:18 +0000 Subject: [PATCH 016/977] fix(profile): snapd --- apparmor.d/profiles-s-z/snapd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 0a9b332d1..250005f55 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -68,6 +68,7 @@ profile snapd @{exec_path} { @{sh_path} rix, @{bin}/apparmor_parser rPx, @{bin}/cp rix, + @{bin}/getent rix, @{bin}/gzip rix, @{bin}/journalctl rPx, @{bin}/kmod rPx, From 6dcb6c0362fd6abd5464b637aa9f33b4db8fc5fc Mon Sep 17 00:00:00 2001 From: odomingao Date: Fri, 6 Dec 2024 09:41:35 -0300 Subject: [PATCH 017/977] Add wttrbar --- apparmor.d/profiles-s-z/wttrbar | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/profiles-s-z/wttrbar diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar new file mode 100644 index 000000000..37933679d --- /dev/null +++ b/apparmor.d/profiles-s-z/wttrbar @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wttrbar +profile wttrbar @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + owner /tmp/wttrbar--wttr.in.json rw, + + include if exists +} + +# vim:syntax=apparmor From 3721d12a5d2a4bd555f9adea2881e488ff6167f6 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 13 Dec 2024 18:06:59 +0100 Subject: [PATCH 018/977] more lxqt-files (#613) * Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group * Update lxqt * xdg-desktop abstraction added * removing tabs * Create startlxqt starter file for LXQT Desktop * Create startlxqt * fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop * Delete apparmor.d/profiles-s-z/startlxqt * indented by 2 spaces (like other entries) * Update sddm Enable sddm to start an lxqt desktop session * Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm * Update lxqt-session * Update lxqt-session * removed trailing whitespace * Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r * Update lxqt-session * Create lxqt-panel * Update lxqt-panel * Update lxqt-panel * Update lxqt-panel * fix conflicting x * Update lxqt-panel add child-open * remove include you think its too permissive to have app-launcher-user here, right? * Update lxqt-panel add needed programs * Update lxqt-panel turning back to layout of corresponding xfce file. * Create lxqt-globalkeysd * Create lxqt-about * Create lxqt-leave * Create lxqt-runner * Update lxqt-leave * Update lxqt-runner * Update lxqt-globalkeysd * remove video in lxqt-about * Update lxqt-about * Update lxqt-runner * remove abstr. in lxqt-globalkeysd * remove abstr. in lxqt-runner * remove abstr. in lxqt-leave * Create lxqt-config-notificationd * Create lxqt-config-locale * Create lxqt-config-printer * Create lxqt-config-file-associations * Create lxqt-config-powermanagement * enable wayland-session for lxqt 2.1 startlxqtwayland for starting the session, support for labwc and kwin_wayland * Update lxqt-config-printer * Update lxqt-config-powermanagement * Update sddm * Update sddm * adapt pci-rules ok, havent seen this profile yet. I will change that in lxqt-powermanagement as well and check the other profiles * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement --- apparmor.d/groups/kde/sddm | 4 ++ .../groups/lxqt/lxqt-config-file-associations | 36 ++++++++++++++++ apparmor.d/groups/lxqt/lxqt-config-locale | 40 +++++++++++++++++ .../groups/lxqt/lxqt-config-notificationd | 34 +++++++++++++++ .../groups/lxqt/lxqt-config-powermanagement | 43 +++++++++++++++++++ apparmor.d/groups/lxqt/lxqt-config-printer | 24 +++++++++++ 6 files changed, 181 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-config-file-associations create mode 100644 apparmor.d/groups/lxqt/lxqt-config-locale create mode 100644 apparmor.d/groups/lxqt/lxqt-config-notificationd create mode 100644 apparmor.d/groups/lxqt/lxqt-config-powermanagement create mode 100644 apparmor.d/groups/lxqt/lxqt-config-printer diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index d8adff564..8e491bb2b 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=labwc, signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, @@ -47,6 +48,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, + signal (send) set=(term) peer=startlxqtwayland, dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable @@ -95,7 +97,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/labwc rPx, @{bin}/startlxqt rPx, + @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations new file mode 100644 index 000000000..4232f1c70 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-file-associations +profile lxqt-config-file-associations @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/mimeapps* rwk, + owner @{user_config_dirs}/lxqt-* rwk, + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} rwk, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale new file mode 100644 index 000000000..c7c868c18 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-locale @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-locale +profile lxqt-config-locale @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/* r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd new file mode 100644 index 000000000..63b2eb673 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-notificationd +profile lxqt-config-notificationd @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement new file mode 100644 index 000000000..4b96ccb36 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-powermanagement +profile lxqt-config-powermanagement @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer new file mode 100644 index 000000000..f4c38e94d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-printer +profile lxqt-config-printer @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 313f2f7f2cace447c8f2420bcdc62bd283e76030 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:14:39 +0000 Subject: [PATCH 019/977] Create profile_check.py --- tests/profile_check.py | 463 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 463 insertions(+) create mode 100644 tests/profile_check.py diff --git a/tests/profile_check.py b/tests/profile_check.py new file mode 100644 index 000000000..5cc39d6b9 --- /dev/null +++ b/tests/profile_check.py @@ -0,0 +1,463 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0-only + +# KNOWN ISSUES: +# No guards for file type - expects AppArmor +# Diffirent suggestions for single line are mutually exclusive +# Suggestion could point to changed profile name, based on other suggestion + +import sys +import argparse +import pathlib +import shlex +import json +from copy import deepcopy + +def sanitizeProfileName(name): + + if name.startswith('/') or name.startswith('@{'): + name = pathlib.Path(name).stem + + if ' ' in name: + name = re.sub(r'\s+', '-', name) + + return name + +def makeLocalIdentity(nestingStacker_): + + newStacker = [] + for i in nestingStacker_: + i = sanitizeProfileName(i) + newStacker.append(i) + + identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores + + return identity + +def getCurrentProfile(stacker): + + if stacker: + profile = stacker[-1] + else: + profile = None + + return profile + +def handleFileMessages(l, file, profile, lineNum): + + wholeFileAccessProfiles = ( +# '', + ) + suggestOwner = ( # TODO: switch to AARE + r'^@{HOME}', + r'^/home/\w+/', + r'^/run/user/\d+/', + r'^/tmp/', + r'^/var/tmp/', + r'^/dev/shm/', + ) + + lG = l.groupdict() + reason_ = None + if lG.get('path'): + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + for r in suggestOwner: + if re.match(r, lG.get('path')) and not lG.get('owner'): + indentRe = re.match(r'^\s+', l.group()) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + severity_ = 'NOTICE' + reason_ = "'owner' is likely required" + suggestion_ = indent + 'owner ' + l.group().lstrip() + break + + elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + if reason_: # something matched + msg = ({'filename': file, + 'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_}) + else: + msg = None + + return msg + +def readApparmorFile(fullpath): + '''AA file could contain multiple AA profiles''' + headers = ( + '# AppArmor.d - Full set of apparmor profiles', + '# Copyright (C) ', + '# SPDX-License-Identifier: GPL-2.0-only', + ) + + file_data = {} + fileVars = {} + nestingStacker = [] + duplicateProfilesCounter = [] + localExists = {} + localExists_eol = {} + messages = [] + exceptionMsg = None + line = None + gotAbi = False + gotHeaders = {} + gotAttach = False + isAfterProfileStart = False + try: + with open(fullpath, 'r') as f: + for n,line in enumerate(f, start=1): + if isAfterProfileStart: + isAfterProfileStart = False + expectedIndent = len(nestingStacker) * ' ' + indentRe = re.match(r'^\s+', line) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + if indent != expectedIndent: + spacesCount = len(nestingStacker) * 2 + nesingCount = len(nestingStacker) + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': f"Expected {spacesCount} spaces for {nesingCount} nesting", + 'suggestion': f"{expectedIndent}{line}"}) + + if line.endswith(' \n'): + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Redundant trailing whitespace", + 'suggestion': line.rstrip()}) + + if '\t' in line: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Tabs are not allowed", + 'suggestion': line.replace('\t', '')}) + + if len(gotHeaders) < 3 and not nestingStacker: + for nH,i in enumerate(headers): + if line.startswith(i): + gotHeaders[nH] = True + + if RE_ABI.search(line): + gotAbi = line + + elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): + isAfterProfileStart = True + m = parse_profile_start_line(line, fullpath) + if m.get('profile'): + nestingStacker.append(m.get('profile')) # set early + + if m.get('attachment') != '@{exec_path}' and not gotAttach: # can be only singular + gotAttach = True + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + + profileMsg = {'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "A short named profile must be defined", + 'suggestion': None} + if m.get('plainprofile'): + messages.append(profileMsg) + elif m.get('namedprofile'): + if m.get('namedprofile').startswith('/'): + messages.append(profileMsg) + + if m.get('flags'): + m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) + if 'complain' in m['flags']: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'complain' flag must be defined in 'dists/flags'", + 'suggestion': None}) + else: + m['flags'] = set() + + if m.get('profile'): + duplicateProfilesCounter.append(m.get('profile')) + profileIdentity = '//'.join(nestingStacker) + file_data[profileIdentity] = m + + elif RE_PROFILE_VARIABLE.search(line): + lineV = RE_PROFILE_VARIABLE.search(line).groups() + + name = strip_quotes(lineV[0]) + operation = lineV[1] + val = separate_vars(lineV[2]) + if fileVars.get(name): + fileVars[name].update(set(val)) + if operation == '=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Tunable must be appended with '+='", + 'suggestion': None}) + else: + fileVars[name] = set(val) + if operation == '+=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Tunable must be defined with '='", + 'suggestion': None}) + + elif RE_INCLUDE.search(line): + if nestingStacker: + profileIdentity = '//'.join(nestingStacker) + localIdentity = makeLocalIdentity(nestingStacker) + localValue = f'include if exists ' # commented out will also match + if localValue in line: + localExists[profileIdentity] = localValue + + # Handle file entries + elif RE_PROFILE_FILE_ENTRY.search(line): + lineF = RE_PROFILE_FILE_ENTRY.search(line) + fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) + if fileMsg: + messages.append(fileMsg) + + elif RE_PROFILE_END.search(line): + if getCurrentProfile(nestingStacker): + if not nestingStacker: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Unbalanced parenthesis?", # not fully covered + 'suggestion': None}) + else: + profileIdentity = '//'.join(nestingStacker) + localExists_eol[profileIdentity] = n + del nestingStacker[-1] # remove last + + except PermissionError: + exceptionMsg = 'Unable to read the file (PermissionError)' + + except UnicodeDecodeError: + exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' + + except FileNotFoundError: + exceptionMsg = 'No such file or directory (FileNotFoundError)' + + if exceptionMsg: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'NOTICE', + 'line': None, + 'reason': exceptionMsg, + 'suggestion': None}) + + # Ensure proper header is present + if len(gotHeaders) < 3: + combinedHeader = '\n'.join(headers) + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': 1, + 'reason': 'No proper header', + 'suggestion': combinedHeader}) + + # Ensure ABI is present + changeAbi = False + abi = 'abi ,' + if gotAbi: + if gotAbi.strip() != abi: + changeAbi = True + else: + changeAbi = True + + if changeAbi: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': 'ABI is required', + 'suggestion': abi}) + + # Ensure trailing vim syntax + if line: + trailingSyntax = '# vim:syntax=apparmor' + if line != trailingSyntax: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': 'No trailing syntax hint', + 'suggestion': trailingSyntax}) + + # Assign variables to profile attachments as paths and assign filenames + for p,d in deepcopy(file_data).items(): + file_data[p]['filename'] = fullpath + attachment = d.get('attachment') + if attachment: + if attachment.startswith('@{'): + if fileVars.get(attachment): + file_data[p]['attach_paths'] = fileVars[attachment] # incoming set + else: + messages.append({'filename': fullpath, + 'profile': p, + 'severity': 'ERROR', + 'line': None, + 'reason': f"Unknown global variable as profile attachment: {attachment}", + 'suggestion': None}) + + else: + if isinstance(file_data[p].get('attachment'), set): + raise ValueError("Expecting 'str' or 'None', not 'set'") + file_data[p]['attach_paths'] = {file_data[p]['attachment']} + + # Check if profile block does not have corresponding 'local' include + for p,d in file_data.items(): + if not localExists.get(p): # not found previously + if '//' in p: + identity = p.split('//') + else: + identity = [p] + + localIdentity = makeLocalIdentity(identity) + filename = file_data[p]['filename'] + messages.append({'filename': filename, + 'profile': p, + 'severity': 'WARNING', + 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? + 'reason': "The (sub)profile block does not have expected 'local' include", + 'suggestion': f'include if exists '}) + + # Track multiple definitions inside single file + for profile in duplicateProfilesCounter: + counter = duplicateProfilesCounter.count(profile) + if counter >= 2: + messages.append({'filename': fullpath, + 'profile': profile, + 'severity': 'DEGRADED', + 'line': None, + 'reason': "Profile has been defined {counter} times in the same file", + 'suggestion': None}) + + return (messages, file_data) + +def findAllProfileFilenames(profile_dir): + + profiles = set() + for path in pathlib.Path(profile_dir).iterdir(): + if path.is_file() and not is_skippable_file(path): + profiles.add(path.resolve()) + + # Not default, dig deeper + if not profiles: + nestedDirs = ( + 'groups', + 'profiles-a-f', + 'profiles-g-l', + 'profiles-m-r', + 'profiles-s-z', + ) + for d in nestedDirs: + dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) + for p in dirpath.rglob("*"): + if p.is_file(): + profiles.add(p) + + return profiles + +def handleArgs(): + """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" + + allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] + aaRoot = '/etc/apparmor.d' + + parser = argparse.ArgumentParser() + parser.add_argument('-d', '--aa-root-dir', action='store', + default=aaRoot, + help='Target different AppArmor root directory rather than default') + parser.add_argument('-p', '--profile', action='append', + help='Handle only specified profile') +# parser.add_argument('-s', '--severity', action='append', +# choices=allSeverities, +# help='Handle only specified severity event') + + args = parser.parse_args() + +# if not args.severity: +# args.severity = allSeverities + + return args + +def main(argv): + + args = handleArgs() + + messages = [] + + profile_dir = args.aa_root_dir + if not args.profile: + profiles = findAllProfileFilenames(profile_dir) + else: + profiles = set() + for p in args.profile: + absolutePath = pathlib.Path(p).resolve() + profiles.add(absolutePath) + + profile_data = {} + for path in sorted(profiles): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) + + for m in messages: + m['filename'] = str(m.get('filename')) + print(json.dumps(m, indent=2)) + + if messages: + sys.exit(1) + + return None + +if __name__ == '__main__': + '''Safeguard errors does NOT cover loosening existing profiles after loading!''' + try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ModuleNotFoundError: + from apparmor.aa import separate_vars + + except ModuleNotFoundError: + raise ModuleNotFoundError(f"""Can't find 'python3-apparmor' package! Install with: +$ sudo apt install python3-apparmor""") + + main(sys.argv) From 21b60b4fa3f931bdc19c07e010a0dd3e59d7e1e8 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:31:22 +0000 Subject: [PATCH 020/977] Update profile_check.py --- tests/profile_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 5cc39d6b9..00f98ec02 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -445,7 +445,7 @@ def main(argv): return None if __name__ == '__main__': - '''Safeguard errors does NOT cover loosening existing profiles after loading!''' + try: from apparmor.regex import * from apparmor.aa import is_skippable_file From 679df325de9d2cd2dbf43083e01598f2285b569c Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Tue, 19 Nov 2024 18:49:49 +0000 Subject: [PATCH 021/977] polishing --- tests/profile_check.py | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 00f98ec02..ed4316280 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -49,9 +49,11 @@ def handleFileMessages(l, file, profile, lineNum): # '', ) suggestOwner = ( # TODO: switch to AARE - r'^@{HOME}', + r'^@{HOME}/', r'^/home/\w+/', + r'^@{run}/user/@{uid}/', r'^/run/user/\d+/', + r'^@{tmp}/', r'^/tmp/', r'^/var/tmp/', r'^/dev/shm/', @@ -60,7 +62,7 @@ def handleFileMessages(l, file, profile, lineNum): lG = l.groupdict() reason_ = None if lG.get('path'): - if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives severity_ = 'ERROR' reason_ = 'Whole filesystem access is too broad' suggestion_ = None @@ -84,12 +86,12 @@ def handleFileMessages(l, file, profile, lineNum): suggestion_ = None if reason_: # something matched - msg = ({'filename': file, - 'profile': profile, - 'severity': severity_, - 'line': lineNum, - 'reason': reason_, - 'suggestion': suggestion_}) + msg = {'filename': file, + 'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_} else: msg = None @@ -98,7 +100,7 @@ def handleFileMessages(l, file, profile, lineNum): def readApparmorFile(fullpath): '''AA file could contain multiple AA profiles''' headers = ( - '# AppArmor.d - Full set of apparmor profiles', + '# apparmor.d - Full set of apparmor profiles', '# Copyright (C) ', '# SPDX-License-Identifier: GPL-2.0-only', ) @@ -129,14 +131,14 @@ def readApparmorFile(fullpath): indent = '' if indent != expectedIndent: - spacesCount = len(nestingStacker) * 2 - nesingCount = len(nestingStacker) + spacesCount = len(nestingStacker) * 2 + nestingCount = len(nestingStacker) messages.append({'filename': fullpath, 'profile': getCurrentProfile(nestingStacker), 'severity': 'WARNING', 'line': n, - 'reason': f"Expected {spacesCount} spaces for {nesingCount} nesting", - 'suggestion': f"{expectedIndent}{line}"}) + 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", + 'suggestion': f"{expectedIndent}{line.lstrip()}"}) if line.endswith(' \n'): messages.append({'filename': fullpath, @@ -152,7 +154,7 @@ def readApparmorFile(fullpath): 'severity': 'WARNING', 'line': n, 'reason': "Tabs are not allowed", - 'suggestion': line.replace('\t', '')}) + 'suggestion': line.replace('\t', ' ')}) if len(gotHeaders) < 3 and not nestingStacker: for nH,i in enumerate(headers): From 3030c28c05604b4f1b669d80f6df1e10b404a9ff Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:57:13 +0000 Subject: [PATCH 022/977] Update profile_check.py --- tests/profile_check.py | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index ed4316280..c793543e3 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -13,6 +13,21 @@ import shlex import json from copy import deepcopy +try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ImportError: + from apparmor.aa import separate_vars + + LIBAPPARMOR = True + +except ImportError: + LIBAPPARMOR = False + def sanitizeProfileName(name): if name.startswith('/') or name.startswith('@{'): @@ -118,6 +133,7 @@ def readApparmorFile(fullpath): gotHeaders = {} gotAttach = False isAfterProfileStart = False + lastLineNum = None try: with open(fullpath, 'r') as f: for n,line in enumerate(f, start=1): @@ -262,6 +278,8 @@ def readApparmorFile(fullpath): localExists_eol[profileIdentity] = n del nestingStacker[-1] # remove last + lastLineNum = n + except PermissionError: exceptionMsg = 'Unable to read the file (PermissionError)' @@ -308,12 +326,12 @@ def readApparmorFile(fullpath): # Ensure trailing vim syntax if line: - trailingSyntax = '# vim:syntax=apparmor' + trailingSyntax = '# vim:syntax=apparmor\n' if line != trailingSyntax: messages.append({'filename': fullpath, 'profile': None, 'severity': 'WARNING', - 'line': None, + 'line': lastLineNum, 'reason': 'No trailing syntax hint', 'suggestion': trailingSyntax}) @@ -448,18 +466,8 @@ def main(argv): if __name__ == '__main__': - try: - from apparmor.regex import * - from apparmor.aa import is_skippable_file - from apparmor.rule.file import FileRule, FileRuleset - from apparmor.common import convert_regexp - try: - from apparmor.rule.variable import separate_vars - except ModuleNotFoundError: - from apparmor.aa import separate_vars - - except ModuleNotFoundError: - raise ModuleNotFoundError(f"""Can't find 'python3-apparmor' package! Install with: + if not LIBAPPARMOR: + raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: $ sudo apt install python3-apparmor""") main(sys.argv) From 8f4b3304075325f09b5d5d199597db1c1660fc0f Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Sat, 23 Nov 2024 18:35:53 +0000 Subject: [PATCH 023/977] Update profile_check.py --- tests/profile_check.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/profile_check.py b/tests/profile_check.py index c793543e3..90f5b56b2 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -456,6 +456,9 @@ def main(argv): profile_data.update(profilesInFile) for m in messages: + if m.get('suggestion'): + if m['suggestion'].endswith('\n'): + m['suggestion'] = m.get('suggestion').removesuffix('\n') m['filename'] = str(m.get('filename')) print(json.dumps(m, indent=2)) From edaa45067abd5f18fa702ca3f08897d93425bbc5 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Sat, 23 Nov 2024 19:54:17 +0000 Subject: [PATCH 024/977] fix exec_path bug, ignore skipable files --- tests/profile_check.py | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 90f5b56b2..9b61e6367 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -186,14 +186,8 @@ def readApparmorFile(fullpath): if m.get('profile'): nestingStacker.append(m.get('profile')) # set early - if m.get('attachment') != '@{exec_path}' and not gotAttach: # can be only singular + if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular gotAttach = True - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "'@{exec_path}' must be defined as main path attachment", - 'suggestion': None}) profileMsg = {'filename': fullpath, 'profile': getCurrentProfile(nestingStacker), @@ -324,6 +318,15 @@ def readApparmorFile(fullpath): 'reason': 'ABI is required', 'suggestion': abi}) + # Ensure singular '@{exec_path}' + if not gotAttach: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + # Ensure trailing vim syntax if line: trailingSyntax = '# vim:syntax=apparmor\n' @@ -450,10 +453,11 @@ def main(argv): profile_data = {} for path in sorted(profiles): - readApparmorFile_Out = readApparmorFile(path) - profilesInFile = readApparmorFile_Out[1] - messages.extend(readApparmorFile_Out[0]) - profile_data.update(profilesInFile) + if not is_skippable_file(path): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) for m in messages: if m.get('suggestion'): From 7167de932cc3f2678b0b496e9fa9f84bde79b0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:17:35 +0100 Subject: [PATCH 025/977] feat(profile): firefox: restric access to /tmp --- apparmor.d/groups/browsers/firefox | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 27eb0d54d..dfaff6064 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -59,9 +59,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, From 01c1562e7cd3fde793b926247d8f0fd910b675b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:19:29 +0100 Subject: [PATCH 026/977] feat(profile): firefox: better naming of possible attachment. --- apparmor.d/groups/browsers/firefox | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index dfaff6064..f7b0e1964 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ From b35c2a0abf72340537c466e6fbdd6a08a2052163 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Tue, 17 Dec 2024 20:28:17 +0200 Subject: [PATCH 027/977] non-owner accesses authorized_keys --- apparmor.d/groups/ssh/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index b4ecc068e..825612af0 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -94,7 +94,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, From cf1d7504f4a329d7654cc4afd8d6c2f9e912c91f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:48:24 +0100 Subject: [PATCH 028/977] fix(profile): sensors: simplify hwmon access. fix #628 --- apparmor.d/profiles-s-z/sensors | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index fd839099e..e6ae103ae 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/** r, # file_inherit deny @{PROC}/@{pid}/net/dev r, From f8fc1aa38743aafbb493132b955c99d9059f9e15 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sun, 15 Dec 2024 19:40:06 +0200 Subject: [PATCH 029/977] systemd user ask-password --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 3e2129d39..b16577de8 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -24,6 +24,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + @{run}/user/@{uid}/systemd/ask-password/ rw, @{run}/utmp rk, @{PROC}/@{pids}/stat r, From 57ddfd29ced85da5c0de78471a2136053e1e7038 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Dec 2024 23:56:12 +0100 Subject: [PATCH 030/977] fix(profile): pacman-hook-systemd: add systemd-tty-ask-password-agent. fix #632 --- apparmor.d/groups/pacman/pacman-hook-systemd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 2c32024a2..59acc34d9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -45,6 +45,10 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, + signal send set=term peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + include if exists } From 2560e9645ff11d4fd24c69ef8145adf9bc8f817c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Dec 2024 00:05:36 +0100 Subject: [PATCH 031/977] feat(profile): various improvements and update. --- apparmor.d/groups/gnome/gnome-session | 2 ++ apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + apparmor.d/groups/pacman/pacman-hook-systemd | 1 + apparmor.d/groups/systemd/bootctl | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 +- apparmor.d/groups/systemd/systemd-generator-user-autostart | 2 +- apparmor.d/groups/systemd/systemd-generator-user-environment | 2 +- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-random-seed | 2 +- apparmor.d/groups/systemd/systemd-update-done | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/systemd/systemd-user-sessions | 2 +- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/flatpak-system-helper | 3 ++- apparmor.d/profiles-a-f/fwupd | 3 +-- 20 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 798868271..bec97e7de 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -58,6 +58,8 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a75cfee63..601e6b6df 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -39,6 +39,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ee98720b6..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 59acc34d9..6f154269d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, + capability sys_resource, signal send set=term peer=systemd-tty-ask-password-agent, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 05655d308..c7bb7b19f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 6516a500c..826405d2d 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index f67cb301c..374e9c4ae 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index f8950c1fe..090412ff5 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index c42548ef5..8e3ebb6b3 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} { +profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index db128405f..27db22078 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} { +profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cc1f541dd..d63a4211d 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} { +profile systemd-journald @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 3a111f7f3..b37f2300b 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index be33d39cd..86ea02a0d 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} { +profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index c17be7ab2..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 9d512b495..1a2ff9a31 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9c7fe975b..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 6f16b2f19..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} { +profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index db6d5d377..061866717 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/+thunderbolt:* r, diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 2268de064..60c41a6a9 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/mime/mime.cache r, + /usr/share/flatpak/remotes.d/ r, /usr/share/flatpak/triggers/ r, + /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index aa95a00d5..643bbe96a 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include + include include include @@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/sd[a-z]* r, /dev/tpm@{int} rw, /dev/tpmrm@{int} rw, /dev/wmi/* r, From 6348dafa8e7a41303b6ecd26301247b614dc195f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:23:45 +0100 Subject: [PATCH 032/977] fix(profile): gnome on X fix #641 --- apparmor.d/groups/ssh/ssh-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 72d6618e6..f6732b1cf 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} { @{sh_path} rix, @{bin}/gpg-agent rPx, + @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, From f21006dfd2e37d0673be7faccf25ec0584cb99c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:41:17 +0100 Subject: [PATCH 033/977] fix(profile): xfce-terminal graphics fix #638 --- apparmor.d/groups/xfce/xfce-terminal | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 342ffd3b4..d0d895c5a 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include include include + include include include From 70c06a054744503ffc8fd98133c29e965e942b3d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:48:23 +0100 Subject: [PATCH 034/977] fix(profile): set dettached flag on some systemd services. should fix #630 --- dists/flags/main.flags | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ac4547850..6a1a1b6a7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -309,7 +309,7 @@ systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup complain +systemd-cryptsetup attach_disconnected,complain systemd-dissect attach_disconnected,complain systemd-escape complain systemd-generator-bless-boot attach_disconnected,complain @@ -327,8 +327,8 @@ systemd-generator-integritysetup attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-user-autostart complain -systemd-generator-user-environment complain +systemd-generator-user-autostart attach_disconnected,complain +systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain @@ -342,7 +342,7 @@ systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions complain +systemd-user-sessions attach_disconnected,complain systemd-userwork attach_disconnected,complain systemsettings complain telegram-desktop complain From fa85d909d70c80d524d320cc2e83f94e18fcf166 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:58:53 +0100 Subject: [PATCH 035/977] feat(profile): general update. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/bus/dbus-accessibility | 2 ++ apparmor.d/groups/freedesktop/xorg | 5 +++ apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gdm-prime-defaut | 3 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/ssh/sshfs | 15 +++++++++ .../systemd/systemd-tty-ask-password-agent | 1 + apparmor.d/groups/systemd/systemd-udevd | 2 ++ apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/profiles-a-f/bluetoothd | 11 ++----- apparmor.d/profiles-a-f/fwupd | 6 +--- apparmor.d/profiles-g-l/gpu-manager | 1 + apparmor.d/profiles-m-r/mount-cifs | 31 ++++++++++++------- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 +- apparmor.d/profiles-s-z/xinit | 1 + 19 files changed, 61 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 369dd3bbd..c0545f2ec 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -130,6 +130,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index e8f0328a2..35a507559 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -26,6 +26,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=accessibility path=/org/freedesktop/DBus diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 0f23d583c..90016a8ee 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.login1.Session + member=ReleaseControl + peer=(name=org.freedesktop.login1, label=systemd-logind), + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 6bafb132b..fc7ff4bb1 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -50,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 189e166f2..eea0ee3b3 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) { @{exec_path} mr, + @{sh_path} r, + @{bin}/prime-offload ix, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de3a180bb..1bb2de231 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 40984f7fa..ee2e5274b 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -51,7 +51,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index a367b0f7a..173b6602e 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -13,6 +13,10 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, + mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), @@ -33,6 +37,17 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b16577de8..4c57d0200 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -13,6 +13,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, + capability dac_read_search, capability net_admin, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index b8a0c7e4c..f52a2fc6c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -95,6 +95,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/udev/control rw, + @{run}/udev/ rw, @{run}/udev/** rwk, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 1766cd2fb..94b185162 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -114,7 +114,7 @@ profile cockpit-bridge @{exec_path} { include include - signal (send receive) set=term peer=cockpit-bridge, + signal (send receive) set=(cont hup term) peer=cockpit-bridge, @{bin}/cockpit-bridge Px, @{lib}/cockpit/cockpit-askpass Px, diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index d39517569..27e4eb594 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -22,7 +22,7 @@ profile anondate @{exec_path} { @{bin}/grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index ee7efdcfd..8ca699aaf 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -25,20 +25,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus receive bus=system path=/ + dbus send bus=system path=/{,MediaEndpoint} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), - - dbus send bus=system path=/MediaEndpoint - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=pulseaudio), + peer=(name=@{busname}), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 643bbe96a..5abf1d294 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -38,17 +38,13 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/UDisks2/Manager - interface=org.freedesktop.UDisks2.Manager - member=GetBlockDevices - peer=(name=:*, label=udisksd), - @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 8cc49acdf..795c92f00 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -25,6 +25,7 @@ profile gpu-manager @{exec_path} { /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, + /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 78651ba23..190db34da 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -12,16 +12,29 @@ profile mount-cifs @{exec_path} flags=(complain) { include include - # To mount anything. capability sys_admin, - - # (#FIXME#) capability setpcap, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, + mount fstype=cifs -> @{HOME}/*/, + mount fstype=cifs -> @{HOME}/*/*/, + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + mount fstype=cifs -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, + @{exec_path} mr, @{bin}/systemd-ask-password rPUx, @@ -31,18 +44,12 @@ profile mount-cifs @{exec_path} flags=(complain) { owner @{HOME}/.smbcredentials r, # Mount points + @{HOME}/*/ r, + @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - - # Allow to mount smb/cifs disks only under the /media/ dirs - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, + @{MOUNTS}/*/*/ r, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 909112a70..90ea63dd2 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -132,7 +132,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/class/nvme/ r, @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci}/uevent rw, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 87b4e27ca..cc19872c6 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -24,7 +24,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 0801ac188..a332bd20b 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include + include include signal (receive) set=(usr1) peer=xorg, From 34913ab0c02b836b71a463fba234663174111dc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 22:59:42 +0100 Subject: [PATCH 036/977] build: update debian control. --- debian/control | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 3d15800b8..800642d86 100644 --- a/debian/control +++ b/debian/control @@ -9,16 +9,15 @@ Build-Depends: debhelper (>= 13.4), Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.5.0 +Standards-Version: 4.6.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: - apparmor-profiles, +Depends: apparmor-profiles, ${shlibs:Depends} Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 0769e42ea22d869f4079076c8d1012c5a5a406cf Mon Sep 17 00:00:00 2001 From: nobody43 Date: Tue, 31 Dec 2024 00:32:12 +0000 Subject: [PATCH 037/977] regression: session names 2 --- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/profiles-a-f/briar-desktop | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/mullvad-setup | 2 +- apparmor.d/profiles-m-r/ouch | 2 +- apparmor.d/profiles-s-z/signal-desktop | 4 ++-- apparmor.d/profiles-s-z/virt-manager | 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 87865197e..602651587 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -125,7 +125,7 @@ @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index fc7ff4bb1..10d116a6c 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -92,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 825612af0..21892cc47 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -107,7 +107,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 96e50ba35..0949e72ee 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -159,7 +159,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index a0b57a38b..24088be3f 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -57,7 +57,7 @@ profile briar-desktop @{exec_path} { owner @{tmp}/jna@{u64}.tmp mrw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, @{PROC}/cgroups r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63634d788..03dfe9749 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -99,7 +99,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index b30da1c13..d2bb2eb44 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,7 +13,7 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index ef3ea4bee..a5b62ca93 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -19,7 +19,7 @@ profile ouch @{exec_path} { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b905e8f3a..ca9da155c 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -44,8 +44,8 @@ profile signal-desktop @{exec_path} { @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 0a67b365b..052192d8f 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -85,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, From f66ef4d5ea65c8e911337fb5495ba9b937b39341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Jan 2025 23:36:42 +0100 Subject: [PATCH 038/977] chore: fix profile styling issue. --- apparmor.d/groups/ssh/sshfs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 173b6602e..f7c635dd4 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -41,7 +41,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, - + umount @{HOME}/*/, umount @{HOME}/*/*/, umount @{MOUNTDIRS}/, From bffb837ff3814e416e7ddca6d1db604c29e61ee7 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Fri, 3 Jan 2025 11:07:04 +0800 Subject: [PATCH 039/977] Update profile for xray --- apparmor.d/profiles-s-z/xray | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 7e86ada2c..fccd2c569 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -22,6 +22,7 @@ profile xray @{exec_path} flags=(attach_disconnected) { /etc/xray/{,*} r, /usr/share/xray/**.dat r, + /usr/share/v2ray/**.dat r, @{PROC}/sys/net/core/somaxconn r, From 17520a94bf1be89d5025722ab4397b911dcbcd71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Jan 2025 00:09:24 +0100 Subject: [PATCH 040/977] feat(profile): improve snap & login bus. --- apparmor.d/abstractions/bus/org.freedesktop.login1 | 2 +- apparmor.d/profiles-s-z/snap | 1 + apparmor.d/profiles-s-z/snapd | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 77271fe23..385c75730 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -21,7 +21,7 @@ dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} + member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index aa1f6b2b8..cdb01d14a 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -73,6 +73,7 @@ profile snap @{exec_path} { @{run}/mount/utab r, @{run}/snapd.socket rw, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 250005f55..4e383b777 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -153,6 +153,7 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/system.slice/{,**/} r, @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, From b94b11cbee0ea96b7fc7272b68a27b3b21ed5679 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 10 Jan 2025 18:55:37 +0100 Subject: [PATCH 041/977] feat(profile): steam: update web paths. --- apparmor.d/profiles-s-z/steam | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 252c89869..9cb5ac86b 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -317,6 +317,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/public/** k, @{tmp}/ r, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, @@ -324,6 +326,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, From 078b0de752d302a63b48ba32d5f3da5b4c37823b Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Fri, 10 Jan 2025 19:42:29 +0000 Subject: [PATCH 042/977] Fix `rand` typo --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cc4192d28..4e8b1bc11 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -78,7 +78,7 @@ @{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand64}@{rand64} +@{rand64}=@{rand32}@{rand32} # Any x word characters @{word2}=@{w}@{w} From 61939a3bf8732d71088396a7a8b5f73196442b39 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 18:22:39 +0100 Subject: [PATCH 043/977] build: disable dummy upstream profile in favor of ours. --- dists/overwrite | 1 + pkg/prebuild/prepare/overwrite.go | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 767c07312..3ddd83d97 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -13,6 +13,7 @@ flatpak foliate loupe msedge +mullvad nautilus opera plasmashell diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 6f8951161..1bacd446f 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -49,9 +49,10 @@ func (p Overwrite) Apply() ([]string, error) { if !dest.Exist() && p.OneFile { continue } - if err := origin.Rename(dest); err != nil { - - return res, err + if origin.Exist() { + if err := origin.Rename(dest); err != nil { + return res, err + } } originRel, err := origin.RelFrom(dest) if err != nil { From 88f1821b19d9a298592727898f7b2055bde4102d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 18:23:43 +0100 Subject: [PATCH 044/977] tests: cosmetic. --- tests/bats/chsh.bats | 6 +++--- tests/boxes.yml | 2 +- tests/cmd/main.go | 3 ++- tests/requirements.sh | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index a9f5a6978..81a9f76a6 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -5,15 +5,15 @@ load common -@test "chsh: [l]ist available shells" { +@test "chsh: list available shells" { chsh --list-shells || true } -@test "chsh: Set a specific login [s]hell for the current user" { +@test "chsh: Set a specific login shell for the current user" { echo "$PASSWORD" | chsh --shell /usr/bin/bash } # bats test_tags=chsh -@test "chsh: Set a login [s]hell for a specific user" { +@test "chsh: Set a login shell for a specific user" { sudo chsh --shell /usr/bin/sh root } diff --git a/tests/boxes.yml b/tests/boxes.yml index ef037e07f..532c5e18f 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -2,7 +2,7 @@ defaults: uefi: true - ram: '4096' + ram: '3072' cpu: '6' boxes: diff --git a/tests/cmd/main.go b/tests/cmd/main.go index eb88de1ec..e7e620b00 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -88,7 +88,8 @@ func run() error { } logging.Bullet("Bats tests directory: %s", cfg.BatsDir) - logging.Bullet("Number of tests found %d", len(tests)) + logging.Bullet("Number of profiles with tests found %d", len(tests)) + logging.Bullet("Number of programs without profile found %d", len(tests)) return nil } diff --git a/tests/requirements.sh b/tests/requirements.sh index c12f9249c..c22e70108 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -19,7 +19,7 @@ arch) ;; debian | ubuntu | whonix) sudo apt-get install -y \ - cpuid dfc systemd-userdbd systemd-homed tlp + cpuid dfc systemd-userdbd systemd-homed tlp network-manager ;; opensuse*) ;; From fc85b9fc58d814c5029c0e377cde5c65c07eff2a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 19:41:47 +0100 Subject: [PATCH 045/977] build: better division of prebuild stages. --- cmd/prebuild/main.go | 1 + pkg/prebuild/cli/cli.go | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 3f2dd9f43..59eff4912 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -67,5 +67,6 @@ func init() { } func main() { + cli.Configure() cli.Prebuild() } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2821d52c2..53f3c5589 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -58,7 +58,7 @@ func init() { flag.StringVar(&file, "file", "", "Only prebuild a given file.") } -func Prebuild() { +func Configure() { flag.Usage = func() { fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), @@ -103,7 +103,9 @@ func Prebuild() { overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) overwrite.OneFile = true } +} +func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) From f1182b27bb64a3bf44e92a4bafb58178ebfbf5ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Jan 2025 20:30:52 +0100 Subject: [PATCH 046/977] build: do not resolve files in local/ --- pkg/prebuild/builder/userspace.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index d62cad522..71c1ce23e 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -33,11 +33,10 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { - return profile, nil - } - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { - return profile, nil + for _, dir := range []string{"abstractions", "tunables", "local"} { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + return profile, nil + } } f := aa.DefaultTunables() From 9953cf1fbd08375c24f4263e18ec28fa1b0b8700 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jan 2025 23:57:19 +0100 Subject: [PATCH 047/977] build: make synchronise task configurable. Required by downtream repository. --- pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/prepare/synchronise.go | 47 +++++++++++++++-------------- 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 53f3c5589..2af5549a1 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -99,7 +99,7 @@ func Configure() { if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Path = file + sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) overwrite.OneFile = true } diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index b272388c7..fe24471d8 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -11,7 +11,7 @@ import ( type Synchronise struct { prebuild.Base - Path string + Paths []string // File or directory to sync into the build directory. } func init() { @@ -20,38 +20,39 @@ func init() { Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Path: "", + Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { + if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { + return res, err + } + if err := prebuild.RootApparmord.RemoveAll(); err != nil { + return res, err + } + + for _, name := range p.Paths { + src := paths.New(name) + dst := prebuild.Root.Join(name) + if err := dst.RemoveAll(); err != nil { return res, err } - } - if p.Path == "" { - for _, name := range []string{"apparmor.d", "share"} { - if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + + if src.IsDir() { + if err := paths.CopyTo(src, dst); err != nil { + return res, err + } + } else { + if err := dst.Parent().MkdirAll(); err != nil { + return res, err + } + if err := src.CopyTo(dst); err != nil { return res, err } } - } else { - file := paths.New(p.Path) - destination, err := file.RelFrom(paths.New("apparmor.d")) - if err != nil { - return res, err - } - destination = prebuild.RootApparmord.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return res, err - } - if err := file.CopyTo(destination); err != nil { - return res, err - } - res = append(res, destination.String()) + res = append(res, dst.String()) } return res, nil } From ba067a021472d89714c3ee26814277374d9a223a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jan 2025 23:58:01 +0100 Subject: [PATCH 048/977] build: naming cosmetic. --- pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/prepare/overwrite.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2af5549a1..f33296881 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -101,7 +101,7 @@ func Configure() { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.OneFile = true + overwrite.Optional = true } } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 1bacd446f..530e88690 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -15,7 +15,7 @@ const ext = ".apparmor.d" type Overwrite struct { prebuild.Base - OneFile bool + Optional bool } func init() { @@ -24,7 +24,7 @@ func init() { Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - OneFile: false, + Optional: false, }) } @@ -46,7 +46,7 @@ func (p Overwrite) Apply() ([]string, error) { for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.OneFile { + if !dest.Exist() && p.Optional { continue } if origin.Exist() { From d20435eb210708b50748732cdb46cbd914abcb24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 15 Jan 2025 00:08:43 +0100 Subject: [PATCH 049/977] feat(profiles): remove unused user role & mappings - Not enabled, tested. - Will come back under another form later. --- apparmor.d/groups/children/user_confined | 31 ---------- apparmor.d/groups/children/user_default | 32 ---------- apparmor.d/groups/children/user_unconfined | 25 -------- apparmor.d/profiles-m-r/pam/mappings | 72 ---------------------- 4 files changed, 160 deletions(-) delete mode 100644 apparmor.d/groups/children/user_confined delete mode 100644 apparmor.d/groups/children/user_default delete mode 100644 apparmor.d/groups/children/user_unconfined delete mode 100644 apparmor.d/profiles-m-r/pam/mappings diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined deleted file mode 100644 index c4d3c9fed..000000000 --- a/apparmor.d/groups/children/user_confined +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow confined users to read, write, lock and link to their own files -# anywhere, and execute from some places. - -abi , - -include - -profile user_confined flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rwkl, - owner @{HOMEDIRS}/bin/** ixmr, - owner @{user_bin_dirs}/** ixmr, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default deleted file mode 100644 index 2853a8deb..000000000 --- a/apparmor.d/groups/children/user_default +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# By default, allow users to read, lock and link to their own files anywhere, -# but only write to files in their home directory. Only allow limited execution -# of files. - -abi , - -include - -profile user_default flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rkl, - owner @{HOMEDIRS}/ w, - owner @{HOMEDIRS}/** w, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined deleted file mode 100644 index db410d6a2..000000000 --- a/apparmor.d/groups/children/user_unconfined +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, - network, - mount, - remount, - umount, - pivot_root, - ptrace, - signal, - dbus, - unix, - file, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings deleted file mode 100644 index cbcb539ed..000000000 --- a/apparmor.d/profiles-m-r/pam/mappings +++ /dev/null @@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example - -# This file contains the mappings from users to roles for the binaries -# confined with AppArmor and configured for use with libpam-apparmor. Users -# without a mapping will not be able to login. -# -# The default hat is a confined user. The hat contains only the permissions -# necessary to transition to the user's login shell. All other permissions have -# been moved into the default_user profile. -^DEFAULT { - include - include - - capability dac_override, - capability setgid, - capability setuid, - - /etc/default/su r, - @{etc_ro}/environment r, - - @{shells_path} rPx -> user_default, - - include if exists -} - -# USER is a confined user. The hat contains only the permissions necessary -# to transition to gray's login shell. All other permissions have been -# moved into the confined_user profile. -^USER { - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rPx -> user_confined, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# Don't confine members whose primary group is 'admin' who are not specifically -# confined. Systems without this special primary group may want to define an -# unconfined 'root' hat in this manner (depending on site policy). -^root { - include - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rUx, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# vim:syntax=apparmor From 462a972abc12e834c7ecdd44cf7b1944c3b07645 Mon Sep 17 00:00:00 2001 From: adombeck <18482300+adombeck@users.noreply.github.com> Date: Wed, 15 Jan 2025 18:54:43 +0100 Subject: [PATCH 050/977] docs: Fix typos --- docs/development/integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/integration.md b/docs/development/integration.md index 1e5878aa0..15f939cdd 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -49,7 +49,7 @@ To build a VM image for development purpose, run the following from the `tests` | Debian | Server | `make debian flavor=server` | `debian-server` | | openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | | Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | -| Ubuntu | Desktop | `make ubuntu falvor=desktop` | `ubuntu-desktop` | +| Ubuntu | Desktop | `make ubuntu flavor=desktop` | `ubuntu-desktop` | **VM management** @@ -88,7 +88,7 @@ On all images, `aa-update` can be used to rebuild and install the latest version Prepare the test environment: ```sh cd tests -make falvor= +make flavor= AA_INTEGRATION=true vagrant up ``` From e41c5f6055197b3ad0985f5af735b7d272148360 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 17 Jan 2025 00:06:35 +0100 Subject: [PATCH 051/977] build; make the pkgname configurable. --- pkg/prebuild/directories.go | 3 +++ pkg/prebuild/prepare/overwrite.go | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index cd5958b72..dcf368f51 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -10,6 +10,9 @@ var ( // AppArmor ABI version ABI uint = 0 + // Pkgname is the name of the package + Pkgname string = "apparmor.d" + // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 530e88690..d974b26e4 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -11,7 +11,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -const ext = ".apparmor.d" +var ext = "." + prebuild.Pkgname type Overwrite struct { prebuild.Base From 693259d8c12eeab2bc996fb5c7a2c78475dea7b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:23:31 +0100 Subject: [PATCH 052/977] feat(profile): general update --- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/freedesktop/pipewire | 1 + apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 +-- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 1 + apparmor.d/groups/kde/konsole | 7 +++++-- apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/groups/pacman/pacman | 2 ++ apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/ssh/sftp-server | 3 +-- apparmor.d/groups/systemd/systemd-fsck | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- apparmor.d/groups/virt/cockpit-session | 3 ++- apparmor.d/groups/virt/cockpit-ws | 2 ++ apparmor.d/groups/virt/dockerd | 11 ++++------- apparmor.d/profiles-m-r/mullvad-setup | 6 ++++-- apparmor.d/profiles-m-r/needrestart | 8 ++++++-- apparmor.d/profiles-s-z/update-alternatives | 2 ++ apparmor.d/profiles-s-z/virt-manager | 2 +- 22 files changed, 42 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 2e41b10bf..beb563f31 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include include diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index cf957ab4f..34163333b 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -34,6 +34,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, + @{lib}/apt/apt-extracttemplates rPx, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index e2b1b22d9..da4350d74 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -46,6 +46,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, + owner @{att}// r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index e51f21e1e..eaaa90769 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -28,6 +28,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{att}/@{HOME}/.var/app/** r, owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 57b17b655..80fa07ec7 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -77,11 +77,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, - @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, - owner @{tmp}/icon* rw, + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 08cfc840c..ceca1e2b1 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -43,7 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 59e6df788..d98b764df 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -107,6 +107,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 17ed13f27..8f9ff48dd 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -74,8 +74,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 969a82f6c..6cb93163c 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -21,6 +21,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8215e3f6a..6c0e782fa 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -99,6 +99,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, + @{bin}/which rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @@ -198,6 +199,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, + @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 6f154269d..0878385c5 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,7 +46,7 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3deddb092..a0fc3e2f8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -6,8 +6,7 @@ abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index a7290dc48..0680e0be8 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3eaedfaac..7b271c9de 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -51,12 +51,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, + @{att}/@{run}/systemd/notify rw, owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, @{run}/udev/data/n@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index ff9e2d540..552bd9996 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 67ecd800e..5b67b14d7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, + @{att}/@{run}/systemd/sessions/*.ref rw, + @{run}/cockpit/active.motd r, @{run}/cockpit/inactive.motd r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, - @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index c78f63a63..2a685f04e 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -9,9 +9,11 @@ include @{exec_path} = @{lib}/cockpit/cockpit-ws profile cockpit-ws @{exec_path} { include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2ea35f7b9..13f050c7d 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -33,15 +33,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network netlink raw, mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount /var/lib/docker/**/, mount options=(rw bind) -> /run/docker/netns/*, - mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, @@ -90,6 +84,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int10}/{,**} rw, + owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, owner @{run}/docker.pid rw, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index d2bb2eb44..bc20a0f9a 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,9 +13,11 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 56f95b589..4bc314b0e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -20,9 +20,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability kill, capability sys_ptrace, - ptrace (read), + ptrace read, - mqueue (r,getattr) type=posix /, + mqueue r type=posix /, @{exec_path} mrix, @@ -43,6 +43,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, + @{att}/@{lib}/python3.@{int}/** r, + /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, @@ -60,6 +62,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { owner /var/lib/juju/agents/{,**} r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, + owner @{run}/sshd.pid r, @{PROC}/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index a83e985d7..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 052192d8f..af472b4d5 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -31,7 +31,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{bin}/python3.@{int} rix, @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, From 2f98d0817e426ca01bc183d4173250b65f6de37f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:26:54 +0100 Subject: [PATCH 053/977] fix(profile): child-open-any See #647 --- apparmor.d/groups/children/child-open-any | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index ea21f8487..b0c0b053e 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -11,11 +11,11 @@ abi , include -profile child-open-any flags=(attach_disconnected) { +profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include - @{open_path} mr, + @{open_path} mrix, @{sh_path} r, @@ -32,6 +32,8 @@ profile child-open-any flags=(attach_disconnected) { /usr/ r, /usr/local/bin/ r, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + /dev/tty rw, include if exists From cf254c8021fd76609ffe855a848d3988d4142bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:31:08 +0100 Subject: [PATCH 054/977] feat(profile): do not use the uname profile directly see #611 --- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/profiles-a-f/amule | 2 +- apparmor.d/profiles-m-r/rustdesk | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index bec97e7de..ce6abe6d9 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -32,7 +32,7 @@ profile gnome-session @{exec_path} { @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/xargs rix, @{bin}/dpkg-query rpx, diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule index b54e62022..ce600200a 100644 --- a/apparmor.d/profiles-a-f/amule +++ b/apparmor.d/profiles-a-f/amule @@ -27,7 +27,7 @@ profile amule @{exec_path} { # @{open_path} rPx -> child-open, @{exec_path} mr, - @{bin}/uname rPx, + @{bin}/uname rix, @{sh_path} rix, @{system_share_dirs}/amule/{,**} r, owner @{HOME}/.aMule/{,**} rwk, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 004c29d64..2a0f9b391 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -80,7 +80,7 @@ profile rustdesk @{exec_path} { @{sh_path} rix, @{bin}/chmod rix, - @{bin}/uname rPx, + @{bin}/uname rix, /usr/share/rustdesk/files/pynput_service.py rix, /usr/share/[rR]ust[dD]esk/files/{,**} r, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 153ded880..5d81c0a75 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/uname rpx, + @{bin}/uname rix, /usr/share/tlp/tlp-readconfs rix, / r, From f15cbdfc5bbe4e55ce7718360d1eb61e8eab444a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 21:36:52 +0100 Subject: [PATCH 055/977] feat(tunable): add terminal_path fix #656 --- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 83aec3ce3..eedf07033 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -65,4 +65,7 @@ # Help @{help_path} = @{bin}/@{help_names} +# Terminal emulator +@{terminal_path} = @{bin}/@{offices_names} + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e8f523b6a..18ba854d5 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -89,4 +89,7 @@ # Help @{help_names} = yelp +# Terminal emulator +@{terminal_name} = kgx terminator konsole + # vim:syntax=apparmor From ef99c81eb1f5f590801932fad51e85598517f80c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 22:40:36 +0100 Subject: [PATCH 056/977] feat(abs): rewrite the app/open abstraction to accomodate kde requirements. See #630 #605 #647 --- apparmor.d/abstractions/app/open | 31 ++++++++++++++++++++--- apparmor.d/groups/children/child-open-any | 10 +------- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 256eb5a6d..d47c3a4ba 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -3,19 +3,42 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for child-open-* profiles. +# Full set of rules for desktop generic open-* used in child-open-* profiles. abi , include - @{open_path} mrix, + # We cannot use `@{open_path} mrix,` here because it includes: + # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # "has merged rule with conflicting x modifiers" error when used with other + # wilcard over PUx transition. + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, - @{sh_path} r, @{bin}/env rix, - + @{sh_path} r, + /dev/tty rw, + # if @{DE} == kde + + include + include + include + include + include + + owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + # fi + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index b0c0b053e..1259d7708 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -13,11 +13,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include - include - - @{open_path} mrix, - - @{sh_path} r, + include @{bin}/** PUx, @{lib}/** PUx, @@ -32,10 +28,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/ r, /usr/local/bin/ r, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - - /dev/tty rw, - include if exists include if exists } From c6a7879e02eab51a738368e565db34217df8ba87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 23:00:20 +0100 Subject: [PATCH 057/977] fix: profile linter. --- apparmor.d/abstractions/app/open | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index d47c3a4ba..be4eda72d 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -11,7 +11,7 @@ # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # And `@{multiarch}` as a wildcard that cannot be merged and that will generate # "has merged rule with conflicting x modifiers" error when used with other # wilcard over PUx transition. @{bin}/exo-open mrix, @@ -23,7 +23,7 @@ @{bin}/env rix, @{sh_path} r, - + /dev/tty rw, # if @{DE} == kde @@ -34,7 +34,7 @@ include include - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # fi From 0b3c49d26af85211c32c3b6462465fcc74b428e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 20 Jan 2025 23:29:13 +0100 Subject: [PATCH 058/977] fix(profile): mqueue definition in needrestart. --- apparmor.d/profiles-m-r/needrestart | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 4bc314b0e..1e5ee2f91 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,7 +22,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue r type=posix /, + mqueue (r,getattr) type=posix /, @{exec_path} mrix, From 044c490f10d26018aa5ccc747464b30db004fefd Mon Sep 17 00:00:00 2001 From: beroal Date: Thu, 23 Jan 2025 00:26:31 +0200 Subject: [PATCH 059/977] `pacat`: a CLI utility for playing and recording audio from the PulseAudio suite (#653) --- apparmor.d/groups/freedesktop/pacat | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/pacat diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat new file mode 100644 index 000000000..8329b7924 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pacat @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pacat +profile pacat @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_music_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor From 4286b5330ca33335f957501cadfb776d516e3464 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 22:50:59 +0000 Subject: [PATCH 060/977] xfce, updates --- apparmor.d/groups/apt/dpkg-preconfigure | 7 +++++++ apparmor.d/groups/children/child-dpkg-divert | 1 + apparmor.d/groups/display-manager/lightdm | 11 +++++++++++ .../polkit-gnome-authentication-agent | 8 ++++++++ apparmor.d/groups/freedesktop/polkitd | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 2 +- apparmor.d/groups/grub/grub-mkconfig | 1 + apparmor.d/groups/grub/grub-probe | 1 + apparmor.d/groups/gvfs/gvfsd-computer | 3 +++ apparmor.d/groups/gvfs/gvfsd-wsdd | 3 +++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/groups/network/wg | 1 + apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/systemd/systemd-hwdb | 4 ++-- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/xfce/startxfce | 4 ++++ apparmor.d/groups/xfce/thunar | 9 +++++++++ apparmor.d/groups/xfce/thunar-volman | 2 ++ apparmor.d/groups/xfce/tumblerd | 15 +++++++++++++++ apparmor.d/groups/xfce/xfce-clipman-settings | 4 ++++ apparmor.d/groups/xfce/xfce-notifyd | 5 +++++ apparmor.d/groups/xfce/xfce-panel | 18 +++++++++++++++++- apparmor.d/groups/xfce/xfce-power-manager | 7 +++++++ apparmor.d/groups/xfce/xfce-screensaver | 4 ++++ apparmor.d/groups/xfce/xfce-session | 11 +++++++++++ apparmor.d/groups/xfce/xfce-terminal | 11 +++++++++++ apparmor.d/groups/xfce/xfconfd | 5 ++++- apparmor.d/groups/xfce/xfdesktop | 10 ++++++++++ apparmor.d/groups/xfce/xfsettingsd | 6 ++++++ apparmor.d/groups/xfce/xfwm | 2 ++ apparmor.d/profiles-a-f/blueman | 2 ++ apparmor.d/profiles-a-f/blueman-mechanism | 1 + apparmor.d/profiles-a-f/filezilla | 2 ++ apparmor.d/profiles-g-l/iceauth | 2 +- apparmor.d/profiles-g-l/im-launch | 1 + apparmor.d/profiles-g-l/libreoffice | 9 +++++++-- apparmor.d/profiles-m-r/mkinitramfs | 1 + apparmor.d/profiles-m-r/mount-cifs | 2 ++ apparmor.d/profiles-m-r/nemo | 5 +++++ apparmor.d/profiles-m-r/remmina | 6 ++++++ apparmor.d/profiles-m-r/run-parts | 2 ++ apparmor.d/profiles-s-z/su | 2 ++ .../profiles-s-z/system-config-printer-applet | 3 +++ apparmor.d/profiles-s-z/xarchiver | 1 + 44 files changed, 190 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 34163333b..eb022b3cb 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,6 +30,9 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/sort rix, @{bin}/stty rix, @{bin}/tr rix, + @{bin}/head rix, + @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @@ -37,11 +40,14 @@ profile dpkg-preconfigure @{exec_path} { @{lib}/apt/apt-extracttemplates rPx, /usr/share/debconf/confmodule r, + /usr/share/dictionaries-common/{,*} r, + /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, /etc/inputrc r, /etc/shadow r, + /etc/X11/Xwrapper.config r, owner @{tmp}/*.template.* rw, owner @{tmp}/*.config.* rwPUx, @@ -54,6 +60,7 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, + owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 6ea41a9e8..ddfff5fc2 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -22,6 +22,7 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf0..a70779fc4 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, + unix (bind) type=stream addr="@@{hex}/bus/lightdm/system", + + dbus (bind) bus=system name=org.freedesktop.DisplayManager, + @{exec_path} mrix, @{bin}/rm rix, @@ -45,6 +50,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @@ -52,6 +58,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /etc/lightdm/Xsession rPx, /etc/X11/Xsession rPx, + @{sh_path} rix, + @{bin}/{,e,f}grep rix, + @{bin}/df rix, + /usr/share/lightdm/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, @@ -81,6 +91,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index 94bc7ece6..e488272ca 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,11 +12,19 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include + include + include + include + include include include + signal (send) set=(term) peer=polkit-agent-helper, + @{exec_path} mr, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 5e3d3ee78..5b630a15a 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -31,6 +31,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-admin-identities rPx, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 92cbd369e..8df82b290 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,7 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, /usr/share/gnome-system-monitor/{,**} r, - /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 2a60d69c5..1ff23f1fe 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, + /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 80d517deb..2e2d9232b 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -27,6 +27,7 @@ profile grub-probe @{exec_path} { / r, /boot/ r, + /boot/grub/ r, /boot/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index e756c8440..f72fc17c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include + include + + dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int}, @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index f971b5f6a..1b0dc2cc2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include network netlink raw, + dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd, + @{exec_path} mr, @{bin}/env r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1bb2de231..39c68fda9 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -105,6 +105,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/ r, /etc/iproute2/* r, /etc/machine-id r, + /etc/netplan/90-NM-@{uuid}.yaml w, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 781a52f7a..57e6ec769 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg profile wg @{exec_path} { include + include capability net_admin, capability net_bind_service, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c7ea6b1bd..5c4a5579b 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} { include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 9b6203e92..ae64274c6 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int}, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f52a2fc6c..0ba3be209 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -79,7 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/.#hwdb.bin* rw, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 8d91581cb..110da187b 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -19,6 +19,7 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, + @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, @@ -27,6 +28,8 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, + owner @{HOME}/.Xdefaults r, + profile systemctl flags=(attach_disconnected) { include include @@ -36,6 +39,7 @@ profile startxfce @{exec_path} { profile dbus { include + include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index d8f04d49c..629fc2b4b 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} { include + include + include include include include @@ -17,6 +19,10 @@ profile thunar @{exec_path} { network netlink raw, + dbus (bind) bus=session name=org.xfce.Thunar, + dbus (bind) bus=session name=org.xfce.FileManager, + dbus (bind) bus=session name=org.freedesktop.FileManager1, + @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -30,6 +36,7 @@ profile thunar @{exec_path} { /etc/fstab r, /etc/timezone r, + /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, @@ -50,6 +57,8 @@ profile thunar @{exec_path} { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/mountinfo r, profile dbus { diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 350255834..fc73a14c9 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include + include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 99971abb8..db90af4c5 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -9,18 +9,33 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include + include + include + include + include + include + include include include include + dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1, + dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1, + dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1, + @{exec_path} mr, + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, + owner /tmp/tumbler-@{rand6}.png r, + owner /tmp/tumbler-@{rand6}.??? w, + owner @{PROC}/@{pid}/mountinfo r, /dev/ r, diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 248d60b7e..2c777a0a1 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,8 +9,12 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include + include include + dbus (bind) bus=session name=org.xfce.clipman.settings, + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index f5c80e07c..d8ef2a9e0 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,6 +10,8 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include + include include include include @@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, + dbus (bind) bus=session name=org.xfce.Notifyd, + dbus (bind) bus=session name=org.freedesktop.Notifications, + @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 7b192ffc5..d2a9cdbf6 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,12 +9,22 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include + include + include + include + include include include include include include + ptrace (read) peer=xfce-terminal, + + dbus (bind) bus=session name=org.xfce.Panel, + dbus (bind) bus=session name=org.kde.StatusNotifierWatcher, + @{exec_path} mr, @{bin}/exo-open rix, @@ -26,6 +36,7 @@ profile xfce-panel @{exec_path} { @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, @@ -33,15 +44,20 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/xfce4/{,**} r, + /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, + owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + profile root { include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 1c2a0263d..4f3199a9e 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -9,9 +9,16 @@ include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include + dbus (bind) bus=session name=org.xfce.PowerManager, + dbus (bind) bus=session name=org.freedesktop.PowerManagement, + @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e486ac6d9..911cc1b9f 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,11 +9,15 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include + include include include include include + dbus (bind) bus=session name=org.xfce.ScreenSaver, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 17007122e..6db8277d7 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include include @@ -16,6 +20,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, + dbus (bind) bus=session name=org.xfce.SessionManager, + @{exec_path} mr, @{sh_path} rix, @@ -33,6 +39,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, + @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -48,11 +55,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, + @{sys}/class/i2c-adapter/ r, + /dev/tty rw, profile systemctl flags=(attach_disconnected) { diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index d0d895c5a..46a17ca7f 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include + include + include include include include @@ -16,6 +19,10 @@ profile xfce-terminal @{exec_path} { include include + signal (send), + + dbus (bind) bus=session name=org.xfce.Terminal5, + @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -28,7 +35,10 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{bin}/vim{,.basic} rPUx, + /usr/share/ r, + /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -36,6 +46,7 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, + owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 0ab17ac5c..de82191a7 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -10,11 +10,14 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include + include include + dbus (bind) bus=session name=org.xfce.Xfconf, + @{exec_path} mr, - /etc/xdg/xfce4/xfconf/** r, + /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index d19e3de63..ed7d18ddc 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -9,15 +9,25 @@ include @{exec_path} = @{bin}/xfdesktop profile xfdesktop @{exec_path} { include + include + include + include + include include include include include + dbus (bind) bus=session name=org.xfce.xfdesktop, + @{exec_path} mr, @{bin}/xfce4-mime-helper rix, + /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, + /etc/xdg/menus/{,*.menu} r, + /usr/share/xfce4/helpers/{,*.desktop} r, + /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 3eec3377f..b2f783390 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,8 +10,14 @@ include profile xfsettingsd @{exec_path} { include include + include + include + include + include include + dbus (bind) bus=session name=org.xfce.SettingsDaemon, + @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index d7af2ccb9..7ecd2c8fe 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include + include include include include diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 08a553c1d..7a2b4530f 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -11,6 +11,7 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -61,6 +62,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, + deny @{lib}/python3/dist-packages/blueman/__pycache__/** w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism index aae5d53cd..bb6c6cdf7 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index be734ed50..4463ac581 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -29,6 +29,7 @@ profile filezilla @{exec_path} { network netlink raw, signal send set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -36,6 +37,7 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol + @{bin}/fzputtygen rPUx, @{bin}/lsb_release rPx -> lsb_release, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 03c8650dd..d46374984 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -16,7 +16,7 @@ profile iceauth @{exec_path} { owner @{tmp}/.xfsm-ICE-@{rand6} r, owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index c5c4aa276..04abb7e0c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -22,6 +22,7 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, + @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 03dfe9749..11773c911 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,6 +11,7 @@ include profile libreoffice @{exec_path} { include include + include include include include @@ -67,11 +68,14 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/java{,@{version}}-openjdk/{,**} r, + /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/papersize r, /etc/xdg/* r, + owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, + owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, @@ -90,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw, owner @{run}/user/@{uid}/#@{int} rw, @@ -99,6 +103,7 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6585f6382..00fdc5cf0 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -43,6 +43,7 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 190db34da..6000f6334 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -10,10 +10,12 @@ include @{exec_path} = @{bin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include + include include capability sys_admin, capability setpcap, + capability dac_read_search, network inet dgram, network inet stream, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index e3edb99c3..c7c9160d7 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -21,7 +21,12 @@ profile nemo @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open, + + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/nemo/** r, + /usr/share/thumbnailers/{,*.thumbnailer} r, # Full access to user's data / r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index f59880046..44b18cf42 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -22,6 +22,7 @@ profile remmina @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile remmina @{exec_path} { network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, network netlink raw, #aa:dbus own bus=session name=org.remmina.Remmina @@ -58,6 +61,9 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..dca0fbe63 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -247,6 +247,8 @@ profile run-parts @{exec_path} { @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, + @{sys}/module/compression r, + @{PROC}/devices r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 02a212150..8d717274d 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -27,6 +27,8 @@ profile su @{exec_path} { @{bin}/nologin rPx, @{etc_ro}/default/su r, + /etc/default/locale r, + /etc/environment r, @{HOME}/.xauth@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..99cdbc996 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include + include include include @@ -29,6 +30,8 @@ profile system-config-printer-applet @{exec_path} { /dev/tty rw, + deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w, + include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..1e0d75fd0 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -55,6 +55,7 @@ profile xarchiver @{exec_path} { /home/ r, #owner @{HOME}/ r, #owner @{HOME}/** rw, + owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, From c04ee92d26ff0846da2e6d7332cb0135eb3bb374 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 23:06:56 +0000 Subject: [PATCH 061/977] xfce, new profiles --- .../groups/display-manager/lightdm-session | 23 ++++++++++ .../groups/freedesktop/pkla-admin-identities | 20 +++++++++ .../profiles-g-l/gdk-pixbuf-thumbnailer | 15 +++++++ apparmor.d/profiles-s-z/ucf | 45 +++++++++++++++++++ 4 files changed, 103 insertions(+) create mode 100644 apparmor.d/groups/display-manager/lightdm-session create mode 100644 apparmor.d/groups/freedesktop/pkla-admin-identities create mode 100644 apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer create mode 100644 apparmor.d/profiles-s-z/ucf diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session new file mode 100644 index 000000000..fda263a8a --- /dev/null +++ b/apparmor.d/groups/display-manager/lightdm-session @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lightdm-session +profile lightdm-session @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/im-launch rPx, + + @{sh_path} rix, + @{bin}/mktemp rix, + @{bin}/expr rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities new file mode 100644 index 000000000..0fa176db5 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-admin-identities @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-admin-identities +profile pkla-admin-identities @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/polkit-1/localauthority.conf.d/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer new file mode 100644 index 000000000..99ffb6dad --- /dev/null +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer +profile gdk-pixbuf-thumbnailer @{exec_path} { + include + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf new file mode 100644 index 000000000..52d65e0c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucf @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucf +profile ucf @{bin}/ucf { + include + include + + @{exec_path} mr, + + @{bin}/dpkg-query rPx, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, + /usr/share/debconf/frontend rPx, + + @{sh_path} rix, + @{bin}/perl rix, + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/readlink rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/{,e,f}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/md5sum rix, + @{bin}/cp rix, + + /etc/ucf.conf r, + /etc/libreoffice/registry/** r, + + /var/lib/ucf/hashfile r, + + /usr/share/debconf/confmodule r, + + owner /tmp/tmp.@{rand10} r, + + include if exists +} + +# vim:syntax=apparmor From bb3bbb492b7fd83af869daa047b1b1a30d9f87c7 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 23:10:29 +0000 Subject: [PATCH 062/977] xfce, proper abi --- apparmor.d/groups/freedesktop/pkla-admin-identities | 2 +- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities index 0fa176db5..973de2be3 100644 --- a/apparmor.d/groups/freedesktop/pkla-admin-identities +++ b/apparmor.d/groups/freedesktop/pkla-admin-identities @@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 99ffb6dad..1fd7d9e12 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 52d65e0c5..5f810269a 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -1,7 +1,7 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include From e749145544a52b99d6dedf34610bfea583749778 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Wed, 22 Jan 2025 23:10:50 +0000 Subject: [PATCH 063/977] xfce, flags --- dists/flags/main.flags | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a1a1b6a7..27cb94d22 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -113,6 +113,7 @@ flatpak-validate-icon complain fstrim complain fuse-overlayfs complain fusermount complain +gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain @@ -217,6 +218,7 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain +lightdm-session complain locale-gen complain localectl complain login attach_disconnected,complain @@ -251,6 +253,7 @@ pam-tmpdir-helper complain passimd attach_disconnected,complain pidof complain pkttyagent complain +pkla-admin-identities complain plank complain plasma_waitforname complain plasma-browser-integration-host complain @@ -348,6 +351,7 @@ systemsettings complain telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain +ucf complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain From 39b38b9ee50c021eadf93dc3162d8d2d05e91752 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Thu, 23 Jan 2025 00:13:29 +0000 Subject: [PATCH 064/977] Adapt to RO root --- apparmor.d/groups/network/NetworkManager | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 39c68fda9..cb2e1c9c7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -105,11 +105,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/ r, /etc/iproute2/* r, /etc/machine-id r, - /etc/netplan/90-NM-@{uuid}.yaml w, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, From 8ce3c02000b10e37c64bb17aa99332cfb2486a71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:47:49 +0100 Subject: [PATCH 065/977] feat(abs): add modern dbus definition in upstream dbus abs. required for compqtibility with profile using upstream abstaction. --- .../abstractions/dbus-accessibility-strict.d/complete | 7 +++++++ apparmor.d/abstractions/dbus-session-strict.d/complete | 7 +++++++ apparmor.d/abstractions/dbus-strict.d/complete | 7 +++++++ 3 files changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/dbus-accessibility-strict.d/complete create mode 100644 apparmor.d/abstractions/dbus-session-strict.d/complete create mode 100644 apparmor.d/abstractions/dbus-strict.d/complete diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete new file mode 100644 index 000000000..f71f7d869 --- /dev/null +++ b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 000000000..8d82bd277 --- /dev/null +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete new file mode 100644 index 000000000..86936b953 --- /dev/null +++ b/apparmor.d/abstractions/dbus-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor From cd8ae6a39128eae759161dd7de45dead9879c2c9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:51:44 +0100 Subject: [PATCH 066/977] refraator(test): cloud init source out of packer directory. --- tests/{packer/init => cloud-init}/archlinux-cosmic.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-server.user-data.yml | 0 tests/{packer/init => cloud-init}/archlinux-xfce.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/debian-server.user-data.yml | 0 tests/{packer/init => cloud-init}/opensuse-gnome.user-data.yml | 0 tests/{packer/init => cloud-init}/opensuse-kde.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu22-desktop.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu24-desktop.user-data.yml | 0 tests/{packer/init => cloud-init}/ubuntu24-server.user-data.yml | 0 tests/packer/{init => }/clean.sh | 0 tests/packer/{init => }/init.sh | 0 15 files changed, 0 insertions(+), 0 deletions(-) rename tests/{packer/init => cloud-init}/archlinux-cosmic.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-server.user-data.yml (100%) rename tests/{packer/init => cloud-init}/archlinux-xfce.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/debian-server.user-data.yml (100%) rename tests/{packer/init => cloud-init}/opensuse-gnome.user-data.yml (100%) rename tests/{packer/init => cloud-init}/opensuse-kde.user-data.yml (100%) rename tests/{packer/init => cloud-init}/ubuntu22-desktop.user-data.yml (100%) rename tests/{packer/init => cloud-init}/ubuntu24-desktop.user-data.yml (100%) rename tests/{packer/init => cloud-init}/ubuntu24-server.user-data.yml (100%) rename tests/packer/{init => }/clean.sh (100%) rename tests/packer/{init => }/init.sh (100%) diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-cosmic.user-data.yml rename to tests/cloud-init/archlinux-cosmic.user-data.yml diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-gnome.user-data.yml rename to tests/cloud-init/archlinux-gnome.user-data.yml diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-kde.user-data.yml rename to tests/cloud-init/archlinux-kde.user-data.yml diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-server.user-data.yml rename to tests/cloud-init/archlinux-server.user-data.yml diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml similarity index 100% rename from tests/packer/init/archlinux-xfce.user-data.yml rename to tests/cloud-init/archlinux-xfce.user-data.yml diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml similarity index 100% rename from tests/packer/init/debian-gnome.user-data.yml rename to tests/cloud-init/debian-gnome.user-data.yml diff --git a/tests/packer/init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml similarity index 100% rename from tests/packer/init/debian-kde.user-data.yml rename to tests/cloud-init/debian-kde.user-data.yml diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/cloud-init/debian-server.user-data.yml similarity index 100% rename from tests/packer/init/debian-server.user-data.yml rename to tests/cloud-init/debian-server.user-data.yml diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml similarity index 100% rename from tests/packer/init/opensuse-gnome.user-data.yml rename to tests/cloud-init/opensuse-gnome.user-data.yml diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml similarity index 100% rename from tests/packer/init/opensuse-kde.user-data.yml rename to tests/cloud-init/opensuse-kde.user-data.yml diff --git a/tests/packer/init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu22-desktop.user-data.yml rename to tests/cloud-init/ubuntu22-desktop.user-data.yml diff --git a/tests/packer/init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu24-desktop.user-data.yml rename to tests/cloud-init/ubuntu24-desktop.user-data.yml diff --git a/tests/packer/init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu24-server.user-data.yml rename to tests/cloud-init/ubuntu24-server.user-data.yml diff --git a/tests/packer/init/clean.sh b/tests/packer/clean.sh similarity index 100% rename from tests/packer/init/clean.sh rename to tests/packer/clean.sh diff --git a/tests/packer/init/init.sh b/tests/packer/init.sh similarity index 100% rename from tests/packer/init/init.sh rename to tests/packer/init.sh From 5b9c1a8fea2213c83db14ba853775acf10ddadce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 21:59:02 +0100 Subject: [PATCH 067/977] test(packer): remove useless definition in cloud-init. --- tests/cloud-init/archlinux-cosmic.user-data.yml | 3 --- tests/cloud-init/archlinux-gnome.user-data.yml | 3 --- tests/cloud-init/archlinux-kde.user-data.yml | 3 --- tests/cloud-init/archlinux-server.user-data.yml | 3 --- tests/cloud-init/archlinux-xfce.user-data.yml | 3 --- tests/cloud-init/debian-gnome.user-data.yml | 3 --- tests/cloud-init/debian-kde.user-data.yml | 3 --- tests/cloud-init/debian-server.user-data.yml | 3 --- tests/cloud-init/opensuse-gnome.user-data.yml | 3 --- tests/cloud-init/opensuse-kde.user-data.yml | 3 --- tests/cloud-init/ubuntu22-desktop.user-data.yml | 3 --- tests/cloud-init/ubuntu24-desktop.user-data.yml | 3 --- tests/cloud-init/ubuntu24-server.user-data.yml | 3 --- 13 files changed, 39 deletions(-) diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index 442c32470..d95381b96 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c65dfc4dd..a2a3d78b8 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index 97e8ffa7b..eea5df046 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index 93fd254a5..4a7f17374 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 1cc18f556..07d87364b 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml index 0e2571883..5c95dc231 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml index a608e9b0b..c81ced653 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/debian-server.user-data.yml b/tests/cloud-init/debian-server.user-data.yml index 5f4fe526e..47e4d832d 100644 --- a/tests/cloud-init/debian-server.user-data.yml +++ b/tests/cloud-init/debian-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index b54bb458e..66966bd6d 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index b54bb458e..66966bd6d 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 30a82279a..4c6450a6a 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -3,9 +3,6 @@ # Based on https://github.com/canonical/autoinstall-desktop hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 3c3807e29..4fa229416 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -5,9 +5,6 @@ # https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 5e6d853ba..96318214c 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml @@ -1,9 +1,6 @@ #cloud-config hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie ssh_pwauth: true users: From 45f5689d6aa62d1fc3a12f3e49587023c6709b06 Mon Sep 17 00:00:00 2001 From: nobody43 Date: Fri, 24 Jan 2025 21:48:31 +0000 Subject: [PATCH 068/977] xfce, fixes --- apparmor.d/groups/display-manager/lightdm | 4 ++-- apparmor.d/groups/gvfs/gvfsd-computer | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/xfce/thunar | 6 +++--- apparmor.d/groups/xfce/tumblerd | 9 +++------ apparmor.d/groups/xfce/xfce-clipman-settings | 2 +- apparmor.d/groups/xfce/xfce-notifyd | 4 ++-- apparmor.d/groups/xfce/xfce-panel | 4 ++-- apparmor.d/groups/xfce/xfce-power-manager | 4 ++-- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/groups/xfce/xfce-session | 2 +- apparmor.d/groups/xfce/xfce-terminal | 4 ++-- apparmor.d/groups/xfce/xfconfd | 2 +- apparmor.d/groups/xfce/xfdesktop | 3 +-- apparmor.d/groups/xfce/xfsettingsd | 2 +- apparmor.d/profiles-a-f/blueman | 1 - apparmor.d/profiles-s-z/system-config-printer-applet | 2 -- apparmor.d/profiles-s-z/xarchiver | 1 - 18 files changed, 24 insertions(+), 32 deletions(-) diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index a70779fc4..67b789906 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -37,9 +37,9 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, - unix (bind) type=stream addr="@@{hex}/bus/lightdm/system", + unix (bind) type=stream addr="@@{udbus}/bus/lightdm/system", - dbus (bind) bus=system name=org.freedesktop.DisplayManager, + #aa:dbus own bus=system name=org.freedesktop.DisplayManager @{exec_path} mrix, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index f72fc17c7..0a520d138 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -12,7 +12,7 @@ profile gvfsd-computer @{exec_path} { include include - dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int}, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 1b0dc2cc2..b88d36b18 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,7 +13,7 @@ profile gvfsd-wsdd @{exec_path} { network netlink raw, - dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 629fc2b4b..77379c54f 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -19,9 +19,9 @@ profile thunar @{exec_path} { network netlink raw, - dbus (bind) bus=session name=org.xfce.Thunar, - dbus (bind) bus=session name=org.xfce.FileManager, - dbus (bind) bus=session name=org.freedesktop.FileManager1, + #aa:dbus own bus=session name=org.xfce.Thunar + #aa:dbus own bus=session name=org.xfce.FileManager + #aa:dbus own bus=session name=org.freedesktop.FileManager1 @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index db90af4c5..d47be7e98 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -12,16 +12,13 @@ profile tumblerd @{exec_path} { include include include - include - include - include include include include - dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1, - dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1, - dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1, + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 2c777a0a1..9e74d8046 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -13,7 +13,7 @@ profile xfce-clipman-settings @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.clipman.settings, + #aa:dbus own bus=session name=org.xfce.clipman.settings @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index d8ef2a9e0..c594b8ed3 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -24,8 +24,8 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, - dbus (bind) bus=session name=org.xfce.Notifyd, - dbus (bind) bus=session name=org.freedesktop.Notifications, + #aa:dbus own bus=session name=org.xfce.Notifyd + #aa:dbus own bus=session name=org.freedesktop.Notifications @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index d2a9cdbf6..b04ed2eb9 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -22,8 +22,8 @@ profile xfce-panel @{exec_path} { ptrace (read) peer=xfce-terminal, - dbus (bind) bus=session name=org.xfce.Panel, - dbus (bind) bus=session name=org.kde.StatusNotifierWatcher, + #aa:dbus own bus=session name=org.xfce.Panel + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 4f3199a9e..91be9eede 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -16,8 +16,8 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - dbus (bind) bus=session name=org.xfce.PowerManager, - dbus (bind) bus=session name=org.freedesktop.PowerManagement, + #aa:dbus own bus=session name=org.xfce.PowerManager + #aa:dbus own bus=session name=org.freedesktop.PowerManagement @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 911cc1b9f..2c0f13bc1 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -16,7 +16,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include include - dbus (bind) bus=session name=org.xfce.ScreenSaver, + #aa:dbus own bus=session name=org.xfce.ScreenSaver @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 6db8277d7..beddcce1f 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -20,7 +20,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, - dbus (bind) bus=session name=org.xfce.SessionManager, + #aa:dbus own bus=session name=org.xfce.SessionManager @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 46a17ca7f..5250814de 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -21,7 +21,7 @@ profile xfce-terminal @{exec_path} { signal (send), - dbus (bind) bus=session name=org.xfce.Terminal5, + #aa:dbus own bus=session name=org.xfce.Terminal5 @{exec_path} mr, @@ -35,7 +35,7 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, - @{bin}/vim{,.basic} rPUx, + @{editor_path} rPUx, /usr/share/ r, /usr/share/desktop-base/profiles/xdg-config/ r, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index de82191a7..9cd273544 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -13,7 +13,7 @@ profile xfconfd @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.Xfconf, + #aa:dbus own bus=session name=org.xfce.Xfconf @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ed7d18ddc..05705332d 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfdesktop profile xfdesktop @{exec_path} { include - include include include include @@ -18,7 +17,7 @@ profile xfdesktop @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.xfdesktop, + #aa:dbus own bus=session name=org.xfce.xfdesktop @{exec_path} mr, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index b2f783390..22db3f80d 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -16,7 +16,7 @@ profile xfsettingsd @{exec_path} { include include - dbus (bind) bus=session name=org.xfce.SettingsDaemon, + #aa:dbus own bus=session name=org.xfce.SettingsDaemon @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 7a2b4530f..469fb24a0 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -62,7 +62,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, /dev/tty rw, - deny @{lib}/python3/dist-packages/blueman/__pycache__/** w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 99cdbc996..6424ebcc4 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -30,8 +30,6 @@ profile system-config-printer-applet @{exec_path} { /dev/tty rw, - deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w, - include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 1e0d75fd0..003770008 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -55,7 +55,6 @@ profile xarchiver @{exec_path} { /home/ r, #owner @{HOME}/ r, #owner @{HOME}/** rw, - owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl, @{MOUNTS}/ r, @{MOUNTS}/** rw, /tmp/ r, From aae36aa4e02700e5108b1fbddfc9f9327d03dc7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 23:32:24 +0100 Subject: [PATCH 069/977] test(packer): make image builder simplier. --- tests/Makefile | 5 +- tests/cloud-init/debian-gnome.user-data.yml | 4 +- tests/cloud-init/debian-kde.user-data.yml | 2 +- tests/cloud-init/opensuse-gnome.user-data.yml | 8 +-- tests/cloud-init/opensuse-kde.user-data.yml | 8 +-- .../cloud-init/ubuntu22-desktop.user-data.yml | 11 ++-- .../cloud-init/ubuntu24-desktop.user-data.yml | 11 ++-- tests/packer/archlinux.pkr.hcl | 2 +- tests/packer/builds.pkr.hcl | 55 +++++++------------ tests/packer/clean.sh | 31 ++++------- tests/packer/debian.pkr.hcl | 4 +- tests/packer/init.sh | 11 ++-- tests/packer/opensuse.pkr.hcl | 2 +- tests/packer/ubuntu.pkr.hcl | 8 +-- tests/packer/variables.pkr.hcl | 6 -- 15 files changed, 65 insertions(+), 103 deletions(-) diff --git a/tests/Makefile b/tests/Makefile index 8bf5f6182..3453ecee8 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -12,14 +12,13 @@ flavor ?= disk ?= 10G -VERSION := 0.$(shell git rev-list --count HEAD) -BASE = archlinux debian ubuntu opensuse fedora +BASE = archlinux debian ubuntu22 ubuntu24 opensuse fedora .PHONY: ${BASE} lint $(BASE): @make --directory=../ package dist=${@} - @packer build -force -var version=${VERSION} \ + @packer build -force \ -var disk_size=${disk} -var flavor="${flavor}" \ -only=qemu.${@} packer/ diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian-gnome.user-data.yml index 5c95dc231..1c48eb2e9 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian-gnome.user-data.yml @@ -24,10 +24,10 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync - - vim + - spice-vdagent - task-gnome-desktop + - vim runcmd: - apt-get update -y diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian-kde.user-data.yml index c81ced653..e644414fa 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian-kde.user-data.yml @@ -24,8 +24,8 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync + - spice-vdagent - vim - task-kde-desktop diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 66966bd6d..5e5b197bc 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -20,19 +20,15 @@ packages: - bash-completion - distribution-release - git + - go - golang-packaging - htop - make - rpmbuild + - rsync - vim write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - # Setup shared directory - path: /etc/fstab append: true diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 66966bd6d..5e5b197bc 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -20,19 +20,15 @@ packages: - bash-completion - distribution-release - git + - go - golang-packaging - htop - make - rpmbuild + - rsync - vim write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - # Setup shared directory - path: /etc/fstab append: true diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 4c6450a6a..75dc6349d 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -18,18 +18,19 @@ package_update: true package_upgrade: true package_reboot_if_required: false packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - apparmor-profiles - build-essential - config-package-dev - debhelper - devscripts - golang-go + - linux-generic-hwe-22.04 + - qemu-guest-agent - rsync + - spice-vdagent + - terminator + - ubuntu-desktop + - vim snap: commands: diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 4fa229416..9f7225367 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -20,18 +20,19 @@ package_update: true package_upgrade: true package_reboot_if_required: false packages: - - ubuntu-desktop - - linux-generic-hwe-24.04 - - qemu-guest-agent - - spice-vdagent - - terminator - apparmor-profiles - build-essential - config-package-dev - debhelper - devscripts - golang-go + - linux-generic-hwe-24.04 + - qemu-guest-agent - rsync + - spice-vdagent + - terminator + - ubuntu-desktop + - vim snap: commands: diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index 41a2627d5..88a5a1cba 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl @@ -27,7 +27,7 @@ source "qemu" "archlinux" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 1c16a6b84..7071c3983 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -12,53 +12,38 @@ build { "source.qemu.ubuntu24", ] - # Upload local files + # Upload artifacts provisioner "file" { - destination = "/tmp" - sources = ["${path.cwd}/packer/src"] - } - - provisioner "file" { - only = ["qemu.archlinux"] - destination = "/tmp/src/" + destination = "/tmp/" sources = [ - "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + "${path.cwd}/packer/src/", + "${path.cwd}/packer/init.sh", + "${path.cwd}/packer/clean.sh", + "${path.cwd}/../.pkg/", ] } - provisioner "file" { - only = ["qemu.opensuse"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"] - } - - provisioner "file" { - only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"] - } - - # Wait for cloud-init to finish + # Full system provisioning provisioner "shell" { execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ + # Wait for cloud-init to finish "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run + + # Ensure cloud-init is successful + "cloud-init status", + + # Remove logs and artifacts so cloud-init can re-run + "cloud-init clean", + + # Install local files and config + "bash /tmp/init.sh", + + # Minimize the image + "bash /tmp/clean.sh", ] } - # Install local files and config - provisioner "shell" { - script = "${path.cwd}/packer/init/init.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - - # Minimize the image - provisioner "shell" { - script = "${path.cwd}/packer/init/clean.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - post-processor "vagrant" { output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" } diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index 2e1e7b551..8459421a1 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -u +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { @@ -46,23 +46,15 @@ _sshdgenkeys() { _EOF } -clean_debian() { - _msg "Apt clean configuration" - - _msg "Full system upgrade" - apt-get update -y - apt-get -qq -y --no-install-recommends upgrade - apt-get -qq -y --no-install-recommends dist-upgrade - - _msg "Clean the apt cache" +clean_apt() { + _msg "Cleaning the apt cache" apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean } -clean_arch() { - _msg "Pacman clean configuration" - +clean_pacman() { + _msg "Cleaning pacman cache" pacman -Syu --noconfirm pacman -Qdtq | while IFS='' read -r pkg; do pacman -Rsccn --noconfirm "$pkg" @@ -70,16 +62,15 @@ clean_arch() { pacman -Scc --noconfirm } -clean_opensuse() { - _msg "zypper clean configuration" - +clean_zypper() { + _msg "Cleaning zypper cache" zypper update -y zypper clean -y } # Make the image as impersonal as possible. impersonalize() { - _msg "Make the image as impersonal as possible." + _msg "Making the image as impersonal as possible." # Remove remaining pkg file, docs and caches dirs=( @@ -159,16 +150,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_debian + clean_apt _sshdgenkeys ;; opensuse*) - clean_opensuse + clean_zypper ;; arch) - clean_arch + clean_pacman ;; esac impersonalize diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index 7fd176b6e..d45ed3d37 100644 --- a/tests/packer/debian.pkr.hcl +++ b/tests/packer/debian.pkr.hcl @@ -6,7 +6,7 @@ source "qemu" "debian" { disk_image = true iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 @@ -28,7 +28,7 @@ source "qemu" "debian" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/init.sh b/tests/packer/init.sh index df300c0c4..be9529666 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -11,7 +11,7 @@ _lsb_release() { echo "$ID" } DISTRIBUTION="$(_lsb_release)" -readonly SRC=/tmp/src +readonly SRC=/tmp/ readonly DISTRIBUTION main() { @@ -28,23 +28,22 @@ main() { case "$DISTRIBUTION" in arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst - systemctl start apparmor.service ;; debian | ubuntu) - apt-get update -y - apt-get install -y apparmor-profiles build-essential config-package-dev \ - debhelper devscripts htop rsync vim dpkg -i $SRC/*.deb ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - zypper install -y bash-completion git go htop make rsync vim rpm -i $SRC/*.rpm ;; esac + + rm -rf /var/cache/apparmor/* + rm -rf /etc/apparmor/earlypolicy/ + systemctl reload apparmor.service } main "$@" diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl index 49ba09f70..29649d4bc 100644 --- a/tests/packer/opensuse.pkr.hcl +++ b/tests/packer/opensuse.pkr.hcl @@ -30,7 +30,7 @@ source "qemu" "opensuse" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl index 052b460da..f69818060 100644 --- a/tests/packer/ubuntu.pkr.hcl +++ b/tests/packer/ubuntu.pkr.hcl @@ -6,7 +6,7 @@ source "qemu" "ubuntu22" { disk_image = true iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 @@ -28,7 +28,7 @@ source "qemu" "ubuntu22" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" @@ -43,7 +43,7 @@ source "qemu" "ubuntu24" { disk_image = true iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" cpu_model = "host" cpus = 6 memory = 4096 @@ -65,7 +65,7 @@ source "qemu" "ubuntu24" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a37c89bf0..82251f25a 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -58,12 +58,6 @@ variable "prefix" { default = "aa-" } -variable "version" { - description = "apparmor.d version" - type = string - default = "0.001" -} - variable "flavor" { description = "Distribution flavor to use (server, desktop, gnome, kde...)" type = string From 4e73f7209fcdec7f7a87e8bb0fd6150a5a5dd470 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 24 Jan 2025 23:44:11 +0100 Subject: [PATCH 070/977] test(packer): add cpu & ram internal variable. --- tests/packer/archlinux.pkr.hcl | 4 ++-- tests/packer/debian.pkr.hcl | 4 ++-- tests/packer/opensuse.pkr.hcl | 4 ++-- tests/packer/ubuntu.pkr.hcl | 8 ++++---- tests/packer/variables.pkr.hcl | 12 ++++++++++++ 5 files changed, 22 insertions(+), 10 deletions(-) diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index 88a5a1cba..06f2ad3a7 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl @@ -8,8 +8,8 @@ source "qemu" "archlinux" { iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index d45ed3d37..12d4a513c 100644 --- a/tests/packer/debian.pkr.hcl +++ b/tests/packer/debian.pkr.hcl @@ -8,8 +8,8 @@ source "qemu" "debian" { iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl index 29649d4bc..46cf4af29 100644 --- a/tests/packer/opensuse.pkr.hcl +++ b/tests/packer/opensuse.pkr.hcl @@ -10,8 +10,8 @@ source "qemu" "opensuse" { iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = false diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl index f69818060..3689882ad 100644 --- a/tests/packer/ubuntu.pkr.hcl +++ b/tests/packer/ubuntu.pkr.hcl @@ -8,8 +8,8 @@ source "qemu" "ubuntu22" { iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true @@ -45,8 +45,8 @@ source "qemu" "ubuntu24" { iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" cpu_model = "host" - cpus = 6 - memory = 4096 + cpus = var.cpus + memory = var.ram disk_size = var.disk_size accelerator = "kvm" headless = true diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 82251f25a..0361698d6 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -22,6 +22,18 @@ variable "ssh_publickey" { default = "~/.ssh/id_ed25519.pub" } +variable "cpus" { + description = "Default CPU of the VM" + type = string + default = "6" +} + +variable "ram" { + description = "Default RAM of the VM" + type = string + default = "4096" +} + variable "disk_size" { description = "Disk size of the VM to build" type = string From 8806030a0a41835c2bf75437c1a7c519f19dc7fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Jan 2025 22:31:29 +0100 Subject: [PATCH 071/977] feat(profile): more use @{etc_ro} when we know it is needed. --- apparmor.d/groups/_full/systemd | 4 ++-- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/cron/crontab | 4 ++-- apparmor.d/groups/display-manager/lightdm | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 4 ++-- apparmor.d/groups/hyprland/hyprlock | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 9 +++++---- apparmor.d/groups/kde/sddm | 6 +++--- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-checkreports | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/profiles-a-f/agetty | 5 ++--- apparmor.d/profiles-a-f/chage | 2 +- apparmor.d/profiles-a-f/chpasswd | 3 ++- apparmor.d/profiles-a-f/firecfg | 3 ++- apparmor.d/profiles-g-l/gamemoded | 4 ++-- apparmor.d/profiles-g-l/gpasswd | 2 +- apparmor.d/profiles-g-l/groupadd | 2 +- apparmor.d/profiles-g-l/groupdel | 2 +- apparmor.d/profiles-g-l/groupmod | 2 +- apparmor.d/profiles-g-l/grpck | 2 +- apparmor.d/profiles-g-l/lastlog | 3 ++- apparmor.d/profiles-g-l/login | 6 +++--- apparmor.d/profiles-m-r/newgrp | 4 ++-- apparmor.d/profiles-m-r/pwck | 3 ++- apparmor.d/profiles-s-z/snapd | 2 +- apparmor.d/profiles-s-z/useradd | 2 +- apparmor.d/profiles-s-z/userdel | 2 +- apparmor.d/profiles-s-z/usermod | 2 +- apparmor.d/profiles-s-z/vipw-vigr | 2 +- 30 files changed, 49 insertions(+), 45 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9f611cf3d..d71647705 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /var/lib/*/ r, /var/tmp/ r, + @{etc_ro}/environment r, + @{etc_ro}/environment.d/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, /etc/credstore/{,**} r, - /etc/environment r, - /etc/environment.d/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/systemd/{,**} r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d0fdad4b7..ead68957a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /usr/share/distro-info/* r, + @{etc_ro}/security/capability.conf r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, /etc/update-manager/{,**} r, /etc/update-motd.d/* r, /etc/vmware-tools/* r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ccc948b01..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, - /etc/environment r, /etc/pam.d/* r, - /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf0..112daf091 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index d27ccb8bb..84f6b15c8 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} { /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index b17c0c66a..996d9f170 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} { @{exec_path} mr, - /etc/security/faillock.conf r, + @{etc_ro}/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 79e2b4c59..a13270c93 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/ r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8e491bb2b..56f0f5820 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 11aad0da3..7c683ae27 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/login.defs r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 665b3eaca..6e1bb05f2 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 94b185162..6ca662859 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 9e6db414e..4605822e7 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -24,15 +24,14 @@ profile agetty @{exec_path} { @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/{,*} r, /etc/os-release r, - /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index a89e204a8..43f34a703 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index fb8438cc1..869ba20ab 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -18,8 +18,9 @@ profile chpasswd @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, - /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a3aba8af1..02201e78e 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/apparmor_parser rPx, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 8f5067b77..eb2d3fc1e 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - /etc/security/limits.d/ r, - /etc/security/limits.d/@{int}-gamemode.conf r, + @{etc_ro}/security/limits.d/ r, + @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 8afdff8db..ab2d21860 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index 9450974a1..65e735605 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index 99b7fddaa..734b22463 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index 4b9b0446a..01841483e 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 5fad8960c..3b820febb 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index 392aba362..0cb62819f 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -17,8 +17,9 @@ profile lastlog @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /var/log/lastlog r, - /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 9b32614a9..a4d1b8cd2 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -43,15 +43,15 @@ profile login @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index ebd15d4b6..1452f34fc 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 0c9e1ac0a..6aef4d028 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 4e383b777..2788ed4a3 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -98,9 +98,9 @@ profile snapd @{exec_path} { /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index d27a34207..021ede783 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -30,7 +30,7 @@ profile useradd @{exec_path} { @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 05df64874..afaa52a03 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index c0f8f0e45..1e5c6e4eb 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 50ada1d64..396f1e4f8 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, From de690ab878200fe0727571aeb97ff06d08323a64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 25 Jan 2025 22:34:15 +0100 Subject: [PATCH 072/977] fix(ci): update path to shellcheck. --- .gitlab-ci.yml | 2 +- Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 960dd2884..a93767d20 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -24,7 +24,7 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh golangci-lint: stage: lint diff --git a/Makefile b/Makefile index 911bd4027..7de055c9f 100644 --- a/Makefile +++ b/Makefile @@ -104,7 +104,7 @@ lint: @make --directory=tests lint @shellcheck --shell=bash \ PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm .PHONY: check From df8ac22e0cb67aa6e612ac9dba55fb38008d08b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jan 2025 12:10:23 +0100 Subject: [PATCH 073/977] test(vagrant): update boxes name. --- tests/boxes.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/boxes.yml b/tests/boxes.yml index 532c5e18f..3e15fc304 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -26,17 +26,17 @@ boxes: box: aa-archlinux-server uefi: false - - name: ubuntu-desktop - box: aa-ubuntu-desktop + - name: ubuntu22-desktop + box: aa-ubuntu22-desktop - - name: ubuntu-desktop24 - box: aa-ubuntu-desktop24 + - name: ubuntu24-desktop + box: aa-ubuntu24-desktop - - name: ubuntu-server - box: aa-ubuntu-server + - name: ubuntu22-server + box: aa-ubuntu22-server - - name: ubuntu-server24 - box: aa-ubuntu-server24 + - name: ubuntu24-server + box: aa-ubuntu24-server24 - name: debian-server box: aa-debian-server From c427765909c2790e40346b67c8400c9bb342354d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jan 2025 17:04:11 +0100 Subject: [PATCH 074/977] feat(profile): initial support for gimp 3. see #656 --- apparmor.d/profiles-g-l/gimp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index a9be29bec..83457578f 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -13,6 +13,7 @@ profile gimp @{exec_path} { include include include + include include include @@ -23,7 +24,12 @@ profile gimp @{exec_path} { @{exec_path} mr, + @{bin}/env rix, + @{bin}/gjs-console rix, + @{bin}/lua rix, + @{lib}/gimp/@{version}/extensions/*/* rix, @{lib}/gimp/*/plug-ins/** rix, + @{python_path} rix, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, From aefa46359ee66ef22d5da6090fc4684059bcfd82 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 18:36:18 +0100 Subject: [PATCH 075/977] Update firecfg --- apparmor.d/profiles-a-f/firecfg | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index 02201e78e..a54d1c9ac 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -25,6 +25,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, + /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -33,10 +34,14 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, - @{user_share_dirs}/applications/*.desktop rw, - /dev/tty rw, + @{user_config_dirs}/firejail/{,*} r, + + /dev/tty rw, + /dev/tty@{int} rw, + owner /dev/pts/@{int} rw, + include if exists } From 01b173a1daef6d4c47adf6f369e28858020e4b06 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 18:28:42 +0100 Subject: [PATCH 076/977] Update needrestart-vmlinuz-get-version --- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index f7e9d76a1..0c3c669a0 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -14,12 +14,19 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/bzip2 rix, @{bin}/grep rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/lzop rix, @{bin}/mktemp rix, @{bin}/rm rix, + @{bin}/tail rix, @{bin}/tr rix, @{bin}/which{,.debianutils} rix, + @{bin}/xz rix, + /boot/intel-ucode.img r, /boot/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, From 54a16eb0559197a1b8d6c582c3e9dbd09d4a40b0 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 18:03:37 +0100 Subject: [PATCH 077/977] Update okular Typo. --- apparmor.d/groups/kde/okular | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index fe1c5d8da..7618a10d4 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -94,7 +94,7 @@ profile okular @{exec_path} { include @{bin}/gpg{,2} mr, - @{bin}/gpgcon mr, + @{bin}/gpgconf mr, @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, From 5a1a5418eccbf21b966aa1a9e6528e3d7c7a39e1 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 17:53:34 +0100 Subject: [PATCH 078/977] Update kscreenlocker_greet --- apparmor.d/groups/kde/kscreenlocker_greet | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index a13270c93..c006f354c 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -101,9 +101,11 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, From aec02b8f64221d7d22f318d9de4ce1d09ea3d796 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 17:49:11 +0100 Subject: [PATCH 079/977] Update systemd-tmpfiles profile systemd-tmpfiles { @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy0/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy1/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy2/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy3/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy4/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy5/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy6/scaling_governor w, @{sys}/devices/system/cpu/cpufreq/policy7/scaling_governor w, @{sys}/module/pcie_aspm/parameters/policy w, } --- apparmor.d/groups/systemd/systemd-tmpfiles | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index f591ef9f7..e37073f47 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -51,7 +51,10 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, + @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, From d802bf82f28ac3566c431f7ad7ebbf306ea1b33b Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 17:41:53 +0100 Subject: [PATCH 080/977] Update pacman profile pacman//systemctl { signal send set=(cont term) peer=systemd-tty-ask-password-agent, } --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6c0e782fa..16a8171ca 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -196,6 +196,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability sys_resource, signal send set=cont peer=child-pager, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, From 4a978ef9b6d6a846a3a34618b3f978b795399735 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 26 Jan 2025 21:07:44 +0100 Subject: [PATCH 081/977] systemd-journald: adding mediate_deleted (#657) * Update systemd-journald profile systemd-journald flags=(mediate_deleted) { link /var/log/journal/@{hex32}/#42742 , # Failed name lookup - deleted entry link /var/log/journal/@{hex32}/#42744 , # Failed name lookup - deleted entry link /var/log/journal/@{hex32}/.#system@@{hex32}-@{hex16}-@{hex16}.journal@{hex16} -> /var/log/journal/@{hex32}/#42744, link /var/log/journal/@{hex32}/.#user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal@{hex16} -> /var/log/journal/@{hex32}/#42742, } * Update main.flags Adding `systemd-journald attach_disconnected,mediate_deleted` --- apparmor.d/groups/systemd/systemd-journald | 2 +- dists/flags/main.flags | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index d63a4211d..b0a646f66 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} flags=(attach_disconnected) { +profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a1a1b6a7..70bbd4a36 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -333,6 +333,7 @@ systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator complain systemd-portabled complain From a68cd26d4103036a50ae64fc67a5512cee5cec4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jan 2025 21:10:26 +0100 Subject: [PATCH 082/977] fix(profile): yay: pacman can be used by yay without installing anything ie: without `sudo pacmcan -U ...` see #420 --- apparmor.d/groups/pacman/yay | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 52c2de345..42932cc2e 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -25,6 +25,7 @@ profile yay @{exec_path} { @{bin}/git Cx -> git, @{bin}/gpg{,2} Cx -> gpg, @{bin}/makepkg Px, + @{bin}/pacman Px, @{bin}/pacman-conf Px, @{bin}/sudo Cx -> sudo, From feee34ef7e9fe0baaab6c2680e8ac90c0cec991d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 26 Jan 2025 21:17:18 +0100 Subject: [PATCH 083/977] feat(profile): allow drkonqi to read logs. fix #655 --- apparmor.d/groups/kde/drkonqi | 17 +++++++++++++++++ .../groups/kde/drkonqi-coredump-processor | 1 + 2 files changed, 18 insertions(+) diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 961c18cfe..83fd07181 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -23,18 +23,35 @@ profile drkonqi @{exec_path} { @{exec_path} mr, + @{bin}/plasmashell r, @{bin}/lsb_release rPx -> lsb_release, /usr/share/drkonqi/{,**} r, + /etc/machine-id r, + + / r, + owner @{user_cache_dirs}/drkonqi/ rw, owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/drkonqirc r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/remote/ r, + /dev/tty r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index e07a6c1d4..9b1e6c379 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include + include include capability dac_override, From c29927ea2ffa0501d9ba6b6a3c90d323241db6ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Jan 2025 23:28:11 +0100 Subject: [PATCH 084/977] fix(profile): ensure all child-open* profiles share the same flags. fix #630 --- apparmor.d/groups/children/child-open | 2 +- apparmor.d/groups/children/child-open-browsers | 2 +- apparmor.d/groups/children/child-open-help | 2 +- apparmor.d/groups/children/child-open-strict | 2 +- dists/flags/main.flags | 1 - 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 6804326aa..84b1d1ea1 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -19,7 +19,7 @@ abi , include -profile child-open flags=(attach_disconnected) { +profile child-open flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 6873ea2fc..473276bff 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -15,7 +15,7 @@ abi , include -profile child-open-browsers flags=(attach_disconnected) { +profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index d70cd920a..1150d16d3 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -6,7 +6,7 @@ abi , include -profile child-open-help { +profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 98bbdcdb9..7faf52185 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -11,7 +11,7 @@ abi , include -profile child-open-strict { +profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 70bbd4a36..cf38d2756 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -45,7 +45,6 @@ calibre complain cc-remote-login-helper complain cctk complain child-modprobe-nvidia attach_disconnected,complain -child-open attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain From 5784ff83cf98c821375d6e9337077e889c3dddd8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 28 Jan 2025 23:30:25 +0100 Subject: [PATCH 085/977] feat(abs): minor improvement to some abstraction. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/abstractions/common/systemd | 1 + apparmor.d/abstractions/dconf.d/complete | 2 +- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/gtk.d/complete | 8 ++++---- apparmor.d/abstractions/kde-open5.d/complete | 2 +- 8 files changed, 11 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 211c2710d..d6b7ba8a7 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -21,6 +21,7 @@ @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index df138bf6c..f4a10076e 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -8,6 +8,7 @@ ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index ed8fa33e6..4f53689d5 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -10,7 +10,7 @@ dbus receive bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Notify - peer=(name=:*, label=dconf-service), + peer=(name=@{busname}, label=dconf-service), /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 743dfaf2d..78a98a3cf 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -22,7 +22,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 9862ca5e7..fadaedcbf 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -14,7 +14,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 90f705ac7..71e76f9da 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -7,7 +7,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index ac702a70f..700e5e305 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -5,7 +5,7 @@ dbus send bus=session interface=org.gtk.Actions member=DescribeAll - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.gtk.Actions member=DescribeAll @@ -14,7 +14,7 @@ dbus receive bus=session interface=org.gtk.Actions member=Changed - peer=(name=:*), + peer=(name=@{busname}), dbus receive bus=session interface=org.gtk.Actions member=Changed @@ -23,11 +23,11 @@ dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index 37038b129..adeb9a4bb 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor From da68c4f2d9bd65e4d6f7ebb099d4487b62285231 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 00:11:09 +0100 Subject: [PATCH 086/977] feat(profile): general update. --- apparmor.d/groups/apt/dpkg-preconfigure | 3 +++ apparmor.d/groups/bus/dbus-accessibility | 1 + apparmor.d/groups/bus/dbus-session | 3 ++- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/gnome/gnome-shell | 8 +++----- apparmor.d/groups/gnome/session-migration | 4 +++- apparmor.d/groups/gnome/yelp | 1 + apparmor.d/groups/grub/grub-check-signatures | 4 +++- apparmor.d/groups/grub/grub-install | 12 ++++++++++-- apparmor.d/groups/kde/dolphin | 4 ++++ apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/systemd/systemd-networkd | 7 ++++--- apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/profiles-a-f/boltd | 3 ++- apparmor.d/profiles-a-f/frontend | 5 ++++- apparmor.d/profiles-g-l/libreoffice | 5 +++-- apparmor.d/profiles-s-z/setpci | 1 + apparmor.d/profiles-s-z/snap | 10 ++++++++++ apparmor.d/profiles-s-z/snapd | 9 ++++----- apparmor.d/profiles-s-z/syncthing | 8 ++++---- 20 files changed, 65 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 34163333b..94b7603fa 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -41,8 +41,11 @@ profile dpkg-preconfigure @{exec_path} { /etc/debconf.conf r, /etc/default/grub r, /etc/inputrc r, + /etc/locale.gen r, /etc/shadow r, + /var/lib/locales/supported.d/{,*} r, + owner @{tmp}/*.template.* rw, owner @{tmp}/*.config.* rwPUx, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 35a507559..e699d416d 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -76,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 014f7afd4..f87e71c81 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj r, /dev/ptmx rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 5e3d3ee78..9b3db683f 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/{,polkit-1/}polkitd +@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd profile polkitd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 462733874..f8888f95b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,15 +83,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus # System bus @@ -163,10 +165,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/gnome/*/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=@{busname}), - @{exec_path} mr, @{bin}/unzip rix, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index d519dca6e..c2df97896 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,12 +9,14 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/*.sh rix, + /usr/share/session-migration/scripts/* rix, /usr/share/session-migration/{,**} r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f0dd3b46c..f172eac21 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -14,6 +14,7 @@ profile yelp @{exec_path} { network netlink raw, + #aa:dbus own bus=accessibility name=org.gnome.Yelp #aa:dbus own bus=session name=org.gnome.Yelp @{exec_path} mr, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 1a1110091..d33b33265 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -22,7 +22,9 @@ profile grub-check-signatures @{exec_path} { /usr/share/debconf/confmodule r, - owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.@{rand10}/ rw, + + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 83e30cbf6..e52e96b8a 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -25,20 +25,28 @@ profile grub-install @{exec_path} flags=(complain) { @{bin}/udevadm rPx, /usr/share/grub/{,**} r, + /usr/share/locale-langpack/{,**} r, /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/EFI/ubuntu/* w, - /boot/efi/EFI/BOOT/{,**} rw, + /boot/efi/ r, /boot/EFI/*/grubx*.efi rw, + /boot/efi/EFI/ r, + /boot/efi/EFI/BOOT/{,**} rw, + /boot/efi/EFI/ubuntu/* w, /boot/grub/{,**} rw, + @{sys}/devices/**/hid r, + @{sys}/devices/**/path r, + @{sys}/devices/**/uid r, + @{sys}/firmware/efi/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, + @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, @{PROC}/devices r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 8465da560..d01965bb0 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -40,6 +40,7 @@ profile dolphin @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, @@ -71,6 +72,7 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, @@ -89,6 +91,8 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{tmp}/dolphin.@{rand6} rwl, + @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d37b53ddd..c37ee870b 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -72,6 +72,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/platform/*/i2c-@{int}/name r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 7b271c9de..0ca507140 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -68,9 +68,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, + owner @{PROC}/@{pid}/fdinfo/@{int} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index f52a2fc6c..d71ccf1a1 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -95,6 +95,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/systemd/notify w, @{att}/@{run}/udev/control rw, @{run}/udev/ rw, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index b70b72088..8f55bb375 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -25,7 +25,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify w, + @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index ac8a6a5a8..3d7ee07f8 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -74,9 +74,12 @@ profile frontend @{exec_path} flags=(complain) { /etc/inputrc r, /etc/shadow r, - owner @{tmp}/file* w, owner /var/cache/debconf/* rwk, + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + @{HOME}/.Xauthority r, @{run}/user/@{uid}/pk-debconf-socket rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 03dfe9749..ac3ee0c26 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -49,11 +49,12 @@ profile libreoffice @{exec_path} { @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, + @{lib}/libreoffice/program/xpdfimport rix, @{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 72c9b8a93..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index cdb01d14a..90b2ceef3 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -14,6 +14,7 @@ profile snap @{exec_path} { include include include + include include include include @@ -24,6 +25,8 @@ profile snap @{exec_path} { network netlink raw, + ptrace read peer=snap.snap-store.snap-store, + unix (send, receive) type=stream peer=(label=apt), mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, @@ -32,6 +35,7 @@ profile snap @{exec_path} { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" dbus send bus=session path=/org/freedesktop/portal/documents @@ -39,6 +43,11 @@ profile snap @{exec_path} { member=GetMountPoint peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{bin}/mount rix, @@ -83,6 +92,7 @@ profile snap @{exec_path} { @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 2788ed4a3..dc80b17a4 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -47,8 +47,8 @@ profile snapd @{exec_path} { umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace (read) peer=snap, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, + ptrace read peer=snap{,.*}, unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, @@ -155,16 +155,15 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/{,*/} r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f668f5a00..d03ece9e4 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include + include include include @@ -28,15 +29,14 @@ profile syncthing @{exec_path} { /etc/mime.types r, - owner @{HOME}/ r, - owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, - owner @{user_config_dirs}/syncthing/{,**} rwk, - owner @{user_state_dirs}/syncthing/{,**} rwk, + @{HOME}/ r, + @{HOME}/** rwk, /home/ r, @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, + @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, From 77eb8c3c11a0b8983567aca7d48f370fb978a073 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:26:52 +0100 Subject: [PATCH 087/977] feat(profile): minor update. --- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-a-f/fractal | 4 +++- apparmor.d/profiles-m-r/mount-cifs | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 13f050c7d..2e2d36355 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -85,7 +85,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner /var/lib/docker/tmp/qemu-check@{int}/check rix, /tmp/build/ w, - /tmp/containerd-mount@{int10}/{,**} rw, + /tmp/containerd-mount@{int}/{,**} rw, owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 6dfb84452..9de5761c2 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -33,11 +33,13 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, - owner @{tmp}/@{rand6} rw, + + owner @{run}/user/@{uid}/fractal/{,**} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs index 190db34da..899ab0801 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -40,6 +40,7 @@ profile mount-cifs @{exec_path} flags=(complain) { @{bin}/systemd-ask-password rPUx, /etc/fstab r, + /etc/sync-credentials r, owner @{HOME}/.smbcredentials r, From 63cbf2829b43325a5d77a0f82ce11e2db3b44015 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:28:40 +0100 Subject: [PATCH 088/977] feat(tunable): add p_ variables definition for a few core profiles. --- apparmor.d/tunables/multiarch.d/profiles | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 2d1fccb32..8917c88d8 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,4 +16,13 @@ @{p_dbus_session}=dbus-session @{p_dbus_accessibility}=dbus-accessibility +@{p_at_spi2_registryd}=at-spi2-registryd +@{p_colord}=colord +@{p_gnome_shell}=gnome-shell +@{p_packagekitd}=packagekitd +@{p_snap}=snap +@{p_systemd_logind}=systemd-logind +@{p_xdg_desktop_portal}=xdg-desktop-portal + + # vim:syntax=apparmor From 86906d26014bb331f737bd47f68ad62c2116a784 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:32:06 +0100 Subject: [PATCH 089/977] feat(profile): add localsearch (renamed from tracker-extract localsearch is the new name of tracker-extract. The profile for tracker-extract is kept as they will differ in the future. --- apparmor.d/groups/gnome/localsearch | 69 +++++++++++++++++++ apparmor.d/groups/gnome/localsearch-control | 21 ++++++ apparmor.d/groups/gnome/localsearch-writeback | 21 ++++++ 3 files changed, 111 insertions(+) create mode 100644 apparmor.d/groups/gnome/localsearch create mode 100644 apparmor.d/groups/gnome/localsearch-control create mode 100644 apparmor.d/groups/gnome/localsearch-writeback diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch new file mode 100644 index 000000000..e6d2bba7c --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch @@ -0,0 +1,69 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 +profile localsearch @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + + @{exec_path} mr, + + @{lib}/localsearch-extractor-3 ix, # nnp + + /usr/share/localsearch3/{,**} r, + /usr/share/poppler/{,**} r, + + # Allow to search user files + owner @{HOME}/ r, + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, + owner @{tmp}/*/{,**} r, + + owner @{user_cache_dirs}/tracker3/ rw, + owner @{user_cache_dirs}/tracker3/files/ rw, + owner @{user_cache_dirs}/tracker3/files/** rwk, + + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + @{run}/mount/utab r, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{PROC}/sys/fs/fanotify/max_user_marks r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control new file mode 100644 index 000000000..354f85009 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch-control @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-control-3 +profile localsearch-control @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback new file mode 100644 index 000000000..7d50726c0 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch-writeback @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/localsearch-writeback-3 +profile localsearch-writeback @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From ba5079d95c2b457db9e1758829c0e7db4aafdfee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:33:37 +0100 Subject: [PATCH 090/977] build: update flag manifest. --- dists/flags/main.flags | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cf38d2756..87c070c56 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -40,11 +40,9 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -busctl complain calibre complain cc-remote-login-helper complain cctk complain -child-modprobe-nvidia attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -218,6 +216,9 @@ libvirtd attach_disconnected,complain lightdm attach_disconnected,complain locale-gen complain localectl complain +localsearch complain +localsearch-control complain +localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain @@ -373,6 +374,7 @@ xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain +xdg-desktop-portal-validate-icon attach_disconnected,complain xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain From ace9a12c95c16e36fb233ddad819e053764eb475 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:34:25 +0100 Subject: [PATCH 091/977] feat(profile): add profile for xdg-desktop-portal-validate-icon. --- .../xdg-desktop-portal-validate-icon | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon new file mode 100644 index 000000000..2c6c37538 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon +profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_override, + + @{exec_path} mrix, + + @{bin}/bwrap ix, + + owner @{tmp}/icon@{rand6} r, + + include if exists +} + +# vim:syntax=apparmor From 5ea339803a4cbf8d0d359a261b9a31fe84dc03cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 20:39:44 +0100 Subject: [PATCH 092/977] chore: fix typo & cosmetic. --- apparmor.d/abstractions/app/open | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index be4eda72d..2b865457c 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -11,15 +11,15 @@ # We cannot use `@{open_path} mrix,` here because it includes: # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` as a wildcard that cannot be merged and that will generate + # And `@{multiarch}` has a wildcard that cannot be merged and that will generate # "has merged rule with conflicting x modifiers" error when used with other # wilcard over PUx transition. - @{bin}/exo-open mrix, - @{bin}/xdg-open mrix, - @{bin}/gio mrix, - @{bin}/kde-open mrix, - @{bin}/gio-launch-desktop mrix, - @{lib}/gio-launch-desktop mrix, + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, @{bin}/env rix, @{sh_path} r, From e5aad04be45270297eb709743bf5a5cea47964e7 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 9 Feb 2025 21:07:43 +0100 Subject: [PATCH 093/977] Update dkms (#663) --- apparmor.d/profiles-a-f/dkms | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index ecf1d1c64..75487fbec 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -28,11 +28,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{bin}/as rix, @{bin}/bc rix, + @{bin}/clang-@{version} rix, @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, + @{bin}/ld.lld rix, + @{bin}/llvm-objcopy rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/make rix, @{bin}/objcopy rix, @@ -47,10 +50,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, + @{lib}/modules/*/build/arch/x86/** rix, + @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, + @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, + /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -94,9 +101,13 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/sh-thd.* rw, owner @{tmp}/tmp.* rw, + @{PROC}/cpuinfo r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, + /dev/pts/@{int} rw, + profile kmod { include include From 9304c9a668e656047aa4ca97ca506f92780b6dfe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 21:46:10 +0100 Subject: [PATCH 094/977] refractor: moce a lot of profiles inside they own groups. --- .../{profiles-a-f => groups/apparmor}/aa-enabled | 0 .../{profiles-a-f => groups/apparmor}/aa-enforce | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-log | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-notify | 0 apparmor.d/{profiles-a-f => groups/apparmor}/aa-status | 0 .../{profiles-a-f => groups/apparmor}/aa-teardown | 0 .../{profiles-a-f => groups/apparmor}/aa-unconfined | 0 .../{profiles-a-f => groups/apparmor}/apparmor.systemd | 0 .../{profiles-a-f => groups/apparmor}/apparmor_parser | 0 .../{profiles-a-f => groups/cups}/cups-backend-beh | 0 .../cups}/cups-backend-bluetooth | 0 .../{profiles-a-f => groups/cups}/cups-backend-brf | 0 .../{profiles-a-f => groups/cups}/cups-backend-dnssd | 0 .../{profiles-a-f => groups/cups}/cups-backend-hp | 0 .../cups}/cups-backend-implicitclass | 0 .../{profiles-a-f => groups/cups}/cups-backend-ipp | 0 .../{profiles-a-f => groups/cups}/cups-backend-lpd | 0 .../{profiles-a-f => groups/cups}/cups-backend-mdns | 0 .../cups}/cups-backend-parallel | 0 .../{profiles-a-f => groups/cups}/cups-backend-pdf | 0 .../{profiles-a-f => groups/cups}/cups-backend-serial | 0 .../{profiles-a-f => groups/cups}/cups-backend-snmp | 0 .../{profiles-a-f => groups/cups}/cups-backend-socket | 0 .../{profiles-a-f => groups/cups}/cups-backend-usb | 0 apparmor.d/{profiles-a-f => groups/cups}/cups-browsed | 0 .../{profiles-a-f => groups/cups}/cups-notifier-dbus | 0 .../{profiles-a-f => groups/cups}/cups-notifier-mailto | 0 .../{profiles-a-f => groups/cups}/cups-notifier-rss | 0 .../cups}/cups-pk-helper-mechanism | 0 apparmor.d/{profiles-a-f => groups/cups}/cupsd | 0 apparmor.d/{profiles-a-f => groups/flatpak}/flatpak | 0 .../{profiles-a-f => groups/flatpak}/flatpak-app | 0 .../flatpak}/flatpak-oci-authenticator | 0 .../{profiles-a-f => groups/flatpak}/flatpak-portal | 0 .../flatpak}/flatpak-session-helper | 0 .../flatpak}/flatpak-system-helper | 0 .../flatpak}/flatpak-validate-icon | 0 apparmor.d/{profiles-s-z => groups/snap}/snap | 0 .../{profiles-s-z => groups/snap}/snap-bootstrap | 0 .../{profiles-s-z => groups/snap}/snap-device-helper | 0 .../{profiles-s-z => groups/snap}/snap-discard-ns | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-failure | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-repair | 0 apparmor.d/{profiles-s-z => groups/snap}/snap-seccomp | 0 .../{profiles-s-z => groups/snap}/snap-update-ns | 0 apparmor.d/{profiles-s-z => groups/snap}/snapd | 0 .../snap}/snapd-aa-prompt-listener | 0 .../{profiles-s-z => groups/snap}/snapd-aa-prompt-ui | 0 .../{profiles-s-z => groups/snap}/snapd-apparmor | 0 .../{profiles-s-z => groups/snap}/snapd-core-fixup | 0 apparmor.d/{profiles-s-z => groups/steam}/steam | 0 .../{profiles-s-z => groups/steam}/steam-fossilize | 0 .../{profiles-s-z => groups/steam}/steam-game-native | 0 .../{profiles-s-z => groups/steam}/steam-game-proton | 0 .../{profiles-s-z => groups/steam}/steam-gameoverlayui | 0 apparmor.d/{profiles-s-z => groups/steam}/steam-launch | 0 .../{profiles-s-z => groups/steam}/steam-launcher | 0 .../{profiles-s-z => groups/steam}/steam-runtime | 0 .../steam}/steam-runtime-steam-remote | 0 .../{profiles-s-z => groups/steam}/steamerrorreporter | 0 dists/ignore/main.ignore | 10 +--------- 61 files changed, 1 insertion(+), 9 deletions(-) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-enabled (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-enforce (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-log (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-notify (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-status (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-teardown (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/aa-unconfined (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/apparmor.systemd (100%) rename apparmor.d/{profiles-a-f => groups/apparmor}/apparmor_parser (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-beh (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-bluetooth (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-brf (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-dnssd (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-hp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-implicitclass (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-ipp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-lpd (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-mdns (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-parallel (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-pdf (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-serial (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-snmp (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-socket (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-backend-usb (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-browsed (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-dbus (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-mailto (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-notifier-rss (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cups-pk-helper-mechanism (100%) rename apparmor.d/{profiles-a-f => groups/cups}/cupsd (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-app (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-oci-authenticator (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-portal (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-session-helper (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-system-helper (100%) rename apparmor.d/{profiles-a-f => groups/flatpak}/flatpak-validate-icon (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-bootstrap (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-device-helper (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-discard-ns (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-failure (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-repair (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-seccomp (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snap-update-ns (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-aa-prompt-listener (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-aa-prompt-ui (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-apparmor (100%) rename apparmor.d/{profiles-s-z => groups/snap}/snapd-core-fixup (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-fossilize (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-game-native (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-game-proton (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-gameoverlayui (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-launch (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-launcher (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-runtime (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steam-runtime-steam-remote (100%) rename apparmor.d/{profiles-s-z => groups/steam}/steamerrorreporter (100%) diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/groups/apparmor/aa-enabled similarity index 100% rename from apparmor.d/profiles-a-f/aa-enabled rename to apparmor.d/groups/apparmor/aa-enabled diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce similarity index 100% rename from apparmor.d/profiles-a-f/aa-enforce rename to apparmor.d/groups/apparmor/aa-enforce diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/groups/apparmor/aa-log similarity index 100% rename from apparmor.d/profiles-a-f/aa-log rename to apparmor.d/groups/apparmor/aa-log diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/groups/apparmor/aa-notify similarity index 100% rename from apparmor.d/profiles-a-f/aa-notify rename to apparmor.d/groups/apparmor/aa-notify diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/groups/apparmor/aa-status similarity index 100% rename from apparmor.d/profiles-a-f/aa-status rename to apparmor.d/groups/apparmor/aa-status diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown similarity index 100% rename from apparmor.d/profiles-a-f/aa-teardown rename to apparmor.d/groups/apparmor/aa-teardown diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined similarity index 100% rename from apparmor.d/profiles-a-f/aa-unconfined rename to apparmor.d/groups/apparmor/aa-unconfined diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd similarity index 100% rename from apparmor.d/profiles-a-f/apparmor.systemd rename to apparmor.d/groups/apparmor/apparmor.systemd diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser similarity index 100% rename from apparmor.d/profiles-a-f/apparmor_parser rename to apparmor.d/groups/apparmor/apparmor_parser diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-beh rename to apparmor.d/groups/cups/cups-backend-beh diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-bluetooth rename to apparmor.d/groups/cups/cups-backend-bluetooth diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-brf rename to apparmor.d/groups/cups/cups-backend-brf diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-dnssd rename to apparmor.d/groups/cups/cups-backend-dnssd diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-hp rename to apparmor.d/groups/cups/cups-backend-hp diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-implicitclass rename to apparmor.d/groups/cups/cups-backend-implicitclass diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-ipp rename to apparmor.d/groups/cups/cups-backend-ipp diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-lpd rename to apparmor.d/groups/cups/cups-backend-lpd diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-mdns rename to apparmor.d/groups/cups/cups-backend-mdns diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-parallel rename to apparmor.d/groups/cups/cups-backend-parallel diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-pdf rename to apparmor.d/groups/cups/cups-backend-pdf diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-serial rename to apparmor.d/groups/cups/cups-backend-serial diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-snmp rename to apparmor.d/groups/cups/cups-backend-snmp diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-socket rename to apparmor.d/groups/cups/cups-backend-socket diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb similarity index 100% rename from apparmor.d/profiles-a-f/cups-backend-usb rename to apparmor.d/groups/cups/cups-backend-usb diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/groups/cups/cups-browsed similarity index 100% rename from apparmor.d/profiles-a-f/cups-browsed rename to apparmor.d/groups/cups/cups-browsed diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-dbus rename to apparmor.d/groups/cups/cups-notifier-dbus diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/groups/cups/cups-notifier-mailto similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-mailto rename to apparmor.d/groups/cups/cups-notifier-mailto diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/groups/cups/cups-notifier-rss similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-rss rename to apparmor.d/groups/cups/cups-notifier-rss diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism similarity index 100% rename from apparmor.d/profiles-a-f/cups-pk-helper-mechanism rename to apparmor.d/groups/cups/cups-pk-helper-mechanism diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/groups/cups/cupsd similarity index 100% rename from apparmor.d/profiles-a-f/cupsd rename to apparmor.d/groups/cups/cupsd diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/groups/flatpak/flatpak similarity index 100% rename from apparmor.d/profiles-a-f/flatpak rename to apparmor.d/groups/flatpak/flatpak diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-app rename to apparmor.d/groups/flatpak/flatpak-app diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/groups/flatpak/flatpak-oci-authenticator similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-oci-authenticator rename to apparmor.d/groups/flatpak/flatpak-oci-authenticator diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-portal rename to apparmor.d/groups/flatpak/flatpak-portal diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-session-helper rename to apparmor.d/groups/flatpak/flatpak-session-helper diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-system-helper rename to apparmor.d/groups/flatpak/flatpak-system-helper diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/groups/flatpak/flatpak-validate-icon similarity index 100% rename from apparmor.d/profiles-a-f/flatpak-validate-icon rename to apparmor.d/groups/flatpak/flatpak-validate-icon diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/groups/snap/snap similarity index 100% rename from apparmor.d/profiles-s-z/snap rename to apparmor.d/groups/snap/snap diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/groups/snap/snap-bootstrap similarity index 100% rename from apparmor.d/profiles-s-z/snap-bootstrap rename to apparmor.d/groups/snap/snap-bootstrap diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/groups/snap/snap-device-helper similarity index 100% rename from apparmor.d/profiles-s-z/snap-device-helper rename to apparmor.d/groups/snap/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns similarity index 100% rename from apparmor.d/profiles-s-z/snap-discard-ns rename to apparmor.d/groups/snap/snap-discard-ns diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/groups/snap/snap-failure similarity index 100% rename from apparmor.d/profiles-s-z/snap-failure rename to apparmor.d/groups/snap/snap-failure diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/groups/snap/snap-repair similarity index 100% rename from apparmor.d/profiles-s-z/snap-repair rename to apparmor.d/groups/snap/snap-repair diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp similarity index 100% rename from apparmor.d/profiles-s-z/snap-seccomp rename to apparmor.d/groups/snap/snap-seccomp diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns similarity index 100% rename from apparmor.d/profiles-s-z/snap-update-ns rename to apparmor.d/groups/snap/snap-update-ns diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/groups/snap/snapd similarity index 100% rename from apparmor.d/profiles-s-z/snapd rename to apparmor.d/groups/snap/snapd diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener similarity index 100% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-listener rename to apparmor.d/groups/snap/snapd-aa-prompt-listener diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui similarity index 100% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-ui rename to apparmor.d/groups/snap/snapd-aa-prompt-ui diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor similarity index 100% rename from apparmor.d/profiles-s-z/snapd-apparmor rename to apparmor.d/groups/snap/snapd-apparmor diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/groups/snap/snapd-core-fixup similarity index 100% rename from apparmor.d/profiles-s-z/snapd-core-fixup rename to apparmor.d/groups/snap/snapd-core-fixup diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/groups/steam/steam similarity index 100% rename from apparmor.d/profiles-s-z/steam rename to apparmor.d/groups/steam/steam diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize similarity index 100% rename from apparmor.d/profiles-s-z/steam-fossilize rename to apparmor.d/groups/steam/steam-fossilize diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/groups/steam/steam-game-native similarity index 100% rename from apparmor.d/profiles-s-z/steam-game-native rename to apparmor.d/groups/steam/steam-game-native diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton similarity index 100% rename from apparmor.d/profiles-s-z/steam-game-proton rename to apparmor.d/groups/steam/steam-game-proton diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui similarity index 100% rename from apparmor.d/profiles-s-z/steam-gameoverlayui rename to apparmor.d/groups/steam/steam-gameoverlayui diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/groups/steam/steam-launch similarity index 100% rename from apparmor.d/profiles-s-z/steam-launch rename to apparmor.d/groups/steam/steam-launch diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/groups/steam/steam-launcher similarity index 100% rename from apparmor.d/profiles-s-z/steam-launcher rename to apparmor.d/groups/steam/steam-launcher diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/groups/steam/steam-runtime similarity index 100% rename from apparmor.d/profiles-s-z/steam-runtime rename to apparmor.d/groups/steam/steam-runtime diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote similarity index 100% rename from apparmor.d/profiles-s-z/steam-runtime-steam-remote rename to apparmor.d/groups/steam/steam-runtime-steam-remote diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter similarity index 100% rename from apparmor.d/profiles-s-z/steamerrorreporter rename to apparmor.d/groups/steam/steamerrorreporter diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 917b117f1..3cccf4c05 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -9,14 +9,6 @@ apparmor.d/groups/_full man # Work in progress profiles +apparmor.d/groups/steam dunst plasma-discover -steam -steam-fossilize -steam-game-native -steam-game-proton -steam-gameoverlayui -steam-launch -steam-launcher -steam-runtime -steamerrorreporter From fadc08b1ea0a7a887abef8f49d24c1e023336aed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Feb 2025 22:16:33 +0100 Subject: [PATCH 095/977] fix(test): update reference path for aa-status. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 0cc74d438..9d68596d3 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -237,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), + want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), }, } for _, tt := range tests { From 9d74168be2700f18b031ebd580553c6001caabf6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 10 Feb 2025 00:20:15 +0100 Subject: [PATCH 096/977] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/cron}/anacron | 0 apparmor.d/{profiles-g-l => groups/procps}/htop | 0 apparmor.d/{profiles-m-r => groups/procps}/ps | 0 apparmor.d/{profiles-s-z => groups/procps}/sysctl | 0 apparmor.d/{profiles-s-z => groups/procps}/top | 0 apparmor.d/{profiles-s-z => groups/procps}/uptime | 0 apparmor.d/{profiles-s-z => groups/procps}/w | 0 apparmor.d/{profiles-a-f => groups/shadow}/chage | 0 apparmor.d/{profiles-a-f => groups/shadow}/chpasswd | 0 apparmor.d/{profiles-g-l => groups/shadow}/gpasswd | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupadd | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupdel | 0 apparmor.d/{profiles-g-l => groups/shadow}/groupmod | 0 apparmor.d/{profiles-g-l => groups/shadow}/grpck | 0 apparmor.d/{profiles-g-l => groups/shadow}/lastlog | 0 apparmor.d/{profiles-m-r => groups/shadow}/newgidmap | 0 apparmor.d/{profiles-m-r => groups/shadow}/newuidmap | 0 apparmor.d/{profiles-m-r => groups/shadow}/passwd | 0 apparmor.d/{profiles-m-r => groups/shadow}/pwck | 0 apparmor.d/{profiles-s-z => groups/shadow}/useradd | 0 apparmor.d/{profiles-s-z => groups/shadow}/userdel | 0 apparmor.d/{profiles-s-z => groups/shadow}/usermod | 0 apparmor.d/{profiles-a-f => groups/utils}/agetty | 0 apparmor.d/{profiles-a-f => groups/utils}/blkid | 0 apparmor.d/{profiles-a-f => groups/utils}/blockdev | 0 apparmor.d/{profiles-a-f => groups/utils}/chfn | 0 apparmor.d/{profiles-a-f => groups/utils}/chsh | 0 apparmor.d/{profiles-a-f => groups/utils}/df | 0 apparmor.d/{profiles-a-f => groups/utils}/eject | 0 apparmor.d/{profiles-a-f => groups/utils}/findmnt | 0 apparmor.d/{profiles-a-f => groups/utils}/fsck | 0 apparmor.d/{profiles-a-f => groups/utils}/fstrim | 0 apparmor.d/{profiles-g-l => groups/utils}/locale-gen | 0 apparmor.d/{profiles-g-l => groups/utils}/login | 0 apparmor.d/{profiles-g-l => groups/utils}/losetup | 0 apparmor.d/{profiles-g-l => groups/utils}/lsblk | 0 apparmor.d/{profiles-g-l => groups/utils}/lscpu | 0 apparmor.d/{profiles-g-l => groups/utils}/lspci | 0 apparmor.d/{profiles-m-r => groups/utils}/newgrp | 0 apparmor.d/{profiles-m-r => groups/utils}/nologin | 0 apparmor.d/{profiles-m-r => groups/utils}/pstree | 0 apparmor.d/{profiles-s-z => groups/utils}/su | 0 apparmor.d/{profiles-s-z => groups/utils}/sulogin | 0 apparmor.d/{profiles-s-z => groups/utils}/swapon | 0 apparmor.d/{profiles-s-z => groups/utils}/sync | 0 apparmor.d/{profiles-s-z => groups/utils}/uname | 0 apparmor.d/{profiles-s-z => groups/utils}/users | 0 apparmor.d/{profiles-s-z => groups/utils}/uuidd | 0 apparmor.d/{profiles-s-z => groups/utils}/uuidgen | 0 apparmor.d/{profiles-s-z => groups/utils}/who | 0 apparmor.d/groups/{systemd => utils}/zramctl | 0 51 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => groups/cron}/anacron (100%) rename apparmor.d/{profiles-g-l => groups/procps}/htop (100%) rename apparmor.d/{profiles-m-r => groups/procps}/ps (100%) rename apparmor.d/{profiles-s-z => groups/procps}/sysctl (100%) rename apparmor.d/{profiles-s-z => groups/procps}/top (100%) rename apparmor.d/{profiles-s-z => groups/procps}/uptime (100%) rename apparmor.d/{profiles-s-z => groups/procps}/w (100%) rename apparmor.d/{profiles-a-f => groups/shadow}/chage (100%) rename apparmor.d/{profiles-a-f => groups/shadow}/chpasswd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/gpasswd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupadd (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupdel (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/groupmod (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/grpck (100%) rename apparmor.d/{profiles-g-l => groups/shadow}/lastlog (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/newgidmap (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/newuidmap (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/passwd (100%) rename apparmor.d/{profiles-m-r => groups/shadow}/pwck (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/useradd (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/userdel (100%) rename apparmor.d/{profiles-s-z => groups/shadow}/usermod (100%) rename apparmor.d/{profiles-a-f => groups/utils}/agetty (100%) rename apparmor.d/{profiles-a-f => groups/utils}/blkid (100%) rename apparmor.d/{profiles-a-f => groups/utils}/blockdev (100%) rename apparmor.d/{profiles-a-f => groups/utils}/chfn (100%) rename apparmor.d/{profiles-a-f => groups/utils}/chsh (100%) rename apparmor.d/{profiles-a-f => groups/utils}/df (100%) rename apparmor.d/{profiles-a-f => groups/utils}/eject (100%) rename apparmor.d/{profiles-a-f => groups/utils}/findmnt (100%) rename apparmor.d/{profiles-a-f => groups/utils}/fsck (100%) rename apparmor.d/{profiles-a-f => groups/utils}/fstrim (100%) rename apparmor.d/{profiles-g-l => groups/utils}/locale-gen (100%) rename apparmor.d/{profiles-g-l => groups/utils}/login (100%) rename apparmor.d/{profiles-g-l => groups/utils}/losetup (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lsblk (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lscpu (100%) rename apparmor.d/{profiles-g-l => groups/utils}/lspci (100%) rename apparmor.d/{profiles-m-r => groups/utils}/newgrp (100%) rename apparmor.d/{profiles-m-r => groups/utils}/nologin (100%) rename apparmor.d/{profiles-m-r => groups/utils}/pstree (100%) rename apparmor.d/{profiles-s-z => groups/utils}/su (100%) rename apparmor.d/{profiles-s-z => groups/utils}/sulogin (100%) rename apparmor.d/{profiles-s-z => groups/utils}/swapon (100%) rename apparmor.d/{profiles-s-z => groups/utils}/sync (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uname (100%) rename apparmor.d/{profiles-s-z => groups/utils}/users (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uuidd (100%) rename apparmor.d/{profiles-s-z => groups/utils}/uuidgen (100%) rename apparmor.d/{profiles-s-z => groups/utils}/who (100%) rename apparmor.d/groups/{systemd => utils}/zramctl (100%) diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/groups/cron/anacron similarity index 100% rename from apparmor.d/profiles-a-f/anacron rename to apparmor.d/groups/cron/anacron diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/groups/procps/htop similarity index 100% rename from apparmor.d/profiles-g-l/htop rename to apparmor.d/groups/procps/htop diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/groups/procps/ps similarity index 100% rename from apparmor.d/profiles-m-r/ps rename to apparmor.d/groups/procps/ps diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/groups/procps/sysctl similarity index 100% rename from apparmor.d/profiles-s-z/sysctl rename to apparmor.d/groups/procps/sysctl diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/groups/procps/top similarity index 100% rename from apparmor.d/profiles-s-z/top rename to apparmor.d/groups/procps/top diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/groups/procps/uptime similarity index 100% rename from apparmor.d/profiles-s-z/uptime rename to apparmor.d/groups/procps/uptime diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/groups/procps/w similarity index 100% rename from apparmor.d/profiles-s-z/w rename to apparmor.d/groups/procps/w diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/groups/shadow/chage similarity index 100% rename from apparmor.d/profiles-a-f/chage rename to apparmor.d/groups/shadow/chage diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/groups/shadow/chpasswd similarity index 100% rename from apparmor.d/profiles-a-f/chpasswd rename to apparmor.d/groups/shadow/chpasswd diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/groups/shadow/gpasswd similarity index 100% rename from apparmor.d/profiles-g-l/gpasswd rename to apparmor.d/groups/shadow/gpasswd diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/groups/shadow/groupadd similarity index 100% rename from apparmor.d/profiles-g-l/groupadd rename to apparmor.d/groups/shadow/groupadd diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/groups/shadow/groupdel similarity index 100% rename from apparmor.d/profiles-g-l/groupdel rename to apparmor.d/groups/shadow/groupdel diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/groups/shadow/groupmod similarity index 100% rename from apparmor.d/profiles-g-l/groupmod rename to apparmor.d/groups/shadow/groupmod diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/groups/shadow/grpck similarity index 100% rename from apparmor.d/profiles-g-l/grpck rename to apparmor.d/groups/shadow/grpck diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/groups/shadow/lastlog similarity index 100% rename from apparmor.d/profiles-g-l/lastlog rename to apparmor.d/groups/shadow/lastlog diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/groups/shadow/newgidmap similarity index 100% rename from apparmor.d/profiles-m-r/newgidmap rename to apparmor.d/groups/shadow/newgidmap diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/groups/shadow/newuidmap similarity index 100% rename from apparmor.d/profiles-m-r/newuidmap rename to apparmor.d/groups/shadow/newuidmap diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/groups/shadow/passwd similarity index 100% rename from apparmor.d/profiles-m-r/passwd rename to apparmor.d/groups/shadow/passwd diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/groups/shadow/pwck similarity index 100% rename from apparmor.d/profiles-m-r/pwck rename to apparmor.d/groups/shadow/pwck diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/groups/shadow/useradd similarity index 100% rename from apparmor.d/profiles-s-z/useradd rename to apparmor.d/groups/shadow/useradd diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/groups/shadow/userdel similarity index 100% rename from apparmor.d/profiles-s-z/userdel rename to apparmor.d/groups/shadow/userdel diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/groups/shadow/usermod similarity index 100% rename from apparmor.d/profiles-s-z/usermod rename to apparmor.d/groups/shadow/usermod diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/groups/utils/agetty similarity index 100% rename from apparmor.d/profiles-a-f/agetty rename to apparmor.d/groups/utils/agetty diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/groups/utils/blkid similarity index 100% rename from apparmor.d/profiles-a-f/blkid rename to apparmor.d/groups/utils/blkid diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/groups/utils/blockdev similarity index 100% rename from apparmor.d/profiles-a-f/blockdev rename to apparmor.d/groups/utils/blockdev diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/groups/utils/chfn similarity index 100% rename from apparmor.d/profiles-a-f/chfn rename to apparmor.d/groups/utils/chfn diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/groups/utils/chsh similarity index 100% rename from apparmor.d/profiles-a-f/chsh rename to apparmor.d/groups/utils/chsh diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/groups/utils/df similarity index 100% rename from apparmor.d/profiles-a-f/df rename to apparmor.d/groups/utils/df diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/groups/utils/eject similarity index 100% rename from apparmor.d/profiles-a-f/eject rename to apparmor.d/groups/utils/eject diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/groups/utils/findmnt similarity index 100% rename from apparmor.d/profiles-a-f/findmnt rename to apparmor.d/groups/utils/findmnt diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/groups/utils/fsck similarity index 100% rename from apparmor.d/profiles-a-f/fsck rename to apparmor.d/groups/utils/fsck diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/groups/utils/fstrim similarity index 100% rename from apparmor.d/profiles-a-f/fstrim rename to apparmor.d/groups/utils/fstrim diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/groups/utils/locale-gen similarity index 100% rename from apparmor.d/profiles-g-l/locale-gen rename to apparmor.d/groups/utils/locale-gen diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/groups/utils/login similarity index 100% rename from apparmor.d/profiles-g-l/login rename to apparmor.d/groups/utils/login diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/groups/utils/losetup similarity index 100% rename from apparmor.d/profiles-g-l/losetup rename to apparmor.d/groups/utils/losetup diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/groups/utils/lsblk similarity index 100% rename from apparmor.d/profiles-g-l/lsblk rename to apparmor.d/groups/utils/lsblk diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/groups/utils/lscpu similarity index 100% rename from apparmor.d/profiles-g-l/lscpu rename to apparmor.d/groups/utils/lscpu diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/groups/utils/lspci similarity index 100% rename from apparmor.d/profiles-g-l/lspci rename to apparmor.d/groups/utils/lspci diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/groups/utils/newgrp similarity index 100% rename from apparmor.d/profiles-m-r/newgrp rename to apparmor.d/groups/utils/newgrp diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/groups/utils/nologin similarity index 100% rename from apparmor.d/profiles-m-r/nologin rename to apparmor.d/groups/utils/nologin diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/groups/utils/pstree similarity index 100% rename from apparmor.d/profiles-m-r/pstree rename to apparmor.d/groups/utils/pstree diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/groups/utils/su similarity index 100% rename from apparmor.d/profiles-s-z/su rename to apparmor.d/groups/utils/su diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/groups/utils/sulogin similarity index 100% rename from apparmor.d/profiles-s-z/sulogin rename to apparmor.d/groups/utils/sulogin diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/groups/utils/swapon similarity index 100% rename from apparmor.d/profiles-s-z/swapon rename to apparmor.d/groups/utils/swapon diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/groups/utils/sync similarity index 100% rename from apparmor.d/profiles-s-z/sync rename to apparmor.d/groups/utils/sync diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/groups/utils/uname similarity index 100% rename from apparmor.d/profiles-s-z/uname rename to apparmor.d/groups/utils/uname diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/groups/utils/users similarity index 100% rename from apparmor.d/profiles-s-z/users rename to apparmor.d/groups/utils/users diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/groups/utils/uuidd similarity index 100% rename from apparmor.d/profiles-s-z/uuidd rename to apparmor.d/groups/utils/uuidd diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/groups/utils/uuidgen similarity index 100% rename from apparmor.d/profiles-s-z/uuidgen rename to apparmor.d/groups/utils/uuidgen diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/groups/utils/who similarity index 100% rename from apparmor.d/profiles-s-z/who rename to apparmor.d/groups/utils/who diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/utils/zramctl similarity index 100% rename from apparmor.d/groups/systemd/zramctl rename to apparmor.d/groups/utils/zramctl From 33681e14f22c8738d04caa3e89433b643f6932fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 13 Feb 2025 19:12:48 +0100 Subject: [PATCH 097/977] refractor: tests/bats -> tests/integration --- .github/workflows/main.yml | 4 ++-- Makefile | 6 +++--- tests/{bats => integration}/aa-enforce.bats | 0 tests/{bats => integration}/aa-status.bats | 0 tests/{bats => integration}/blkid.bats | 0 tests/{bats => integration}/chsh.bats | 0 tests/{bats => integration}/common.bash | 0 tests/{bats => integration}/cpuid.bats | 0 tests/{bats => integration}/df.bats | 0 tests/{bats => integration}/dfc.bats | 0 tests/{bats => integration}/dmesg.bats | 0 tests/{bats => integration}/fc-cache.bats | 0 tests/{bats => integration}/fc-list.bats | 0 tests/{bats => integration}/flatpak.bats | 0 tests/{bats => integration}/fwupdmgr.bats | 0 tests/{bats => integration}/gpgconf.bats | 0 tests/{bats => integration}/groupadd.bats | 0 tests/{bats => integration}/groups.bats | 0 tests/{bats => integration}/homectl.bats | 0 tests/{bats => integration}/hostnamectl.bats | 0 tests/{bats => integration}/id.bats | 0 tests/{bats => integration}/ip.bats | 0 tests/{bats => integration}/lsblk.bats | 0 tests/{bats => integration}/lscpu.bats | 0 tests/{bats => integration}/lspci.bats | 0 tests/{bats => integration}/lsusb.bats | 0 tests/{bats => integration}/needrestart.bats | 0 tests/{bats => integration}/ps.bats | 0 tests/{bats => integration}/pstree.bats | 0 tests/{bats => integration}/snap.bats | 0 tests/{bats => integration}/sync.bats | 0 tests/{bats => integration}/sysctl.bats | 0 tests/{bats => integration}/systemd-ac-power.bats | 0 tests/{bats => integration}/systemd-analyze.bats | 0 tests/{bats => integration}/systemd-cat.bats | 0 tests/{bats => integration}/systemd-cgls.bats | 0 tests/{bats => integration}/systemd-detect-virt.bats | 0 tests/{bats => integration}/systemd-id128.bats | 0 tests/{bats => integration}/systemd-sysusers.bats | 0 tests/{bats => integration}/uname.bats | 0 tests/{bats => integration}/upower.bats | 0 tests/{bats => integration}/uptime.bats | 0 tests/{bats => integration}/useradd.bats | 0 tests/{bats => integration}/userdbctl.bats | 0 tests/{bats => integration}/users.bats | 0 tests/{bats => integration}/uuidd.bats | 0 tests/{bats => integration}/uuidgen.bats | 0 tests/{bats => integration}/w.bats | 0 tests/{bats => integration}/who.bats | 0 49 files changed, 5 insertions(+), 5 deletions(-) rename tests/{bats => integration}/aa-enforce.bats (100%) rename tests/{bats => integration}/aa-status.bats (100%) rename tests/{bats => integration}/blkid.bats (100%) rename tests/{bats => integration}/chsh.bats (100%) rename tests/{bats => integration}/common.bash (100%) rename tests/{bats => integration}/cpuid.bats (100%) rename tests/{bats => integration}/df.bats (100%) rename tests/{bats => integration}/dfc.bats (100%) rename tests/{bats => integration}/dmesg.bats (100%) rename tests/{bats => integration}/fc-cache.bats (100%) rename tests/{bats => integration}/fc-list.bats (100%) rename tests/{bats => integration}/flatpak.bats (100%) rename tests/{bats => integration}/fwupdmgr.bats (100%) rename tests/{bats => integration}/gpgconf.bats (100%) rename tests/{bats => integration}/groupadd.bats (100%) rename tests/{bats => integration}/groups.bats (100%) rename tests/{bats => integration}/homectl.bats (100%) rename tests/{bats => integration}/hostnamectl.bats (100%) rename tests/{bats => integration}/id.bats (100%) rename tests/{bats => integration}/ip.bats (100%) rename tests/{bats => integration}/lsblk.bats (100%) rename tests/{bats => integration}/lscpu.bats (100%) rename tests/{bats => integration}/lspci.bats (100%) rename tests/{bats => integration}/lsusb.bats (100%) rename tests/{bats => integration}/needrestart.bats (100%) rename tests/{bats => integration}/ps.bats (100%) rename tests/{bats => integration}/pstree.bats (100%) rename tests/{bats => integration}/snap.bats (100%) rename tests/{bats => integration}/sync.bats (100%) rename tests/{bats => integration}/sysctl.bats (100%) rename tests/{bats => integration}/systemd-ac-power.bats (100%) rename tests/{bats => integration}/systemd-analyze.bats (100%) rename tests/{bats => integration}/systemd-cat.bats (100%) rename tests/{bats => integration}/systemd-cgls.bats (100%) rename tests/{bats => integration}/systemd-detect-virt.bats (100%) rename tests/{bats => integration}/systemd-id128.bats (100%) rename tests/{bats => integration}/systemd-sysusers.bats (100%) rename tests/{bats => integration}/uname.bats (100%) rename tests/{bats => integration}/upower.bats (100%) rename tests/{bats => integration}/uptime.bats (100%) rename tests/{bats => integration}/useradd.bats (100%) rename tests/{bats => integration}/userdbctl.bats (100%) rename tests/{bats => integration}/users.bats (100%) rename tests/{bats => integration}/uuidd.bats (100%) rename tests/{bats => integration}/uuidgen.bats (100%) rename tests/{bats => integration}/w.bats (100%) rename tests/{bats => integration}/who.bats (100%) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 75fa5c051..c97229256 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -125,9 +125,9 @@ jobs: run: | bash tests/requirements.sh - - name: Run the bats integration tests + - name: Run the integration tests run: | - make bats + make integration - name: Show final AppArmor logs if: always() diff --git a/Makefile b/Makefile index 7de055c9f..90dacd5c0 100644 --- a/Makefile +++ b/Makefile @@ -111,9 +111,9 @@ lint: check: @bash tests/check.sh -.PHONY: bats -bats: - @bats --timing --print-output-on-failure tests/bats/ +.PHONY: integration +integration : + @bats --timing --print-output-on-failure tests/integration/ .PHONY: manual manual: diff --git a/tests/bats/aa-enforce.bats b/tests/integration/aa-enforce.bats similarity index 100% rename from tests/bats/aa-enforce.bats rename to tests/integration/aa-enforce.bats diff --git a/tests/bats/aa-status.bats b/tests/integration/aa-status.bats similarity index 100% rename from tests/bats/aa-status.bats rename to tests/integration/aa-status.bats diff --git a/tests/bats/blkid.bats b/tests/integration/blkid.bats similarity index 100% rename from tests/bats/blkid.bats rename to tests/integration/blkid.bats diff --git a/tests/bats/chsh.bats b/tests/integration/chsh.bats similarity index 100% rename from tests/bats/chsh.bats rename to tests/integration/chsh.bats diff --git a/tests/bats/common.bash b/tests/integration/common.bash similarity index 100% rename from tests/bats/common.bash rename to tests/integration/common.bash diff --git a/tests/bats/cpuid.bats b/tests/integration/cpuid.bats similarity index 100% rename from tests/bats/cpuid.bats rename to tests/integration/cpuid.bats diff --git a/tests/bats/df.bats b/tests/integration/df.bats similarity index 100% rename from tests/bats/df.bats rename to tests/integration/df.bats diff --git a/tests/bats/dfc.bats b/tests/integration/dfc.bats similarity index 100% rename from tests/bats/dfc.bats rename to tests/integration/dfc.bats diff --git a/tests/bats/dmesg.bats b/tests/integration/dmesg.bats similarity index 100% rename from tests/bats/dmesg.bats rename to tests/integration/dmesg.bats diff --git a/tests/bats/fc-cache.bats b/tests/integration/fc-cache.bats similarity index 100% rename from tests/bats/fc-cache.bats rename to tests/integration/fc-cache.bats diff --git a/tests/bats/fc-list.bats b/tests/integration/fc-list.bats similarity index 100% rename from tests/bats/fc-list.bats rename to tests/integration/fc-list.bats diff --git a/tests/bats/flatpak.bats b/tests/integration/flatpak.bats similarity index 100% rename from tests/bats/flatpak.bats rename to tests/integration/flatpak.bats diff --git a/tests/bats/fwupdmgr.bats b/tests/integration/fwupdmgr.bats similarity index 100% rename from tests/bats/fwupdmgr.bats rename to tests/integration/fwupdmgr.bats diff --git a/tests/bats/gpgconf.bats b/tests/integration/gpgconf.bats similarity index 100% rename from tests/bats/gpgconf.bats rename to tests/integration/gpgconf.bats diff --git a/tests/bats/groupadd.bats b/tests/integration/groupadd.bats similarity index 100% rename from tests/bats/groupadd.bats rename to tests/integration/groupadd.bats diff --git a/tests/bats/groups.bats b/tests/integration/groups.bats similarity index 100% rename from tests/bats/groups.bats rename to tests/integration/groups.bats diff --git a/tests/bats/homectl.bats b/tests/integration/homectl.bats similarity index 100% rename from tests/bats/homectl.bats rename to tests/integration/homectl.bats diff --git a/tests/bats/hostnamectl.bats b/tests/integration/hostnamectl.bats similarity index 100% rename from tests/bats/hostnamectl.bats rename to tests/integration/hostnamectl.bats diff --git a/tests/bats/id.bats b/tests/integration/id.bats similarity index 100% rename from tests/bats/id.bats rename to tests/integration/id.bats diff --git a/tests/bats/ip.bats b/tests/integration/ip.bats similarity index 100% rename from tests/bats/ip.bats rename to tests/integration/ip.bats diff --git a/tests/bats/lsblk.bats b/tests/integration/lsblk.bats similarity index 100% rename from tests/bats/lsblk.bats rename to tests/integration/lsblk.bats diff --git a/tests/bats/lscpu.bats b/tests/integration/lscpu.bats similarity index 100% rename from tests/bats/lscpu.bats rename to tests/integration/lscpu.bats diff --git a/tests/bats/lspci.bats b/tests/integration/lspci.bats similarity index 100% rename from tests/bats/lspci.bats rename to tests/integration/lspci.bats diff --git a/tests/bats/lsusb.bats b/tests/integration/lsusb.bats similarity index 100% rename from tests/bats/lsusb.bats rename to tests/integration/lsusb.bats diff --git a/tests/bats/needrestart.bats b/tests/integration/needrestart.bats similarity index 100% rename from tests/bats/needrestart.bats rename to tests/integration/needrestart.bats diff --git a/tests/bats/ps.bats b/tests/integration/ps.bats similarity index 100% rename from tests/bats/ps.bats rename to tests/integration/ps.bats diff --git a/tests/bats/pstree.bats b/tests/integration/pstree.bats similarity index 100% rename from tests/bats/pstree.bats rename to tests/integration/pstree.bats diff --git a/tests/bats/snap.bats b/tests/integration/snap.bats similarity index 100% rename from tests/bats/snap.bats rename to tests/integration/snap.bats diff --git a/tests/bats/sync.bats b/tests/integration/sync.bats similarity index 100% rename from tests/bats/sync.bats rename to tests/integration/sync.bats diff --git a/tests/bats/sysctl.bats b/tests/integration/sysctl.bats similarity index 100% rename from tests/bats/sysctl.bats rename to tests/integration/sysctl.bats diff --git a/tests/bats/systemd-ac-power.bats b/tests/integration/systemd-ac-power.bats similarity index 100% rename from tests/bats/systemd-ac-power.bats rename to tests/integration/systemd-ac-power.bats diff --git a/tests/bats/systemd-analyze.bats b/tests/integration/systemd-analyze.bats similarity index 100% rename from tests/bats/systemd-analyze.bats rename to tests/integration/systemd-analyze.bats diff --git a/tests/bats/systemd-cat.bats b/tests/integration/systemd-cat.bats similarity index 100% rename from tests/bats/systemd-cat.bats rename to tests/integration/systemd-cat.bats diff --git a/tests/bats/systemd-cgls.bats b/tests/integration/systemd-cgls.bats similarity index 100% rename from tests/bats/systemd-cgls.bats rename to tests/integration/systemd-cgls.bats diff --git a/tests/bats/systemd-detect-virt.bats b/tests/integration/systemd-detect-virt.bats similarity index 100% rename from tests/bats/systemd-detect-virt.bats rename to tests/integration/systemd-detect-virt.bats diff --git a/tests/bats/systemd-id128.bats b/tests/integration/systemd-id128.bats similarity index 100% rename from tests/bats/systemd-id128.bats rename to tests/integration/systemd-id128.bats diff --git a/tests/bats/systemd-sysusers.bats b/tests/integration/systemd-sysusers.bats similarity index 100% rename from tests/bats/systemd-sysusers.bats rename to tests/integration/systemd-sysusers.bats diff --git a/tests/bats/uname.bats b/tests/integration/uname.bats similarity index 100% rename from tests/bats/uname.bats rename to tests/integration/uname.bats diff --git a/tests/bats/upower.bats b/tests/integration/upower.bats similarity index 100% rename from tests/bats/upower.bats rename to tests/integration/upower.bats diff --git a/tests/bats/uptime.bats b/tests/integration/uptime.bats similarity index 100% rename from tests/bats/uptime.bats rename to tests/integration/uptime.bats diff --git a/tests/bats/useradd.bats b/tests/integration/useradd.bats similarity index 100% rename from tests/bats/useradd.bats rename to tests/integration/useradd.bats diff --git a/tests/bats/userdbctl.bats b/tests/integration/userdbctl.bats similarity index 100% rename from tests/bats/userdbctl.bats rename to tests/integration/userdbctl.bats diff --git a/tests/bats/users.bats b/tests/integration/users.bats similarity index 100% rename from tests/bats/users.bats rename to tests/integration/users.bats diff --git a/tests/bats/uuidd.bats b/tests/integration/uuidd.bats similarity index 100% rename from tests/bats/uuidd.bats rename to tests/integration/uuidd.bats diff --git a/tests/bats/uuidgen.bats b/tests/integration/uuidgen.bats similarity index 100% rename from tests/bats/uuidgen.bats rename to tests/integration/uuidgen.bats diff --git a/tests/bats/w.bats b/tests/integration/w.bats similarity index 100% rename from tests/bats/w.bats rename to tests/integration/w.bats diff --git a/tests/bats/who.bats b/tests/integration/who.bats similarity index 100% rename from tests/bats/who.bats rename to tests/integration/who.bats From 8ba3dbd90f63758a2b89bffd587d7a6897b741e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 15 Feb 2025 16:09:52 +0100 Subject: [PATCH 098/977] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/bluetooth}/blueman | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-mechanism | 0 .../{profiles-a-f => groups/bluetooth}/blueman-rfcomm-watcher | 2 +- apparmor.d/{profiles-a-f => groups/bluetooth}/bluemoon | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothctl | 0 apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothd | 0 .../{profiles-m-r => groups/bluetooth}/obex-folder-listing | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexautofs | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexctl | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexd | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexfs | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexpush-atd | 0 apparmor.d/{profiles-m-r => groups/bluetooth}/obexpushd | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mke2fs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-btrfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-fat | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkntfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mkswap | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-cifs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-nfs | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mount-zfs | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewall-applet | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewall-config | 0 apparmor.d/{profiles-a-f => groups/firewall}/firewalld | 0 apparmor.d/{profiles-m-r => groups/firewall}/nft | 0 apparmor.d/{profiles-s-z => groups/firewall}/ufw | 0 apparmor.d/{profiles-a-f => groups/freedesktop}/boltd | 0 apparmor.d/{profiles-s-z => groups/freedesktop}/wireplumber | 0 apparmor.d/{profiles-g-l => groups/usb}/lsusb | 2 +- apparmor.d/{profiles-s-z => groups/usb}/usb-devices | 1 + apparmor.d/{profiles-s-z => groups/usb}/usbguard | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-applet-qt | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-daemon | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-dbus | 0 apparmor.d/{profiles-s-z => groups/usb}/usbguard-notifier | 0 apparmor.d/{profiles-a-f => groups/utils}/dmesg | 0 apparmor.d/{profiles-s-z => groups/utils}/whereis | 0 38 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-mechanism (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/blueman-rfcomm-watcher (86%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluemoon (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothctl (100%) rename apparmor.d/{profiles-a-f => groups/bluetooth}/bluetoothd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obex-folder-listing (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexautofs (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexctl (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexfs (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexpush-atd (100%) rename apparmor.d/{profiles-m-r => groups/bluetooth}/obexpushd (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mke2fs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-btrfs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkfs-fat (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkntfs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mkswap (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount-cifs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount-nfs (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mount-zfs (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewall-applet (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewall-config (100%) rename apparmor.d/{profiles-a-f => groups/firewall}/firewalld (100%) rename apparmor.d/{profiles-m-r => groups/firewall}/nft (100%) rename apparmor.d/{profiles-s-z => groups/firewall}/ufw (100%) rename apparmor.d/{profiles-a-f => groups/freedesktop}/boltd (100%) rename apparmor.d/{profiles-s-z => groups/freedesktop}/wireplumber (100%) rename apparmor.d/{profiles-g-l => groups/usb}/lsusb (92%) rename apparmor.d/{profiles-s-z => groups/usb}/usb-devices (96%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-applet-qt (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-daemon (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-dbus (100%) rename apparmor.d/{profiles-s-z => groups/usb}/usbguard-notifier (100%) rename apparmor.d/{profiles-a-f => groups/utils}/dmesg (100%) rename apparmor.d/{profiles-s-z => groups/utils}/whereis (100%) diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/groups/bluetooth/blueman similarity index 100% rename from apparmor.d/profiles-a-f/blueman rename to apparmor.d/groups/bluetooth/blueman diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism similarity index 100% rename from apparmor.d/profiles-a-f/blueman-mechanism rename to apparmor.d/groups/bluetooth/blueman-mechanism diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher similarity index 86% rename from apparmor.d/profiles-a-f/blueman-rfcomm-watcher rename to apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 516f14bdd..639e475ac 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/groups/bluetooth/bluemoon similarity index 100% rename from apparmor.d/profiles-a-f/bluemoon rename to apparmor.d/groups/bluetooth/bluemoon diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl similarity index 100% rename from apparmor.d/profiles-a-f/bluetoothctl rename to apparmor.d/groups/bluetooth/bluetoothctl diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd similarity index 100% rename from apparmor.d/profiles-a-f/bluetoothd rename to apparmor.d/groups/bluetooth/bluetoothd diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/groups/bluetooth/obex-folder-listing similarity index 100% rename from apparmor.d/profiles-m-r/obex-folder-listing rename to apparmor.d/groups/bluetooth/obex-folder-listing diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/groups/bluetooth/obexautofs similarity index 100% rename from apparmor.d/profiles-m-r/obexautofs rename to apparmor.d/groups/bluetooth/obexautofs diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/groups/bluetooth/obexctl similarity index 100% rename from apparmor.d/profiles-m-r/obexctl rename to apparmor.d/groups/bluetooth/obexctl diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/groups/bluetooth/obexd similarity index 100% rename from apparmor.d/profiles-m-r/obexd rename to apparmor.d/groups/bluetooth/obexd diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/groups/bluetooth/obexfs similarity index 100% rename from apparmor.d/profiles-m-r/obexfs rename to apparmor.d/groups/bluetooth/obexfs diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/groups/bluetooth/obexpush-atd similarity index 100% rename from apparmor.d/profiles-m-r/obexpush-atd rename to apparmor.d/groups/bluetooth/obexpush-atd diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/groups/bluetooth/obexpushd similarity index 100% rename from apparmor.d/profiles-m-r/obexpushd rename to apparmor.d/groups/bluetooth/obexpushd diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/groups/filesystem/mke2fs similarity index 100% rename from apparmor.d/profiles-m-r/mke2fs rename to apparmor.d/groups/filesystem/mke2fs diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-btrfs rename to apparmor.d/groups/filesystem/mkfs-btrfs diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/groups/filesystem/mkfs-fat similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-fat rename to apparmor.d/groups/filesystem/mkfs-fat diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/groups/filesystem/mkntfs similarity index 100% rename from apparmor.d/profiles-m-r/mkntfs rename to apparmor.d/groups/filesystem/mkntfs diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/groups/filesystem/mkswap similarity index 100% rename from apparmor.d/profiles-m-r/mkswap rename to apparmor.d/groups/filesystem/mkswap diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/groups/filesystem/mount similarity index 100% rename from apparmor.d/profiles-m-r/mount rename to apparmor.d/groups/filesystem/mount diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs similarity index 100% rename from apparmor.d/profiles-m-r/mount-cifs rename to apparmor.d/groups/filesystem/mount-cifs diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-nfs rename to apparmor.d/groups/filesystem/mount-nfs diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-zfs rename to apparmor.d/groups/filesystem/mount-zfs diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/groups/firewall/firewall-applet similarity index 100% rename from apparmor.d/profiles-a-f/firewall-applet rename to apparmor.d/groups/firewall/firewall-applet diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/groups/firewall/firewall-config similarity index 100% rename from apparmor.d/profiles-a-f/firewall-config rename to apparmor.d/groups/firewall/firewall-config diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/groups/firewall/firewalld similarity index 100% rename from apparmor.d/profiles-a-f/firewalld rename to apparmor.d/groups/firewall/firewalld diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/groups/firewall/nft similarity index 100% rename from apparmor.d/profiles-m-r/nft rename to apparmor.d/groups/firewall/nft diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/groups/firewall/ufw similarity index 100% rename from apparmor.d/profiles-s-z/ufw rename to apparmor.d/groups/firewall/ufw diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/groups/freedesktop/boltd similarity index 100% rename from apparmor.d/profiles-a-f/boltd rename to apparmor.d/groups/freedesktop/boltd diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/groups/freedesktop/wireplumber similarity index 100% rename from apparmor.d/profiles-s-z/wireplumber rename to apparmor.d/groups/freedesktop/wireplumber diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/groups/usb/lsusb similarity index 92% rename from apparmor.d/profiles-g-l/lsusb rename to apparmor.d/groups/usb/lsusb index 40e902a87..f824343d6 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lsusb +@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py profile lsusb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/groups/usb/usb-devices similarity index 96% rename from apparmor.d/profiles-s-z/usb-devices rename to apparmor.d/groups/usb/usb-devices index c67b78faf..59ff12feb 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/groups/usb/usb-devices @@ -22,6 +22,7 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/groups/usb/usbguard similarity index 100% rename from apparmor.d/profiles-s-z/usbguard rename to apparmor.d/groups/usb/usbguard diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-applet-qt rename to apparmor.d/groups/usb/usbguard-applet-qt diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/groups/usb/usbguard-daemon similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-daemon rename to apparmor.d/groups/usb/usbguard-daemon diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/groups/usb/usbguard-dbus similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-dbus rename to apparmor.d/groups/usb/usbguard-dbus diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/groups/usb/usbguard-notifier similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-notifier rename to apparmor.d/groups/usb/usbguard-notifier diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/groups/utils/dmesg similarity index 100% rename from apparmor.d/profiles-a-f/dmesg rename to apparmor.d/groups/utils/dmesg diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/groups/utils/whereis similarity index 100% rename from apparmor.d/profiles-s-z/whereis rename to apparmor.d/groups/utils/whereis From 5aab9da0308f209c27fc98ca5486c9cd2ee03e49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 15 Feb 2025 16:38:07 +0100 Subject: [PATCH 099/977] fix(profile): blueman-rfcomm-watcher entrypoint. --- apparmor.d/groups/bluetooth/blueman-rfcomm-watcher | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 639e475ac..2d52a6e01 100644 --- a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include From 5870e1ee4026b28b9ffe0f232b1e1b900857e0bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 17 Feb 2025 21:04:28 +0100 Subject: [PATCH 100/977] refractor: move more profiles to groups. --- apparmor.d/{profiles-a-f => groups/cap}/filecap | 0 apparmor.d/{profiles-m-r => groups/cap}/netcap | 0 apparmor.d/{profiles-m-r => groups/cap}/pscap | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-convert | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-find-root | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-image | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-map-logical | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-select-super | 0 apparmor.d/{profiles-a-f => groups/filesystem}/btrfstune | 0 apparmor.d/{profiles-a-f => groups/filesystem}/fsck.btrfs | 0 apparmor.d/{profiles-a-f => groups/filesystem}/fsck.fat | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvm | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmconfig | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmdump | 0 apparmor.d/{profiles-g-l => groups/filesystem}/lvmpolld | 0 apparmor.d/{profiles-m-r => groups/filesystem}/mtools | 0 apparmor.d/{profiles-m-r => groups/filesystem}/nfsdcld | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g-probe | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscat | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsclone | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscluster | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscmp | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfscp | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsdecrypt | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfallocate | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfix | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsinfo | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfslabel | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsls | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsmove | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsrecover | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsresize | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfssecaudit | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfstruncate | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsundelete | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfsusermap | 0 apparmor.d/{profiles-m-r => groups/filesystem}/ntfswipe | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-info | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-mount | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-umount | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udisksctl | 0 apparmor.d/{profiles-s-z => groups/filesystem}/udisksd | 0 apparmor.d/{profiles-s-z => groups/filesystem}/umount.udisks2 | 0 apparmor.d/{profiles-s-z => groups/utils}/swaplabel | 0 apparmor.d/{profiles-s-z => groups/utils}/umount | 0 48 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-a-f => groups/cap}/filecap (100%) rename apparmor.d/{profiles-m-r => groups/cap}/netcap (100%) rename apparmor.d/{profiles-m-r => groups/cap}/pscap (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-convert (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-find-root (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-image (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-map-logical (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfs-select-super (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/btrfstune (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/fsck.btrfs (100%) rename apparmor.d/{profiles-a-f => groups/filesystem}/fsck.fat (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvm (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmconfig (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmdump (100%) rename apparmor.d/{profiles-g-l => groups/filesystem}/lvmpolld (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/mtools (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/nfsdcld (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfs-3g-probe (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscat (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsclone (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscluster (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscmp (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfscp (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsdecrypt (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfallocate (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsfix (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsinfo (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfslabel (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsls (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsmove (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsrecover (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsresize (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfssecaudit (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfstruncate (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsundelete (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfsusermap (100%) rename apparmor.d/{profiles-m-r => groups/filesystem}/ntfswipe (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-info (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-mount (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udiskie-umount (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udisksctl (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/udisksd (100%) rename apparmor.d/{profiles-s-z => groups/filesystem}/umount.udisks2 (100%) rename apparmor.d/{profiles-s-z => groups/utils}/swaplabel (100%) rename apparmor.d/{profiles-s-z => groups/utils}/umount (100%) diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/groups/cap/filecap similarity index 100% rename from apparmor.d/profiles-a-f/filecap rename to apparmor.d/groups/cap/filecap diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/groups/cap/netcap similarity index 100% rename from apparmor.d/profiles-m-r/netcap rename to apparmor.d/groups/cap/netcap diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/groups/cap/pscap similarity index 100% rename from apparmor.d/profiles-m-r/pscap rename to apparmor.d/groups/cap/pscap diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/groups/filesystem/btrfs similarity index 100% rename from apparmor.d/profiles-a-f/btrfs rename to apparmor.d/groups/filesystem/btrfs diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-convert rename to apparmor.d/groups/filesystem/btrfs-convert diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-find-root rename to apparmor.d/groups/filesystem/btrfs-find-root diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-image rename to apparmor.d/groups/filesystem/btrfs-image diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/groups/filesystem/btrfs-map-logical similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-map-logical rename to apparmor.d/groups/filesystem/btrfs-map-logical diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/groups/filesystem/btrfs-select-super similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-select-super rename to apparmor.d/groups/filesystem/btrfs-select-super diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/groups/filesystem/btrfstune similarity index 100% rename from apparmor.d/profiles-a-f/btrfstune rename to apparmor.d/groups/filesystem/btrfstune diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs similarity index 100% rename from apparmor.d/profiles-a-f/fsck.btrfs rename to apparmor.d/groups/filesystem/fsck.btrfs diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat similarity index 100% rename from apparmor.d/profiles-a-f/fsck.fat rename to apparmor.d/groups/filesystem/fsck.fat diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/groups/filesystem/lvm similarity index 100% rename from apparmor.d/profiles-g-l/lvm rename to apparmor.d/groups/filesystem/lvm diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig similarity index 100% rename from apparmor.d/profiles-g-l/lvmconfig rename to apparmor.d/groups/filesystem/lvmconfig diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/groups/filesystem/lvmdump similarity index 100% rename from apparmor.d/profiles-g-l/lvmdump rename to apparmor.d/groups/filesystem/lvmdump diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld similarity index 100% rename from apparmor.d/profiles-g-l/lvmpolld rename to apparmor.d/groups/filesystem/lvmpolld diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/groups/filesystem/mtools similarity index 100% rename from apparmor.d/profiles-m-r/mtools rename to apparmor.d/groups/filesystem/mtools diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld similarity index 100% rename from apparmor.d/profiles-m-r/nfsdcld rename to apparmor.d/groups/filesystem/nfsdcld diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g rename to apparmor.d/groups/filesystem/ntfs-3g diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/groups/filesystem/ntfs-3g-probe similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g-probe rename to apparmor.d/groups/filesystem/ntfs-3g-probe diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/groups/filesystem/ntfscat similarity index 100% rename from apparmor.d/profiles-m-r/ntfscat rename to apparmor.d/groups/filesystem/ntfscat diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone similarity index 100% rename from apparmor.d/profiles-m-r/ntfsclone rename to apparmor.d/groups/filesystem/ntfsclone diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/groups/filesystem/ntfscluster similarity index 100% rename from apparmor.d/profiles-m-r/ntfscluster rename to apparmor.d/groups/filesystem/ntfscluster diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/groups/filesystem/ntfscmp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscmp rename to apparmor.d/groups/filesystem/ntfscmp diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/groups/filesystem/ntfscp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscp rename to apparmor.d/groups/filesystem/ntfscp diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/groups/filesystem/ntfsdecrypt similarity index 100% rename from apparmor.d/profiles-m-r/ntfsdecrypt rename to apparmor.d/groups/filesystem/ntfsdecrypt diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/groups/filesystem/ntfsfallocate similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfallocate rename to apparmor.d/groups/filesystem/ntfsfallocate diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfix rename to apparmor.d/groups/filesystem/ntfsfix diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/groups/filesystem/ntfsinfo similarity index 100% rename from apparmor.d/profiles-m-r/ntfsinfo rename to apparmor.d/groups/filesystem/ntfsinfo diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel similarity index 100% rename from apparmor.d/profiles-m-r/ntfslabel rename to apparmor.d/groups/filesystem/ntfslabel diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/groups/filesystem/ntfsls similarity index 100% rename from apparmor.d/profiles-m-r/ntfsls rename to apparmor.d/groups/filesystem/ntfsls diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/groups/filesystem/ntfsmove similarity index 100% rename from apparmor.d/profiles-m-r/ntfsmove rename to apparmor.d/groups/filesystem/ntfsmove diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/groups/filesystem/ntfsrecover similarity index 100% rename from apparmor.d/profiles-m-r/ntfsrecover rename to apparmor.d/groups/filesystem/ntfsrecover diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize similarity index 100% rename from apparmor.d/profiles-m-r/ntfsresize rename to apparmor.d/groups/filesystem/ntfsresize diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/groups/filesystem/ntfssecaudit similarity index 100% rename from apparmor.d/profiles-m-r/ntfssecaudit rename to apparmor.d/groups/filesystem/ntfssecaudit diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/groups/filesystem/ntfstruncate similarity index 100% rename from apparmor.d/profiles-m-r/ntfstruncate rename to apparmor.d/groups/filesystem/ntfstruncate diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete similarity index 100% rename from apparmor.d/profiles-m-r/ntfsundelete rename to apparmor.d/groups/filesystem/ntfsundelete diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/groups/filesystem/ntfsusermap similarity index 100% rename from apparmor.d/profiles-m-r/ntfsusermap rename to apparmor.d/groups/filesystem/ntfsusermap diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/groups/filesystem/ntfswipe similarity index 100% rename from apparmor.d/profiles-m-r/ntfswipe rename to apparmor.d/groups/filesystem/ntfswipe diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/groups/filesystem/udiskie similarity index 100% rename from apparmor.d/profiles-s-z/udiskie rename to apparmor.d/groups/filesystem/udiskie diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-info rename to apparmor.d/groups/filesystem/udiskie-info diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-mount rename to apparmor.d/groups/filesystem/udiskie-mount diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount similarity index 100% rename from apparmor.d/profiles-s-z/udiskie-umount rename to apparmor.d/groups/filesystem/udiskie-umount diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/groups/filesystem/udisksctl similarity index 100% rename from apparmor.d/profiles-s-z/udisksctl rename to apparmor.d/groups/filesystem/udisksctl diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/groups/filesystem/udisksd similarity index 100% rename from apparmor.d/profiles-s-z/udisksd rename to apparmor.d/groups/filesystem/udisksd diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 similarity index 100% rename from apparmor.d/profiles-s-z/umount.udisks2 rename to apparmor.d/groups/filesystem/umount.udisks2 diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/groups/utils/swaplabel similarity index 100% rename from apparmor.d/profiles-s-z/swaplabel rename to apparmor.d/groups/utils/swaplabel diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/groups/utils/umount similarity index 100% rename from apparmor.d/profiles-s-z/umount rename to apparmor.d/groups/utils/umount From af85db9148b17bb37b4d73454e78d4efec4c2db9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 17 Feb 2025 21:28:40 +0100 Subject: [PATCH 101/977] refractor: use @{python_path} in all profiles. --- apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/command-not-found | 4 ++-- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 4 ++-- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/bus/ibus-engine-table | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/udiskie | 2 +- apparmor.d/groups/filesystem/udiskie-info | 2 +- apparmor.d/groups/filesystem/udiskie-mount | 2 +- apparmor.d/groups/filesystem/udiskie-umount | 2 +- apparmor.d/groups/firewall/firewall-applet | 2 +- apparmor.d/groups/firewall/firewalld | 2 +- apparmor.d/groups/firewall/ufw | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 4 ++-- apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/gnome-tweaks | 4 ++-- apparmor.d/groups/kde/kconf_update | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/pacman-hook-code | 2 +- apparmor.d/groups/steam/steam-game-proton | 2 +- apparmor.d/groups/ubuntu/apport-checkreports | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 4 ++-- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/whonix/sdwdate-gui | 2 +- apparmor.d/profiles-a-f/alacarte | 4 ++-- apparmor.d/profiles-a-f/arandr | 2 +- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/convertall | 2 +- apparmor.d/profiles-a-f/execute-dcut | 2 +- apparmor.d/profiles-a-f/execute-dput | 2 +- apparmor.d/profiles-a-f/fail2ban-client | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gpo | 2 +- apparmor.d/profiles-g-l/gpodder | 2 +- apparmor.d/profiles-g-l/gpodder-migrate2tres | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/install-printerdriver | 2 +- apparmor.d/profiles-g-l/iotop | 2 +- apparmor.d/profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 2 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/needrestart | 4 ++-- apparmor.d/profiles-m-r/obamenu | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/ps-mem | 2 +- apparmor.d/profiles-m-r/qbittorrent | 6 +++--- apparmor.d/profiles-m-r/repo | 2 +- apparmor.d/profiles-m-r/rustdesk | 6 +++--- apparmor.d/profiles-s-z/speedtest | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/system-config-printer-applet | 2 +- apparmor.d/profiles-s-z/terminator | 2 +- apparmor.d/profiles-s-z/update-command-not-found | 2 +- apparmor.d/profiles-s-z/vcsi | 2 +- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/virt-manager | 4 ++-- apparmor.d/profiles-s-z/wsdd | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/yt-dlp | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zenmap | 2 +- 77 files changed, 92 insertions(+), 92 deletions(-) diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 89cf63067..dbbba9d4d 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -17,7 +17,7 @@ profile apt-listchanges @{exec_path} { #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index e6c0fdee6..1ba7b5cb3 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -18,12 +18,12 @@ profile command-not-found @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, - @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/ r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ee29b4923..c9448c7fb 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -21,7 +21,7 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 8bda4efff..3e3fd2ab9 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -17,7 +17,7 @@ profile debtags @{exec_path} { #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 5c46246a2..85bd2e6c3 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -26,7 +26,7 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 8681e46d8..ae2e64e5d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -28,7 +28,7 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ldconfig rix, @{bin}/selinuxenabled rix, @@ -57,7 +57,7 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/python3/dist-packages/pylocales/locales.db rk, + @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ead68957a..dbbfb413e 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -43,7 +43,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/ischroot rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/test rix, @{bin}/touch rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 15af33d88..5da82090f 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -14,7 +14,7 @@ profile update-apt-xapian-index @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 5182b0dca..abe0d22c0 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f65fc8349..697a307f9 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -57,7 +57,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index 014955032..a6a2e2ad3 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -23,7 +23,7 @@ profile udiskie @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 855c5b54c..0b39fd3dc 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -13,7 +13,7 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index a57a6091f..0513a8c35 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -13,7 +13,7 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index 8fe075f94..cf147b875 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -13,7 +13,7 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/bin/ r, diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 17fca1462..280bd9d04 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -17,7 +17,7 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 142b25cde..123dff77f 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -42,7 +42,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/xtables-legacy-multi rix, @{bin}/xtables-nft-multi rix, - /usr/local/lib/python3.@{int}/dist-packages/ r, + /usr/local/lib/@{python_name}/dist-packages/ r, /usr/share/iproute2/{,**} r, /usr/share/libalternatives/{,**} r, diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7e5f0c79..3b5a1dcc1 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,7 +32,7 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/cat ix, @{bin}/env r, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/sysctl ix, @{bin}/xtables-legacy-multi ix, @{bin}/xtables-nft-multi ix, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index d31811152..95af09ed6 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -15,9 +15,9 @@ profile gnome-browser-connector-host @{exec_path} { @{exec_path} mr, @{bin}/env rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 82be211fc..7874e95ff 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -33,8 +33,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d104e75c6..fa94d56e8 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -21,11 +21,11 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/ps rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{open_path} rPx -> child-open-help, - @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index e152325ed..49da5e3ca 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -25,7 +25,7 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/qtpaths rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 0ff08d02f..9efaec4fc 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -54,7 +54,7 @@ profile kded @{exec_path} { @{bin}/kcminit rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index ee2e5274b..e6150c509 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -45,7 +45,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3a6bbd7fe..2496d7a9b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -16,7 +16,7 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/code/product.json rw, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index ab82925a5..3c4695e4f 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -41,7 +41,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gzip rix, @{bin}/ldconfig rix, @{bin}/localedef rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 6e1bb05f2..5e39988fd 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -14,7 +14,7 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index b2fe83f6b..1ff6df2ae 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -32,8 +32,8 @@ profile check-new-release-gtk @{exec_path} { @{bin}/ischroot rix, @{bin}/lsb_release rPx -> lsb_release, - @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 0023b48cb..75e4279f2 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -17,7 +17,7 @@ profile list-oem-metapackages @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rix, - @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 93fd9ffcc..c4c795649 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -27,7 +27,7 @@ profile software-properties-dbus @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4715f570c..e2bb2dc98 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -28,7 +28,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 119ac517c..44e0cc403 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index b0101504c..776cc9bf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4ffaf60e0..d540ed0e8 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -49,7 +49,7 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 6ca662859..d7b1b45e0 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -39,7 +39,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/date ix, @{bin}/find ix, @{bin}/ip ix, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 23c0a6df4..84a6fb379 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui @@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 7ebb3b629..eed67619d 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -14,9 +14,9 @@ profile alacarte @{exec_path} { include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index e260321e6..77bf1bf96 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index dbf6c228d..a53c135ca 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,7 +27,7 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 8c38f85a3..52e80cc54 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -20,7 +20,7 @@ profile convertall @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 41d2324f6..817ba6215 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 0decde05c..7161c5900 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 7fae1218c..d432bee94 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index e858c2d8e..2506b1db9 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -24,7 +24,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{bin}/iptables rix, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1de493892..e06c49b9d 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny /usr/lib/python3/dist-packages/** w, + deny @{lib}/@{python_name}/dist-packages/** w, profile ccache { include diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index e9f4d4e30..79f8c2fc7 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 4088f51fb..562980d35 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -22,7 +22,7 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index ec1adabe4..7ccf428c3 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -24,7 +24,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 11896a26c..55033d107 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f91887297..839e0d98a 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,7 +38,7 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/route rix, @{bin}/ruby[0-9].@{int} rix, @{bin}/strace rix, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index be18726a0..cda55bc59 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -31,7 +31,7 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index 8ea351857..facd2fa3b 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index d85b0244f..8ea787ea6 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -21,7 +21,7 @@ profile iotop @{exec_path} { @{bin}/ r, @{bin}/file rix, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/magic r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 743da77a1..264e49ebc 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -13,7 +13,7 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 0de151536..4aa662cd0 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -18,7 +18,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/bwrap rCx -> bwrap, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 9a138ff50..502f941be 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -24,7 +24,7 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 1e5ee2f91..41d327f93 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -31,7 +31,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @{bin}/locale rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @@ -43,7 +43,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{att}/@{lib}/python3.@{int}/** r, + @{att}/@{lib}/@{python_name}/** r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index b0c4d88c6..9d9ed2a94 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index d136ee08f..15957b348 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/python3/** w, + deny @{lib}/@{python_name}/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index fe06a346d..5ae5df7e6 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -53,7 +53,7 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool ix, # pass-otp - @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{python_path} Px -> pass-import, # pass-import, pass-audit @{bin}/qrencode PUx, # pass-otp @{bin}/tomb PUx, # pass-tomb diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 4977bb51a..c8fb38e44 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -26,7 +26,7 @@ profile pass-import @{exec_path} { @{bin}/ld rix, @{bin}/ldconfig rix, @{bin}/pass rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index da5753161..08b286b5a 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a5fcbb91e..8c6608e01 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -29,7 +29,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python, network inet dgram, network inet6 dgram, @@ -68,7 +68,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{bin}/python3.@{int} rCx -> python, # For "search engine" + @{python_path} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, @@ -129,7 +129,7 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/python3.@{int} r, + @{python_path} r, owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index a1fd7b3b3..5ad84fb15 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 2a0f9b391..acdad5640 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -36,7 +36,7 @@ profile rustdesk @{exec_path} { @{bin}/ls rix, @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rCx -> python, + @{python_path} rCx -> python, @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, @@ -64,7 +64,7 @@ profile rustdesk @{exec_path} { include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk//python, + @{python_path} rPx -> rustdesk//python, include if exists } @@ -76,7 +76,7 @@ profile rustdesk @{exec_path} { capability dac_read_search, capability dac_override, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/chmod rix, diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index f31818354..7e9728fc9 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -21,7 +21,7 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 4db5c6f92..84f6d52d3 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..de34ea608 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -19,7 +19,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e5a8f80d9..679a0fd32 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -30,7 +30,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} rix, + @{python_path} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index f1bf99bf8..9801f8737 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 25f4a979f..eaf6ca24b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 283eab051..1460fb1a7 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -25,7 +25,7 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index af472b4d5..614084c71 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -31,8 +31,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 22713e3bf..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -21,7 +21,7 @@ profile wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 781e24768..d618a0db1 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -30,7 +30,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 551a8edf4..ffa78eda3 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 81ccfc284..12fd657c3 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -24,7 +24,7 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ldconfig rix, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 59a8d772e..f4dc9fc77 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/nmap rPx, From a53ffeb251da8df49f12676e497c82fb243bd40c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 20 Feb 2025 20:18:44 +0100 Subject: [PATCH 102/977] fix(profile): ensure gsconnect-preferences is part of gnome-extension-gsconnect. --- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 4c4b00c5d..cf5c0a855 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{exec_path} = @{share_dirs}/service/daemon.js +@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences profile gnome-extension-gsconnect @{exec_path} { include include From 1f3fb1513a0ae0959b556f294c5c605cf05c9db3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:05:36 +0100 Subject: [PATCH 103/977] feat(profile): enforce apparmor.systemd --- apparmor.d/groups/apparmor/apparmor.systemd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index 75394f5de..79b3f1a86 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} flags=(complain) { +profile apparmor.systemd @{exec_path} { include include include From 2ae16a93f4b68aa16a6362557a435134d6ae0cb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:07:08 +0100 Subject: [PATCH 104/977] feat(abs): remove mesa 24.2 fix as it has been fixed upstream. --- apparmor.d/abstractions/base.d/complete | 6 ------ 1 file changed, 6 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3b5ecaf41..230e0c9d5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -23,12 +23,6 @@ @{etc_rw}/localtime r, /etc/locale.conf r, - # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. - # They are not closed and get inherited by child programs. Denying it can cause - # crash, so we are allowing it globally while the issue is beeing fixed in mesa. - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, - @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, From c1bea69cbf1c062a1aa501867a0dbf22774681e1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:10:08 +0100 Subject: [PATCH 105/977] feat(profile): minor gnome improvments. --- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- apparmor.d/groups/gnome/nautilus | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 91f49c219..cfb40f5c4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -90,10 +90,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index cf5c0a855..7bb34e52f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -53,7 +53,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{run}/user/@{uid}/gsconnect/ w, + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 890e5b34e..7e25ee08c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -108,6 +108,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, From 8912aaf12695b4b2278d471db76cbbe4fcf7e1bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 00:55:52 +0100 Subject: [PATCH 106/977] feat(profile): general update. --- apparmor.d/groups/gvfs/gvfsd-sftp | 1 + apparmor.d/groups/pacman/mkinitcpio | 1 + apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/procps/htop | 95 +++++++++++------------ apparmor.d/groups/procps/uptime | 2 + apparmor.d/groups/ssh/ssh | 10 ++- apparmor.d/groups/ssh/ssh-sk-helper | 2 +- apparmor.d/groups/systemd/busctl | 6 +- apparmor.d/groups/systemd/systemd-analyze | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/transmission | 1 + apparmor.d/profiles-s-z/wpa-cli | 2 +- 12 files changed, 67 insertions(+), 59 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index cabee57c2..157af621c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -19,6 +19,7 @@ profile gvfsd-sftp @{exec_path} { @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index ed91f6c9c..8c92421f1 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -49,6 +49,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, + @{bin}/sync rPx, @{lib}/initcpio/busybox rix, @{lib}/initcpio/post/** rix, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 16a8171ca..327af130f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -135,8 +135,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 08b58ebd2..c720929f3 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -20,10 +20,10 @@ profile htop @{exec_path} { network netlink raw, - signal (send), - signal (receive) set=(hup) peer=gnome-terminal-server, + signal send, + signal receive set=hup peer=gnome-terminal-server, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -38,51 +38,6 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, - owner @{PROC}/@{pid}/smaps_rollup r, - - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, @@ -129,8 +84,52 @@ profile htop @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + @{PROC}/ r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/wchan r, + + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/comm r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, + owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/procps/uptime b/apparmor.d/groups/procps/uptime index 904ebe415..3da204a38 100644 --- a/apparmor.d/groups/procps/uptime +++ b/apparmor.d/groups/procps/uptime @@ -15,6 +15,8 @@ profile uptime @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/@{int} r, + @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 69f594f7a..0c86919b1 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -13,19 +13,20 @@ profile ssh @{exec_path} { include include - signal (receive) set=(term) peer=gnome-keyring-daemon, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=term peer=gnome-keyring-daemon, + signal send set=hup peer=unconfined, + @{exec_path} mrix, @{bin}/@{shells} rUx, - @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, + @{lib}/{,ssh/}ssh-sk-helper rPx, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, @@ -42,8 +43,9 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16}, owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index d913e2a2d..c8c29dbaf 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/ssh/ssh-sk-helper +@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 826405d2d..765758771 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -20,11 +20,11 @@ profile busctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace (read), + ptrace read, - unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, - signal (send) set=(cont) peer=child-pager, + signal send set=cont peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 039f8dc64..7310586e8 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -61,6 +61,7 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 41219a4f8..ef516a7d6 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -44,9 +44,10 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/pressure/* r, @{PROC}/@{pid}/net/unix r, + @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 2a39981df..ad219f1ab 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -59,6 +59,7 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c9987fa01..3920a21df 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -13,7 +13,7 @@ profile wpa-cli @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}/wpa_action rPx, + @{bin}/wpa_action rPx, /etc/inputrc r, From 360c009a6797a49bd55b4b0eb851400dc3e070e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 21:17:57 +0100 Subject: [PATCH 107/977] fix: add missing desktop abs to gcr-prompter see #404 --- apparmor.d/groups/gnome/gcr-prompter | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index a1e323c87..6bcbd1cc0 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include + include @{exec_path} mr, From 7c49a45cbb170c4c3dba27dc47dedfbdd0d42734 Mon Sep 17 00:00:00 2001 From: c-jaenicke <72254270+c-jaenicke@users.noreply.github.com> Date: Sat, 22 Feb 2025 14:56:18 +0100 Subject: [PATCH 108/977] fix regex on line 65, missing star --- apparmor.d/groups/pacman/mkinitcpio | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 8c92421f1..f1d4818ef 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -62,7 +62,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,*} r, + /etc/modprobe.d/{,**} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, From 6ea379eecde880ce45b5e9d9b8387efbf0b7e959 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 21 Feb 2025 21:30:05 +0100 Subject: [PATCH 109/977] chore: remove deprecated golangci config. --- .golangci.yaml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 .golangci.yaml diff --git a/.golangci.yaml b/.golangci.yaml deleted file mode 100644 index 7718ccda2..000000000 --- a/.golangci.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -linters-settings: - staticcheck: - checks: ["all", "-SA1019" ] From 898066c76c409852ea57d3b9a383044c09868894 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 22 Feb 2025 22:56:40 +0100 Subject: [PATCH 110/977] refractor: add new polkit group. --- apparmor.d/{profiles-m-r => groups/polkit}/pkexec | 0 apparmor.d/{profiles-m-r => groups/polkit}/pkttyagent | 0 apparmor.d/groups/{freedesktop => polkit}/polkit-agent-helper | 0 apparmor.d/groups/{freedesktop => polkit}/polkitd | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/{profiles-m-r => groups/polkit}/pkexec (100%) rename apparmor.d/{profiles-m-r => groups/polkit}/pkttyagent (100%) rename apparmor.d/groups/{freedesktop => polkit}/polkit-agent-helper (100%) rename apparmor.d/groups/{freedesktop => polkit}/polkitd (100%) diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/groups/polkit/pkexec similarity index 100% rename from apparmor.d/profiles-m-r/pkexec rename to apparmor.d/groups/polkit/pkexec diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/groups/polkit/pkttyagent similarity index 100% rename from apparmor.d/profiles-m-r/pkttyagent rename to apparmor.d/groups/polkit/pkttyagent diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper similarity index 100% rename from apparmor.d/groups/freedesktop/polkit-agent-helper rename to apparmor.d/groups/polkit/polkit-agent-helper diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/polkit/polkitd similarity index 100% rename from apparmor.d/groups/freedesktop/polkitd rename to apparmor.d/groups/polkit/polkitd From e9b022a9a1711bc94bd531a2c632e7df7e17f347 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 12:47:22 +0100 Subject: [PATCH 111/977] fix: ensure sync is not inherited fix #670 --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 18ba854d5..97a9446aa 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -22,7 +22,7 @@ @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep -@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true +@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes # Python interpreters From 8a381b2f6babcf429ba2edb7dcb25d772d9dbeab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 18:13:16 +0100 Subject: [PATCH 112/977] feat(profile): various update for ubuntu. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/apt/apt-methods-gpgv | 1 + apparmor.d/groups/apt/dpkg | 1 - apparmor.d/groups/apt/dpkg-preconfigure | 6 ++++++ apparmor.d/groups/filesystem/lvm | 1 + apparmor.d/groups/firewall/firewalld | 2 +- apparmor.d/groups/polkit/polkitd | 1 + apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/utils/login | 3 ++- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 1 + apparmor.d/profiles-m-r/mkinitramfs | 11 +++++++---- apparmor.d/profiles-m-r/needrestart | 2 +- apparmor.d/profiles-m-r/run-parts | 6 ++++++ 13 files changed, 29 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index c0545f2ec..cbf1c4f9f 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -53,6 +53,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, + @{python_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 4b2a15773..f4e77fa4d 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -84,6 +84,7 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index dd87414bf..6d47e748b 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -37,7 +37,6 @@ profile dpkg @{exec_path} { @{pager_path} rPx -> child-pager, # Package maintainer's scripts - # Move it to a child profile once more transitions will be available /var/lib/dpkg/info/*.{config,templates} rPUx, /var/lib/dpkg/info/*.{preinst,postinst} rPUx, /var/lib/dpkg/info/*.{prerm,postrm} rPUx, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 94b7603fa..30fc78445 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -23,14 +23,17 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/{,e}grep rix, @{bin}/{,g,m}awk rix, @{bin}/cat rix, + @{bin}/debconf-escape rix, @{bin}/dialog rix, @{bin}/expr rix, @{bin}/locale rix, + @{bin}/readlink rix, @{bin}/sed rix, @{bin}/sort rix, @{bin}/stty rix, @{bin}/tr rix, + @{bin}/findmnt rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/apt-extracttemplates rPx, @{bin}/whiptail rPx, @@ -40,9 +43,12 @@ profile dpkg-preconfigure @{exec_path} { /etc/debconf.conf r, /etc/default/grub r, + /etc/default/mdadm r, /etc/inputrc r, /etc/locale.gen r, + /etc/mdadm/mdadm.conf r, /etc/shadow r, + /etc/ssh/sshd_config r, /var/lib/locales/supported.d/{,*} r, diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index cff4ce186..75cd0de80 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -23,6 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), + mqueue getattr type=posix /, mqueue r type=posix /, @{exec_path} rm, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 123dff77f..6d84dfe47 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -40,7 +40,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rix, @{bin}/modprobe rix, @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 9b3db683f..649fe9ceb 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -53,6 +53,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index dc80b17a4..273b68fc5 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -108,7 +108,7 @@ profile snapd @{exec_path} { /etc/modules-load.d/*snap* rw, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} r, + /etc/systemd/user/{,**/} rw, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index a4d1b8cd2..f83c1687e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -59,12 +59,13 @@ profile login @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/motd.legal-displayed rw, + @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, - @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e5c739bd5..fb9b75824 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { capability fsetid, @{exec_path} mr, + @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 6585f6382..c377889c8 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, - @{lib}64/ r, + @{bin}/ r, + @{lib}/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -43,6 +42,7 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @@ -60,6 +60,7 @@ profile mkinitramfs @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, + @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @@ -108,6 +109,8 @@ profile mkinitramfs @{exec_path} { include @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mr, + @{lib}/ld-linux.so* mr, @{sh_path} rix, @{bin}/kmod mr, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 41d327f93..397646c5e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -84,7 +84,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability net_admin, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..d0ecbbd9e 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -38,6 +38,7 @@ profile run-parts @{exec_path} { /etc/anacrontab r, /etc/conf.d/snapper{,**} r, /etc/default/* r, + /etc/profile.d/{,**} r, /etc/snapper/configs/root r, # Crontab @@ -159,6 +160,10 @@ profile run-parts @{exec_path} { include include + network inet dgram, + network inet6 dgram, + network netlink raw, + @{sh_path} rix, @{bin}/{e,}grep rix, @{bin}/cat rix, @@ -169,6 +174,7 @@ profile run-parts @{exec_path} { @{bin}/sort rix, @{bin}/tr rix, @{bin}/uname rix, + @{bin}/hostname rPx, @{bin}/snap rPUx, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, From d51826542b37e941824a3ccd594e1f85757155c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 18:13:49 +0100 Subject: [PATCH 113/977] Revert "chore: remove deprecated golangci config." This reverts commit 6ea379eecde880ce45b5e9d9b8387efbf0b7e959. --- .golangci.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .golangci.yaml diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 000000000..7718ccda2 --- /dev/null +++ b/.golangci.yaml @@ -0,0 +1,5 @@ +--- + +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] From 2f5637bd6587444f46730b52bcd894dafcbdc606 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 18:16:27 +0100 Subject: [PATCH 114/977] feat(profile): improve makepkg. --- apparmor.d/groups/pacman/makepkg | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index d5abc07db..b2c043a6e 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -28,14 +28,20 @@ profile makepkg @{exec_path} { file, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/sudo Cx -> sudo, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/sudo Cx -> sudo, + + deny capability sys_ptrace, + deny ptrace read, profile gpg { include include + include + + network netlink raw, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, From b10f2df5ecc4229368427732bdb5ae975af4aa35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:10:21 +0100 Subject: [PATCH 115/977] doc: add roadmap and prebuilt pages. --- docs/development/build.md | 152 ++++++++++++++++++++++++++++++++++++ docs/development/roadmap.md | 60 ++++++++++++++ mkdocs.yml | 3 + 3 files changed, 215 insertions(+) create mode 100644 docs/development/build.md create mode 100644 docs/development/roadmap.md diff --git a/docs/development/build.md b/docs/development/build.md new file mode 100644 index 000000000..89bf8e89e --- /dev/null +++ b/docs/development/build.md @@ -0,0 +1,152 @@ +--- +title: Building the profiles +--- + +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. + +The build system is fully configurable, general usage can be seen with: +```sh +go run ./cmd/prebuild -h +``` + +``` +aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. + +Prepare tasks: + configure - Set distribution specificities + setflags - Set flags on some profiles + fsp - Configure AppArmor for full system policy + merge - Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + overwrite - Overwrite dummy upstream profiles + synchronise - Initialize a new clean apparmor.d build directory + ignore - Ignore profiles and files from: + systemd-default - Configure systemd unit drop in files to a profile for some units + systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + +Build tasks: + abi3 - Convert all profiles from abi 4.0 to abi 3.0 + attach - Re-attach disconnected path + complain - Set complain flag on all profiles + enforce - All profiles have been enforced + fsp - Prevent unconfined transitions in profile rules + hotfix - Temporary fix for #74, #80 & #235 + userspace - Resolve variable in profile attachments + +Directive: + #aa:dbus own bus= name= [interface=AARE] [path=AARE] + #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:exec [P|U|p|u|PU|pu|] profiles... + #aa:only filters... + #aa:exclude filters... + #aa:stack [X] profiles... +``` + +## Prepare Tasks + +### **`synchronise`** + +Initialize a new clean `apparmor.d` build directory in `.build/`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`ignore`** + +Ignore profiles and files as defined in the `dist/ignore` directory. See [workflow](workflow.md#ignore-profiles). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`merge`** + +Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`configure`** + +Set distribution specificities as defined in [`pkg/prebuild/prepare/configure.go`](https://github.com/roddhjav/apparmor.d/blob/main/pkg/prebuild/prepare/configure.go) + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`setflags`** + +Set flags on profiles as defined in the [flags manifest](workflow.md#profile-flags). + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`overwrite`** + +Overwrite (dummy) upstream profiles as defined in `dist/overwrite`. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-default`** + +Install systemd unit drop in files from `systemd/default`. They configure the various dbus daemon to use specific profiles. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`systemd-early`** + +Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more. + +*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`* + +### **`fsp`** + +Configure AppArmor for full system policy. + +*Enable with the `--full` option in the prebuild command.* + + +## Build Tasks + +### **`abi3`** + +This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not supported by `abi/3.0` are commented in the build profiles. + +*Enable with the `--abi 3` option in the prebuild command.* + +### **`complain | enforce`** + +Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as CTF or (very) high security VM. + +*Enable with the `--complain` or `--enforce` option in the prebuild command.* + +### **`userspace`** + +Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that does not support identical variable in the profiles attachments. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`attach`** + +This task reattaches disconnected paths. See [#559](https://github.com/roddhjav/apparmor.d/issues/559): + +- Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag +- Add the attached/base abstraction in the profile +- For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` + +*Enabled when abi >= 4.0* + +### **`hotfix`** + +Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server. + +*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* + +### **`fsp`** + +Prevent unconfined transitions in profile rules. + +*Enable with the `--full` option in the prebuild command.* diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md new file mode 100644 index 000000000..e8a047a03 --- /dev/null +++ b/docs/development/roadmap.md @@ -0,0 +1,60 @@ +--- +title: Roadmap +--- + +## Toward a stable release + +This is the current list of features that must be implemented to get to a stable release + +- [ ] **Play machine** + +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups such that + - [ ] New simplified build system to generate the packages with profile dependencies check + +- [ ] **Tests** + - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) + - [ ] Small integration tests for all core profiles (see [tests/integration](integration.md)) + +- [ ] **Documentation** + - [ ] Initial draft of the security model and goal + - [ ] General documentation improvements + +- [ ] **General improvements** + - [ ] Provide a proper fix for #74, #80 & #235 + - [ ] The apt/dpkg profiles needs to be reworked + +## Next features + +- [ ] **Conditions** + - [ ] Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: `Gnome | KDE`, `X11 | Wayland`, etc. + - [ ] Create a new `aa-config` tool, similar to seboolean, to manage various settings, based on conditions. + +- [ ] **User Data** + - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. + - [ ] Add a prompt listener to handle the user data access. + +- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** + - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing + - [ ] Remove the `default` profile + +## Done + +**Abstractions** + +- [x] New `audio-client` and `audio-server` abstractions +- [x] New desktop agnostic `desktop` abstraction for all common access for any GUI app. +- [x] New `graphics` abstraction, hardware-agnostic. Fully replace and restrict the old `opencl` abstractions +- [x] All new abstractions are documented in the [abstractions](abstractions.md) page + +**Dbus** + +- [x] New `dbus-{system,session,accessibility}` profiles. Works regardless of the dbus implementation in use. +- [x] New talk directive: Allow the application to talk to session services. (send to) +- [x] New own directive: Allow the application to own session services under the given name. (receive, send, bind) +- [x] New `bus-{system,session,accessibility}` abstraction to be used in the profiles + +**Directives** + +- [x] Add directive. See the [directive](directives.md) page + diff --git a/mkdocs.yml b/mkdocs.yml index 9390b3dde..ed14108a8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -152,6 +152,7 @@ nav: - recovery.md - Development: - development/index.md + - development/roadmap.md - Profiles: - development/workflow.md - development/guidelines.md @@ -160,6 +161,8 @@ nav: - development/directives.md - development/dbus.md - development/recommendations.md + - Packages: + - development/build.md - Tests: - development/tests.md - development/integration.md From 7bc248577ac391fbdcb69cdaf7f758597a0b0223 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:13:21 +0100 Subject: [PATCH 116/977] feat(profile): small improvment with systemd. --- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/busctl | 15 ++++++++------- apparmor.d/groups/systemd/networkctl | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 2 ++ apparmor.d/groups/systemd/systemd-networkd | 1 + apparmor.d/groups/systemd/systemd-sulogin-shell | 2 +- .../groups/systemd/systemd-tty-ask-password-agent | 4 ++++ 8 files changed, 20 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index c7bb7b19f..28c2851fa 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -43,6 +43,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/class/tpmrm/ r, + @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 765758771..8b32b348f 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -39,13 +39,14 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index ce81686ae..0163f2258 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -50,6 +50,8 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2e841dc51..b26dabae7 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -34,6 +34,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted / r, @{bin}/* r, /opt/** r, + @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index f7e0af838..f558e57e7 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -27,6 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, + mqueue getattr type=posix /, mqueue r type=posix /, unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, @@ -95,6 +96,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 0ca507140..619ca9dbb 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -72,6 +72,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index 094366391..d28531e56 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} { +profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 4c57d0200..71c5a1503 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -25,7 +25,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + + @{run}/user/@{uid}/ w, + @{run}/user/@{uid}/systemd/ w, @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/utmp rk, @{PROC}/@{pids}/stat r, From 644f6b74aab62c4f20b7101a766e20442bf7668f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:15:09 +0100 Subject: [PATCH 117/977] feat(profile): improve some core profiles. --- apparmor.d/groups/utils/blockdev | 2 +- apparmor.d/groups/utils/losetup | 11 ++++++++--- apparmor.d/groups/utils/sulogin | 6 +++--- apparmor.d/groups/virt/virtnodedevd | 9 +++++---- apparmor.d/profiles-a-f/dmsetup | 1 + apparmor.d/profiles-g-l/hostname | 1 + 6 files changed, 19 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 88059a4c5..96e3ad23f 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index fd2472dce..bb0ac6c74 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup @@ -10,18 +10,23 @@ include profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index 556808aeb..ccf7216e0 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -9,9 +9,12 @@ include @{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 0b48d63fd..957164e85 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -52,6 +52,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/+thunderbolt:* r, @@ -73,14 +74,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index d532bb8cf..b5a1f3ab7 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dmsetup profile dmsetup @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 326d156ef..ac2ceb6e2 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -16,6 +16,7 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, From 81ecce1ef7a63de5e9be21fd79f8448abc117ac0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:17:49 +0100 Subject: [PATCH 118/977] fix(build): test in directive. --- pkg/prebuild/directive/exec_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 5581d7f2b..255d9a237 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, From 972ae950e41a5091375dcbfff21259e2a279282c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 20:53:49 +0100 Subject: [PATCH 119/977] build: improve the dbus directive. - Support for additional interfaces: += - Restrict the generated dbus rules - Add the required unix bind rule. --- pkg/prebuild/directive/core_test.go | 12 +- pkg/prebuild/directive/dbus.go | 187 ++++++++++++++++++---------- pkg/prebuild/directive/dbus_test.go | 131 ++++++++++--------- 3 files changed, 199 insertions(+), 131 deletions(-) diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index faf39df4b..229dda630 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: nil, + file: paths.New("dbus"), match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", @@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: nil, + File: paths.New("dbus"), Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: nil, + file: paths.New("only"), match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: nil, + File: paths.New("only"), Raw: " #aa:only opensuse", }, }, @@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: nil, + file: paths.New("dummy"), profile: ` `, want: ` `, }, { name: "present", - file: nil, + file: paths.New("fake-own"), profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index a1135d675..4a9030505 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -21,11 +21,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var defaultInterfaces = []string{ - "org.freedesktop.DBus.Properties", - "org.freedesktop.DBus.ObjectManager", -} - type Dbus struct { prebuild.Base } @@ -43,15 +38,6 @@ func init() { ) } -func setInterfaces(rules map[string]string) []string { - interfaces := []string{rules["name"]} - if _, present := rules["interface"]; present { - interfaces = append(interfaces, rules["interface"]) - } - interfaces = append(interfaces, defaultInterfaces...) - return interfaces -} - func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules @@ -59,11 +45,15 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { if err != nil { return "", err } + name := opt.File.Base() + if len(name) > 15 { + name = name[:15] + } switch action { case "own": - r = d.own(opt.ArgMap) + r = d.own(opt.ArgMap, name) case "talk": - r = d.talk(opt.ArgMap) + r = d.talk(opt.ArgMap, name) } aa.IndentationLevel = strings.Count( @@ -103,63 +93,132 @@ func (d Dbus) sanityCheck(opt *Option) (string, error) { return action, nil } -func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} - res = append(res, &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }) - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `":1.@{int}"`, - }) +func getInterfaces(rules map[string]string) []string { + var interfaces []string + if _, present := rules["interface"]; present { + interfaces = []string{rules["interface"]} + } else { + interfaces = []string{rules["name"]} } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, - }) + + if _, present := rules["interface+"]; present { + interfaces = append(interfaces, rules["interface+"]) } - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `":1.@{int}"`, - }) + return interfaces +} + +func (d Dbus) own(rules map[string]string, name string) aa.Rules { + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Unix{ + Access: []string{"bind"}, Type: "stream", + Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], + }, + &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }, + } + + // Interfaces + for _, iface := range interfaces { + res = append(res, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"@{busname}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) + } + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"@{busname}"`, + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) return res } -func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} +func (d Dbus) talk(rules map[string]string, name string) aa.Rules { + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Unix{ + Access: []string{"bind"}, Type: "stream", + Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], + }, + } + + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], - }) - } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }) } + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.ObjectManager + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + ) return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 65e55e785..f2d4997e4 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -6,31 +6,35 @@ package directive import ( "testing" + + "github.com/roddhjav/apparmor.d/pkg/paths" ) -const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` unix bind type=stream addr=@@{udbus}/bus/fake-own/system, + + dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), + peer=(name="@{busname}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),` + peer=(name="@{busname}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { @@ -50,7 +54,7 @@ func TestDbus_Apply(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.freedesktop.systemd1"}, - File: nil, + File: paths.New("fake-own"), Raw: " #aa:dbus own bus=system name=org.freedesktop.systemd1", }, profile: " #aa:dbus own bus=system name=org.freedesktop.systemd1", @@ -61,45 +65,47 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.dingextension", - "interface": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.ding", + "interface+": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, - File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, + File: paths.New("fake-interface"), + Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", - want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + want: ` unix bind type=stream addr=@@{udbus}/bus/fake-interface/session, + + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),`, + peer=(name="@{busname}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),`, }, { name: "talk", @@ -112,28 +118,31 @@ func TestDbus_Apply(t *testing.T) { "talk": "", }, ArgList: []string{"talk", "bus=system", "name=org.freedesktop.Accounts", "label=accounts-daemon"}, - File: nil, + File: paths.New("gdm-session-worker"), Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, }, } for _, tt := range tests { From 6ebbb31589f908ed2e37669104429ef721dd9243 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 21:06:41 +0100 Subject: [PATCH 120/977] feat(profile): dbus directive use the new interface+= --- apparmor.d/groups/gnome/gnome-calculator-search-provider | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2eaacdefb..da03ed665 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,7 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9ae8a7b8a..9511e781f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -15,7 +15,7 @@ profile gnome-characters @{exec_path} { include include - #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 068469606..72833a065 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -32,8 +32,8 @@ profile gnome-extension-ding @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 84f6b15c8..89769477a 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -29,7 +29,7 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index d96c20c36..55a7f4687 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} { ptrace (read) peer=htop, ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 7e25ee08c..3a7fdd4f4 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 02237d932..40d938a63 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -28,7 +28,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index c1058c158..7f50d8b45 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1b5f74ae3..3f2fb0138 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index f2b534635..dd03254b1 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,7 +16,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index d71b71523..6fbbc6092 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -15,7 +15,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index ccbe15fd1..4ed214b71 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -29,7 +29,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session From a793e711e5789097114bd4b72e85371a472ef05a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 23 Feb 2025 22:18:38 +0100 Subject: [PATCH 121/977] fix(profile): dbus rule malformed. --- apparmor.d/groups/bus/dbus-session | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index f87e71c81..cc6b33f61 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -30,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} dbus receive bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello From 161078ed900493f028e06ffc7efc3c5f816374d6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 13:18:19 +0100 Subject: [PATCH 122/977] tests: move common cloud-init config to a unified file, rename some base distribution. --- .../cloud-init/archlinux-cosmic.user-data.yml | 15 -------- .../cloud-init/archlinux-gnome.user-data.yml | 15 -------- tests/cloud-init/archlinux-kde.user-data.yml | 15 -------- .../cloud-init/archlinux-server.user-data.yml | 15 -------- tests/cloud-init/archlinux-xfce.user-data.yml | 15 -------- tests/cloud-init/common.yml | 17 +++++++++ ...-data.yml => debian12-gnome.user-data.yml} | 15 -------- ...er-data.yml => debian12-kde.user-data.yml} | 15 -------- ...data.yml => debian12-server.user-data.yml} | 15 -------- tests/cloud-init/opensuse-gnome.user-data.yml | 15 -------- tests/cloud-init/opensuse-kde.user-data.yml | 15 -------- .../cloud-init/opensuse-server.user-data.yml | 36 +++++++++++++++++++ .../cloud-init/ubuntu22-desktop.user-data.yml | 15 -------- .../cloud-init/ubuntu24-desktop.user-data.yml | 17 --------- .../cloud-init/ubuntu24-server.user-data.yml | 15 -------- 15 files changed, 53 insertions(+), 197 deletions(-) create mode 100644 tests/cloud-init/common.yml rename tests/cloud-init/{debian-gnome.user-data.yml => debian12-gnome.user-data.yml} (74%) rename tests/cloud-init/{debian-kde.user-data.yml => debian12-kde.user-data.yml} (68%) rename tests/cloud-init/{debian-server.user-data.yml => debian12-server.user-data.yml} (73%) create mode 100644 tests/cloud-init/opensuse-server.user-data.yml diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index d95381b96..70d446076 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index a2a3d78b8..1fa1c9c1d 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index eea5df046..5953eab2e 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index 4a7f17374..e0edaca16 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 07d87364b..e9f4a78a6 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: # Install core packages - apparmor diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml new file mode 100644 index 000000000..ac619c879 --- /dev/null +++ b/tests/cloud-init/common.yml @@ -0,0 +1,17 @@ +#cloud-config + +hostname: ${hostname} + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false diff --git a/tests/cloud-init/debian-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml similarity index 74% rename from tests/cloud-init/debian-gnome.user-data.yml rename to tests/cloud-init/debian12-gnome.user-data.yml index 1c48eb2e9..5ce6cedf5 100644 --- a/tests/cloud-init/debian-gnome.user-data.yml +++ b/tests/cloud-init/debian12-gnome.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/debian-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml similarity index 68% rename from tests/cloud-init/debian-kde.user-data.yml rename to tests/cloud-init/debian12-kde.user-data.yml index e644414fa..451068db1 100644 --- a/tests/cloud-init/debian-kde.user-data.yml +++ b/tests/cloud-init/debian12-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/debian-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml similarity index 73% rename from tests/cloud-init/debian-server.user-data.yml rename to tests/cloud-init/debian12-server.user-data.yml index 47e4d832d..aef29f579 100644 --- a/tests/cloud-init/debian-server.user-data.yml +++ b/tests/cloud-init/debian12-server.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 5e5b197bc..406b4445d 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - bash-completion diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 5e5b197bc..406b4445d 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - bash-completion diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml new file mode 100644 index 000000000..7699fb074 --- /dev/null +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -0,0 +1,36 @@ +#cloud-config + +packages: + - apparmor-profiles + - bash-completion + - distribution-release + - git + - go + - golang-packaging + - htop + - make + - rpmbuild + - rsync + - vim + +write_files: + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu22-desktop.user-data.yml index 75dc6349d..5f4dc69f5 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu22-desktop.user-data.yml @@ -2,21 +2,6 @@ # Based on https://github.com/canonical/autoinstall-desktop -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - build-essential diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 9f7225367..7a71b0afe 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -2,23 +2,6 @@ # Based on https://github.com/canonical/autoinstall-desktop -# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md - -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - build-essential diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 96318214c..8e9c7bd38 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml @@ -1,20 +1,5 @@ #cloud-config -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd From d8d4ec11a611c153bae2f68aec69a7aa02c64298 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 14:20:35 +0100 Subject: [PATCH 123/977] feat(profile): systemd-networkd: update cap. --- apparmor.d/groups/systemd/systemd-networkd | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 619ca9dbb..20b396a72 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -14,10 +14,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, + capability sys_admin, network inet dgram, network inet6 dgram, @@ -61,12 +63,14 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/fs/cgroup/ r, + @{sys}/kernel/btf/vmlinux r, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, From 835b73f64e72e8c81542ea4f9ea937cbf54b0b0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 14:27:55 +0100 Subject: [PATCH 124/977] build: prepare apparmor 4.1 Split upstreamed and non upstreamed tunable so that it easy to ignore the upstreamed version on apparmor 4.1. --- apparmor.d/tunables/multiarch.d/base | 93 ++++++++++++++++++++++++++ apparmor.d/tunables/multiarch.d/system | 92 ------------------------- 2 files changed, 93 insertions(+), 92 deletions(-) create mode 100644 apparmor.d/tunables/multiarch.d/base diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base new file mode 100644 index 000000000..9661b1e51 --- /dev/null +++ b/apparmor.d/tunables/multiarch.d/base @@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base variables, upstreamed in apparmor 4.1 + +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters +@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} +@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Any x digits characters +@{int2}=@{d}@{d} +@{int4}=@{int2}@{int2} +@{int6}=@{int4}@{int2} +@{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} +@{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} +@{int16}=@{int8}@{int8} +@{int32}=@{int16}@{int16} +@{int64}=@{int32}@{int32} + +# Any x hexadecimal characters +@{hex2}=@{h}@{h} +@{hex4}=@{hex2}@{hex2} +@{hex6}=@{hex4}@{hex2} +@{hex8}=@{hex4}@{hex4} +@{hex9}=@{hex8}@{h} +@{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} +@{hex15}=@{hex8}@{hex4}@{hex2}@{h} +@{hex16}=@{hex8}@{hex8} +@{hex32}=@{hex16}@{hex16} +@{hex38}=@{hex32}@{hex6} +@{hex64}=@{hex32}@{hex32} + +# Any x alphanumeric characters +@{rand2}=@{c}@{c} +@{rand4}=@{rand2}@{rand2} +@{rand6}=@{rand4}@{rand2} +@{rand8}=@{rand4}@{rand4} +@{rand9}=@{rand8}@{c} +@{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} +@{rand16}=@{rand8}@{rand8} +@{rand32}=@{rand16}@{rand16} +@{rand64}=@{rand32}@{rand32} + +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 4e8b1bc11..a2f99a2ec 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -2,98 +2,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Base variables -# -------------- - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} -@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} -@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand32}@{rand32} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} - - # System Paths # ------------ From fa6c37a7ab1cdbe94340ee50d857552c5415effd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:04:18 +0100 Subject: [PATCH 125/977] doc: update integration tests section. --- docs/development/integration.md | 136 +++----------------------------- docs/development/internal.md | 10 ++- docs/development/tests.md | 38 +++++++-- docs/development/vm.md | 112 ++++++++++++++++++++++++++ mkdocs.yml | 1 + 5 files changed, 161 insertions(+), 136 deletions(-) create mode 100644 docs/development/vm.md diff --git a/docs/development/integration.md b/docs/development/integration.md index 15f939cdd..de60c8c47 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -2,147 +2,33 @@ title: Integration Tests --- -!!! danger "Work in Progress" - The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. +Although the integration test suite is intended to be run in a [Development VM](vm.md), it is also deployed the GitHub Action pipeline. + **Workflow** 1. Create a testing VM -2. Start the VM, do some dev -3. Run the integration tests against the testing VM -4. Ensure no new logs have been raised +2. Run the integration tests against the testing VM +3. Ensure no new logs have been raised - -## Test Virtual Machines - -The test VMs are built using [`cloud-init`][cloud-init] (when available), [`packer`][packer], and [`vagrant`][vagrant] on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. - -[cloud-init]: https://cloud-init.io/ -[packer]: https://www.packer.io/ -[vagrant]: https://www.vagrantup.com/ - -### Requirements - -* docker -* [packer] -* [vagrant] -* vagrant plugin install vagrant-libvirt - -!!! note - - You may need to edit some settings to fit your setup: - - - The libvirt configuration in `tests/Vagrantfile` - - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` - -### Build - -**Build an image** - -To build a VM image for development purpose, run the following from the `tests` directory: - -| Distribution | Flavor | Build command | VM name | -|:------------:|:------:|:-------------:|:-------:| -| Arch Linux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | -| Arch Linux | KDE | `make archlinux flavor=kde` | `arch-kde` | -| Debian | Server | `make debian flavor=server` | `debian-server` | -| openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | -| Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | -| Ubuntu | Desktop | `make ubuntu flavor=desktop` | `ubuntu-desktop` | - -**VM management** - -The development workflow is done through vagrant: - -* Star a VM: `vagran up ` -* Shutdown a VM: `vagrant halt ` -* Reboot a VM: `vagrant reload ` - -The available VM `name` is defined in the `tests/boxes.yml` file - - -### Develop - -**Credentials** - -The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. - -**Directories** - -All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. apparmor.d is mounted as `/home/user/Projects/apparmor.d` - -**Usage** - -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. - - -## Tests - -!!! warning - - The test suite is expected to be run in a [VM](#test-virtual-machines) - -### Getting started +## Getting started Prepare the test environment: ```sh -cd tests -make flavor= -AA_INTEGRATION=true vagrant up +just img +just vm ``` Run the integration tests on the test VM: ```sh -make integration box= IP= +just integration ``` -### Create integration tests +## Create integration tests -**Test suite usage** +All integration tests are written in [Bats](https://github.com/bats-core/bats-core) and are located in the `tests/integration` directory. The initial tests have been generated using [tldr page](https://tldr.sh/) with the following command: -Initialise the tests with: ```sh -./aa-test --bootstrap -``` - -List the tests scenarios to be run -```sh -./aa-test --list -``` - -Start the tests and collect the results -```sh -./aa-test --run -``` - -**Tests manifest** - -A basic set of test is generated on initialization. More tests can be manually written in yaml file. They must have the following structure: - -```yaml -- name: acpi - profiled: true - root: false - require: [] - arguments: {} - tests: - - dsc: Show battery information - cmd: acpi - stdin: [] - - dsc: Show thermal information - cmd: acpi -t - stdin: [] - - dsc: Show cooling device information - cmd: acpi -c - stdin: [] - - dsc: Show thermal information in Fahrenheit - cmd: acpi -tf - stdin: [] - - dsc: Show all information - cmd: acpi -V - stdin: [] - - dsc: Extract information from `/proc` instead of `/sys` - cmd: acpi -p - stdin: [] +go run ./tests/cmd --bootstrap ``` diff --git a/docs/development/internal.md b/docs/development/internal.md index 459f1ad71..c90391b04 100644 --- a/docs/development/internal.md +++ b/docs/development/internal.md @@ -157,12 +157,14 @@ It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and [`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path. -## Re-attached path +## Re-attached path + +**[:material-tag-heart-outline: abi/4.0]("Minimum version")** The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended). It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs. -AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0. +AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provides an important security improvement from AppArmor 3.0. **`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be: @@ -170,7 +172,9 @@ AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this - `@{att}=/` for other profiles -## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)") +## User Confinement + +[:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Full System Policy only (FSP)") !!! warning "TODO" diff --git a/docs/development/tests.md b/docs/development/tests.md index 7fcdf1555..652907155 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -1,15 +1,37 @@ --- -title: Tests suite +title: Overview --- -A full test suite to ensure compatibility across supported distributions and that software is still considered a work in progress. Here is an overview of the current CI jobs: +Misconfigured AppArmor profiles is one of the most effective ways to break someone's system. This section present the various tests applied to the profiles as well as their current stage of deployment. -**On Gitlab CI** +**Current** -- Packages build for all supported distributions -- Profiles preprocessing verification for all supported distributions -- Go based command linting, coverage, and unit tests +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` + - Build the profiles for all supported distributions. + - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. + - Ensure the profile entry point (`@{exec_path}`) is defined. -**On Github Action** +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: + - Ensure apparmor.d header & licence + - Ensure 2 spaces indentation + - Ensure local include for profile and subprofiles + - Ensure abi 4 is used + - Ensure modern profile naming + - Ensure `vim:syntax=apparmor` -- Integration test on the ubuntu-latest VM: run a simple list of tasks with all the rules enabled and ensure no new issue has been raised. Github Action is used as it offers direct access to a VM with AppArmor included. +- [x] **[Integration Tests:](integration.md)** `make integration` + - Run simple CLI commands to ensure no logs are raised. + - Uses the [bats](https://github.com/bats-core/bats-core) test system. + - Run in the Github Action as well as in all local [test VM](vm.md). + +**Plan** + +For more complex software suite, more integration tests need to be done. The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles. + +- [ ] Systemd + - They use mkosi to generate a VM image to run their own integration tests. + - See https://www.codethink.co.uk/articles/2024/systemd-integration-testing-part-1/ + +- [ ] Gnome + - They use openQA to run their integration tests. + - See https://gitlab.gnome.org/GNOME/openqa-tests/ diff --git a/docs/development/vm.md b/docs/development/vm.md new file mode 100644 index 000000000..ead82ed0f --- /dev/null +++ b/docs/development/vm.md @@ -0,0 +1,112 @@ +--- +title: Development VM +--- + +To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. + +The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. +The VMs are fully managed using a [justfile](https://github.com/casey/just) that provide an integration environment helper for `apparmor.d`. + +```sh +$ just +``` + +``` +Integration environment helper for apparmor.d + +Available recipes: + default # Show this help message + package dist # Build the apparmor.d package + img dist flavor # Build the image + vm dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + list # List the machines + images # List the machine images + available # List the machine that can be created + integration dist flavor # Run the integration tests on the machine + lint # Run the linters + clean # Remove the machine images + get_ip dist flavor + get_osinfo dist +``` + +## Requirements + +* [docker](https://www.docker.com/) +* [just](https://github.com/casey/just) +* [packer](https://www.packer.io/) +* [libvirt](https://libvirt.org/) +* [qemu](https://www.qemu.org/) + +!!! note + + You may need to edit some settings to fit your setup: + + - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` + +## Build + +One can see the available images by running: + +```sh +$ just available +``` + +``` +Distribution Flavor +archlinux gnome +archlinux kde +archlinux server +archlinux xfce +debian12 gnome +debian12 kde +debian12 server +ubuntu24 server +... +``` + +A VM image can be build with: + +```sh +$ just img archlinux gnome +``` + +The image will then be showed in the list of images: + +```sh +$ just images +``` + +``` +Distribution Flavor Size Date +archlinux gnome 3.3G Mar 1 14:49 +``` + +The VM can then be created with: + +```sh +$ just vm archlinux gnome +``` + +And connected to with: + +```sh +$ just ssh archlinux gnome +``` + +## Develop + +**Credentials** + +The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. + +**Directories** + +All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. The apparmor.d project directory is mounted as `/home/user/Projects/apparmor.d` + +**Usage** + +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. diff --git a/mkdocs.yml b/mkdocs.yml index ed14108a8..153af0d4e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -165,4 +165,5 @@ nav: - development/build.md - Tests: - development/tests.md + - development/vm.md - development/integration.md From 6d5a522dcb03f3f51ae5e9fe39dead9d1dbde447 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:07:10 +0100 Subject: [PATCH 126/977] test(packer): update sources --- tests/packer/init.sh | 5 ++--- tests/packer/src/aa-clean | 4 ++++ tests/packer/src/aa-log-clean | 4 ---- tests/packer/src/aa-update | 2 +- tests/packer/src/monitors.xml | 23 ----------------------- tests/packer/src/parser.conf | 9 +++++++-- 6 files changed, 14 insertions(+), 33 deletions(-) create mode 100644 tests/packer/src/aa-clean delete mode 100644 tests/packer/src/aa-log-clean delete mode 100644 tests/packer/src/monitors.xml diff --git a/tests/packer/init.sh b/tests/packer/init.sh index be9529666..4a189d176 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -17,12 +17,11 @@ readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" + install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean - cat $SRC/parser.conf >>/etc/apparmor/parser.conf + install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" case "$DISTRIBUTION" in diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean new file mode 100644 index 000000000..a01b9d77e --- /dev/null +++ b/tests/packer/src/aa-clean @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu -o pipefail +rm -vf /var/log/audit/* /var/log/syslog* +touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean deleted file mode 100644 index 9f3ebd818..000000000 --- a/tests/packer/src/aa-log-clean +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -rm -rf /var/log/audit/* -touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 9a326305d..48267d2f0 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eu +set -eu -o pipefail export BUILDDIR=/tmp/build/ diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml deleted file mode 100644 index b17136584..000000000 --- a/tests/packer/src/monitors.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - 0 - 0 - 1 - yes - - - Virtual-1 - RHT - QEMU Monitor - 0x00000000 - - - 1920 - 1080 - 60 - - - - - diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index be8c42560..8651efad1 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,4 +1,9 @@ - +# Turn creating/updating of the cache on by default write-cache -cache-loc /etc/apparmor/earlypolicy/ + +# Enable early policy loads to confine systemd, and services that can not depend +# on the apparmor unit. +cache-loc=/etc/apparmor/earlypolicy/ + +# Adjust compression Optimize=compress-fast From 0b029ec42f55946c13f2a360b21cbf7f6dc5d518 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:10:09 +0100 Subject: [PATCH 127/977] tests(packer): rewrite the way to build the tests images. --- tests/packer/archlinux.pkr.hcl | 39 ----------------- tests/packer/builds.pkr.hcl | 65 +++++++++++++++++++++------- tests/packer/clean.sh | 7 ---- tests/packer/debian.pkr.hcl | 40 ------------------ tests/packer/init.sh | 10 +++-- tests/packer/main.pkr.hcl | 4 -- tests/packer/opensuse.pkr.hcl | 42 ------------------- tests/packer/ubuntu.pkr.hcl | 77 ---------------------------------- tests/packer/variables.pkr.hcl | 68 ++++++++++++++++++------------ 9 files changed, 98 insertions(+), 254 deletions(-) delete mode 100644 tests/packer/archlinux.pkr.hcl delete mode 100644 tests/packer/debian.pkr.hcl delete mode 100644 tests/packer/opensuse.pkr.hcl delete mode 100644 tests/packer/ubuntu.pkr.hcl diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl deleted file mode 100644 index 06f2ad3a7..000000000 --- a/tests/packer/archlinux.pkr.hcl +++ /dev/null @@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "archlinux" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}-${var.flavor}" - } - ) - } -} diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 7071c3983..151df236e 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -2,24 +2,63 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +locals { + name = "${var.prefix}${var.dist}-${var.flavor}" +} + +source "qemu" "default" { + disk_image = true + iso_url = var.DM[var.dist].img_url + iso_checksum = "file:${var.DM[var.dist].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + cpu_model = "host" + cpus = var.cpus + memory = var.ram + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = pathexpand(var.output) + vm_name = "${local.name}.qcow2" + boot_wait = "10s" + firmware = pathexpand(var.firmware) + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = format("%s\n%s", + templatefile("${path.cwd}/tests/cloud-init/common.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${local.name}" + } + ), + file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + ) + } +} + build { sources = [ - "source.qemu.archlinux", - "source.qemu.debian", - "source.qemu.fedora", - "source.qemu.opensuse", - "source.qemu.ubuntu22", - "source.qemu.ubuntu24", + "source.qemu.default", ] # Upload artifacts provisioner "file" { destination = "/tmp/" sources = [ - "${path.cwd}/packer/src/", - "${path.cwd}/packer/init.sh", - "${path.cwd}/packer/clean.sh", - "${path.cwd}/../.pkg/", + "${path.cwd}/tests/packer/src/", + "${path.cwd}/tests/packer/init.sh", + "${path.cwd}/tests/packer/clean.sh", + "${path.cwd}/.pkg/", ] } @@ -44,13 +83,9 @@ build { ] } - post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" - } - post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" + "mv ${var.output}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", ] } diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index 8459421a1..b7650a1d5 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -56,9 +56,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" pacman -Syu --noconfirm - pacman -Qdtq | while IFS='' read -r pkg; do - pacman -Rsccn --noconfirm "$pkg" - done pacman -Scc --noconfirm } @@ -136,10 +133,6 @@ trim() { truncate --size=0 /swap/swapfile fi - # _msg "Fill root filesystem with 0 to reduce box size" - # dd if=/dev/zero of=/EMPTY bs=1M || true - # rm -f /EMPTY - # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl deleted file mode 100644 index 12d4a513c..000000000 --- a/tests/packer/debian.pkr.hcl +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "debian" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-${var.release.debian.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4a189d176..4e4e1ec99 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -26,6 +26,7 @@ main() { case "$DISTRIBUTION" in arch) + rm -f $SRC/*.sig # Ignore signature files pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; @@ -40,9 +41,12 @@ main() { esac - rm -rf /var/cache/apparmor/* - rm -rf /etc/apparmor/earlypolicy/ - systemctl reload apparmor.service + verb="start" + rm -rf /var/cache/apparmor/* || true + if systemctl is-active -q apparmor; then + verb="reload" + fi + systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index ee13e8f92..d2b1a6dbf 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,9 +8,5 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } - vagrant = { - source = "github.com/hashicorp/vagrant" - version = "~> 1" - } } } diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl deleted file mode 100644 index 46cf4af29..000000000 --- a/tests/packer/opensuse.pkr.hcl +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: Fully automate the creation of the base image - -source "qemu" "opensuse" { - disk_image = true - iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" - iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl deleted file mode 100644 index 3689882ad..000000000 --- a/tests/packer/ubuntu.pkr.hcl +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "ubuntu22" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu22.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/cloud-init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 0361698d6..de83ac659 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,12 +16,6 @@ variable "password" { default = "user" } -variable "ssh_publickey" { - description = "Path to the ssh public key" - type = string - default = "~/.ssh/id_ed25519.pub" -} - variable "cpus" { description = "Default CPU of the VM" type = string @@ -40,22 +34,28 @@ variable "disk_size" { default = "40G" } +variable "ssh_publickey" { + description = "Path to the ssh public key" + type = string + default = "~/.ssh/id_ed25519.pub" +} + variable "iso_dir" { description = "Original ISO file directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/iso" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/base" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF_CODE.fd" + default = "/usr/share/edk2/x64/OVMF.4m.fd" } variable "output" { @@ -70,38 +70,52 @@ variable "prefix" { default = "aa-" } +variable "dist" { + description = "Distribution to target" + type = string + default = "ubuntu24" +} + variable "flavor" { description = "Distribution flavor to use (server, desktop, gnome, kde...)" type = string default = "" } -variable "release" { - description = "Distribution metadata to use" +variable "DM" { + description = "Distribution Metadata to use" type = map(object({ - codename = string - version = string + img_url = string + img_checksum = string })) default = { + "archlinux" : { + img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + }, + "debian12" : { + img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" + } + "debian13" : { + img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + } "ubuntu22" : { - codename = "jammy", - version = "22.04.2", + img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, "ubuntu24" : { - codename = "noble", - version = "24.04", + img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" + }, + "ubuntu25" : { + img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, - "debian" : { - codename = "bookworm", - version = "12", - } "opensuse" : { - codename = "tumbleweed", - version = "", - } - "fedora" : { - codename = "40", - version = "1.14", + img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" + img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" } } } From 1392b078ab9348d35cd6073761694ef574bd06d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 16:15:55 +0100 Subject: [PATCH 128/977] tests: add Justile, used as integration environment helper. --- Justfile | 162 ++++++++++++++++++++++++++++++++++++++++++++++ tests/Makefile | 27 -------- tests/Vagrantfile | 62 ------------------ tests/boxes.yml | 51 --------------- 4 files changed, 162 insertions(+), 140 deletions(-) create mode 100644 Justfile delete mode 100644 tests/Makefile delete mode 100644 tests/Vagrantfile delete mode 100644 tests/boxes.yml diff --git a/Justfile b/Justfile new file mode 100644 index 000000000..7b39fb8a6 --- /dev/null +++ b/Justfile @@ -0,0 +1,162 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Integration environment for apparmor.d +# +# Usage: +# just +# just img ubuntu24 server +# just vm ubuntu24 server +# just up ubuntu24 server +# just ssh ubuntu24 server +# just halt ubuntu24 server +# just destroy ubuntu24 server +# just list +# just images +# just available +# just clean + +base_dir := home_dir() / ".libvirt/base" +vm := home_dir() / ".vm" +output := base_dir / "packer" +disk_size := "15G" +prefix := "aa-" +c := "--connect=qemu:///system" +sshopt := "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +[doc('Show this help message')] +default: + @echo -e "Integration environment helper for apparmor.d\n" + @just --list --unsorted + @echo -e "\nSee https://apparmor.pujol.io/development/vm/ for more information." + +[doc('Build the apparmor.d package')] +package dist: + #!/usr/bin/env bash + set -eu -o pipefail + dist="{{dist}}" + [[ $dist =~ ubuntu* ]] && dist=ubuntu + [[ $dist =~ debian* ]] && dist=debian + make package dist=$dist + +[doc('Build the image')] +img dist flavor: (package dist) + @mkdir -p {{base_dir}} + packer build -force \ + -var dist={{dist}} \ + -var flavor={{flavor}} \ + -var disk_size={{disk_size}} \ + -var prefix={{prefix}} \ + -var base_dir={{base_dir}} \ + -var output={{output}} \ + tests/packer/ + +[doc('Create the machine')] +vm dist flavor: + @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + virt-install {{c}} \ + --import \ + --name {{prefix}}{{dist}}-{{flavor}} \ + --vcpus 6 \ + --ram 4096 \ + --machine q35 \ + --boot uefi \ + --memorybacking source.type=memfd,access.mode=shared \ + --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ + --os-variant "`just get_osinfo {{dist}}`" \ + --graphics spice \ + --audio id=1,type=spice \ + --sound model=ich9 \ + --noautoconsole + +[doc('Start a machine')] +up dist flavor: + @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} + +[doc('Stops the machine')] +halt dist flavor: + @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} + +[doc('Destroy the machine')] +destroy dist flavor: + @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + +[doc('Connect to the machine')] +ssh dist flavor: + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` + +[doc('List the machines')] +list: + @echo -e '\033[1m Id Name State\033[0m' + @virsh {{c}} list --all | grep {{prefix}} + +[doc('List the machine images')] +images: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh {{base_dir}} | awk ' + BEGIN { + printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + } + { + if ($9 ~ /^{{prefix}}.*\.qcow2$/) { + split($9, arr, "-|\\.") + printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) + } + } + ' + +[doc('List the machine that can be created')] +available: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh tests/cloud-init | awk ' + BEGIN { + printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + } + { + if ($9 ~ /^.*\.user-data.yml$/) { + split($9, arr, "-|\\.") + printf("%-18s %s\n", arr[1], arr[2]) + } + } + ' + +[doc('Run the integration tests on the machine')] +integration dist flavor: + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + sudo umount /home/user/Projects/apparmor.d + @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ + @bats --recursive --timing --print-output-on-failure Projects/integration/ + +[doc('Run the linters')] +lint: + @packer fmt packer/ + @packer validate --syntax-only packer/ + +[doc('Remove the machine images')] +clean: + @rm -fv {{base_dir}}/{{prefix}}*.qcow2 + +get_ip dist flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' + +get_osinfo dist: + #!/usr/bin/env python3 + osinfo = { + "archlinux": "archlinux", + "debian12": "debian12", + "debian13": "debian13", + "ubuntu22": "ubuntu22.04", + "ubuntu24": "ubuntu24.04", + "ubuntu25": "ubuntu25.04", + "opensuse": "opensusetumbleweed", + } + print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/tests/Makefile b/tests/Makefile deleted file mode 100644 index 3453ecee8..000000000 --- a/tests/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: -# make archlinux flavor=gnome -# vagrant up arch-gnome -# vagrant ssh archl-gnome - -# Build variables -flavor ?= -disk ?= 10G - -BASE = archlinux debian ubuntu22 ubuntu24 opensuse fedora - -.PHONY: ${BASE} lint - -$(BASE): - @make --directory=../ package dist=${@} - @packer build -force \ - -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@} packer/ - -lint: - @packer fmt --check packer/ - @packer validate --syntax-only packer/ diff --git a/tests/Vagrantfile b/tests/Vagrantfile deleted file mode 100644 index 4bdaac985..000000000 --- a/tests/Vagrantfile +++ /dev/null @@ -1,62 +0,0 @@ -# -*- mode: ruby -*- -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -require 'yaml' - -machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml')) -default = machines['defaults'] - -Vagrant.require_version '>= 2.0.0' - -Vagrant.configure("2") do |config| - - config.ssh.keys_only = true - config.ssh.insert_key = false - config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ] - config.ssh.username = 'user' - - machines['boxes'].each do |instance| - - # Configure the VMs per details in boxes.yml - config.vm.define instance['name'] do |srv| - srv.vm.box = instance['box'] - srv.vm.box_check_update = false - srv.vm.post_up_message = instance.to_yaml - srv.vm.synced_folder '.', '/vagrant', disabled: true - if !ENV['AA_INTEGRATION'] - srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false - end - - # Configure Libvirt provider - srv.vm.provider 'libvirt' do |libvirt| - libvirt.driver = 'kvm' - libvirt.default_prefix = 'aa-' - libvirt.connect_via_ssh = false - libvirt.storage_pool_name = 'ssd' - libvirt.memory = instance.fetch('ram', default['ram']) - libvirt.cpus = instance.fetch('cpu', default['cpu']) - libvirt.cpu_mode = 'host-passthrough' - libvirt.machine_type = 'q35' - libvirt.video_type = 'virtio' - libvirt.graphics_type = 'spice' - libvirt.sound_type = 'ich9' - libvirt.tpm_model = 'tpm-crb' - libvirt.tpm_type = 'emulator' - libvirt.tpm_version = '2.0' - libvirt.random model: 'random' - libvirt.memorybacking 'source', type: 'memfd' - libvirt.memorybacking 'access', mode: 'shared' - libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio' - (1..2).each do - libvirt.redirdev :type => "spicevmc" - end - if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' - end - end - - end - end -end diff --git a/tests/boxes.yml b/tests/boxes.yml deleted file mode 100644 index 3e15fc304..000000000 --- a/tests/boxes.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -defaults: - uefi: true - ram: '3072' - cpu: '6' - -boxes: - - name: arch-gnome - box: aa-archlinux-gnome - uefi: false - - - name: arch-kde - box: aa-archlinux-kde - uefi: false - - - name: arch-xfce - box: aa-archlinux-xfce - uefi: false - - - name: arch-cosmic - box: aa-archlinux-cosmic - uefi: false - - - name: arch-server - box: aa-archlinux-server - uefi: false - - - name: ubuntu22-desktop - box: aa-ubuntu22-desktop - - - name: ubuntu24-desktop - box: aa-ubuntu24-desktop - - - name: ubuntu22-server - box: aa-ubuntu22-server - - - name: ubuntu24-server - box: aa-ubuntu24-server24 - - - name: debian-server - box: aa-debian-server - - - name: debian-gnome - box: aa-debian-gnome - - - name: debian-kde - box: aa-debian-kde - - - name: opensuse-kde - box: aa-opensuse-kde From 4dd78c0087f189a8b678faac9bb4bb1086c85363 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:06:38 +0100 Subject: [PATCH 129/977] tests: improve justfile. --- Justfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Justfile b/Justfile index 7b39fb8a6..79e2c5fd5 100644 --- a/Justfile +++ b/Justfile @@ -20,7 +20,6 @@ base_dir := home_dir() / ".libvirt/base" vm := home_dir() / ".vm" output := base_dir / "packer" -disk_size := "15G" prefix := "aa-" c := "--connect=qemu:///system" sshopt := "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" @@ -46,7 +45,6 @@ img dist flavor: (package dist) packer build -force \ -var dist={{dist}} \ -var flavor={{flavor}} \ - -var disk_size={{disk_size}} \ -var prefix={{prefix}} \ -var base_dir={{base_dir}} \ -var output={{output}} \ @@ -137,8 +135,8 @@ integration dist flavor: [doc('Run the linters')] lint: - @packer fmt packer/ - @packer validate --syntax-only packer/ + @packer fmt tests/packer/ + @packer validate --syntax-only tests/packer/ [doc('Remove the machine images')] clean: @@ -146,6 +144,7 @@ clean: get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' get_osinfo dist: From 80e85769ce83098c88a64be3e0cbe1ba4b61a718 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:09:19 +0100 Subject: [PATCH 130/977] feat(profile): improve gnome profiles. --- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/gnome/deja-dup-monitor | 3 ++- apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-calculator | 2 ++ apparmor.d/groups/gnome/gnome-clocks | 4 ++-- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-extension-gsconnect | 9 ++++++-- apparmor.d/groups/gnome/gnome-initial-setup | 1 + .../groups/gnome/gnome-remote-desktop-daemon | 1 + apparmor.d/groups/gnome/gnome-session-check | 22 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 3 +++ apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/session-migration | 1 + apparmor.d/groups/gnome/yelp | 2 +- 15 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/groups/gnome/gnome-session-check diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 90016a8ee..00e277f1f 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -121,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b7fc6a5b0..90a5b0f64 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -15,12 +15,13 @@ profile deja-dup-monitor @{exec_path} { include include include + include include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index dc11e8169..6d621f18b 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -32,8 +32,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -44,6 +43,7 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..3f2290e6a 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,6 +23,8 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fd6ded04f..13f161dfd 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,7 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include + include include include include @@ -19,7 +19,7 @@ profile gnome-clocks @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gnome.clocks + #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index cfb40f5c4..74b0cb041 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -38,7 +38,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7bb34e52f..c0f131dd1 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -36,8 +36,9 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -53,6 +54,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{run}/user/@{uid}/gsconnect/{,**} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 89769477a..be73974c8 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -41,6 +41,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 19e448b1b..c092f9372 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -15,6 +15,7 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 000000000..2a0b4965f --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f8888f95b..f2ff71f03 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -242,6 +242,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/.mozilla/native-messaging-hosts/ r, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/.var/app/**/ r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 8a48b97a2..d41ba2c7e 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -28,7 +28,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 3a7fdd4f4..016a41bd5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index c2df97896..ac3009fc7 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f172eac21..b3f27187b 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -15,7 +15,7 @@ profile yelp @{exec_path} { network netlink raw, #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, From e6752cb4b9761c58a26362891e8bbc29474e9435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:11:06 +0100 Subject: [PATCH 131/977] feat(profile): improve libreoffice, add missing dbus access. --- apparmor.d/profiles-g-l/libreoffice | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index ac3ee0c26..43fe51757 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,7 +11,13 @@ include profile libreoffice @{exec_path} { include include + include include + include + include + include + include + include include include include @@ -30,7 +36,7 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 + #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions @{exec_path} mr, From c9d249e5e35613aaf7b474c1a19abea0df07fc45 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:44:56 +0100 Subject: [PATCH 132/977] tests(packer): add test images for ubuntu 25.04 & debian 13 --- .../cloud-init/debian13-server.user-data.yml | 36 +++++++++++++++++ .../cloud-init/ubuntu24-desktop.user-data.yml | 39 +++++-------------- ...ata.yml => ubuntu25-desktop.user-data.yml} | 37 +++++------------- 3 files changed, 55 insertions(+), 57 deletions(-) create mode 100644 tests/cloud-init/debian13-server.user-data.yml rename tests/cloud-init/{ubuntu22-desktop.user-data.yml => ubuntu25-desktop.user-data.yml} (53%) diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml new file mode 100644 index 000000000..1400584ba --- /dev/null +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -0,0 +1,36 @@ +#cloud-config + +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + +write_files: + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index 7a71b0afe..d1b1f169c 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -17,29 +17,23 @@ packages: - ubuntu-desktop - vim -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - runcmd: + # Add missing snap packages + - snap install snap-store + - snap install snapd-desktop-integration + # Remove default filesystem and related tools not used with the suggested # storage layout. These may yet be required if different partitioning schemes # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + - apt-get -y purge btrfs-progs xfsprogs # Remove other packages present by default in Ubuntu Server but not # normally present in Ubuntu Desktop. - # - >- - # apt-get -y purge - # ubuntu-server ubuntu-server-minimal netplan.io cloud-init - # binutils byobu curl dmeventd finalrd gawk - # kpartx mdadm ncurses-term needrestart open-iscsi - # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - # sosreport screen open-vm-tools motd-news-config lxd-agent-loader - # landscape-common fonts-ubuntu-console ethtool + - >- + apt-get -y purge + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux # Finally, remove things only installed as dependencies of other things # we have already removed. @@ -51,16 +45,3 @@ write_files: append: true content: | 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/cloud-init/ubuntu22-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml similarity index 53% rename from tests/cloud-init/ubuntu22-desktop.user-data.yml rename to tests/cloud-init/ubuntu25-desktop.user-data.yml index 5f4dc69f5..881e9b4e9 100644 --- a/tests/cloud-init/ubuntu22-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml @@ -9,7 +9,7 @@ packages: - debhelper - devscripts - golang-go - - linux-generic-hwe-22.04 + - linux-generic-hwe-24.04 - qemu-guest-agent - rsync - spice-vdagent @@ -17,29 +17,23 @@ packages: - ubuntu-desktop - vim -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - runcmd: + - snap install snap-store + - snap install snapd-desktop-integration + - snap install --edge desktop-security-center + # Remove default filesystem and related tools not used with the suggested # storage layout. These may yet be required if different partitioning schemes # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + - apt-get -y purge btrfs-progs xfsprogs # Remove other packages present by default in Ubuntu Server but not # normally present in Ubuntu Desktop. - >- apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux # Finally, remove things only installed as dependencies of other things # we have already removed. @@ -51,16 +45,3 @@ write_files: append: true content: | 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 From eba7357cb13e51a8a78978d560fc4851f37affc7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 1 Mar 2025 22:48:24 +0100 Subject: [PATCH 133/977] doc: show off our tests a bit. --- README.md | 3 +-- docs/index.md | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7aed183da..a2ae8d6fb 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,7 @@ * Gnome (GDM) * KDE (SDDM) * XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* - +- [Fully tested](https://apparmor.pujol.io/development/tests/) > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. diff --git a/docs/index.md b/docs/index.md index 8f5696074..6f09983cb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -34,7 +34,7 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - [x] :material-gnome: Gnome (GDM) - [x] :simple-kde: KDE (SDDM) - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* +- [Fully tested](development/tests.md) ### Presentations From 86aba45d67a69c99d2e930c93da9f2616262aadb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Mar 2025 00:00:08 +0100 Subject: [PATCH 134/977] tests(integration): move most test inside groups. --- tests/integration/{ => apparmor}/aa-enforce.bats | 3 +-- tests/integration/{ => apparmor}/aa-status.bats | 2 +- tests/integration/{ => gpg}/gpgconf.bats | 2 +- tests/integration/{ => procps}/ps.bats | 2 +- tests/integration/{ => procps}/sysctl.bats | 3 +-- tests/integration/{ => procps}/w.bats | 7 ++++++- tests/integration/{ => shadow}/groupadd.bats | 2 +- tests/integration/{ => shadow}/groups.bats | 2 +- tests/integration/{ => systemd}/homectl.bats | 2 +- tests/integration/{ => systemd}/hostnamectl.bats | 2 +- tests/integration/{ => systemd}/systemd-ac-power.bats | 2 +- tests/integration/{ => systemd}/systemd-analyze.bats | 4 +--- tests/integration/{ => systemd}/systemd-cat.bats | 2 +- tests/integration/{ => systemd}/systemd-cgls.bats | 3 +-- tests/integration/{ => systemd}/systemd-detect-virt.bats | 5 +---- tests/integration/{ => systemd}/systemd-id128.bats | 2 +- tests/integration/{ => systemd}/systemd-sysusers.bats | 2 +- tests/integration/{ => systemd}/userdbctl.bats | 2 +- tests/integration/{ => usb}/lsusb.bats | 2 +- tests/integration/{ => utils}/blkid.bats | 2 +- tests/integration/{ => utils}/chsh.bats | 2 +- tests/integration/{ => utils}/df.bats | 2 +- tests/integration/{ => utils}/dmesg.bats | 2 +- tests/integration/{ => utils}/lsblk.bats | 2 +- tests/integration/{ => utils}/lscpu.bats | 2 +- tests/integration/{ => utils}/lspci.bats | 2 +- tests/integration/{ => utils}/pstree.bats | 2 +- tests/integration/{ => utils}/sync.bats | 2 +- tests/integration/{ => utils}/users.bats | 2 +- tests/integration/{ => utils}/uuidd.bats | 2 +- tests/integration/{ => utils}/uuidgen.bats | 2 +- tests/integration/{ => utils}/who.bats | 2 +- 32 files changed, 37 insertions(+), 40 deletions(-) rename tests/integration/{ => apparmor}/aa-enforce.bats (94%) rename tests/integration/{ => apparmor}/aa-status.bats (97%) rename tests/integration/{ => gpg}/gpgconf.bats (98%) rename tests/integration/{ => procps}/ps.bats (97%) rename tests/integration/{ => procps}/sysctl.bats (97%) rename tests/integration/{ => procps}/w.bats (68%) rename tests/integration/{ => shadow}/groupadd.bats (97%) rename tests/integration/{ => shadow}/groups.bats (95%) rename tests/integration/{ => systemd}/homectl.bats (98%) rename tests/integration/{ => systemd}/hostnamectl.bats (97%) rename tests/integration/{ => systemd}/systemd-ac-power.bats (96%) rename tests/integration/{ => systemd}/systemd-analyze.bats (97%) rename tests/integration/{ => systemd}/systemd-cat.bats (96%) rename tests/integration/{ => systemd}/systemd-cgls.bats (97%) rename tests/integration/{ => systemd}/systemd-detect-virt.bats (85%) rename tests/integration/{ => systemd}/systemd-id128.bats (97%) rename tests/integration/{ => systemd}/systemd-sysusers.bats (97%) rename tests/integration/{ => systemd}/userdbctl.bats (97%) rename tests/integration/{ => usb}/lsusb.bats (96%) rename tests/integration/{ => utils}/blkid.bats (95%) rename tests/integration/{ => utils}/chsh.bats (96%) rename tests/integration/{ => utils}/df.bats (97%) rename tests/integration/{ => utils}/dmesg.bats (97%) rename tests/integration/{ => utils}/lsblk.bats (98%) rename tests/integration/{ => utils}/lscpu.bats (96%) rename tests/integration/{ => utils}/lspci.bats (97%) rename tests/integration/{ => utils}/pstree.bats (96%) rename tests/integration/{ => utils}/sync.bats (95%) rename tests/integration/{ => utils}/users.bats (95%) rename tests/integration/{ => utils}/uuidd.bats (96%) rename tests/integration/{ => utils}/uuidgen.bats (95%) rename tests/integration/{ => utils}/who.bats (96%) diff --git a/tests/integration/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats similarity index 94% rename from tests/integration/aa-enforce.bats rename to tests/integration/apparmor/aa-enforce.bats index d6b549b1e..7bc0e740b 100644 --- a/tests/integration/aa-enforce.bats +++ b/tests/integration/apparmor/aa-enforce.bats @@ -3,10 +3,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common setup_file() { - aa_setup skip } diff --git a/tests/integration/aa-status.bats b/tests/integration/apparmor/aa-status.bats similarity index 97% rename from tests/integration/aa-status.bats rename to tests/integration/apparmor/aa-status.bats index fbfb6667d..e7e0fc3d5 100644 --- a/tests/integration/aa-status.bats +++ b/tests/integration/apparmor/aa-status.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "aa-status: Check status" { sudo aa-status diff --git a/tests/integration/gpgconf.bats b/tests/integration/gpg/gpgconf.bats similarity index 98% rename from tests/integration/gpgconf.bats rename to tests/integration/gpg/gpgconf.bats index 7155c5aa9..41627dc67 100644 --- a/tests/integration/gpgconf.bats +++ b/tests/integration/gpg/gpgconf.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "gpgconf: List all components" { gpgconf --list-components diff --git a/tests/integration/ps.bats b/tests/integration/procps/ps.bats similarity index 97% rename from tests/integration/ps.bats rename to tests/integration/procps/ps.bats index bcdfbe1b8..a27bdf98d 100644 --- a/tests/integration/ps.bats +++ b/tests/integration/procps/ps.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "ps: List all running processes" { ps aux diff --git a/tests/integration/sysctl.bats b/tests/integration/procps/sysctl.bats similarity index 97% rename from tests/integration/sysctl.bats rename to tests/integration/procps/sysctl.bats index 171ee98a9..2f284070a 100644 --- a/tests/integration/sysctl.bats +++ b/tests/integration/procps/sysctl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "sysctl: Show all available variables and their values" { sysctl -a @@ -24,4 +24,3 @@ load common @test "sysctl: Apply changes from `/etc/sysctl.conf`" { sysctl -p } - diff --git a/tests/integration/w.bats b/tests/integration/procps/w.bats similarity index 68% rename from tests/integration/w.bats rename to tests/integration/procps/w.bats index 1b97ba445..3ee1fe218 100644 --- a/tests/integration/w.bats +++ b/tests/integration/procps/w.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "w: Display information about all users who are currently logged in" { w @@ -12,3 +12,8 @@ load common @test "w: Display information about a specific user" { w root } + +@test "w: Display information without including the header, the login, JCPU and PCPU columns" { + w --no-header + w --short +} diff --git a/tests/integration/groupadd.bats b/tests/integration/shadow/groupadd.bats similarity index 97% rename from tests/integration/groupadd.bats rename to tests/integration/shadow/groupadd.bats index d93b1a690..3d07619b2 100644 --- a/tests/integration/groupadd.bats +++ b/tests/integration/shadow/groupadd.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "groupadd: Create a new group" { sudo groupadd user2 diff --git a/tests/integration/groups.bats b/tests/integration/shadow/groups.bats similarity index 95% rename from tests/integration/groups.bats rename to tests/integration/shadow/groups.bats index 60bf6ea45..f932e9129 100644 --- a/tests/integration/groups.bats +++ b/tests/integration/shadow/groups.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "groups: Print group memberships for the current user" { groups diff --git a/tests/integration/homectl.bats b/tests/integration/systemd/homectl.bats similarity index 98% rename from tests/integration/homectl.bats rename to tests/integration/systemd/homectl.bats index 656a3407b..0bdd625c4 100644 --- a/tests/integration/homectl.bats +++ b/tests/integration/systemd/homectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common setup_file() { sudo systemctl start systemd-homed diff --git a/tests/integration/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats similarity index 97% rename from tests/integration/hostnamectl.bats rename to tests/integration/systemd/hostnamectl.bats index 2c15658ad..38924920a 100644 --- a/tests/integration/hostnamectl.bats +++ b/tests/integration/systemd/hostnamectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "hostnamectl: Get the hostname of the computer" { hostnamectl diff --git a/tests/integration/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats similarity index 96% rename from tests/integration/systemd-ac-power.bats rename to tests/integration/systemd/systemd-ac-power.bats index 30019825a..65779b617 100644 --- a/tests/integration/systemd-ac-power.bats +++ b/tests/integration/systemd/systemd-ac-power.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true diff --git a/tests/integration/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats similarity index 97% rename from tests/integration/systemd-analyze.bats rename to tests/integration/systemd/systemd-analyze.bats index 6bb275bb6..b36abb62d 100644 --- a/tests/integration/systemd-analyze.bats +++ b/tests/integration/systemd/systemd-analyze.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame @@ -16,5 +16,3 @@ load common @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security } - - diff --git a/tests/integration/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats similarity index 96% rename from tests/integration/systemd-cat.bats rename to tests/integration/systemd/systemd-cat.bats index da634982a..9d796ff07 100644 --- a/tests/integration/systemd-cat.bats +++ b/tests/integration/systemd/systemd-cat.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd diff --git a/tests/integration/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats similarity index 97% rename from tests/integration/systemd-cgls.bats rename to tests/integration/systemd/systemd-cgls.bats index dca00b62a..a0822a516 100644 --- a/tests/integration/systemd-cgls.bats +++ b/tests/integration/systemd/systemd-cgls.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-cgls: Display the whole control group hierarchy on your system" { systemd-cgls --no-pager @@ -16,4 +16,3 @@ load common @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { systemd-cgls --no-pager --unit systemd-logind } - diff --git a/tests/integration/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats similarity index 85% rename from tests/integration/systemd-detect-virt.bats rename to tests/integration/systemd/systemd-detect-virt.bats index 41150ef7f..bb2b2a659 100644 --- a/tests/integration/systemd-detect-virt.bats +++ b/tests/integration/systemd/systemd-detect-virt.bats @@ -3,23 +3,20 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { systemd-detect-virt || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { systemd-detect-virt --quiet || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { systemd-detect-virt --vm || true } diff --git a/tests/integration/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats similarity index 97% rename from tests/integration/systemd-id128.bats rename to tests/integration/systemd/systemd-id128.bats index 67bf5907d..68e48d9a4 100644 --- a/tests/integration/systemd-id128.bats +++ b/tests/integration/systemd/systemd-id128.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-id128: Generate a new random identifier" { systemd-id128 new diff --git a/tests/integration/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats similarity index 97% rename from tests/integration/systemd-sysusers.bats rename to tests/integration/systemd/systemd-sysusers.bats index 0816fd45e..7fff472ee 100644 --- a/tests/integration/systemd-sysusers.bats +++ b/tests/integration/systemd/systemd-sysusers.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config diff --git a/tests/integration/userdbctl.bats b/tests/integration/systemd/userdbctl.bats similarity index 97% rename from tests/integration/userdbctl.bats rename to tests/integration/systemd/userdbctl.bats index 065dba5f5..eda5f5b09 100644 --- a/tests/integration/userdbctl.bats +++ b/tests/integration/systemd/userdbctl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "userdbctl: List all known user records" { userdbctl --no-pager user diff --git a/tests/integration/lsusb.bats b/tests/integration/usb/lsusb.bats similarity index 96% rename from tests/integration/lsusb.bats rename to tests/integration/usb/lsusb.bats index f5444fced..85bee2fd6 100644 --- a/tests/integration/lsusb.bats +++ b/tests/integration/usb/lsusb.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsusb: List all the USB devices available" { lsusb || true diff --git a/tests/integration/blkid.bats b/tests/integration/utils/blkid.bats similarity index 95% rename from tests/integration/blkid.bats rename to tests/integration/utils/blkid.bats index 6dcf4b4d7..625f5f9bb 100644 --- a/tests/integration/blkid.bats +++ b/tests/integration/utils/blkid.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "blkid: List all partitions" { sudo blkid diff --git a/tests/integration/chsh.bats b/tests/integration/utils/chsh.bats similarity index 96% rename from tests/integration/chsh.bats rename to tests/integration/utils/chsh.bats index 81a9f76a6..ccdadc6e3 100644 --- a/tests/integration/chsh.bats +++ b/tests/integration/utils/chsh.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "chsh: list available shells" { chsh --list-shells || true diff --git a/tests/integration/df.bats b/tests/integration/utils/df.bats similarity index 97% rename from tests/integration/df.bats rename to tests/integration/utils/df.bats index a97ad53cb..b0f3430ea 100644 --- a/tests/integration/df.bats +++ b/tests/integration/utils/df.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "df: Display all filesystems and their disk usage" { df diff --git a/tests/integration/dmesg.bats b/tests/integration/utils/dmesg.bats similarity index 97% rename from tests/integration/dmesg.bats rename to tests/integration/utils/dmesg.bats index 722b3204b..f2880666d 100644 --- a/tests/integration/dmesg.bats +++ b/tests/integration/utils/dmesg.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "dmesg: Show kernel messages" { sudo dmesg diff --git a/tests/integration/lsblk.bats b/tests/integration/utils/lsblk.bats similarity index 98% rename from tests/integration/lsblk.bats rename to tests/integration/utils/lsblk.bats index 4dc3e20b7..4093526a9 100644 --- a/tests/integration/lsblk.bats +++ b/tests/integration/utils/lsblk.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lsblk: List all storage devices in a tree-like format" { lsblk diff --git a/tests/integration/lscpu.bats b/tests/integration/utils/lscpu.bats similarity index 96% rename from tests/integration/lscpu.bats rename to tests/integration/utils/lscpu.bats index d09599065..eb60d890d 100644 --- a/tests/integration/lscpu.bats +++ b/tests/integration/utils/lscpu.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lscpu: Display information about all CPUs" { lscpu diff --git a/tests/integration/lspci.bats b/tests/integration/utils/lspci.bats similarity index 97% rename from tests/integration/lspci.bats rename to tests/integration/utils/lspci.bats index 021906602..1b86dd41f 100644 --- a/tests/integration/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "lspci: Show a brief list of devices" { lspci diff --git a/tests/integration/pstree.bats b/tests/integration/utils/pstree.bats similarity index 96% rename from tests/integration/pstree.bats rename to tests/integration/utils/pstree.bats index 23094478c..1fc43c76c 100644 --- a/tests/integration/pstree.bats +++ b/tests/integration/utils/pstree.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "pstree: Display a tree of processes" { pstree diff --git a/tests/integration/sync.bats b/tests/integration/utils/sync.bats similarity index 95% rename from tests/integration/sync.bats rename to tests/integration/utils/sync.bats index 9f2e26885..03cc4730f 100644 --- a/tests/integration/sync.bats +++ b/tests/integration/utils/sync.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "sync: Flush all pending write operations on all disks" { sync diff --git a/tests/integration/users.bats b/tests/integration/utils/users.bats similarity index 95% rename from tests/integration/users.bats rename to tests/integration/utils/users.bats index 8f8ad383d..885121a58 100644 --- a/tests/integration/users.bats +++ b/tests/integration/utils/users.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "users: Print logged in usernames" { users diff --git a/tests/integration/uuidd.bats b/tests/integration/utils/uuidd.bats similarity index 96% rename from tests/integration/uuidd.bats rename to tests/integration/utils/uuidd.bats index 9e3ac5ef0..d3ab28cc0 100644 --- a/tests/integration/uuidd.bats +++ b/tests/integration/utils/uuidd.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidd: Generate a random UUID" { uuidd --random diff --git a/tests/integration/uuidgen.bats b/tests/integration/utils/uuidgen.bats similarity index 95% rename from tests/integration/uuidgen.bats rename to tests/integration/utils/uuidgen.bats index eb6465c04..838be5cbc 100644 --- a/tests/integration/uuidgen.bats +++ b/tests/integration/utils/uuidgen.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "uuidgen: Create a random UUIDv4" { uuidgen --random diff --git a/tests/integration/who.bats b/tests/integration/utils/who.bats similarity index 96% rename from tests/integration/who.bats rename to tests/integration/utils/who.bats index c05995d0e..b69fc2dd1 100644 --- a/tests/integration/who.bats +++ b/tests/integration/utils/who.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common @test "who: Display the username, line, and time of all currently logged-in sessions" { who From 189064c9f83ba8b4b4312fe9b833236b5387ef6a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Mar 2025 13:25:30 +0100 Subject: [PATCH 135/977] tests: make the integration tests work recursivelly. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 90dacd5c0..cef8bd719 100644 --- a/Makefile +++ b/Makefile @@ -112,8 +112,8 @@ check: @bash tests/check.sh .PHONY: integration -integration : - @bats --timing --print-output-on-failure tests/integration/ +integration: + @bats --recursive --timing --print-output-on-failure tests/integration/ .PHONY: manual manual: From 6c284435ae6c47c5f832bcf2b509699f65af3dcb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Mar 2025 13:52:38 +0100 Subject: [PATCH 136/977] feat(profile): improve bluetoothctl fix #671 --- apparmor.d/groups/bluetooth/bluetoothctl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index 01565b4ff..e408b94b9 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -10,9 +10,17 @@ include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include + include + include + + network bluetooth raw, + + #aa:dbus talk bus=system name=org.bluez label=bluetoothd @{exec_path} mr, + /usr/share/terminfo/** r, + /etc/inputrc r, owner @{user_cache_dirs}/ rw, From 3f9fe25fd469123c17022979c91be6fe278b465e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 2 Mar 2025 14:03:38 +0100 Subject: [PATCH 137/977] doc: update aa-log usage. --- cmd/aa-log/main.go | 6 +++--- docs/usage.md | 9 +++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 58aee3716..d58089310 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. diff --git a/docs/usage.md b/docs/usage.md index e73439efc..372762998 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -116,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,4 +132,5 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ``` From d49e93523fca55b4fa359e0195c93bb0deeada34 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:26:07 +0100 Subject: [PATCH 138/977] feat(profile): restrict the qemu-ga profile. --- apparmor.d/profiles-m-r/qemu-ga | 36 ++++++++++++++------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7e63560ec..b100e4e15 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -7,40 +7,34 @@ abi , include @{exec_path} = @{bin}/qemu-ga -profile qemu-ga @{exec_path} { +profile qemu-ga @{exec_path} flags=(complain) { include - include - - capability mknod, - capability net_admin, - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace (read) peer=@{p_systemd}, - - unix type=stream addr=@@{udbus}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{bin}/systemctl rix, + audit @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state* rw, + owner @{run}/qga.state rw, + owner @{run}/qga.state.@{rand6} rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, - owner @{PROC}/@{pid}/net/dev r, - /dev/vport@{int}p@{int} rw, + profile systemctl flags=(complain) { + include + include + + unix type=stream addr=@@{udbus}/bus/shutdown/system, + + #aa-dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + + include if exists + } + include if exists } From 334b48749a67f97d2eab517ce8418807965390ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:33:42 +0100 Subject: [PATCH 139/977] feat(profile): various minor update. --- apparmor.d/groups/bus/dbus-system | 2 ++ apparmor.d/groups/filesystem/lvm | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/shadow/chpasswd | 8 ++++++++ apparmor.d/groups/snap/snapd | 5 +++++ apparmor.d/groups/ssh/ssh | 3 ++- apparmor.d/groups/ssh/sshd | 12 ++++++------ apparmor.d/groups/systemd/systemd-coredump | 2 ++ apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-vconsole-setup | 2 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 2 ++ apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 ++ apparmor.d/groups/utils/login | 1 - apparmor.d/groups/utils/uname | 3 +++ apparmor.d/groups/virt/dockerd | 3 +++ apparmor.d/profiles-a-f/console-setup | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-a-f/fractal | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 ++ apparmor.d/profiles-s-z/tlp | 3 +++ 21 files changed, 51 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 0296a262f..cafaf0570 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -63,6 +63,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @@ -78,6 +79,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index 75cd0de80..a73262d75 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -30,6 +30,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, + /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f2ff71f03..ee4bfe33b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -269,6 +269,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, + owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 869ba20ab..4b752a440 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -9,13 +9,18 @@ include @{exec_path} = @{bin}/chpasswd profile chpasswd @{exec_path} { include + include include include + capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, + network netlink raw, + @{exec_path} mr, @{etc_ro}/login.defs r, @@ -32,6 +37,9 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, + /etc/pam.d/chpasswd r, + /etc/pam.d/common-* r, + include if exists } diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 273b68fc5..3e6a4460a 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -57,6 +57,11 @@ profile snapd @{exec_path} { member={SetWallMessage,ScheduleShutdown} peer=(name=org.freedesktop.login1, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1, label=unconfined), + @{exec_path} mrix, @{bin}/adduser rPx, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0c86919b1..bdbcf8fa6 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,7 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 21892cc47..f6638d5d9 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -62,12 +62,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{bin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/openssh/sftp-server rPx, - @{lib}/ssh/sshd-session rix, + @{bin}/@{shells} rUx, + @{bin}/false rix, + @{bin}/nologin rPx, + @{bin}/passwd rPx, + @{lib}/{openssh,ssh}/sftp-server rPx, + @{lib}/{openssh,ssh}/sshd-session rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index b26dabae7..856bee914 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,6 +39,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, + owner @{HOME}/**.so r, + /var/lib/systemd/coredump/{,**} rwl, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 1a2ff9a31..82025859b 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { network netlink raw, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 5f28050c1..8c99d606c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} { +profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 08a54df0a..b5d7d2885 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 86ac61f41..77b24fa27 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -25,6 +25,8 @@ profile update-motd-fsck-at-reboot @{exec_path} { /var/lib/update-notifier/fsck-at-reboot rw, + @{run}/motd.dynamic.new w, + @{PROC}/uptime r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index f83c1687e..dbf334577 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -62,7 +62,6 @@ profile login @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 45a864c23..6ca8a6370 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -14,6 +14,9 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib}/@{multiarch}/ld-linux-*so* r, + @{lib}/@{multiarch}/libc.so* mr, + @{att}/dev/tty@{int} rw, deny network, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2e2d36355..b2228ec6f 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, + capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, @@ -31,6 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet6 stream, network netlink raw, + network packet dgram, mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, @@ -91,6 +93,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{run}/docker/** rwlk, owner @{run}/docker.pid rw, + @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d3aaddf7f..5b867e1eb 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -15,6 +15,7 @@ profile console-setup @{exec_path} { @{bin}/uname rPx, @{bin}/mkdir rix, + @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 0c5a18e83..269a3b02a 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -47,6 +47,7 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 9de5761c2..0895d12eb 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -33,6 +33,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/@{rand6} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index fb9b75824..44c7a8ac7 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -32,6 +32,8 @@ profile landscape-sysinfo.wrapper @{exec_path} { /var/lib/landscape/landscape-sysinfo.cache rw, + @{run}/motd.dynamic.new w, + @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index d0ecbbd9e..f50b23199 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -154,6 +154,8 @@ profile run-parts @{exec_path} { owner @{sys}/class/power_supply/ r, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, profile motd { diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 5d81c0a75..04e3b7ffc 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -44,6 +44,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/mktemp rix, @{bin}/readlink rix, @{bin}/rm rix, + @{bin}/sed rix, @{bin}/sort rix, @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @@ -71,7 +72,9 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/{,**/}power/control w, + @{sys}/devices/@{pci}/class r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, From b752ff540c9df45cb560073659088c9a0342fb7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 4 Mar 2025 22:38:46 +0100 Subject: [PATCH 140/977] build: allow the docker build script to be sourced by downstream repository. --- dists/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/docker.sh b/dists/docker.sh index 4dd958759..a99fefaf7 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -14,7 +14,7 @@ readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" readonly OUTPUT="$PWD/$OUTDIR" -readonly COMMAND="$1" +readonly COMMAND="${1:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER From e3a1ba5d0d10bb5186f998544a162c029b1bdcf0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:15:46 +0100 Subject: [PATCH 141/977] feat(profile): systemd-tty-ask-password-agent: add support for rpm. see #576 --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 71c5a1503..ecac3e1a8 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,6 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal (receive) set=(term cont) peer=*//systemctl, signal (receive) set=(term cont) peer=default, signal (receive) set=(term cont) peer=logrotate, + signal (receive) set=(term cont) peer=rpm, @{exec_path} mrix, From 06f2fb46597758ac968779ee06a6b258e52cc3a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:22:57 +0100 Subject: [PATCH 142/977] feat(profile): improve gimp. see #656 --- apparmor.d/profiles-g-l/gimp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 83457578f..158885375 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,8 +11,10 @@ profile gimp @{exec_path} { include include include + include include include + include include include include @@ -38,12 +40,14 @@ profile gimp @{exec_path} { /usr/share/mypaint-data/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/fstab r, /etc/gimp/{,**} r, owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, + owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, owner @{user_cache_dirs}/gegl-*/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, @@ -58,6 +62,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } From 7e1c08b75d1d3eb6e2bb4c0cf64067e2ddd6a7b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:53:41 +0100 Subject: [PATCH 143/977] feat(profile): improve kde profiles. See #676 --- .../groups/freedesktop/xdg-desktop-portal-kde | 4 +++ apparmor.d/groups/kde/dolphin | 32 +++++++++++++++++++ apparmor.d/groups/kde/kioworker | 11 ++++--- apparmor.d/groups/kde/plasmashell | 4 ++- apparmor.d/profiles-s-z/thunderbird | 3 ++ 5 files changed, 49 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 309248e18..3b02d2b16 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -21,6 +21,8 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, #aa:exec kioworker @@ -33,6 +35,8 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{PROC}/@{pid}/mountinfo r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index d01965bb0..b42b37dec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -21,6 +21,7 @@ profile dolphin @{exec_path} { include include include + include network netlink raw, @@ -98,9 +99,40 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 37dd3eeae..e992e09fd 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -26,10 +26,11 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal (receive) set=term peer=dolphin, - signal (receive) set=term peer=firefox-kmozillahelper, - signal (receive) set=term peer=plasma-discover, - signal (receive) set=term peer=plasmashell, + signal receive set=term peer=dolphin, + signal receive set=term peer=firefox-kmozillahelper, + signal receive set=term peer=plasma-discover, + signal receive set=term peer=plasmashell, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, @@ -37,6 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/gs rPUx, #aa:exec kio_http_cache_cleaner @@ -91,6 +93,7 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 0d8a5d8cb..f800136e0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -93,6 +93,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, + owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -137,6 +138,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, + owner @{user_config_dirs}/kiorc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, @@ -156,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,*} rwl, + owner @{user_share_dirs}/klipper/{,**} rwl, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 9a50dafa0..594d04b64 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -37,6 +37,9 @@ profile thunderbird @{exec_path} { # Desktop integration @{open_path} rPx -> child-open, + # Extensions + @{bin}/SysTray-X rPUx, + /usr/share/lightning/{,**} r, owner /var/mail/** rwk, From cfce68a5df7fd49042d22258420c75d52a463a9b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 21:59:20 +0100 Subject: [PATCH 144/977] feat(profile): allow to start hyprland from sddm. fix #674 --- apparmor.d/groups/kde/sddm | 1 + apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-s-z/waybar | 4 +++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 56f0f5820..0205dacd7 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -94,6 +94,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/Hyprland rPx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 5da955cba..76b9942fb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +profile pidof @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 8499a1ad6..b8d1d5326 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -26,11 +26,13 @@ profile waybar @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/system/cpu/present r, + @{sys}/devices/virtual/dmi/id/uevent r, @{PROC}/@{pid}/net/dev r, @{PROC}/spl/kstat/zfs/arcstats r, From f360d12ec19fcc2ade26e330400a56c1d706036d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 22:22:56 +0100 Subject: [PATCH 145/977] feat(profile): improve kde profiles. See #675 --- apparmor.d/groups/kde/baloo | 17 ++++++----------- apparmor.d/groups/kde/kde-powerdevil | 8 ++++++-- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/kde/kwin_wayland | 17 +++++++++++++++++ apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- 6 files changed, 32 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 9a2f4c961..75532a773 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -42,27 +42,22 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # For motherboard info - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/mount/utab r, + + @{run}/udev/data/+*:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c37ee870b..0747d1b47 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -27,6 +27,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{bin}/grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, @@ -45,10 +46,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index e992e09fd..592e5811e 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -30,7 +30,7 @@ profile kioworker @{exec_path} { signal receive set=term peer=firefox-kmozillahelper, signal receive set=term peer=plasma-discover, signal receive set=term peer=plasmashell, - signal receive set=term peer=xdg-desktop-portal-kde, + signal receive set=term peer=xdg-desktop-portal-kde, @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 24d86bec6..240869a31 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -30,6 +30,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -119,6 +120,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/+usb:* r, @@ -137,6 +139,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile at-spi { include + include @{sh_path} r, @{bin}/busctl rix, @@ -151,6 +154,20 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f800136e0..059760bd3 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -158,7 +158,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,**} rwl, + owner @{user_share_dirs}/klipper/{,**} rwlk, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 0205dacd7..a7525d099 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -97,8 +97,8 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/Hyprland rPx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, - @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/labwc rPx, + @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/startlxqt rPx, @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, From 03406096ceb9b395bb7245eae8f08d606f61e04b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:46:49 +0100 Subject: [PATCH 146/977] feat(dbus): simplify the way to provide unix address for dbus. --- apparmor.d/abstractions/bus-session | 4 +--- apparmor.d/abstractions/bus-system | 2 ++ pkg/prebuild/directive/dbus.go | 24 +++++------------------- pkg/prebuild/directive/dbus_test.go | 12 +++--------- 4 files changed, 11 insertions(+), 31 deletions(-) diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 95325d7d3..0c3abd96e 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -4,9 +4,7 @@ abi , - unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 870443002..24d2cf4c2 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -4,6 +4,8 @@ abi , + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4a9030505..99a8f6138 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -45,15 +45,11 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { if err != nil { return "", err } - name := opt.File.Base() - if len(name) > 15 { - name = name[:15] - } switch action { case "own": - r = d.own(opt.ArgMap, name) + r = d.own(opt.ArgMap) case "talk": - r = d.talk(opt.ArgMap, name) + r = d.talk(opt.ArgMap) } aa.IndentationLevel = strings.Count( @@ -107,14 +103,10 @@ func getInterfaces(rules map[string]string) []string { return interfaces } -func (d Dbus) own(rules map[string]string, name string) aa.Rules { +func (d Dbus) own(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) res := aa.Rules{ - &aa.Unix{ - Access: []string{"bind"}, Type: "stream", - Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], - }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], }, @@ -170,15 +162,9 @@ func (d Dbus) own(rules map[string]string, name string) aa.Rules { return res } -func (d Dbus) talk(rules map[string]string, name string) aa.Rules { +func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - - res := aa.Rules{ - &aa.Unix{ - Access: []string{"bind"}, Type: "stream", - Address: `@@{udbus}/bus/` + name + `/` + rules["bus"], - }, - } + res := aa.Rules{} // Interfaces for _, iface := range interfaces { diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index f2d4997e4..5f8d57d10 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -10,9 +10,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const dbusOwnSystemd1 = ` unix bind type=stream addr=@@{udbus}/bus/fake-own/system, - - dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} peer=(name="@{busname}"), @@ -75,9 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` unix bind type=stream addr=@@{udbus}/bus/fake-interface/session, - - dbus bind bus=session name=com.rastersoft.ding{,.*}, + want: ` dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=com.rastersoft.ding{,.*} peer=(name="@{busname}"), @@ -122,9 +118,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From f270809c5f3770cb7645ace2734e1135b8f49e89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:49:55 +0100 Subject: [PATCH 147/977] feat(tunable): set alias // -> / for all install. This is required when the re-attached path feature is enabled. --- apparmor.d/tunables/multiarch.d/system | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index a2f99a2ec..b155b2e36 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -62,6 +62,7 @@ # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ + alias // -> /, # vim:syntax=apparmor From 0d5e363bbca961b87c464cc151ed4580f67aaf4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:50:27 +0100 Subject: [PATCH 148/977] feat(abs): add more base attached files. --- apparmor.d/abstractions/attached/base | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 9a53d1548..4fcfe2665 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -9,6 +9,7 @@ @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/journal/stdout rw, deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, From 71632a6456ab3edd82253d6081887c34db1bb085 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 6 Mar 2025 23:58:20 +0100 Subject: [PATCH 149/977] doc: minor improvements --- docs/development/build.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index 89bf8e89e..5145a8416 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -119,22 +119,22 @@ This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not s ### **`complain | enforce`** -Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as CTF or (very) high security VM. +Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as a CTF challenge or in (very) high security VM. *Enable with the `--complain` or `--enforce` option in the prebuild command.* ### **`userspace`** -Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that does not support identical variable in the profiles attachments. +Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that do not support identical variable in the profiles attachments. *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* ### **`attach`** -This task reattaches disconnected paths. See [#559](https://github.com/roddhjav/apparmor.d/issues/559): +This task reattaches disconnected paths. See the [Re-attached path](internal.md#re-attached-path) page. It will: - Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag -- Add the attached/base abstraction in the profile +- Add the `` abstraction in the profile - For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` *Enabled when abi >= 4.0* From da7958a2f9a02e86df049d3b2a5760d99b045d92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:00:24 +0100 Subject: [PATCH 150/977] feat(fsp): improve the base systemd profiles. --- apparmor.d/groups/_full/systemd | 25 +++++++++++++++----- apparmor.d/groups/_full/systemd-service | 5 ++++ apparmor.d/groups/_full/systemd-user | 10 ++++++++ apparmor.d/groups/_full/systemd-user-service | 2 +- 4 files changed, 35 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d71647705..0206b0189 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -65,14 +65,21 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, mount fstype=autofs systemd-1 -> /efi/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/, + mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, mount fstype=tmpfs tmpfs -> /dev/shm/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, + mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + mount fstype=vfat -> /boot/efi/, mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, @@ -157,8 +164,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { # Unit services @{bin}/mount ix, + @{bin}/kill ix, # Shell based systemd unit services + # TODO: create unit profile for all of them @{bin}/ldconfig Px -> systemd-service, @{bin}/mandb Px -> systemd-service, @{bin}/savelog Px -> systemd-service, @@ -187,8 +196,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, /etc/credstore/{,**} r, + /etc/default/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, + /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, /etc/udev/hwdb.d/{,**} r, @@ -199,6 +210,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /tmp/systemd-private-*/{,**} rw, @{run}/ rw, + @{run}/*.socket w, @{run}/*/ rw, @{run}/*/* rw, @{run}/auditd.pid r, @@ -263,6 +275,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/kmsg w, + /dev/tty@{int} rw, owner /dev/console rwk, owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index e6c4a4b7b..dfe3000bc 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -17,6 +17,7 @@ profile systemd-service flags=(attach_disconnected) { include include + capability dac_read_search, capability chown, capability fsetid, @@ -42,9 +43,13 @@ profile systemd-service flags=(attach_disconnected) { /var/cache/ldconfig/{,**} rw, + / r, + /boot/grub/grubenv rw, /boot/grub/ w, + /var/spool/cron/atjobs/ r, + /var/log/ r, /var/log/dmesg rw, /var/log/dmesg.* rwl -> /var/log/dmesg, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 919c53457..401e73bd9 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -102,6 +102,9 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, @@ -112,6 +115,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -134,6 +138,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { /dev/tty rw, + deny capability bpf, + deny capability mknod, + deny capability net_admin, + deny capability perfmon, + deny capability sys_resource, + profile systemctl { include include diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service index d65846f82..0cb9efa49 100644 --- a/apparmor.d/groups/_full/systemd-user-service +++ b/apparmor.d/groups/_full/systemd-user-service @@ -12,7 +12,7 @@ abi , include -profile systemd-user-service flags=(complain) { +profile systemd-user-service flags=(attach_disconnected) { include include From b623dc4a77ed6919428844ce48aca382d5930a8a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:07:11 +0100 Subject: [PATCH 151/977] feat(profile): minor improvements. --- apparmor.d/abstractions/app/sudo | 2 -- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/gnome/gnome-logs | 2 ++ apparmor.d/groups/systemd/journalctl | 2 ++ apparmor.d/groups/systemd/loginctl | 4 +++- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-udevd | 4 ++-- apparmor.d/groups/utils/chsh | 2 -- apparmor.d/groups/utils/login | 2 -- apparmor.d/groups/utils/su | 2 -- apparmor.d/profiles-a-f/console-setup | 1 + apparmor.d/profiles-g-l/hugo | 9 ++++++++- apparmor.d/profiles-m-r/qemu-ga | 4 ++-- 13 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 4c7de6ba5..333cbddbd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,6 @@ network netlink raw, # PAM - unix bind type=stream addr=@@{udbus}/bus/sudo/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 1ba7b5cb3..ee8e3bcb5 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -21,7 +21,7 @@ profile command-not-found @{exec_path} { @{python_path} r, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/snap rPUx, + @{bin}/snap rPx, @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 5e3ab03bd..06e66a43b 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -27,6 +27,8 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 3c5595345..36fbd9e75 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -33,6 +33,8 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, + /var/log/dmesg w, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 5386662c0..2892c88c3 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} { +profile loginctl @{exec_path} flags=(attach_disconnected) { include include include @@ -27,6 +27,8 @@ profile loginctl @{exec_path} { @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, + /dev/rfkill r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 20b396a72..ca5450826 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -29,7 +29,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index d71ccf1a1..1af847cd4 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -42,7 +42,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, @{bin}/ddcutil rPx, - @{bin}/dmsetup rPUx, + @{bin}/dmsetup rPx, @{bin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, @@ -56,7 +56,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/perl rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, - @{bin}/snap rPUx, + @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rix, @{bin}/unshare rix, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index bf2b92a98..73f097a94 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,8 +24,6 @@ profile chsh @{exec_path} { network netlink raw, - unix type=stream addr=@@{udbus}/bus/chsh/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index dbf334577..c04c4230c 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -32,8 +32,6 @@ profile login @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup term), - unix type=stream addr=@@{udbus}/bus/login/system, - ptrace read, #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 02a212150..2615085ab 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -19,8 +19,6 @@ profile su @{exec_path} { signal (receive) set=(int,quit,term), signal (receive) set=(cont,hup) peer=sudo, - unix (bind) type=dgram, - @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 5b867e1eb..7a11e407f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -12,6 +12,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, + @{sh_path} r, @{bin}/uname rPx, @{bin}/mkdir rix, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 6bb737ca0..ed62f48f1 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -37,10 +37,17 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/go/telemetry/mode r, + owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/hugepages/ r, + + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index b100e4e15..b6bbf5f73 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/qemu-ga -profile qemu-ga @{exec_path} flags=(complain) { +profile qemu-ga @{exec_path} { include @{exec_path} mr, @@ -24,7 +24,7 @@ profile qemu-ga @{exec_path} flags=(complain) { /dev/vport@{int}p@{int} rw, - profile systemctl flags=(complain) { + profile systemctl { include include From 9e1cc72cc443e8604a747315678e212196a4a698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 7 Mar 2025 00:08:17 +0100 Subject: [PATCH 152/977] feat(abs): kde: allow to access gtk resources. They are required for gtk based app on KDE. --- apparmor.d/abstractions/kde-strict | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 282ae1974..0f4410a12 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,6 +6,7 @@ include include + include include include include From 106921df234b90762c481e97ee390dc3428f7a6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Mar 2025 14:23:08 +0100 Subject: [PATCH 153/977] fix(build): ensure fsp mode set the systemd profile name correctly. --- pkg/prebuild/prepare/fsp.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 1d38ca294..c216b53eb 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -34,7 +34,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd profile name - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err From 0ef623ed40a36d4653a81f3a1525aa904716ef1f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 8 Mar 2025 21:54:39 +0100 Subject: [PATCH 154/977] fix: ensure pidof use the attach_disconnected and enforce it. see #677 --- dists/flags/main.flags | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 87c070c56..d4e7d5a9f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -249,7 +249,6 @@ os-prober attach_disconnected,complain pam_kwallet_init complain pam-tmpdir-helper complain passimd attach_disconnected,complain -pidof complain pkttyagent complain plank complain plasma_waitforname complain From 7badf80854e6bf008110e56ba839d272f5219beb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 22:58:27 +0100 Subject: [PATCH 155/977] feat(profile): improve dbus abstractions and interopaerability with profiles. --- apparmor.d/abstractions/app/systemctl | 1 + apparmor.d/abstractions/dbus-strict.d/complete | 12 +++++++++++- apparmor.d/abstractions/ibus.d/complete | 5 +++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 8489bb275..4ecfbecad 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -11,6 +11,7 @@ ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete index 86936b953..0428c745a 100644 --- a/apparmor.d/abstractions/dbus-strict.d/complete +++ b/apparmor.d/abstractions/dbus-strict.d/complete @@ -2,6 +2,16 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{run}/dbus/system_bus_socket rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 33d034b5a..5c53b9fa1 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -21,6 +21,11 @@ type=stream addr="@/home/*/.cache/ibus/dbus-????????", + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor From 47b6e3c616f8b57575436bfc09e57d424cea0fac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:04:32 +0100 Subject: [PATCH 156/977] feat(profile): various core update. --- apparmor.d/groups/filesystem/mke2fs | 2 ++ apparmor.d/groups/firewall/firewalld | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/procps/w | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 ++ apparmor.d/groups/systemd/systemd-generator-ds-identify | 1 + apparmor.d/groups/systemd/systemd-modules-load | 2 +- apparmor.d/groups/systemd/systemd-remount-fs | 4 ++-- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 9 +++++---- apparmor.d/groups/systemd/zram-generator | 4 ++-- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/utils/agetty | 2 ++ apparmor.d/groups/utils/login | 4 ++-- apparmor.d/groups/utils/su | 6 +++--- apparmor.d/groups/utils/uname | 3 --- apparmor.d/profiles-a-f/blkdeactivate | 2 ++ apparmor.d/profiles-s-z/YACReader | 2 ++ 18 files changed, 30 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index acf88197f..56a223bdd 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -34,6 +34,8 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 6d84dfe47..003089ca4 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -30,6 +30,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 @{exec_path} mr, + @{python_path} r, @{bin}/ r, @{bin}/alts rix, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index c720929f3..5e1079802 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -28,6 +28,7 @@ profile htop @{exec_path} { @{exec_path} mr, @{bin}/lsof rix, + @{bin}/strace rix, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/procps/w b/apparmor.d/groups/procps/w index b23a7bc23..2445034e9 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/groups/procps/w @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 090412ff5..fdddebe03 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -31,6 +31,8 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, + @{run}/systemd/ask-password/ r, + @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 6b42e55ed..d9a6639c1 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -18,6 +18,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/blkid rPx, + @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index d3527c22b..cc44f385f 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} { +profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 8c63a1d5a..4231f7e7b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} { +profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { include include include @@ -17,7 +17,7 @@ profile systemd-remount-fs @{exec_path} { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> /proc/, + mount options=(rw, remount) -> @{PROC}/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index ecac3e1a8..7ab8be35c 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, - signal (receive) set=(term cont) peer=*//systemctl, - signal (receive) set=(term cont) peer=default, - signal (receive) set=(term cont) peer=logrotate, - signal (receive) set=(term cont) peer=rpm, + signal receive set=(term cont) peer=*//systemctl, + signal receive set=(term cont) peer=default, + signal receive set=(term cont) peer=logrotate, + signal receive set=(term cont) peer=role_*, + signal receive set=(term cont) peer=rpm, @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index f6406811d..d156d88a4 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -27,8 +27,8 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/{disksize,reset} rw, - @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, + @{sys}/block/zram@{int}/* rw, + @{sys}/devices/virtual/block/zram@{int}/* rw, @{sys}/module/compression r, @{PROC}/crypto r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2dcf50743..2edc09970 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/apt-esm/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-nocloud r, + @{run}/cloud-init/cloud-id-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index d540ed0e8..8d1571c1e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -87,8 +87,6 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, - dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnitFileState diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 4605822e7..3eca54abc 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -20,6 +20,8 @@ profile agetty @{exec_path} { network netlink raw, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{bin}/login rPx, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c04c4230c..6968be40e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -30,7 +30,7 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) set=(hup term), + signal send set=(hup term), ptrace read, @@ -38,7 +38,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/@{shells} rUx, + @{shells_path} rUx, @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 2615085ab..aec037e84 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -15,9 +15,9 @@ profile su @{exec_path} { capability chown, # pseudo-terminal - signal (send) set=(term,kill), - signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, + signal send set=(term kill), + signal receive set=(int quit term), + signal receive set=(cont hup) peer=sudo, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname index 6ca8a6370..45a864c23 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/groups/utils/uname @@ -14,9 +14,6 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/@{multiarch}/ld-linux-*so* r, - @{lib}/@{multiarch}/libc.so* mr, - @{att}/dev/tty@{int} rw, deny network, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index ad575351f..2cabb639f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -14,8 +14,10 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, + @{sh_path} rix, @{bin}/dmsetup rPUx, @{bin}/grep rix, + @{bin}/touch rix, @{bin}/lsblk rPx, @{bin}/lvm rPx, @{bin}/multipathd rPx, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index de55bf829..3552b6dc0 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -39,6 +39,8 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } From ab41d2e0f37c5cf795eaff074d06a288cef8a84d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:12:01 +0100 Subject: [PATCH 157/977] feat(fsp): improve the systemd profiles. --- apparmor.d/groups/_full/systemd | 22 ++++++++++++++++------ apparmor.d/groups/_full/systemd-user | 6 ++++++ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 0206b0189..c56a0936a 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -108,6 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { remount @{run}/systemd/unit-root/{,**}, remount /, remount /snap/{,**}, + remount options=(ro bind) /boot/efi/, remount options=(ro noexec noatime bind) /var/snap/{,**}, remount options=(ro nosuid bind) /dev/, remount options=(ro nosuid nodev bind) /dev/hugepages/, @@ -127,18 +128,20 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + mqueue (read getattr) type=posix /, + change_profile, - signal (receive) set=(rtmin+23) peer=plymouthd, - signal (receive) set=(term, hup, cont), - signal (send), + signal receive set=(rtmin+23) peer=plymouthd, + signal receive set=(term hup cont), + signal send, ptrace (read, readby), - unix (send) type=dgram, + unix send type=dgram, - unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), - unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix receive type=dgram peer=(label=systemd-timesyncd), + unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), #aa:dbus own bus=system name=org.freedesktop.systemd1 @@ -151,6 +154,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{lib}/** Px, /etc/cron.*/* Px, /etc/init.d/* Px, + /etc/update-motd.d/* Px, /usr/share/*/** Px, # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) @@ -192,6 +196,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, @@ -203,12 +208,16 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /etc/systemd/{,**} r, /etc/udev/hwdb.d/{,**} r, + /var/log/dmesg rw, /var/lib/systemd/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, /tmp/namespace-dev-@{rand6}/{,**} rw, /tmp/systemd-private-*/{,**} rw, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/journal/dev-log r, + @{run}/ rw, @{run}/*.socket w, @{run}/*/ rw, @@ -274,6 +283,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, /dev/autofs r, + /dev/input/ r, /dev/kmsg w, /dev/tty@{int} rw, owner /dev/console rwk, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 401e73bd9..e3ae3acb4 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -136,18 +136,24 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/oom_score_adj rw, + /dev/kmsg w, /dev/tty rw, deny capability bpf, + deny capability dac_override, + deny capability dac_read_search, deny capability mknod, deny capability net_admin, deny capability perfmon, + deny capability sys_admin, deny capability sys_resource, profile systemctl { include include + deny capability net_admin, + include if exists include if exists } From f8340aa6605e4bb22e75e71257f4e296e51b7fd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:14:53 +0100 Subject: [PATCH 158/977] feat(fsp): add mapping abstractions for use with pam_apparmor. --- apparmor.d/abstractions/mapping/login | 41 +++++++++++++++++++ apparmor.d/abstractions/mapping/shadow | 11 ++++++ apparmor.d/abstractions/mapping/sshd | 55 ++++++++++++++++++++++++++ apparmor.d/abstractions/mapping/sudo | 20 ++++++++++ 4 files changed, 127 insertions(+) create mode 100644 apparmor.d/abstractions/mapping/login create mode 100644 apparmor.d/abstractions/mapping/shadow create mode 100644 apparmor.d/abstractions/mapping/sshd create mode 100644 apparmor.d/abstractions/mapping/sudo diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login new file mode 100644 index 000000000..54a8c1c7f --- /dev/null +++ b/apparmor.d/abstractions/mapping/login @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for login based hat mapping. + + abi , + + include + include + include + include + + capability audit_write, + capability chown, + capability fowner, + capability setgid, + capability setuid, + capability fsetid, + + deny capability net_admin, + + network netlink raw, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=ReleaseSession + peer=(name=org.freedesktop.login1, label=systemd-logind), + + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, + @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, + + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/capability.conf r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow new file mode 100644 index 000000000..5bf542c17 --- /dev/null +++ b/apparmor.d/abstractions/mapping/shadow @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for shadow based hat mapping. + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd new file mode 100644 index 000000000..d9cf57761 --- /dev/null +++ b/apparmor.d/abstractions/mapping/sshd @@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for sshd based hat mapping. Similar to sshd-session + + abi , + + include + include + include + include + include + + capability audit_write, + capability chown, + capability dac_read_search, + capability kill, + capability setgid, + capability setuid, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet6 stream, + network netlink raw, + network netlink raw, + + signal receive set=exists peer=systemd-journald, + signal receive set=hup peer=@{p_systemd}, + + unix bind type=stream addr=@@{udbus}/bus/sshd/system, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label=systemd-logind), + + /etc/motd r, + /etc/locale.conf r, + + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + + /dev/ptmx rw, + /dev/pts/@{int} k, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo new file mode 100644 index 000000000..3347a91af --- /dev/null +++ b/apparmor.d/abstractions/mapping/sudo @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for su/sudo based hat mapping. + + abi , + + capability audit_write, + capability setgid, + capability setuid, + + network netlink raw, + + @{etc_ro}/login.defs r, + /etc/passwd r, + + include if exists + +# vim:syntax=apparmor From d93db0eca92f7255040ab7ecdd88ef82c7a1610c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:43:39 +0100 Subject: [PATCH 159/977] feat(profile): add motd. --- apparmor.d/profiles-m-r/motd | 58 ++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 apparmor.d/profiles-m-r/motd diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd new file mode 100644 index 000000000..414512c89 --- /dev/null +++ b/apparmor.d/profiles-m-r/motd @@ -0,0 +1,58 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/update-motd.d/* +profile motd @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{e,}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/head rix, + @{bin}/hostname rPx, + @{bin}/id rix, + @{bin}/snap rPx, + @{bin}/sort rix, + @{bin}/tr rix, + @{bin}/uname rPx, + + @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, + @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, + @{lib}/update-notifier/update-motd-reboot-required rix, + /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + /usr/share/update-notifier/notify-updates-outdated rPx, + + / r, + /etc/default/motd-news r, + /etc/lsb-release r, + /etc/update-motd.d/* r, + + /var/cache/motd-news rw, + /var/lib/update-notifier/updates-available r, + /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic.new rw, + + @{PROC}/@{pids}/mounts r, + + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From 20699b20b609a033fe683a2d38509df128d32f9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 9 Mar 2025 23:58:18 +0100 Subject: [PATCH 160/977] fix: minor build issue. --- apparmor.d/groups/_full/systemd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index c56a0936a..a2f5fbd87 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -70,7 +70,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) mqueue -> /dev/mqueue/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, mount fstype=tmpfs tmpfs -> /dev/shm/, From 404b3d0ce2d2bdfd856db54f0c71bdc98a0bd29e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 10 Mar 2025 00:03:30 +0100 Subject: [PATCH 161/977] ci(github): drop FSP tests in ubtuntu 22.04 --- .github/workflows/main.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c97229256..584b0b75a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,12 +18,13 @@ jobs: needs: check strategy: matrix: - os: - - ubuntu-24.04 - - ubuntu-22.04 - mode: - - default - - full-system-policy + include: + - os: ubuntu-24.04 + mode: default + - os: ubuntu-24.04 + mode: full-system-policy + - os: ubuntu-22.04 + mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From f79f22c06aea2b8cb769d514d5e3cde71ff764b2 Mon Sep 17 00:00:00 2001 From: Yifan Zhu Date: Sun, 9 Mar 2025 21:01:45 -0700 Subject: [PATCH 162/977] docs: fix typo --- docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration.md b/docs/configuration.md index c3017c28d..dda450a85 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -189,7 +189,7 @@ Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: ```sh -@{MOUNT}+=/ssd/ +@{MOUNTS}+=/ssd/ ``` nOmHc!RJ3FmglyY2dy>^F?u5n@ss1ezyB@ z^>D|_XgyzQUaqDu*j?Cu&kI~UpS}I@(~OOqJG3R1GatBdd&P>}O}teVdN&(q*wwyu z^?PEIBzyeI=VxvwckDSHx6+%zdg-+_S5M@cK9VtcX+DQHzV=qHmA&!#!)Jb1T4$^) z*!((WPKq*D+ntsC7N9BlQ%_F3Ue7Nv^S*b`(&_52t$uF&R`=m|SKOCHV);gHo72vR zy`G}^a=-XzQ{~-jH*S~YW8b;`XTf3P!{Pf+Np^K}ymu|xeRTW&#b4EPtnU0MvHtkL zzDVx*PT88A-Z^LM1@C|INj6w~PE}b`ZE<UuWbld5vXV^ zDoX30v*bY7AJO+qb$zlm+%^_h9nLM@AM^ZP+M2ZRNxQ0dZB00?9oK&MLn6<`PuF@P zjvId6_p?nrF?>>)YLv+IlRr2MpZGVbeO5nl8J6|rz_H~FFBOwwprWr zoa*!UUXvD0l$`@wEAZ4VbMD119;j zPFJ72WUKz(bB;4oUg)~tn7ZWt{t3J9uFcq--NmyzamJ>7+xD!vAz=08gw)PC&!Y-^ zlck1Fdd^IFmR_L-+Q~Oz=6w13&`T?yIKAKut*YJhuHXKm^zLs(3TlE?%TrqKb+*NN zT75WlqO?3)7c_Ep{d{TV|AmR?uO9AKTfgd=_l;i5%;o4A5MZN zeGio%@I2Wvd)I;1(wA)JwKuyzbmdR%*?M+P%9DLFe!KqGw&`v>z#Vep-QC@f-EK|# z=OB7-&$l1m>x)1hS-$Mv3A35t)brCiZtcqr(slbSbl02z+H~t~R(tHpmuC~Y*n;c5 z>)&>4nEj{6n>G5ek<{%@ligl=?$fw-Z#tF(in%%I1_Bk0Tt$L^&1#jx6+h(N{=be- zCi}UAkJ6WOb1aQztJH-6+1@lY;97P8{F4r}xGuxymn%CA(ic-zc4A z#-=-!cXyYD(2Xl)lR91Mj~k0~>~Uyi4cwmhBWQD2(Y8hVUu`}2a-aIVrw&sTzW8P4 z&JDQn_T9^if99^g>Ux9s;-|3q_~V9O^X|Uzy)kvk-)*jQ%~loYtt+0?EfKl%O3=Q; ziQ(sX;+I*A7R-(Lb^fI3**SAg-q70<5Uo#lR>J&OdD+=uLbz1`g2 zd*(x^!m10O_H9XR?<*v9!!wVUqh*6i(g zxWM3s9`_25QP3OfW7k@~f z`f$Cce({9QHX+w6r&j8Aohf!Usxq`owUB$BQI_hqFIYEx^XeW@YkBs+X5LHj&qXXN zGCp(1l(MtLE$|Y3xa*7j=a_Gs=P+e|y+6OE@3Fzl!!xp~mT&3%5m9#H#Fe|37gt)x zYrndbzN|wdyNm1jPy6ZL-=?j*VAm_Q{U2-Gb%ocTzLm;cKe;wv<@18mHs(2fkHzP$ zK52X)MJ8W3FCSVcNIv&|wlh)X?>*O&17_hSZ=_nM3zWglh8EZCJ7fCfs{ye&PzuN0LQkK03HL7nNY5TFIt1b4VXQOX>tmiqcD*N+63LluR zRuxwLz4?9a7W=T_+)ju zYc5)`DH{A^3Q(^g8M-oZKkMu zMb>{_{9U>F>rcTl)t4(>X6GC|ocBYnBjtwau{k-vOMWria5o;{u6T5yjko#Si;IH# zVP=6-Yk&Il+pKaCC2hr+e#bm2>Oeg87g7rfrW&l0AO)_cOQkhu*bsi+q1; z8K_!or>nK7uN6B$Uc(fV2L}Re75V))|9r%jl6C8ks*%ledSqySI@RoQ2ll= zxIcT>oG70q3lFVR;l1=}+S!T6uk}Rj-#sfad{W)y8DSqcyuLKOg8Oiu%7(Mw)>l4b zY!v@+rZN1wyor&rSo+$q)4#X(+brF8gCU$x@8a6co4vWs@+VBZa!tgu{hk}gZpHP{ z_oQssC%rv>b@$WK{6p&|Zc#OKZEs$7sx5Zrm5_x7Z=_roz1y0+KF{KWHaEwfhW4J` ze??F3uQs0k{qcFb>-Otv+n9rt-rN6-C`xU+l3kMaBDV$7nl4Uu=iR=?T`pRAy5Zjy zw-U<(-27FSh1tE?^(3|B@CI$=n-2dE81r-NX;{v;@8gv!Px;=6AdQJDyo4%V+`Rwl z?_qaKjmcLk7kPi)o+DwnXOhWU%|&X-pX8WC3ul-d<4UX4fA{*6`%NeDt{HFaRBLi8 z6-ub>wimnZhJbbWy6wN6P!3x8#i#P+`PcYA~bCm zW7&B*v2WY|&Uw21>DH%z>UPgr+AfwQ#Iqzo$fNN{*_@UM8f8|T0v@H)Q%;xNNsZoS z`uWcFpUG)YCYnrg%Y8QSOXdDJznqsdXS(~(ejl@I{_DKeH{M;#x1YNG%f-IrrM1~p ze_v*Md;8PB?pObhe%iQD>-Ww-Tcba1-glz7H{VLHd6UrcJxOaVnefkqZ~=-sjpseZ|bAKOt7{runaW)m)GGdrq@nJ)R!B z_Qkn4$@b-W7EyQK%IkMey{8s@^?mP>X{XlpD!uUwOWht6W^LwkRO|h*u2=6;Ldw<} z-RujvIdw^T@`dwU#eMr$M8|8q+nzRcYOHnC#;>c`Z#SIE+rKAz)$^*TS(EPm66?Hl z-Q8vZBa{Ax2S;Atjh|fOzW;T7^RZ8M`|_Ieb}a6lYvdNaJ@@*@@9SmET(&)%RJX8v zSKHlBp97xC?oUc@+ja)jn=4FQ$MuzO_cJcTZ``{l*=GCN#y8p3wwA?+Oyt!_wnW@5? zX~!Hxbc9l-=VoPFpSjA;5|_aB;@wvL8EfKCZE;FowTGQw_L}&*eSLF{ypFzlw{}(P zfh{Mm&f-4RYmmNy_jB#~igmZ12~KO9<6W`hxztlD-mf+xmB-gD&)!^ix4vAnM(*yu zxO?Yn*X~Smy|CuYWgTWg978I3DJcV&On-Jj(>MS4+` z)m81?Q~Q<}PX3*v6;f#)S3Y%5lF$DSQ)5@}l2==`N!!z0JnHKj^{@Q94X2*@eSNjA z&fU*1=KkLCtKk5*&(h}IN9~?(YM#2)P}_7yzRT}r|BHW`-m2fwE*spu`0Cw@l3HK< zmT!m->)2TGyteG$k$KHC*L|9{dUqt}?%B4>tv_vkl2^3)Pp#v|XE8hn)cPky$Mf#| z|6cUhHRToYYj0{<_f3hOSb6_;U1it1ebJ%Et24t9Jzp%dJ3dQlVtE-=Fe!zS?v~E_}Aus@=VOyY()c{;c$B zU-2eN^G#pK&8r^S<4`x2>PPz4(5>-7bcRRQrgh zc5+{SEI!^Adh`6%Z_i_2>a5j%@=C7k?A}G$y;Fl6EGC#dwL53c#{c`ERK)a7@zzrWP$?VlwZeDqpTX?c^3?7f7`dT+kfmYvR+S{~na?9;cB z+-vLDZy5=e-EG=eoU)G3TlDiM&!8!hnP%HwO!|8E>$UoScG~?PboZBKTCRR$5wt2I zdd-YWJ4)_q|1Z=2V*7qw^UitxgbW7<7}S4emeKRx>hZp z^qj{a@ao-0#Uj6=5~)WoMaooH?b({Kf7^}n?H3cTpD9V-=jva*?%&kdn->@IEIqX@ z#)y0V?TgpS8dmdj>^Wd!@crhr^)n)?|4$GWy;O7f+DqZ^n6@K>sLHfow`8OB$*Qc($)D!mN)!UWQ>n3}J?l}2F*>m&c1xK`Q{rg=IZ2RNG`Sh)O zpSkE7&nY_Iw&tYM)a`$7t)4QiE<51f{Y?ii_pCT&r}_TzzJsjy{@++3(`!+{gPit!NZJ3#Ke_49n-i(iu@28g3?EgOL z#iu2P%MVRUFJGlO{qpMgnrA)t%%ivGhDTI&o>4d7Hgn0d1h2goK1DB2`AO5*`-r~q^|NIlLznA1*`?Yj>n9AK>p=G%T4sNoscjrIyY*%~iPHmA( zmuB4U+93VrV_)d@f2!|!W@xVXkfc^P`R~>kX0KHn^PRffempC+zj(Oc-gI&KnUtQp zvVPe@Q@G7?53M^>a>RCa?lY-~r@8yzWmV2Hvw4%()0wAvW?lV_sa^XIa&3&iF;!&t zo&RyCp6IiImdnLS-*=&YJb+# z*geXiQZ2dDyf)`SipWvDf4#dKb8oM^`|JC9-KoFNXz#ePdzZDr7cZh$+7AA&ITK6*dYM8&2K-p4(&qpsFo0@pN#K7ce{iC@I#_#sd_idP& z_I=s%UE+FmiJPB1|6bp(={q^4_ovK_jitMvotwEhd`{)9o}1!drFL7-S(eaM#2YR% zmn(7mrml%sH}2W|+63%{Yw>|HyKkS^P+fm((QNKwDWS5n!6zRd*swa`*OO!0rf&b> z*D$kPEkyXnpM2baNnQ5@~=0hUpqVF?}Zbu@|IfGPQABM7L;!$ zU8&10e3Peq_#Gerue$tf=R@mMG?z6WT6gE#`J0yCi}x@$9N<19(r-7*{CmC3m(uTT z-=67;1pR$HUGMU{cYiO}iHjV6w=N(oZ~d&vGiEjYsy& z>{#}12|NF_RGobP@a1K9>!+Vt#Ae2|S?l+bJ^g$CnA%%?j(qw(x8rYS=r`{vuejQHx?Qxn6Nsa!ms;mpRQZ*Vv#BYN8%-8B+2RnoV&Cf@Fg{q|%;`<2|d`>a#%tbV}4FEU?wcI$OsR_&JoJC}zjdkQ#Yd0(xV4HK z$5r3<-=DXsn!R?hjcht|?W5@HFHU})z3l3@d%JRX_wE0F?acb;Z&X&SJk>sTr9fGK z+r2lr*S}nN5>i>c%c{G!Tw0{8f5*$!KUuBb^m6PDTJc6TPO@z3np;=4{V7`aMd1U} z1lRu^cdFR#{ZGzx?An<4JxJE>&g%X9pS-?xd2jrwCpJ-w|9`&1Yd_^uiPxI9Yg9DS z-SY#3c>7o8O0Le8&8b;`U3#W`)TI?`Pa2S!-Do{>GiT+Z7q9_u1e_ z`^T;guQ&d$`0VJ+;klckur|M^8^l zGuhMQc75Aht9SRN24~GZJ@wwokeh3#9M#IVDeyd#-!qb?I%Z zQ*|lc$`2 z!M;@Y{@fjXyl=0^sV?29nE1W(#u{m^;x5OyusN>}{+cyMGwMInIu%#$rLT%IcXlnx zeZzfHPctOsw|3p-fM2^q_8h#X`z?P)m`u>e+r5eQw&jgNc~Q)#Zr!RmD5+nkvgG68 z=5xIHZ*+1deVJ|gdTYi(o4sGYJoi6&c6aIT&6l=IS+BlTVbXf3Hz!!*&9_jqGgCI6 zy#A!MX;!~|+-C9q{IrA4v2&xouk~jCE4EB7u{_%6%hEqgvJ-nFZoZA~FAOVN8-K&M z+jv#zx~ZOO)=9HUAMUFTD=SQ7_qy(A##j(?T-LreM9wbO)M3i;&t@0W_y2Xi`}st2 zaM5kM(!W>MybGHZyEHZO+TnE}Yd)nF_Iz;(sWcB=`RhxWP`pdBo~c)x(c`i$I~szXayd3RjjweFI{*YokaV$SEhniF)p z2E^seal`yE&R{51#*ekRbuCFd$sY# zodp}B|2>dpZ@sH<`~6wn`b!u5pE5Lx&#*GPR~lR`^+i8)zofMF*9{?W?tHjDe^*F* zzs$)$+vfOPz1z6Z+}!8I*`OP`?rU}2?j2e<&oH!-zqB;#`rq7A{@ve~ZQioUV0B{R z^(3vI4>m++wSVK6Ex)&;QQN}d0c+N^o7?^r8Apei#+X#RO7yHsy6g7${rcK)Ior!; zbCyS!Zl88x_R$U5YNAF}haWt9Uz2?0_|;`yuk!XDdS{$DdEKe=xiL3N^?Ps2%9Ndb zGws{e)BDa&l~(w`w3y$-^WAxs+|^Z|L_YDpJ+JM#{qFY-`zp?Uoq4zJ^449}F)z+$ z-B|ml{MwSmYd*=ndUfU9@7u4W%C=W6S}*oY`~HFr+TSk~tU8z&{waO-^Ygzo!gCTb zwx}|-)c&+Pqi?An2O{`>3F=0>HTzodQ6Mz{F(d+~7nt9N?+ zeSbezNnfV1{_ki1=0odZy54c6&Gg>)TmJvndB5NBU)}O%*V6dQ2Yp|+aqOOIfBQ(w z-M?}rp6{97ep}+07|ylPAmQn$?A*Xj-R6JZEIZE9aDcn#>b-BK*~H0| z*)PuMO;P(UtE~^Cr_1qfo-9*VeHWBff!gp3`a;)?VF|U$m61 z?f3+?1#EBgE3Vpm?%Mw<;n0jzNpZb08n5NP%1@77SzZ5i_L-c`%kzFb+#A!``>P&x7g|JGerM?>D^x-%Kd)o?Ik7q9elh`PjjxTtgPN~ zch~>9+9n1@T6-LHZ{7N1=^a<#p7qe*cb2h6L&cQ#V|=+C7fYWv@4xbX@0X*$=05Jr zeDUnozU1~tqVwk)UcKve)GPn1BSTT=?ocDEa;s zoqp=>>bBU`e}1}g?M`#fyZ!0^dhh3%p;oKo**7F@(EWS-)a%5h8>~N^T$3bg`s&m= z8?7nnLDB&?OE=&346e95Z}+L)KJ1u-@zESp_ z?V|m^&rIK1czRpgy5o=S|2ckKwoh`E>WrerJd?lj><(Ken6_cH`}0fdd47K0`hP{l z-L>vFVg;j1s~0vVhObl6m6>~O&;7R(#GHBLZx%e?#JBDYD9aYSU7a8K@Kb&Wzw}X0 zO{rMp+m~w{>i@3P&pbY_miMGi?CtqiH?Gc~{qgvz45$3Phx6`-8{Js;=EF7JS9NbD zIvx)NH<`-IV-LM!E}WKk;(TVp4P8IIhpWWORKtI~T6Xnx-m@+qfr>`Y%Zcp&9mV9< z%(Ggg!#wrux!m)w^#8s7d~5fAhr98=S4!8dP&r$?;EF_*v}oDVQxg~6+_ckc>h{O( z?(bR7PJpci`2Ef=?MAK6wv5cWxcxh2UrCj%HJLo?_^QO~I)4@^zxkhjP7l;fUbk(V z)1=Es^R{iS`sE>Q_jiNJ+RXcF?En8zy;Z+qdEWY+wa58ncmFEun<(X+uY5S~ez|S+ z_Vu#2cDdf&U$-P*mVfH1-IHa@%q#rvpEw_!lX1gW)qiz(+1au-wd(n|ZgI_t1chCR z^t+gAi5KCo#D?X$JQf<<&E>iC8T$m zFeGnTUwii0PyLF-^*i_Ptcu9|vqWUlmfYugf6MN&?fqK1K2UGwp5VIQeX^e3(>mcqnvL#-pPrrv#Y z=itfxIlIztez%wmI)3i|h24c`YrCiI`QSQfe(2lZif)yYOleU32M?u<=H|kar7yo2|LK`NNdU^EV`juYPrQfnM=R^Rag3QX=Y-QQ~sJ2Uxdoq z>(<7&zL3qnvDak3ga2~hUf$h?r$QvG-bDTItG@lI{^=XgR=_gn_mhOD>wk%SeyYav zt3bf3to&g6FLpIogSO^XOqy$VkNac8L*BoK*IgATQ~z+`M8*xF zLr%6cTQ|J^sd#wZov?D58^7Fd?V9R8k)cui#0KBli*&6XKAScz^8M7G8?TCSzB_v0 z_KDdyw4C05ySw`fd;0#YkcH*H`((ZJ|Jx*&tDiXFrJq>-;yTw-hF9;lw%@IJe0bfR zsXs1EjrDx}_>E=$tGL?dj^{WU4sfU3dzd?$Prmw7=JwsK_R~UN-wAkgarK1W3%}3Y z;$6(Qmp^`INb$;demO6;CcWsr*RUZvctUQ?4c+zb>tq73?zx2<(W!|LqeAZOw{7Ew}>`s0!H~0IiiS6b& zcmJ(gStM!_x61=wU=HOJ2Pa} zmo|fg6Vq}QZeLv7JuhZ^V1C`*>?xh=q}-J1jtudDo#czo5<`ok0XeD)nsV|cY#`Abd6rSolZN?IbHHnFW= z9vyJT^yNNx`OEQtpD!=n@I2uD_igWQEKCl&f9%|v#m@w$NF;8bR%(^fX%`%^gqN3Z zchTgfl`9w7#jC!#ceifC>%%e+LA62Lty^5~-=5sh-4xF&UZwkXYSxU})p85JPw%&1 z-2d;rf7bhd%#)U=*L?w13BNZnE;RQEcro( zd;3=2&7*<5S3c_Y`Z8R(|LC)RRpP5%*G2ke-+j*TDeC3jJLycfv#wu8*RSatqK`{9 zZl73{93tcVYVNwk?b^@2yga1z_G8L{<8CJxPfs&j6MVz>v(&atueTi+w%-2uU8;Y9 z3UjHR)CSImU$=K>o;{cBZ~N9!Ge##k`0LU=5wp2?9mPD^Wp`WA~`C?tp(rSipqGnC!jlLOrZ_mqS>G1o1jQcec1honGrTd)NJbq%&6{XzqazZEc)O1;o-5ZqzEwUFyxvebxGf&rA8T?x}ZA zef_R@DDS8dbJ(VB8?0l@*JT*25OP4arFS}$Nd-&blmol~LbImu*vr4(4`~UKpS8`>lJ8f## zJf8Q|+cF9i5|2yE*HorloMha$~3T1zKa>AL+r6|Lf_&s7qBD(J=Bb&21v zZ3(@veMVZs(4A*@ZRAy_RFS!FHfT@(x4HQ0r}M>AK?~g7ad17bkD5d~|4C=$Z#lTJFBKdLQ}E-a@J|CowBgp?c5fc~9kw zw#)NLi`a-&*QcdOCGGr@l5?$IR4jA)=g3`wvzjzRIwuC}zRBzC{I|JajoFc9o&39* zneuZJx3?woq?woPdw8{8r*osN!!<6Z943X?yZ*m%wx7E{^Ym%oZ-*8#H=lkob7tF( zq$_r+RTrYaB%RJy+*>7GoG2gga&A`Q_mwvmofi|!eBZEr1t;(B+WM^z53gH&%y4(q z#YFb|%U7>k6fQr((MOjj<>t@l&;9z=n$LPU_pt7>w62Ak#+L<7FNu8iD}LwRs-0gq z$xExq?_FkjbCXC}`10Z}b1nQUx1Z$Sy|i9@`e(!T*y(HE*lhU9|MkVx52EU0bdc@0}d|F#|u3^aqoi^Xd#r~O-bxvGb(d5IwWV7k{MR5-6?;VSIa8{%? zt0i`NNwHP`Uaou+6-8 zI{!`X+5KUcKDToViJdmyl$u=8Jp0S*8;j&v_g?wbtLGqGWh_UoTj2 zt7C(5^T=_z!FKMc8%8twd)e5@zrp(l1DVIU@cWXT>wg69 zGp*mYIggyJ#By>8O7Ro^QXwLi+)Ya(;8CM`8P;>B5~8?`FuE{St4(#<30hYF|J*rw?^km1-s&4qW4b(pGh_0Z^-Vh{E&3OJ*>0}riw74tSicu;&6o4P(VMr+^4wK_u3|6WubTwQVim>M))#NRmTY_b z-dWzP16Q0|#b>=i>Kn+jv5&J{#SYPuEVrG_&zdK>p*EU;5PF z$OT?Ved+YqX0B?g)|+Rh84HdtIJGYC-J6@=;=ub_0-j&ky}tG=FSnm@#4FBdE8zL=(=w)5D!Hw}h+Cv7dy@}B0jgizX4XljXRc@8t0NPb zF#VeTmubvP`|aQ4eVt<$ZV~2xG)+@Ear=!`>jR=DCmvpR`s>GYSGE7OE(RSecVfjm z-|Y9%8-9FwJ1JIycdn%GBq>|%=&2X9J*D@0`d4p`OLV_-Xve)@t@paT-bWmM*ZeZ4 zc4I-$H;t1%H>U1(ikfhfBk{WE;zP%+!u9{#xPuOEoKX1t)^$6p`je8`Ic!ft!uyi z!?VBA>K1>O{rR^RKX(29zpC?HSLi*HAkWj6D|cz0 z3;Z%+?S|RQmM*k9+#c&0Yk2GS_B*@(7=AMW6&t)Z|L1i3X|n9U`&3`X@QaqlvrUp! z>9b$|_x$$C^dX1!)^iKD@3AhcTy&bN`%BMrHkVs$?XgpD^;ND>d~@rTLUs1#;|TRl84D?!zxuPyXYP zRx1{4cG6#a`qd`uzIQF|$=&-V$SqzwFXZQf5|fIk`xCGH-~E_>_ce3VQo}dX*#GXD zwB<^2dCP{^mz-zWKIffV{x?Ot8dTWNNaM@DUGn3{^f})SJFVY)$S0j={}%IY&4&fd zH%(ouzg4e#F3hiT@HIg`==dijSXJ;c1F#UQ|oT#p4z^zw)pnf z-#1r-(uB#@>btwP>`s1L`q|I+?@qP7RX5J847zPJ(`);#bgeJ%zPNnP6?p#a@ONZd-Nt*tH8AUT3a6zAlSn_pVK!dDs7R`2KzW$v;;?#`x!7uXOW`+MQ-BDMvG{*mps}gYc}61c`_-_JNoO^KTdDI#e6%I z=OcQ`d^xXtS*+Z?J3F(E-e0x0Hy(V^nz3j3?^{v`L6 zZcP3%`^KWv+@H6ech)?Truk;qq#5!eIjdV^Cx1J7#eT=neN(l;fyq$vs`7nB;FSAX znT5L3`(`|OBFVdVQc0b~68n>Huj{PZYig}?ng7%0lIiF5mY&IJjs3hrfZMb+c6#ZF z%iU({_q{cL6A3DsYvVrLzgJuH{-N^er&hbCJ?&n&{h#vUGmD+9KGnJ(k6g9?s>xzwG-Ij{EO@_CP|*4{8ZWW%>R zqQB`~Z}F2!=eESzJq({Xy`(mA-Lz%gB@T+!iPuAUc0bKiRBnl#9(H8jlee?w_f+y% zi#zQ1W?|sjV>YMe9P9iEH}_vJnY&?u$&*)g#?fo1#(7%lKKW{XGEUb2_a-~pd6%F5 zWWBXyS&@D-Putx+YwoiMJGaG7KQ!GsT>t;_g>hU5&bYRUJA~eqef@4$`76ouv)Oj@xX_C@f;?G!Vl;6B7-#35B(Aqoc%dY~D`bj0(?|9}c z%uUX@bm-CMAr56x><}2$>owmCwx+3k5t_hUICLW#mPKHzkTb1?*SkOXl3WwriJ#|nH0Vw=U-FYN*o|MfEY)`2=KXi>Y=1ZRC&xa_ z`vz}fx6`L}=e9-5J$wVI9Rv1X_`R&$Zu@tSs^*#VgI}vIpBF6DZ~DdS(&J#rY+S&v-(Yxq_s5ydzvtIK`Yu*+I_6~k{%QOdYd3Gcs{EyIk^g&#+qTQA zAIWSzu~p@XsL>wzYZaUK#Y8N*`Z7m!lU!M{qoVE=sj|DxvD;L??AiZ&-RJ9v9b7xOpdPTDkGj3n9}L`5v$Q;&n-L+V%Fyd2`t9$sTZ?(c3*pZ@L$^LRifd=WuPcJ;rGJ!d#?Uub@P*dShvPC zC3(EMbTo0#!s{w?C(B%7pZs^$`eXO5O!L~MK6ml!%R6tazvP=K$+vr%hBx=okGo7; zV$HYiPTRjc`>XH%Cu=~%WfLs9;|u>Cs{EW5|9sQ-Yrkexl@?0mznI!(zICs;P=g+?7_5UWv&hZ7sx>0Se z<;y$eF-qU-S8R=6pW;>QJGm}$R>uYHP`=_9YfrP?ecV|m^Zez#l5ZCm%zU^ZTWgz4 zab<4ebLC zSb}r#=by^vUjJ6zTJPg%m^tf;(S4WJxRn;cx2q>HR|Q*GBp#Mov?R2!FVE+B=KBLm zm2HRfI#!;!JnQhflzy}GUiUUXJeMjvM;GMNW$VKCu6p^z^8D{L)qf(^I?KeU&3`g) zudrm5>PrjnujdLJp5IoS*=xJbUM{*Mcg}LY{8if$H%XQ))~@*X;&h)(+1<12?rqxr zRsZXeuY2dHfQ@XOe189jq@^FZri)$qC9!>p#gW8Gc^R``T+sIP)>+>@IdAU~x9N|q zY?sR~`}}pscAl@A3e}0%W1p>b+PS~TH}N`ORY(2q)T_B$WI(ybfYSY>sHxkIt-u^O?ghqz1#LF@9xXo6=**>dtvS-r}ZIoj{n_L;PKv@ zPowa9QT|og!oI57mifxriQ!spvEMJY++~(~^L}^O+CO^kwxAP?C7)mUtQR#&>+i%n z=jF~W)oz<(dHH=-ve}~-|uOSEe`K!-FGyLbGO>>UhO^gr}u7O_b`L~ zf(GYo1_$N0+3}mVSD)+**X!`@^jSao`n976ZBE_s?)HC@UOxFuN?{RGzN6Wn53M|H zv6Hns1I4&&`{ga)MDcj(-Mv%t;_vV9zd7vgRt;{84sk0O`_=rlzL)Uq{^UPLF2)>t zq_RbS_8YJFS2%YED*FDmty{7o`{1_7Rs7|41-IYITxHm#uz`~y<><8EVR!D{z4gmz z`dSHJE1t}KH=@p{>&@9EYVCYwuik`-8=}{|64P?3&rLL+@h)ek@$aWCu?&$;t>O-9 za|`ZS|I=LZQP}9L)LB*CHW$0bVBzaqFU_91LAtxP^!L(R6A!Jst!R4l|Nhjgr}T@y zfI2n~z4OZNS;vVa{i>b3x2Pn1ThRS`oV$)(RsE8t@Mc!bv}K#>?l!pd?M|zT@%*&# z?CQL~y6(CSI**o_GR!PpQ2X}W-}8|LPn(uqQ@H#(MG{0XGQl))p-PGmm>lEKiyR;`H`Nq~y#XLN_-*II+rZwk>Yqvjsm3V!Z z5P$u(%KxXVEvy(*WJTi`f}P5b@A_uhJ*~!iOUrZ5D%Z90H+qdxQ6+Kfm~!v$y4AeyX^uHLPsl(r?gw{=~lGHhZ#SP3*JdJ?|zi-MIJh zoTa%=T6=kUc2Ck43G&RGD*3vNdw1gYNl)^3hppeyw^-mnh*PWhfhm{o?tAy~xt`tI zQ+rA_d8YTOrOsNulqWNJ{=AAkQ}4O8#+J{#6cm5gV%3K1H0{~5CvPuXx9h88p94cM zFUaAyIG@K>Y^?lMy0cIE?bG}{x@V4syvz-_p?l6}y4S_-)7PcSM88G&{oj!KH8;F) z3#f8%Xr5E`u6kbhhr{4>R;z^E#7^wq@n}F5J$TXnrIqbo>2JTU%ne?@s!+ z_VvHp`%VV3HXPt)kSzWbeXp`fUaRK#(|qZ_q8CNhddj)gXUdp;xn}uh)@~=AzRO=1 zb6*iDYi_N6G-sLp+g-(x?C!##TTfCff6V*5jei-}^jUv?T(rC9om}m19UOi2LiF(s z*Ma{vz^&M+9-~1B$xn}?Cs)U>VmR<}# z=^+)2KGk<+UtbeX&-6|^S+Z?OpzqGGoR?3R&b*biLU@YyUc+hA=Cy2)j_njrF??Hn za@OH>ky_Wk^Bup_dfslwBf~xchRdJ?X?)5vf6oWgSH1TOe?}%(?rC>1e3Hd?O7X1x z*)75XWvZT;As?Lf*Tfdz=-qZLrGDejgST&4NHLrd38`Q_qj6XIdd|zbbAR&nGiJ@6 zb@S$=S?-~#1>r);hO_%j&K&gFuF%1si@XMBx#HUDPNjjxUG z;@8|eFp(iaZQ&vAgqiXyS{WEvzI(bjh8(kcIH%h$uw!~u&wIJs#wUh}g*q*POcwHxFn(F@@PxnRFpNV5Lm~6O&@j%b^{l$N8 zJ&rHB^|Uo^rssb9TiJ_OK00Q`ef9Q?sd*{fPqp3_Bwkas|JO~g6h*Z6UEOy#{N>dJ8?xipyqIb{(bqu|3$z5mfM`W2fk^Z=Vi-hy*)Sfd|=(_C-wTNX`2hz$p;T! z1%{oF=iU8|OVoHtujZRsxzk(y%kGx{zJ9Zs;ex!g6vKk9zi+eWRpfnsd0*$u*28MQ zZGXPlW$CeWTgt|ewYp{pY@@O_ERm?O)$+U?bVHXlN_tL3JJ)VC>!fKl&U<&?yZQCP ztKT<@83NX_FfvG7<9r@d(iO7f%ANbB*IqB1stm#~pvbpySc5RT>SrZie zd47J})*9VvPEbR^AWwbowm7|BH>$x^HH^ zEo%LL=huVR|CUsLE?@DA$zkpEC^JTeo_mGs>;LW%oBv;*>(`9k+xz}Y#>Q!c@a|TV z{V1^R-Oc-7*8i^Cox~q44{}<7x%!;qi<+MfrK{9Bd@?w9LfiXyX;#OkC+VKSm;a~C z(E~Nc7A*9uxw|_~(fW_-^m_*DF1!vDTkP{t@vN8KwxzjGn{#5p`#IeAW%qoL zoPJK`wyUMh+l&9#zHXdqpPJ1Cx{cnbI@k8&o$Y`5U4Q#e*I)P1FgEXDcXY9Bd}wrZ zqb~;oOB}-tCObJlo9_qhr`}e-`}ate_l}(1XY_7XW&FPW<;CL4ZIU3@B%HE*yM;T7 z?_b~FwVwag`j2}~+WB_!m#>E!zZl=HFFx+LO$egQ`q_8A8TQ)g|L3d7>itkJx8Jg9 k_F5)}Q81)JAfe=+e(#Q2@o23_pFj@xboFyt=akR{01LcOlK=n! literal 0 HcmV?d00001 diff --git a/docs/index.md b/docs/index.md index 39679d01a..5e6c70c56 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,52 +1,106 @@ --- title: AppArmor.d +hide: + - toc --- - + + -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org +
+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index ff4a1b6bb..a18185fbf 100644 --- a/docs/install.md +++ b/docs/install.md @@ -89,7 +89,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. @@ -125,7 +125,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..fb6712a14 --- /dev/null +++ b/docs/overview.md @@ -0,0 +1,48 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/mkdocs.yml b/mkdocs.yml index 153af0d4e..12783b566 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md From daa6a1239b810dbc4458869a59a896dca42296df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:20:08 +0200 Subject: [PATCH 394/977] feat(profile): improve protonmail-bridge-core. --- apparmor.d/profiles-m-r/protonmail-bridge-core | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 92d379724..493199974 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -12,8 +12,9 @@ abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include @@ -25,7 +26,7 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, @{lib}/protonmail/bridge/bridge-gui ix, @@ -49,7 +50,6 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, deny owner @{user_passwordstore_dirs}/** r, profile pass { @@ -76,6 +76,7 @@ profile protonmail-bridge-core @{exec_path} { owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, deny owner @{user_passwordstore_dirs}/**/ r, From a46967cb43e643efc925644b234093f249fdc313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:56:51 +0200 Subject: [PATCH 395/977] feat(tunable): add papers to the list of document viewers. --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 198776f9b..b3e36cae7 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -76,7 +76,7 @@ @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers_names} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers @{image_viewers_names} = eog loupe ristretto From 043dc3fc0589d3c361dd9e4a1cdf543fab8284df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 15:23:24 +0200 Subject: [PATCH 396/977] feat(profile): add paperspecs to cups backend. --- apparmor.d/groups/cups/cups-backend-beh | 1 + apparmor.d/groups/cups/cups-backend-bluetooth | 1 + apparmor.d/groups/cups/cups-backend-brf | 1 + apparmor.d/groups/cups/cups-backend-dnssd | 1 + apparmor.d/groups/cups/cups-backend-hp | 1 + apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 1 + apparmor.d/groups/cups/cups-backend-lpd | 1 + apparmor.d/groups/cups/cups-backend-mdns | 1 + apparmor.d/groups/cups/cups-backend-parallel | 1 + apparmor.d/groups/cups/cups-backend-pdf | 6 ++++-- apparmor.d/groups/cups/cups-backend-serial | 1 + apparmor.d/groups/cups/cups-backend-snmp | 1 + apparmor.d/groups/cups/cups-backend-socket | 1 + apparmor.d/groups/cups/cups-backend-usb | 1 + 15 files changed, 18 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..1009a0ef2 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel index a985e5042..b4340b2ed 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 7782ecb11..6f658b064 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} { /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial index 3959a091d..26811ab59 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 --- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } From 00327dfae17112aac14ab572ddb1ed026797465c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:38:48 +0200 Subject: [PATCH 397/977] feat(profile): minor improvements. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/apt/unattended-upgrade | 7 +++++-- apparmor.d/groups/grub/update-grub | 5 +++-- apparmor.d/profiles-a-f/acpi | 1 - apparmor.d/profiles-a-f/evince | 5 +++-- apparmor.d/profiles-g-l/kmod | 14 +++++++++++++- apparmor.d/profiles-m-r/mkinitramfs | 6 ++++++ apparmor.d/profiles-s-z/spice-vdagent | 2 ++ 10 files changed, 35 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5c33a1866..947dba149 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876e..08e1400b2 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325f..59f7a54f6 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 3e60798e9..8413d9975 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include + include include capability chown, @@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/ r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/ r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 1996b346b..ff17c160a 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e6..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 5ae754138..b7b087309 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -44,13 +44,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0338e3975..ccc8d6913 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, @@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + /usr/lib/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index ad626192c..eaf5645f3 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9562fec75..c73f5f678 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } From 2bad07f5ffe85486104bb775df646bb5cc5aad6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:44:59 +0200 Subject: [PATCH 398/977] doc: hide the date of revision on the front page. --- docs/index.md | 5 +++++ mkdocs.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 5e6c70c56..9602207d0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -19,6 +19,11 @@ hide: display: none; } + /* Hide the date of revision */ + .md-source-file { + display: none; + } + /* Get started button */ .md-typeset .md-button--primary { color: var(--md-primary-fg-color); diff --git a/mkdocs.yml b/mkdocs.yml index 12783b566..e5244a529 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: From f9f409716434735336e9de871cad8fcfb329cd4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:12:24 +0200 Subject: [PATCH 399/977] feat(abs): add the path abstraction. --- apparmor.d/abstractions/app-launcher-root | 7 ++----- apparmor.d/abstractions/app-launcher-user | 10 +++------- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/path | 23 +++++++++++++++++++++++ apparmor.d/groups/children/child-open-any | 7 +------ 5 files changed, 30 insertions(+), 22 deletions(-) create mode 100644 apparmor.d/abstractions/path diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 0bc7dbeff..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -5,15 +5,12 @@ abi , + include + @{bin}/** PUx, @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index cc802ef06..0d63b72c8 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -27,6 +27,7 @@ include include include + include include include @@ -39,12 +40,8 @@ /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 000000000..dee241b29 --- /dev/null +++ b/apparmor.d/abstractions/path @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common directories in $PATH, used by launchers and interactive shells. + + abi , + + @{bin}/ r, + @{bin}/*/ r, + @{sbin}/ r, + @{sbin}/*/ r, + + / r, + /usr/ r, + /usr/local/bin/ r, + /usr/local/sbin/ r, + + @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 1259d7708..446627e85 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -14,6 +14,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include + include @{bin}/** PUx, @{lib}/** PUx, @@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - include if exists include if exists } From efba6e164e8dcb99e26856394f924333b302fa60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:22:00 +0200 Subject: [PATCH 400/977] feat(profile): add initial profile for decibels. --- apparmor.d/groups/gnome/decibels | 37 ++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/groups/gnome/decibels diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..88d292b07 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index adced30c9..bcebd472d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +decibels complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From 5a448cb39dda25ddf11ce446af10dda253613bc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:23:35 +0200 Subject: [PATCH 401/977] feat(profile): add initial profile for papers. --- apparmor.d/groups/gnome/papers | 51 ++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/papers diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..ee829d8f3 --- /dev/null +++ b/apparmor.d/groups/gnome/papers @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bcebd472d..70d484953 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -257,7 +257,7 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From 8d374ed8761dfd518e7d4f09e8ec699261d76b56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:27 +0200 Subject: [PATCH 402/977] feat(fsp): add tunables for the future systemd executor profiles. --- apparmor.d/tunables/multiarch.d/profiles | 2 ++ pkg/prebuild/prepare/fsp.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e966623d4..92ab19fc9 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -9,7 +9,9 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined +@{p_systemd_executor}=unconfined @{p_systemd_user}=unconfined +@{p_systemd_user_executor}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index e46efe0e8..0d4c23076 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -40,7 +40,9 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") + out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") + out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") if err := path.WriteFile([]byte(out)); err != nil { return res, err } From dbd0a7d271930f6a85ceda79feab610599b54222 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:58 +0200 Subject: [PATCH 403/977] feat(tunable): add the efi variable. --- apparmor.d/tunables/multiarch.d/system | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 3f6e0f890..d7834cc8a 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -22,6 +22,8 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ # System Variables # ---------------- From 4beb096532ab6c60c376fb4a3acf070e11e2d56b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:29:33 +0200 Subject: [PATCH 404/977] feat(abs): expand zsh abs to more default locations - Add support for oh-my-zsh - Add support for gitstatus & p10k - Add more zsh config dirctories. --- apparmor.d/abstractions/zsh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index a22895c91..ff90849c0 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -10,24 +10,40 @@ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor From d74a47764665fbdcbfd74ec8d0549b557ab1075e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:33:03 +0200 Subject: [PATCH 405/977] feat(tunable): add @{backup_path}. --- apparmor.d/abstractions/app-open | 7 ++----- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c74d1f08..27f0c96fc 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,6 +26,7 @@ @{image_viewers_path} PUx, @{offices_path} PUx, @{text_editors_path} PUx, + @{backup_path} PUx, # Others @{bin}/amule Px, @@ -41,6 +42,7 @@ @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, @{bin}/kgx Px, @@ -57,11 +59,6 @@ #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - - @{bin}/gnome-session-quit rPx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 733f8925c..cb889ee19 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -69,4 +69,7 @@ # Terminal emulator @{terminal_path} = @{bin}/@{offices_names} +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index b3e36cae7..c1eea10b3 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -93,4 +93,7 @@ # Terminal emulator @{terminal_name} = kgx terminator konsole +# Backup +@{backup_names} = deja-dup borg + # vim:syntax=apparmor From 3b1fe1f931337c7e6d9428797866045effe3e0ca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:41:43 +0200 Subject: [PATCH 406/977] feat(tunable): fix and use terminal_path. --- apparmor.d/abstractions/app-open | 4 ++-- apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 27f0c96fc..c7d2a86c8 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -25,8 +26,8 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, - @{backup_path} PUx, # Others @{bin}/amule Px, @@ -45,7 +46,6 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cb889ee19..059f337fd 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -67,7 +67,7 @@ @{help_path} = @{bin}/@{help_names} # Terminal emulator -@{terminal_path} = @{bin}/@{offices_names} +@{terminal_path} = @{bin}/@{terminal_names} # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index c1eea10b3..cddb1a7d2 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_name} = kgx terminator konsole +@{terminal_names} = kgx terminator konsole ptyxis # Backup @{backup_names} = deja-dup borg From 053ce04c8e040c47095b32468d8e046033a14466 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:09:06 +0200 Subject: [PATCH 407/977] feat(tunanle): add the sqlhex variable. --- apparmor.d/abstractions/common/app | 3 ++- apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/localsearch | 8 ++------ apparmor.d/groups/gnome/tracker-miner | 6 ++---- apparmor.d/profiles-a-f/dropbox | 3 ++- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 3 ++- apparmor.d/profiles-g-l/gpodder | 3 ++- apparmor.d/profiles-m-r/protonmail-bridge-core | 4 ++-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 ++- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 6 ++++-- apparmor.d/tunables/multiarch.d/system | 3 +++ 17 files changed, 30 insertions(+), 27 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 0d63b72c8..99da31590 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -59,9 +59,10 @@ owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 8d35bc8e0..bb824c7cb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -82,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 7874e95ff..511a48987 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 263604ba7..1503ba747 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,12 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2..d35f6467f 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index eecdb2e6d..b4baf1d0c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -61,7 +61,8 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6746843d..5971764f0 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -34,7 +34,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 75d5197ae..71addde64 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -67,7 +67,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{hex16} rw, + /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 562980d35..cebfc955f 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -36,7 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 7ccf428c3..dd7a20eb7 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -47,7 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 493199974..ee7adab75 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -43,8 +43,8 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d..24e0c61dd 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -54,7 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b..1d3850ba5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -54,7 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b5..d1194abf5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -47,7 +47,8 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66b..84bbcf1f2 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -68,7 +68,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 67b3cf503..6f4c120a0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -59,11 +59,13 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{tmp}/.mount_wechat@{word6}/ rw, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - owner /var/tmp/etilqs_* rw, - @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d7834cc8a..f1be21e49 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -54,6 +54,9 @@ # System Internal # --------------- +# SQlite temporary files (hexadecimal from 12 to 16 characters) +@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} + # Shortcut for PCI device @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} From 94991165421ca3bc422af6893792bb3aa5dfbd9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:39:32 +0200 Subject: [PATCH 408/977] feat(profile): add initial profile for ptyxis. --- apparmor.d/groups/gnome/ptyxis | 38 +++++++++++++++++++++++ apparmor.d/groups/gnome/ptyxis-agent | 46 ++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 86 insertions(+) create mode 100644 apparmor.d/groups/gnome/ptyxis create mode 100644 apparmor.d/groups/gnome/ptyxis-agent diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 000000000..739681eae --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner @{PROC}/@{pid}/stat r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent new file mode 100644 index 000000000..239993f21 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + + signal send set=hup peer=unconfined, + + ptrace read, + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + @{bin}/systemd-run mr, + @{bin}/@{shells} Ux, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 70d484953..2cef12304 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -271,6 +271,8 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +ptyxis complain +ptyxis-agent complain qdbus complain remmina complain run-parts complain From 1fab846875cae905de7c4e194848a043793185c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:47:08 +0200 Subject: [PATCH 409/977] feat(abs): add proc stat to the gnome common abs. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/groups/apparmor/aa-notify | 1 - apparmor.d/groups/gnome/decibels | 1 - apparmor.d/groups/gnome/gnome-calculator | 2 -- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-logs | 2 -- apparmor.d/groups/gnome/gnome-maps | 1 - apparmor.d/groups/gnome/gnome-text-editor | 1 - apparmor.d/groups/gnome/gnome-weather | 1 - apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/ptyxis | 2 -- apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/foliate | 1 - apparmor.d/profiles-a-f/fractal | 1 - 15 files changed, 1 insertion(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3..056f6581b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -32,6 +32,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index b64317a57..7cb64af80 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -75,7 +75,6 @@ profile aa-notify @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 88d292b07..2bb38dfd5 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -28,7 +28,6 @@ profile decibels @{exec_path} { owner @{user_videos_dirs}/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3f2290e6a..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,8 +23,6 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 890a54691..7ee0f835e 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b59..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 06e66a43b..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -27,8 +27,6 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 693b1618f..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -24,7 +24,6 @@ profile gnome-text-editor @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a19..fe2bf69b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index ee829d8f3..87820376c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -32,7 +32,6 @@ profile papers @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, profile open { include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 739681eae..2f7dee368 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,8 +28,6 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner @{PROC}/@{pid}/stat r, - /dev/ptmx rw, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index b8eedb263..24610cd8c 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -48,7 +48,6 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index f6380d125..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5971764f0..40001da68 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -41,7 +41,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, /dev/ r, From 658c054c47a7a0ffc054b5ada18137e62c063354 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:46:35 +0200 Subject: [PATCH 410/977] feat(profile): update and enforce a few profiles. --- apparmor.d/groups/filesystem/mke2fs | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-software | 14 ++-------- apparmor.d/groups/gnome/gnome-system-monitor | 8 +----- apparmor.d/groups/gnome/gnome-terminal-server | 18 ++++++------ apparmor.d/groups/gnome/gnome-tweaks | 2 +- apparmor.d/groups/gnome/kgx | 16 +++++------ apparmor.d/groups/network/ModemManager | 3 +- apparmor.d/groups/polkit/pkttyagent | 4 +-- apparmor.d/groups/shadow/newgidmap | 2 ++ apparmor.d/groups/shadow/newuidmap | 2 ++ apparmor.d/profiles-a-f/calibre | 28 +++++++++++++------ apparmor.d/profiles-m-r/mdevctl | 1 + apparmor.d/profiles-m-r/metadata-cleaner | 14 +++------- apparmor.d/profiles-s-z/totem | 8 ++++++ apparmor.d/profiles-s-z/xsane-gimp | 18 +++++++----- dists/flags/main.flags | 22 ++------------- 17 files changed, 76 insertions(+), 86 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index a3edbeb50..90df8ecb1 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -10,6 +10,7 @@ include @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 1f17b35a3..027a1ab96 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include include - include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dd872c53a..c10261c02 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include include - include - include include include include @@ -71,15 +69,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -94,7 +88,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -123,10 +116,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -166,6 +156,8 @@ profile gnome-software @{exec_path} { include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8df82b290..a3d039dea 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,10 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include include capability sys_ptrace, @@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, @@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 55a7f4687..837f00f68 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} { include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions @@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index fa94d56e8..96e83b846 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c..a32a3d8c3 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,14 +25,14 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 1d8987709..59efc3201 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, @@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index de0eeef33..436447aef 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/groups/shadow/newgidmap index 4a7196fc2..6fa555504 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/groups/shadow/newuidmap index 549eb06ef..6a53bf5c1 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e3643ab6d..bba3dfedb 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -15,9 +15,10 @@ profile calibre @{exec_path} { include include include - include include + include include + include include include include @@ -35,11 +36,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @@ -47,9 +50,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +65,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -68,10 +73,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -82,10 +92,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +119,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e6..906dcf512 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 4aa662cd0..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include @@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, @@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba..fc582cae2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, @@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973..4273e803d 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2cef12304..b710f2d94 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -106,7 +105,6 @@ filezilla complain finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain @@ -117,29 +115,20 @@ flatpak-system-helper complain flatpak-validate-icon complain fstrim complain fuse-overlayfs complain -fusermount complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -173,8 +162,8 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain @@ -184,7 +173,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -202,7 +190,6 @@ kded complain kernel-install complain keyboxd complain kglobalacceld complain -kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain @@ -238,9 +225,6 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain @@ -357,7 +341,6 @@ systemd-network-generator complain systemd-nsresourced complain systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain @@ -408,6 +391,5 @@ xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain From 21abf59132bc39f72fba96bad60eed1d41a1e5cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:48:33 +0200 Subject: [PATCH 411/977] feat(profile): libvirt: simplify udev access. --- apparmor.d/groups/virt/libvirtd | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 53dcb0703..94fa568a3 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -162,35 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, From 64f02ff6084d5084339211cdcd7f5a468cab5bf2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:50:09 +0200 Subject: [PATCH 412/977] feat(profile): snapd: add journalctl subprofile. --- apparmor.d/groups/snap/snapd | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 38d803655..c1b24176e 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -60,7 +60,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, @@ -72,7 +72,7 @@ profile snapd @{exec_path} { @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, - @{bin}/journalctl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, @{sbin}/runuser rCx -> runuser, @@ -199,6 +199,25 @@ profile snapd @{exec_path} { include if exists } + profile journalctl { + include + include + + capability net_admin, + + network netlink raw, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + include if exists + } + profile runuser { include From b677d4a0b537ff1c22ab2260f418cbe348df80f5 Mon Sep 17 00:00:00 2001 From: tpaau-17DB Date: Sun, 18 May 2025 18:36:39 +0200 Subject: [PATCH 413/977] Fix hyprland profile. --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 68356741d..c06671b34 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -31,6 +31,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, From 10ef829d31efe2f4f9de20ef9b52b999852d489d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:31:33 +0200 Subject: [PATCH 414/977] fix(profile): more possible id than int for i2c. --- apparmor.d/groups/kde/kde-powerdevil | 10 +++++----- apparmor.d/groups/procps/htop | 6 +++--- apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f5ffa6a82..ebb150ed2 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -70,12 +70,12 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 5e1079802..d59fde5e5 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -45,7 +45,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, @@ -56,8 +56,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080b..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index b640d90fd..c708b587c 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 4028680a6..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -21,7 +21,7 @@ profile sensors @{exec_path} { @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 96dc17042..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index e076f313c..9a4b5cebe 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,7 +24,7 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/name r, @{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, From 86afef4920601f4e8babdfaf15d232ac5aed2979 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:33:58 +0200 Subject: [PATCH 415/977] build: improve `just install` --- Justfile | 13 ++++++++----- PKGBUILD | 3 ++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Justfile b/Justfile index 1e626dc1c..825097a1b 100644 --- a/Justfile +++ b/Justfile @@ -18,7 +18,7 @@ # Build setings destdir := "/" build := ".build" -pkgdest := `pwd` / ".pkg/dist" +pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" # Admin username @@ -86,13 +86,16 @@ install: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - for file in $(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n"); do + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done - for file in $(find "{{build}}/apparmor.d" -type f -printf "%P\n"); do + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done - for file in $(find "{{build}}/apparmor.d" -type l -printf "%P\n"); do + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do mkdir -p "{{destdir}}/etc/apparmor.d/disable" cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done @@ -155,7 +158,7 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - .pkg/{{pkgname}}* {{build}} coverage.out + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out [doc('Build the package in a clean OCI container')] package dist: diff --git a/PKGBUILD b/PKGBUILD index 58a693d34..b48e55153 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -30,7 +30,8 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - DISTRIBUTION=arch just complain + export DISTRIBUTION=arch + just complain } package() { From 707a5e8beec085376c6bc772352289ace86633d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 May 2025 21:41:52 +0200 Subject: [PATCH 416/977] feat(profile): firewalld move kmod into a subprofile. --- apparmor.d/groups/firewall/firewalld | 36 +++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index ddf0291ee..01f853c26 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -9,7 +9,6 @@ include @{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability setpcap, - capability sys_module, network inet raw, network inet6 raw, @@ -34,15 +32,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sbin}/ r, - @{bin}/alts rix, - @{sbin}/ebtables-legacy rix, - @{sbin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{sbin}/ipset rix, - @{bin}/kmod rix, - @{sbin}/modprobe rix, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rmix, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{sbin}/ebtables-legacy ix, + @{sbin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, /usr/local/lib/@{python_name}/dist-packages/ r, @@ -58,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + include if exists } From 85d35a4f86ac4a6a9479153a0aaf0b6da8063dae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:30:34 +0200 Subject: [PATCH 417/977] feat(profile): mkinitcpio ensure support for different kernel. fix #749 --- apparmor.d/groups/pacman/mkinitcpio | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 785f4f448..9eafb72a9 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -84,8 +84,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /{boot,efi}/EFI/{,**} rw, + @{efi}/ r, + @{efi}/EFI/{,**} rw, + @{efi}/@{hex32}/{,**} rw, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, From facc504ae9769f3053557665d85940027ccd9fd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:32:28 +0200 Subject: [PATCH 418/977] fix(abs): editor: use of neovim as editor. fix #749 --- apparmor.d/abstractions/app/editor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 1c0b87e6a..f62e36339 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -10,7 +10,7 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, @{bin}/which rix, From 58d677b5f0ba8e3ae60be71dbb0f6fcbf66ff721 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:48:54 +0200 Subject: [PATCH 419/977] fix: tweak kde related abs to ensure all common rules are allowed. fix #741 --- apparmor.d/abstractions/app/open | 4 ++++ apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2b865457c..2a43affcf 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -34,9 +34,13 @@ include include + /etc/xdg/menus/ r, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/sys/kernel/random/boot_id r, + # fi include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 78a98a3cf..181339a12 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 0f4410a12..7439cd9e9 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -41,6 +41,8 @@ owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor From 222125e593d0931a38650888ef1120091c520eaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:01:21 +0200 Subject: [PATCH 420/977] fix: processing regexs --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 181339a12..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 7439cd9e9..56aa88798 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, From 6495061360d6d8ddbd695e27314ff3acb0cf37cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:27:44 +0200 Subject: [PATCH 421/977] feat(profile): add initial version for dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 10 +- .../{dpkg-script-udev => dpkg-script-kmod} | 11 +- apparmor.d/groups/apt/dpkg-script-linux | 45 ++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ---- apparmor.d/groups/apt/dpkg-script-systemd | 64 ++++++++ apparmor.d/groups/apt/dpkg-scripts | 141 ++++++++++++++++++ dists/flags/main.flags | 6 +- 7 files changed, 263 insertions(+), 41 deletions(-) rename apparmor.d/groups/apt/{dpkg-script-udev => dpkg-script-kmod} (54%) create mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-systemd create mode 100644 apparmor.d/groups/apt/dpkg-scripts diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 088fff84a..585d9c59d 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/grep ix, - @{bin}/deb-systemd-helper rPx, - @{bin}/deb-systemd-invoke rPx, - @{bin}/dpkg-divert rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-divert ix, + @{bin}/systemctl Cx -> systemctl, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-kmod similarity index 54% rename from apparmor.d/groups/apt/dpkg-script-udev rename to apparmor.d/groups/apt/dpkg-script-kmod index 58840ef39..f900bba17 100644 --- a/apparmor.d/groups/apt/dpkg-script-udev +++ b/apparmor.d/groups/apt/dpkg-script-kmod @@ -6,16 +6,13 @@ abi , include -@{exec_path} = /var/lib/dpkg/info/udev* -profile dpkg-script-udev @{exec_path} { +@{exec_path} = /var/lib/dpkg/info/kmod* +profile dpkg-script-kmod @{exec_path} { include - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/systemd-hwdb rPx, - @{bin}/deb-systemd-invoke rPx, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux new file mode 100644 index 000000000..c84d6aa4b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/linux* +profile dpkg-script-linux @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/locale ix, + @{bin}/mkdir ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/stty ix, + + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + + /usr/share/{update,reboot}-notifier/notify-reboot-required Px, + /etc/kernel/{,header_}postinst.d/* Px, + /etc/kernel/postrm.d/* Px, + /etc/kernel/preinst.d/* Px, + /etc/kernel/prerm.d/* Px, + + /etc/kernel/*.d/ r, + + @{lib}/linux/triggers/* w, + @{lib}/modules/*/.fresh-install w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man deleted file mode 100644 index 63f5c5c78..000000000 --- a/apparmor.d/groups/apt/dpkg-script-man +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/man-db.* -profile dpkg-script-man @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/setpriv rix, - @{bin}/mandb rPx, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd new file mode 100644 index 000000000..28f4b6e87 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/systemd* +profile dpkg-script-systemd @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/journalctl Px, + @{bin}/kernel-install Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-machine-id-setup Px, + @{bin}/systemd-sysusers Px, + @{bin}/systemd-tmpfiles Px, + @{lib}/systemd/systemd-sysctl Px, + @{sbin}/pam-auth-update Px, + + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + + /var/lib/systemd/{,*} rw, + /var/log/journal/ rw, + + profile dpkg { + include + include + + @{bin}/dpkg mr, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 000000000..d644b6c3e --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + + @{bin}/setpriv ix, + @{bin}/envsubst ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/locale ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + # Maintainer scripts can legitimately start/restart anything + @{bin}/** Px, + @{sbin}/** Px, + @{lib}/** Px, + /usr/share/** Px, + /etc/init.d/* Px, + + /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp + + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + /etc/ r, + /etc/** rw, + /usr/share/*/ r, + /usr/share/*/** rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + + profile bus { + include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + @{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc?.d/ r, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + /etc/rc@{c}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b710f2d94..9aa61f15b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -88,8 +88,10 @@ dolphin complain downloadhelper complain dpkg-maintscript-helper complain dpkg-script-apparmor complain -dpkg-script-man complain -dpkg-script-udev complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From c446c44ded1f9239f065b341b85dec332d1cc157 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:32:57 +0200 Subject: [PATCH 422/977] feat(profile): add dpkg-script-tmp. --- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/dpkg-architecture | 9 ++-- apparmor.d/groups/apt/dpkg-db-backup | 42 +++++++++++++++ apparmor.d/groups/apt/dpkg-maintscript-helper | 6 +-- apparmor.d/groups/apt/dpkg-script-tmp | 53 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-vendor | 1 - dists/flags/main.flags | 2 + 7 files changed, 104 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-db-backup create mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 63dfdaf52..0994006da 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -21,7 +21,7 @@ profile deb-systemd-invoke @{exec_path} { @{sh_path} rix, @{bin}/systemctl rix, - @{bin}/systemd-tty-ask-password-agent rPx, + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a58257271..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..d83bdbb45 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index b7d8675e8..dfb881e32 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -13,9 +13,9 @@ profile dpkg-maintscript-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, /usr/share/dpkg/sh/* r, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp new file mode 100644 index 000000000..e6c7fbe44 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} +profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/kmod Cx -> kmod, + @{bin}/systemctl Cx -> systemctl, + + /etc/kernel/preinst.d/*-microcode ix, + + @{lib}/modules/*/.fresh-install w, + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index aee717257..70d2199f2 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9aa61f15b..aa62f9108 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,11 +86,13 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain +dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From 9eff482ebf37d218c35cdf4cb9fcd7a3e2f618a5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:34:05 +0200 Subject: [PATCH 423/977] feat(profile): update unattended upgrade profiles. --- apparmor.d/groups/apt/unattended-upgrade | 52 +++++++++++-------- .../groups/apt/unattended-upgrade-shutdown | 4 +- apparmor.d/groups/apt/update-apt-xapian-index | 14 +++-- 3 files changed, 37 insertions(+), 33 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8413d9975..95b8b2760 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, @{python_path} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-divert rPx, - @{sbin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{sbin}/on_ac_power rPx, - @{sbin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/dpkg-deb px, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px -> lsb_release, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, @@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/apport r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, @@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, + /etc/ssh/moduli r, + /etc/ssh/ssh_config r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash w, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae..f36505e7a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include + include include include @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 5da82090f..f829ab3ff 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include include @@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } From 760eb91ac6eed4a72ddcf4a5bf2e7324e9e0591a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:06:21 +0200 Subject: [PATCH 424/977] feat(profile): add profile for t-methods-sq. --- apparmor.d/groups/apt/apt-methods-sqv | 42 +++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 43 insertions(+) create mode 100644 apparmor.d/groups/apt/apt-methods-sqv diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..416328cd4 --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index aa62f9108..d2c57b682 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -27,6 +27,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain From c64901353e095f45e34eccaea31e946168a52693 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:10:48 +0200 Subject: [PATCH 425/977] fix(profile): some fix on the dpkg-scipts profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 5 +++-- apparmor.d/groups/apt/dpkg-script-linux | 11 ++++++----- apparmor.d/groups/apt/dpkg-script-systemd | 1 + apparmor.d/groups/apt/dpkg-script-tmp | 4 ++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++-- 5 files changed, 16 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 585d9c59d..5dba3d3cb 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,10 +9,10 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include + include include - include - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{bin}/grep ix, @@ -21,6 +21,7 @@ profile dpkg-script-apparmor @{exec_path} { @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, + @{sbin}/apparmor_parser Px, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index c84d6aa4b..8b2470a6c 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -22,11 +22,12 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 28f4b6e87..ccaa62a30 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,6 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp index e6c7fbe44..65e63d076 100644 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -10,6 +10,7 @@ include profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} mrix, @@ -22,6 +23,9 @@ profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-maintscript-helper Px, @{bin}/kmod Cx -> kmod, @{bin}/systemctl Cx -> systemctl, + /usr/share/debconf/frontend Px, + + /usr/share/debconf/confmodule r, /etc/kernel/preinst.d/*-microcode ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d644b6c3e..dcb6ca379 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,8 +62,8 @@ profile dpkg-scripts @{exec_path} { @{lib}/ r, /etc/ r, /etc/** rw, - /usr/share/*/ r, - /usr/share/*/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, /var/** rw, @{run}/** rw, @{efi}/grub/* rw, From 2c880ba22001f5dcfcaa84b67df211d4925c9094 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:16:35 +0200 Subject: [PATCH 426/977] feat(profile): rewrite the apt stack of profiles. --- apparmor.d/groups/apt/apt | 6 ++- apparmor.d/groups/apt/apt-listchanges | 39 ++++---------- apparmor.d/groups/apt/debsums | 16 ++---- apparmor.d/groups/apt/dpkg | 27 +++++----- apparmor.d/groups/apt/dpkg-preconfigure | 68 +++++++++++-------------- apparmor.d/groups/apt/dpkg-statoverride | 18 +++++++ 6 files changed, 78 insertions(+), 96 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-statoverride diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 947dba149..e2e9b00f4 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -85,8 +85,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @@ -138,6 +138,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/log/apt/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, + @{efi}/ r, + # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 559e58504..35684feb5 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,7 +14,7 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, @{python_path} r, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, @@ -50,31 +50,12 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac152..6f66426ec 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 93f5ebca5..53bebdccf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -22,24 +22,23 @@ profile dpkg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/rm rix, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rpx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index ef7852863..fd67f930e 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -11,35 +11,36 @@ include profile dpkg-preconfigure @{exec_path} { include include - include include - - #capability sys_tty_config, + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/debconf-escape rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, - @{bin}/head rix, - @{bin}/readlink rix, - @{bin}/realpath rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, - @{bin}/findmnt rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, - @{lib}/apt/apt-extracttemplates rPx, + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, /usr/share/dictionaries-common/{,*} r, @@ -59,9 +60,6 @@ profile dpkg-preconfigure @{exec_path} { /var/cache/debconf/tmp.ci/ w, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, @@ -73,23 +71,15 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 000000000..34d6412c1 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From f033e698116aa250a14d32a442133d073b54a2d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:21:23 +0200 Subject: [PATCH 427/977] feat(abs): add the pager app abstaction. --- apparmor.d/abstractions/app/pager | 37 ++++++++++++++++++++++++++ apparmor.d/groups/apt/apt | 13 +-------- apparmor.d/groups/apt/apt-listchanges | 17 +----------- apparmor.d/groups/apt/aptitude | 9 ------- apparmor.d/groups/children/child-pager | 25 +---------------- apparmor.d/profiles-m-r/mutt | 14 +--------- 6 files changed, 41 insertions(+), 74 deletions(-) create mode 100644 apparmor.d/abstractions/app/pager diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..3be45b4dd --- /dev/null +++ b/apparmor.d/abstractions/app/pager @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e2e9b00f4..2b103270d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -172,18 +172,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 35684feb5..936d15d42 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -59,23 +59,8 @@ profile apt-listchanges @{exec_path} { profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e3a6a794b..e60630efa 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -171,17 +171,8 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 28006f479..a91aba241 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -115,19 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{pager_path} mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, From 390cc27ab85e169efccdc6764eebc91123c54cd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:24:01 +0200 Subject: [PATCH 428/977] feat(abs): add debconf common abs. --- apparmor.d/abstractions/common/debconf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/common/debconf diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..c21974212 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor From 49155625a5aaa32d5194f12405f65d48719d3d71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:31:03 +0200 Subject: [PATCH 429/977] feat(profile): rewrite debconf & add debconf-frontend. --- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 32 +---- apparmor.d/groups/apt/debconf-frontend | 75 ++++++++++ apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 +- apparmor.d/groups/apt/dpkg-script-systemd | 2 +- apparmor.d/groups/apt/dpkg-scripts | 2 +- apparmor.d/groups/grub/grub-check-signatures | 10 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/profiles-a-f/frontend | 133 ------------------ apparmor.d/profiles-s-z/tasksel | 49 +------ .../profiles-s-z/update-secureboot-policy | 5 +- 12 files changed, 92 insertions(+), 224 deletions(-) create mode 100644 apparmor.d/groups/apt/debconf-frontend delete mode 100644 apparmor.d/profiles-a-f/frontend diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e60630efa..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -169,7 +169,7 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index d60668c03..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,42 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..5ec13fcff --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/hostname ix, + @{bin}/locale ix, + @{bin}/lsb_release Px -> lsb_release, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{bin}/whiptail Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 5dba3d3cb..9de0ce0b4 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 8b2470a6c..52c74c192 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/linux* profile dpkg-script-linux @{exec_path} { include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index ccaa62a30..cb652108d 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index dcb6ca379..32063f5c5 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/** profile dpkg-scripts @{exec_path} { include - include + include include capability chown, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index d33b33265..310138595 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,18 +9,14 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, - - /usr/share/debconf/frontend rPx, - - /usr/share/debconf/confmodule r, + @{bin}/mktemp rix, + @{bin}/od rix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d147b94fb..ba7956438 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -24,7 +24,7 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index 6d9502220..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null @@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{sbin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{sbin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{sbin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? (#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 64b3ed4ad..f4900f225 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -10,32 +10,24 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{sh_path} rix, @{bin}/tempfile rix, @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, - - /usr/share/debconf/confmodule r, + /usr/share/tasksel/{,**} r, owner @{tmp}/file* w, @@ -48,35 +40,6 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 232c92d0c..f8581f532 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -10,7 +10,7 @@ include @{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, @@ -23,12 +23,9 @@ profile update-secureboot-policy @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/wc rix, - /usr/share/debconf/frontend rPx, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, From 6e0c646d14c17a9f2ce9ba6f4faa3afbf38c115d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:37:37 +0200 Subject: [PATCH 430/977] feat(profile): add profile for ischroot. --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- .../groups/ubuntu/list-oem-metapackages | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 +-- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-g-l/ischroot | 21 +++++++++++++++++++ apparmor.d/profiles-m-r/packagekitd | 4 ++-- apparmor.d/profiles-s-z/update-initramfs | 2 +- 13 files changed, 35 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/profiles-g-l/ischroot diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2b103270d..2a0969156 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, @@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 1307313d9..bb5cd329c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, @{sbin}/killall5 rix, @{bin}/kmod rPx, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 1ff6df2ae..bdd2a0f54 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 86c211f24..e7d6687d2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 75e4279f2..91bc4876f 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e2bb2dc98..d5762a84e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd97..34b697732 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 44e0cc403..e1636c6d5 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 776cc9bf8..e6a3e7152 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8d1571c1e..ea6318156 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -31,10 +31,10 @@ profile update-notifier @{exec_path} { @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot new file mode 100644 index 000000000..c5b848bab --- /dev/null +++ b/apparmor.d/profiles-g-l/ischroot @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ischroot +profile ischroot @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index ca93ade6b..873b4ef7d 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, + @{bin}/ischroot rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 51961efb3..f9e47cb52 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} { @{bin}/uname rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, From 7a3016724a6a2a97e337d57187416cabb6dcdfb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:42:34 +0200 Subject: [PATCH 431/977] feat(profile): update linux check scripts. --- apparmor.d/profiles-g-l/linux-check-removal | 40 ++++--------------- apparmor.d/profiles-g-l/linux-update-symlinks | 25 ++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 34 insertions(+), 33 deletions(-) create mode 100644 apparmor.d/profiles-g-l/linux-update-symlinks diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 1c6ff2f03..2c2a8ba21 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -10,42 +10,16 @@ include @{exec_path} = @{bin}/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} r, + @{exec_path} rmix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + @{bin}/whiptail rPx, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/linux-check-removal rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - include if exists - } + audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks new file mode 100644 index 000000000..b97a0305b --- /dev/null +++ b/apparmor.d/profiles-g-l/linux-update-symlinks @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linux-update-symlinks +profile linux-update-symlinks @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/kernel-img.conf r, + + @{efi}/ r, + @{efi}/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d2c57b682..edf6789c7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -216,6 +216,8 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain localsearch complain From 8755c4a1b7c036ecc0b905bf57a75b42f7c614b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:51:12 +0200 Subject: [PATCH 432/977] fix(profile): remove sbin on some program path Debian and opensuse do not install the same programs under /usr/sbin. This will have to be tracked by distribution. For now, sbin.list follows debian install. --- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 3 --- 10 files changed, 9 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index cf7dc2506..4063fc473 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 0d7156502..e68d248b6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 9cf9d6a36..6af9bae96 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 7fc88e41a..b390346bb 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/lspci +@{exec_path} = @{bin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a..6999f5baf 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 459efa23e..97fad1f13 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index e7fdfd95a..f155339b1 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/install-info +@{exec_path} = @{bin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 01d358fbf..38b2a17a2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a5..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 869729543..82596a62a 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -341,7 +341,6 @@ inputattach insmod install_acx100_firmware install_intersil_firmware -install-info install-sgmlcatalog installkernel integritysetup @@ -447,7 +446,6 @@ lpc lpinfo lpmove lsmod -lspci lspcmcia luksformat lvchange @@ -920,7 +918,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-bootloader update-ca-certificates update-catalog From a9303e82bb0310336b995210da042bbb21fdc99c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:53:04 +0200 Subject: [PATCH 433/977] fix: linter --- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index fd67f930e..8a9ea568e 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -79,7 +79,7 @@ profile dpkg-preconfigure @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - include if exists + include if exists } # vim:syntax=apparmor From 6650f45ee0c25967f5e85cb95c79f7b332d135f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:54:33 +0200 Subject: [PATCH 434/977] feat(profile): add pycompile. --- apparmor.d/profiles-m-r/pycompile | 54 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pycompile diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile new file mode 100644 index 000000000..b441d84cd --- /dev/null +++ b/apparmor.d/profiles-m-r/pycompile @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean +profile pycompile @{exec_path} flags=(attach_disconnected,complain) { + include + include + include + # include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + @{python_path} rix, + + @{bin}/dpkg rCx -> dpkg, + + @{lib}/@{python_name}/dist-packages/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + + /usr/share/python3/{,**} r, + + / r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index edf6789c7..4332c78d9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -264,6 +264,7 @@ plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted ptyxis complain ptyxis-agent complain +pycompile complain qdbus complain remmina complain run-parts complain From 31e90e6c58574d45aac59a91ebd094d6a05f6919 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 19 May 2025 00:00:44 +0200 Subject: [PATCH 435/977] feat(profile): add kernel update/install profiles. --- apparmor.d/profiles-g-l/kdump-config | 60 ++++++++++++++++ apparmor.d/profiles-g-l/kernel | 71 +++++++++++++++++++ apparmor.d/profiles-g-l/kernel-postinst-kdump | 34 +++++++++ dists/flags/main.flags | 3 + 4 files changed, 168 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdump-config create mode 100644 apparmor.d/profiles-g-l/kernel create mode 100644 apparmor.d/profiles-g-l/kernel-postinst-kdump diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config new file mode 100644 index 000000000..e6ec78f67 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-config @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} { + include + + ptrace readby peer=systemd-journald, + + @{exec_path} mr, + + @{sh_path} ix, + @{bin}/basename ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/rev ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + owner /var/lib/kdump/{,**} rw, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 000000000..2382ea062 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* +@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* +profile kernel @{exec_path} { + include + include + include + + capability sys_module, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which rix, + + @{bin}/apt-config rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{sbin}/dkms rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 000000000..91af3a842 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/postinst.d/kdump-tools +profile kernel-postinst-kdump @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/du rix, + @{bin}/find rix, + @{bin}/gawk rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sync rix, + @{sbin}/mkinitramfs rPx, + + owner /var/lib/kdump/* w, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 4332c78d9..5f5d8dc5f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -192,7 +192,10 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump-config complain +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain kio_http_cache_cleaner complain From b90c4073c94f06e83a16677398d338c05f5df395 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 23 May 2025 23:55:01 +0200 Subject: [PATCH 436/977] ci: show full journalctl log on failure. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f04ac1381..4593fe78c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -55,7 +55,7 @@ jobs: - name: Reload AppArmor run: | sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service + sudo journalctl -xeu apparmor.service - name: Ensure compatibility with some AppArmor userspace tools if: matrix.os != 'ubuntu-24.04' From f3ed1a30065065300a0b5dca307f9081f9501025 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 00:08:57 +0200 Subject: [PATCH 437/977] fix: profile compilation. --- apparmor.d/profiles-g-l/linux-check-removal | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 2c2a8ba21..40eb26b93 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f5d8dc5f..d139c7622 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -219,7 +219,7 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain -linux-check-removal complain +linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl complain From 3848838e53a5824417590f97c43ad0135a50e6a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:35:16 +0200 Subject: [PATCH 438/977] feat(profile): merge dpkg-scripts and dpkg-script-tmp. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 + apparmor.d/groups/apt/dpkg-script-systemd | 2 + apparmor.d/groups/apt/dpkg-script-tmp | 57 ----------------------- apparmor.d/groups/apt/dpkg-scripts | 17 +++++-- dists/flags/main.flags | 1 - 5 files changed, 16 insertions(+), 63 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 8a9ea568e..4dbfae0a8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -15,6 +15,8 @@ profile dpkg-preconfigure @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index cb652108d..713f2981f 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -16,6 +16,8 @@ profile dpkg-script-systemd @{exec_path} { @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg Cx -> dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp deleted file mode 100644 index 65e63d076..000000000 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ /dev/null @@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} -profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mrix, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/run-parts rix, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Px, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/kmod Cx -> kmod, - @{bin}/systemctl Cx -> systemctl, - /usr/share/debconf/frontend Px, - - /usr/share/debconf/confmodule r, - - /etc/kernel/preinst.d/*-microcode ix, - - @{lib}/modules/*/.fresh-install w, - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 32063f5c5..e765b334c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -38,6 +38,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/ubuntu-advantage/postinst-migrations.sh ix, @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, @{bin}/dpkg Px -> child-dpkg, @{bin}/systemctl Cx -> systemctl, @{sbin}/invoke-rc.d Cx -> rc, @@ -52,9 +53,6 @@ profile dpkg-scripts @{exec_path} { /usr/share/** Px, /etc/init.d/* Px, - /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp - # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -85,12 +83,20 @@ profile dpkg-scripts @{exec_path} { include if exists } + profile kmod { + include + include + + include if exists + } + profile systemctl { include include capability net_admin, capability sys_ptrace, + capability sys_resource, @{run}/utmp rk, @@ -99,6 +105,7 @@ profile dpkg-scripts @{exec_path} { profile rc { include + include include @{sbin}/update-rc.d mr, @@ -110,10 +117,10 @@ profile dpkg-scripts @{exec_path} { /etc/ r, /etc/init.d/* r, - /etc/rc?.d/ r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, /etc/rc@{int}.d/ r, /etc/rc@{int}.d/* rw, - /etc/rc@{c}.d/* rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d139c7622..b1bd2fa0e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -93,7 +93,6 @@ dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain -dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From d5926e9411f224cf094506c9cae221b84d740b20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:48:15 +0200 Subject: [PATCH 439/977] feat(abs): update debconf abs. --- apparmor.d/abstractions/common/debconf | 7 +++ apparmor.d/groups/apt/debconf-frontend | 5 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 - apparmor.d/groups/apt/dpkg-script-linux | 4 -- apparmor.d/groups/apt/dpkg-script-systemd | 3 -- apparmor.d/groups/apt/dpkg-scripts | 1 - apparmor.d/groups/grub/grub-check-signatures | 7 ++- apparmor.d/profiles-g-l/linux-check-removal | 5 -- apparmor.d/profiles-m-r/needrestart | 9 +++- apparmor.d/profiles-m-r/pam-auth-update | 48 ++----------------- apparmor.d/profiles-s-z/tasksel | 9 ++-- .../profiles-s-z/update-secureboot-policy | 17 ++++--- 12 files changed, 35 insertions(+), 82 deletions(-) diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf index c21974212..1d9a6d145 100644 --- a/apparmor.d/abstractions/common/debconf +++ b/apparmor.d/abstractions/common/debconf @@ -9,11 +9,18 @@ include include + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + /usr/share/debconf/frontend rix, /usr/share/debconf/confmodule r, /etc/debconf.conf r, + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, include if exists diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 5ec13fcff..a8f7057e7 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, @{bin}/hostname ix, - @{bin}/locale ix, @{bin}/lsb_release Px -> lsb_release, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, @@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @{bin}/ucf Px, - @{bin}/whiptail Px, @{sbin}/aspell-autobuildhash Px, @{sbin}/pam-auth-update Px, @{lib}/tasksel/tasksel-debconf Px -> tasksel, @@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { # Package maintainer's scripts /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, # DKMS scipts @{lib}/dkms/common.postinst rPUx, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 9de0ce0b4..73b14390a 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -10,11 +10,9 @@ include profile dpkg-script-apparmor @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, @{bin}/grep ix, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 52c74c192..d6a8db473 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, @{bin}/cat ix, - @{bin}/locale ix, - @{bin}/mkdir ix, @{bin}/mkdir ix, @{bin}/rm ix, @{bin}/run-parts ix, @@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} { @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 713f2981f..4acafd139 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -10,12 +10,9 @@ include profile dpkg-script-systemd @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e765b334c..f1c56bd49 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} { @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, - @{bin}/locale ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 310138595..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/mktemp rix, - @{bin}/od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 40eb26b93..04d2f0330 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} { @{exec_path} rmix, - @{sh_path} rix, @{bin}/stty rix, - @{bin}/locale rix, - @{bin}/whiptail rPx, - - audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c2bc8b2b6..5d5e76ed5 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rCx -> debconf, /etc/debconf.conf r, /etc/init.d/* r, @@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 655ed9d40..aff011389 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -10,56 +10,18 @@ include @{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include @{exec_path} mr, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/md5sum ix, + @{bin}/cp ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{sbin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index f4900f225..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: @@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/tasksel/{,**} r, - owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index f8581f532..31a03ef7b 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} { @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, From 3e098b715205074cc2eab4b3518658f50b65d464 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:47:02 +0200 Subject: [PATCH 440/977] feat(profile): initramfs: add hooks and scripts. --- apparmor.d/profiles-m-r/initramfs-hooks | 86 +++++++++++++++++++++++ apparmor.d/profiles-m-r/initramfs-scripts | 55 +++++++++++++++ apparmor.d/profiles-m-r/mkinitramfs | 10 +-- 3 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/profiles-m-r/initramfs-hooks create mode 100644 apparmor.d/profiles-m-r/initramfs-scripts diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..b4f3ac2f4 --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{sbin}/blkid Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* r, + @{sbin}/* r, + @{lib}/ r, + @{lib}/** r, + + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{bin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..85437017b --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index eaf5645f3..f37029627 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -66,11 +66,10 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, @@ -106,6 +105,7 @@ profile mkinitramfs @{exec_path} { @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, @{PROC}/cmdline r, @{PROC}/modules r, From c70f9b22fcdfe7ebc718f1144ec8ff5a713ffcb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:50:10 +0200 Subject: [PATCH 441/977] feat(tunable): add more variables for profile name. --- apparmor.d/tunables/multiarch.d/profiles | 44 +++++++++++++++++++++--- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 92ab19fc9..ec1eff79c 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -23,14 +23,50 @@ @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news @{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd @{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue @{p_gnome_shell}=gnome-shell -@{p_packagekitd}=packagekitd -@{p_snap}=snap -@{p_systemd_logind}=systemd-logind -@{p_xdg_desktop_portal}=xdg-desktop-portal @{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper +@{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd @{p_rtkit_daemon}=rtkit-daemon +@{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed +@{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd +@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd +@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd +@{p_xdg_desktop_portal}=xdg-desktop-portal + # vim:syntax=apparmor From 8b542434bdb1435ca67169bee6fa8911b3d802a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:52:38 +0200 Subject: [PATCH 442/977] feat(profile): update kdump profiles. --- apparmor.d/profiles-g-l/kdump-config | 49 +++++++++++++++++++-- apparmor.d/profiles-g-l/kdump-tools-init | 38 ++++++++++++++++ apparmor.d/profiles-g-l/kdump_mem_estimator | 36 +++++++++++++++ dists/flags/main.flags | 2 + 4 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/profiles-g-l/kdump-tools-init create mode 100644 apparmor.d/profiles-g-l/kdump_mem_estimator diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index e6ec78f67..2b3516202 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -7,32 +7,69 @@ abi , include @{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} { +profile kdump-config @{exec_path} flags=(attach_disconnected) { include - ptrace readby peer=systemd-journald, + capability sys_admin, + + ptrace readby peer=@{p_systemd_journald}, @{exec_path} mr, - @{sh_path} ix, + @{sh_path} rix, @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, @{bin}/cut ix, @{bin}/file ix, @{bin}/find ix, + @{bin}/flock ix, @{bin}/grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, @{bin}/rev ix, @{bin}/run-parts ix, @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, @{sbin}/kexec Cx -> kexec, @{sbin}/sysctl Cx -> sysctl, /etc/kernel/postinst.d/kdump-tools rPx, + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, owner /var/lib/kdump/{,**} rw, + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + profile sysctl { include @@ -51,6 +88,12 @@ profile kdump-config @{exec_path} { @{sbin}/kexec mr, + @{efi}/* r, + + owner /var/lib/kdump/* r, + + @{PROC}/iomem r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..b5af4dcc9 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..b80a89343 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b1bd2fa0e..9faad80f9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -191,7 +191,9 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump_mem_estimator complain kdump-config complain +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From c03bcbef7a800d3d4523d4d21b41563d598358d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:00:08 +0200 Subject: [PATCH 443/977] feat(profile): rewrite the needrestart profiles. --- apparmor.d/profiles-m-r/needrestart | 37 ++++++++++--------- apparmor.d/profiles-m-r/needrestart-hook | 25 +++++++++++++ .../needrestart-iucode-scan-versions | 4 +- apparmor.d/profiles-m-r/needrestart-notify | 32 ++++++++++++++++ apparmor.d/profiles-m-r/needrestart-restart | 32 ++++++++++++++++ .../needrestart-vmlinuz-get-version | 2 +- dists/flags/main.flags | 3 ++ 7 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-hook create mode 100644 apparmor.d/profiles-m-r/needrestart-notify create mode 100644 apparmor.d/profiles-m-r/needrestart-restart diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5d5e76ed5..13838902e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,35 +22,34 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue (r,getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{sbin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, + /usr/share/debconf/frontend rCx -> debconf, - /etc/debconf.conf r, + /etc/needrestart/hook.d/* rPx, + /etc/needrestart/notify.d/* rPx, + /etc/needrestart/restart.d/* rPx, + /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/* r, + @{efi}/ r, + @{efi}/* r, /opt/*/** r, @{bin}/* r, @{lib}/** r, @@ -59,23 +58,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, /tmp/@{word10}/ rw, - owner @{run}/sshd.pid r, - @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include @@ -101,6 +100,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include include + @{sbin}/needrestart Px, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 000000000..fa77834e8 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3484ea298..d75301fc6 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,19 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd64-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, + /boot/amd64-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 000000000..dc4a30c69 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/notify.d/* +profile needrestart-notify @{exec_path} { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/gettext.sh r, + @{bin}/sed ix, + + /etc/needrestart/notify.conf r, + + @{PROC}/@{pid}/environ r, + @{PROC}/filesystems r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart new file mode 100644 index 000000000..2fc79b70c --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 655566c74..e5ee2fd8f 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9faad80f9..592b681e5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,6 +240,9 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain From 21b31a06a755026a30620afb740668cbf85c80ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:03:23 +0200 Subject: [PATCH 444/977] feat(profile): rewrite the run-parts profile. --- apparmor.d/profiles-m-r/run-parts | 143 +++--------------------------- 1 file changed, 10 insertions(+), 133 deletions(-) diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 8adb0f748..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -116,33 +110,21 @@ profile run-parts @{exec_path} { /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, @@ -152,117 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/hostname rPx, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{sbin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, - @{sbin}/update-grub rPUx, - @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{sys}/module/compression r, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } From 649d2da8d2b33744ca892fcea4b19a304d4f2d7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:04:07 +0200 Subject: [PATCH 445/977] feat(profile): expand and restrict motd. --- apparmor.d/profiles-m-r/motd | 40 ++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index fe684f671..67f216212 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,16 +9,11 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include - include - include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + capability net_admin, @{exec_path} mr, + @{bin}/ r, @{sh_path} rix, @{coreutils_path} rix, @@ -28,7 +23,7 @@ profile motd @{exec_path} { @{bin}/snap rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/wget rix, + @{bin}/wget rCx -> wget, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @@ -37,26 +32,49 @@ profile motd @{exec_path} { /usr/share/update-notifier/notify-updates-outdated rPx, / r, + /etc/cloud/cloud.cfg r, + /etc/cloud/cloud.cfg.d/{,*} r, /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/* r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, + /etc/wgetrc r, /var/cache/motd-news rw, /var/lib/update-notifier/updates-available r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + /var/lib/cloud/instances/nocloud/cloud-config.txt r, - /tmp/tmp.@{rand10} rw, + # /tmp/tmp.@{rand10} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic.new rw, @{run}/reboot-required r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, /dev/tty@{int} rw, + profile wget { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + + /tmp/tmp.@{rand10} rw, + + include if exists + } + profile systemctl { include include From 8c526b32c615bc30e4400836368f13dfb8eff87a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:09:08 +0200 Subject: [PATCH 446/977] feat(profile): small update on core upgrade profiles. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 8 ++-- apparmor.d/groups/apt/apt-methods-copy | 8 ++-- apparmor.d/groups/apt/apt-methods-file | 10 ++--- apparmor.d/groups/apt/apt-methods-ftp | 8 ++-- apparmor.d/groups/apt/apt-methods-gpgv | 12 +++--- apparmor.d/groups/apt/apt-methods-http | 18 ++++----- apparmor.d/groups/apt/apt-methods-mirror | 10 ++--- apparmor.d/groups/apt/apt-methods-rred | 10 ++--- apparmor.d/groups/apt/apt-methods-rsh | 8 ++-- apparmor.d/groups/apt/apt-methods-store | 12 +++--- apparmor.d/groups/apt/deb-systemd-helper | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 7 ++++ apparmor.d/profiles-a-f/e2scrub_all | 4 +- apparmor.d/profiles-a-f/finalrd | 41 ++++++++++---------- apparmor.d/profiles-g-l/glib-compile-schemas | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 1 + apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/multipathd | 3 +- apparmor.d/profiles-m-r/pycompile | 1 + apparmor.d/profiles-m-r/qemu-ga | 2 +- 22 files changed, 94 insertions(+), 83 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2a0969156..5be4284f9 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, - unix type=stream peer=(label=snap), + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf80..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 3c2489a32..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea1..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index db5d50f43..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index b6976e9af..0b375c8f8 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index d8e3adce3..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efc..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 5492fdd5e..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 77fe1f455..d6e89f9a0 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /etc/systemd/system/* w, - /etc/systemd/user/* w, + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 3274a5e6d..f044b0f44 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 2a7082c64..ca9f3ad3c 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -10,9 +10,16 @@ include profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index af10dddcd..0079053e0 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bc6c4cf62..d8f2f819e 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -20,27 +20,27 @@ profile finalrd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/grep rix, - @{sbin}/ldconfig{,.real} rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/mount rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/rm rix, - @{bin}/run-parts rix, - @{bin}/sed rix, - @{bin}/touch rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, - @{bin}/ldd rCx -> ldd, - @{bin}/systemd-tmpfiles rPx, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, - @{lib}/systemd/systemd-shutdown rPx, - /usr/share/finalrd/*.finalrd rix, + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, @{bin}/{,*} r, @{lib}/{,*} r, @@ -65,6 +65,7 @@ profile finalrd @{exec_path} { profile ldd { include + include include @{bin}/* mr, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index fcabd84c3..59c56bb12 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 3b140b2bf..1c3c98d52 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} { /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f74f309fe..8d3dc2171 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index a07691a5c..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b441d84cd..984fcf03c 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { /usr/share/python3/{,**} r, / r, + @{bin}/ r, profile dpkg { include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index c6e6ca54e..7fa668a71 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, - audit @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, From 4e4f8d8a0e65e356971b0cddf86748196ef3a14c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:15:53 +0200 Subject: [PATCH 447/977] build: update sbin.list --- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index eb299345c..8f5952d9b 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,7 +15,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, + @{sbin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 5a963beac..61898a3e4 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -30,7 +30,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1e3537a..c4b39ff8c 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -72,7 +72,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/git rCx -> git, @{bin}/kmod rPx, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rix, diff --git a/tests/sbin.list b/tests/sbin.list index 82596a62a..805ab8bf1 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -46,6 +46,7 @@ arptables-nft-restore arptables-nft-save arptables-restore arptables-save +arptables-translate aspell-autobuildhash atd audisp-af_unix @@ -92,6 +93,7 @@ blogger bluetoothd bpflist-bpfcc bpftool +brctl bridge brltty brltty-setup @@ -241,7 +243,9 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fanatic fancontrol +fanctl fatlabel fatresize fbtest @@ -767,6 +771,7 @@ rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc +runc runlevel runqlat-bpfcc runqlat.bt From e7fb1860939f0c83882c7592e2f356594790fa89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:19:32 +0200 Subject: [PATCH 448/977] feat(profile): update kernerl-install. --- apparmor.d/profiles-g-l/kernel-install | 28 ++++++++++++++++---------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124..614b81aeb 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -11,22 +11,19 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - - @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - - @{pager_path} rPx -> child-pager, + @{coreutils_path} rix, @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{pager_path} rPx -> child-pager, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,6 +34,7 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @@ -50,14 +48,22 @@ profile kernel-install @{exec_path} { owner /boot/loader/entries/ rw, owner /boot/loader/entries/*.conf w, + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner @{tmp}/sh-thd.* rw, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } From 17624b95d8b193a823c1f75a0cffd0a559740b5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:21:12 +0200 Subject: [PATCH 449/977] feat(profile): update ucf profiles. --- apparmor.d/profiles-s-z/ucf | 11 ++++++++++- apparmor.d/profiles-s-z/ucfq | 26 +++++++++++++++++++++++++ apparmor.d/profiles-s-z/ucfr | 37 ++++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/ucfq create mode 100644 apparmor.d/profiles-s-z/ucfr diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 86d94c7a1..0a7b992b6 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -39,7 +39,7 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend rPx, # TODO: rCx -> debonc-frontend, + /usr/share/debconf/frontend Cx -> debconf, # For md5sum /usr/share/** r, @@ -55,6 +55,15 @@ profile ucf @{exec_path} { owner /tmp/tmp.@{rand10} r, + deny capability sys_admin, # optional: no audit + + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..b38f8aae4 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/{m,g,}awk ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + @{bin}/dirname ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 592b681e5..e88409583 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -368,6 +368,8 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +ucfq complain +ucfr complain udev-ata_id complain udev-bcache-export-cached complain udev-cdrom_id complain From 0a5743fa46cb62d35a1ff622d50a1fa2eaa6666c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:23:26 +0200 Subject: [PATCH 450/977] feat(profile): add profile for more update-* tools. --- apparmor.d/profiles-s-z/update-catalog | 26 ++++++++++++++++++ apparmor.d/profiles-s-z/update-info-dir | 24 +++++++++++++++++ apparmor.d/profiles-s-z/update-shells | 36 +++++++++++++++++++++++++ dists/flags/main.flags | 3 +++ 4 files changed, 89 insertions(+) create mode 100644 apparmor.d/profiles-s-z/update-catalog create mode 100644 apparmor.d/profiles-s-z/update-info-dir create mode 100644 apparmor.d/profiles-s-z/update-shells diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..7c835023f --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/install-info Px, + @{bin}/find ix, + @{bin}/rm ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..46b6699c8 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath ix, + @{bin}/mv ix, + @{bin}/sync ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e88409583..9d0857ad3 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -380,8 +380,11 @@ udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain +update-shells complain userdbctl complain utempter attach_disconnected,complain veracrypt complain From a7807408b616c6b7fb51e064887415e83d18ffd7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:25:46 +0200 Subject: [PATCH 451/977] feat(profile): update some update-* profiles. --- apparmor.d/groups/freedesktop/update-mime-database | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 1 + apparmor.d/profiles-s-z/update-dlocatedb | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 6f6b39700..9efd9cccc 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-mime-database +@{exec_path} = @{bin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 4bc88faae..df9c08fe4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 2afe8a22f..e9d92e421 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, From 774106b7e5cd7952850a6a63c49375997c9d4a79 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:28:08 +0200 Subject: [PATCH 452/977] feat(profile): update some systemd profiles. --- apparmor.d/groups/systemd/bootctl | 22 +++++++++---------- .../groups/systemd/systemd-generator-sysv | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 7 ++---- .../groups/systemd/systemd-network-generator | 2 +- apparmor.d/groups/systemd/systemd-networkd | 9 +++++++- apparmor.d/groups/systemd/systemd-remount-fs | 3 +-- apparmor.d/groups/systemd/systemd-timedated | 2 +- 8 files changed, 27 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 12fcceaea..9508cfcf2 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -25,17 +25,17 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/EFI/{,**} r, + @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + @{efi}/EFI/BOOT/BOOTX64.EFI w, + @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + @{efi}/EFI/systemd/systemd-boot*.efi w, + @{efi}/loader/.#bootctlrandom-seed@{hex} rw, + @{efi}/loader/.#entries.srel* w, + @{efi}/loader/{,**} r, + @{efi}/loader/entries.srel w, + @{efi}/loader/random-seed w, /etc/kernel/entry-token r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv index 4feb65d51..fc290fca4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-sysv +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -17,9 +17,10 @@ profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { /etc/init.d/{,**} r, /etc/rc@{int}.d/{,**} r, - @{run}/systemd/generator.late/* w, + @{run}/systemd/generator.late/** w, @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 205d8a55f..3befcd92a 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a56e16298..39192e7e1 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, @@ -50,8 +50,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, @@ -140,8 +139,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/tty@{int} rw, - owner @{att}/dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index e22d89629..ceebbc5c2 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ca5450826..3d6c3a4b7 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -31,6 +31,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + signal receive set=usr2 peer=@{p_systemd}, + #aa:dbus own bus=system name=org.freedesktop.network1 dbus send bus=system path=/org/freedesktop/hostname1 @@ -47,14 +49,18 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, @{att}/@{run}/systemd/notify rw, + @{run}/mount/utab r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @@ -75,6 +81,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 750f7e18b..96b182e5f 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -28,8 +28,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e070afe4e..ffed031b5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 From 30bbd6d56a7d673b25212727a05e52d818e9a7e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:39:00 +0200 Subject: [PATCH 453/977] feat(profile): cron: cleanup direct exec. --- apparmor.d/groups/cron/cron | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index c92441568..778dd2be8 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -38,9 +38,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not # using the run-parts profile we are good - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, From 8546533ad1ec34df6e709f0ed1ff510af24e5c62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:28:35 +0200 Subject: [PATCH 454/977] fix(build): flag generation. --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9d0857ad3..c0af4fc77 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -193,7 +193,7 @@ kde-systemd-start-condition complain kded complain kdump_mem_estimator complain kdump-config complain -kdump-tools-init complain,attach_disconnected +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From 813758a1e0e58035ba568837623ba4c289db9bec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:07:27 +0200 Subject: [PATCH 455/977] feat(profile): add debconf-escape, update dpkg-scripts. --- apparmor.d/groups/apt/debconf-escape | 19 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-scripts | 15 ++++++++++++++- dists/flags/main.flags | 1 + 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/apt/debconf-escape diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f1c56bd49..e18ab78de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} { @{coreutils_path} rix, @{bin}/run-parts rix, - @{bin}/setpriv ix, @{bin}/envsubst ix, + @{bin}/file ix, @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, + @{bin}/setpriv ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, @@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/utmp rk, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c0af4fc77..6c29eba15 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +debconf-escape complain decibels complain dino attach_disconnected,complain discord complain From 7361c21c401bfa0cf0c3eb3cb0bbcb9b534b7501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:14:56 +0200 Subject: [PATCH 456/977] feat(profile): add mdadm-mkconf. --- apparmor.d/profiles-m-r/mdadm-mkconf | 30 ++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mdadm-mkconf diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 000000000..8139ac68e --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6c29eba15..e27c76bc2 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -237,6 +237,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain From b1435dd4914e3828de737e5ba5817ca2ddef8add Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:17:38 +0200 Subject: [PATCH 457/977] feat(profile): ubuntu: update upgrade process. --- .../groups/ubuntu/package-data-downloader | 2 ++ apparmor.d/groups/ubuntu/ubuntu-report | 2 +- .../groups/ubuntu/update-notifier-crash | 20 +++++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ubuntu/update-notifier-crash diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index c193bbe0c..37f7f72a5 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -14,6 +14,8 @@ profile package-data-downloader @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449..65fa3eaa0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..b3cbf7f07 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/apport/apport-checkreports Px, + + include if exists +} + +# vim:syntax=apparmor From ca5b4c99bac08f2cf53aa5433d086228dfa40ed2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 16:40:29 +0200 Subject: [PATCH 458/977] ci: disable compatibility check with userspace tools. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4593fe78c..229aad415 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,11 +57,6 @@ jobs: sudo systemctl restart apparmor.service || true sudo journalctl -xeu apparmor.service - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify - - name: Show AppArmor log and rules run: | sudo aa-log From 931c20708905fd5b48f07aa492749fe178e152eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:24:34 +0200 Subject: [PATCH 459/977] feat(profile): simplify needrestart & fix pam-auth-update. --- apparmor.d/profiles-m-r/needrestart | 19 +------------------ apparmor.d/profiles-m-r/pam-auth-update | 2 +- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 13838902e..9b731fd64 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -9,11 +9,8 @@ include @{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, @@ -27,18 +24,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/sed rix, - @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/who rix, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /usr/share/debconf/frontend rCx -> debconf, - /etc/needrestart/hook.d/* rPx, /etc/needrestart/notify.d/* rPx, /etc/needrestart/restart.d/* rPx, @@ -96,15 +88,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } - profile debconf { - include - include - - @{sbin}/needrestart Px, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index aff011389..5e0cbaaf4 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -12,7 +12,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mrix, @{bin}/md5sum ix, @{bin}/cp ix, From d575812e2906331f77dfcb7e41da44d2afa273c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:27:30 +0200 Subject: [PATCH 460/977] fix(profile): snapd journalctl subprofile. --- apparmor.d/groups/snap/snapd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index c1b24176e..b65283987 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -204,6 +204,7 @@ profile snapd @{exec_path} { include capability net_admin, + capability sys_resource, network netlink raw, @@ -215,6 +216,8 @@ profile snapd @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{run}/systemd/notify w, + include if exists } From acc35c3bd7f2dc31a0de043a660156c1f3aa9e8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:28:56 +0200 Subject: [PATCH 461/977] ci: show files installed in sbin. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 229aad415..8d738eac7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -128,6 +128,7 @@ jobs: - name: Install integration dependencies run: | bash tests/requirements.sh + find /usr/sbin/ -type f - name: Run the integration tests run: | From ead321e07e09b381313f0beeba67403f57b9827d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:47:44 +0200 Subject: [PATCH 462/977] feat(profile): improve the upgrade stack. --- apparmor.d/groups/cron/cron | 18 ++++++------------ apparmor.d/groups/snap/snapd | 2 +- apparmor.d/profiles-m-r/needrestart | 8 ++++---- apparmor.d/profiles-m-r/needrestart-hook | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 9 ++++++--- apparmor.d/profiles-m-r/needrestart-restart | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 2 ++ 7 files changed, 21 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 778dd2be8..eba78ac82 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - - unix bind type=stream addr=@@{udbus}/bus/cron/system, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/sysstat/debian-sa1 rPx, + @{sh_path} rix, + @{bin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b65283987..0eb3adb8c 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace read peer=@{p_systemd}, ptrace read peer=snap{,.*}, - signal send set=kill peer=journalctl, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 9b731fd64..f9e2c6ebc 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, ptrace read, @@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /etc/needrestart/hook.d/* rPx, - /etc/needrestart/notify.d/* rPx, - /etc/needrestart/restart.d/* rPx, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, /etc/init.d/* r, /etc/needrestart/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook index fa77834e8..c8c9a12c4 100644 --- a/apparmor.d/profiles-m-r/needrestart-hook +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/hook.d/* +@{exec_path} = @{etc_ro}/needrestart/hook.d/* profile needrestart-hook @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index dc4a30c69..41fa96c4c 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/notify.d/* +@{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include @@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/gettext.sh r, - @{bin}/sed ix, + @{bin}/fold ix, + @{bin}/gettext.sh r, + @{bin}/mail Px, + @{bin}/notify-send Px, + @{bin}/sed ix, /etc/needrestart/notify.conf r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 2fc79b70c..b9e648602 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/restart.d/* +@{exec_path} = @{etc_ro}/needrestart/restart.d/* profile needrestart-restart @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 5e0cbaaf4..90cc6a4ba 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/pam{,-configs}/{,*} r, /etc/pam.d/* rw, + /etc/shadow r, + /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, include if exists From a8ab6da6f38f659d338c2eb6dee812d45b8cc41b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:53:40 +0200 Subject: [PATCH 463/977] feat(profile): add runit-helper. --- apparmor.d/profiles-m-r/runit-helper | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-m-r/runit-helper diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor From e83a9a60dc146dd78c92e6d7b10e88beeaf1ab0b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:18:01 +0200 Subject: [PATCH 464/977] feat(profile): finalize upgrade process. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 - apparmor.d/groups/apt/dpkg-scripts | 16 ++++++++-------- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/snap/snap | 5 +++-- apparmor.d/groups/snap/snapd | 2 ++ apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/whiptail | 6 ++---- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 4dbfae0a8..716cd1dc8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,7 +30,6 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/head ix, @{bin}/locale ix, @{bin}/readlink ix, - @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/sed ix, @{bin}/sort ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e18ab78de..4fb4d04c4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,11 +47,11 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /usr/share/** Px, - /etc/init.d/* Px, + @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /usr/share/** PUx, + /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, @@ -76,9 +76,9 @@ profile dpkg-scripts @{exec_path} { include dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7d1be8442..a561954a3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 8549d8315..562f49dca 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -85,8 +85,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0eb3adb8c..0481af5de 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -208,6 +208,8 @@ profile snapd @{exec_path} { network netlink raw, + signal receive set=kill peer=snapd, + @{bin}/journalctl mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index cc95a17f9..df049741f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee..f0efad77b 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,7 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, - - owner @{tmp}/gpm* w, + /usr/share/terminfo/** r, include if exists } From d9430c68c190f26cca9a2291c74b4f9bba4617c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:55:48 +0200 Subject: [PATCH 465/977] build: improve error message in the stack direcive. --- pkg/prebuild/directive/stack.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index f80689827..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) From 780ca65953a726133f412e61020e749ca99d0850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:57:37 +0200 Subject: [PATCH 466/977] build(fsp): set stacked variables. --- pkg/prebuild/prepare/fsp.go | 77 ++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 0d4c23076..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { @@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } - // Set systemd profile name + // Set profile name for FSP path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") - out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") - out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") - out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } From c07c5838e4855d97bf98f65496c302bbd305e71c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:00:08 +0200 Subject: [PATCH 467/977] build: add RBAC filter to the only/exclude directive. --- pkg/prebuild/cli/cli.go | 1 + pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 3 files changed, 8 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 779cd5c0c..51636f848 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -80,6 +80,7 @@ func Configure() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index a6513f37e..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,6 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index d5d5a7266..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Either or not RBAC is enabled + RBAC = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From f717ea7383ea32abde752af3a88dd1bf87709a25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:01:08 +0200 Subject: [PATCH 468/977] feat(aa): add a mount flag. --- pkg/aa/mount.go | 2 +- pkg/aa/util.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index bbf66b577..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..5a7049d69 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { From 04b6cade644c0adfdb4b0a9bdc4f71bff78bc8ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:17:14 +0200 Subject: [PATCH 469/977] feat(profile): use profile variable in rules such as in dbus, ptrace, unix... --- apparmor.d/abstractions/app/sudo | 4 ++-- apparmor.d/abstractions/base.d/complete | 2 +- .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/net.reactivated.Fprint | 6 +++--- apparmor.d/abstractions/bus/org.a11y | 10 +++++----- apparmor.d/abstractions/bus/org.bluez | 14 +++++++------- .../abstractions/bus/org.freedesktop.Accounts | 10 +++++----- .../abstractions/bus/org.freedesktop.Avahi | 10 +++++----- .../bus/org.freedesktop.ColorManager | 8 ++++---- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++++----- .../bus/org.freedesktop.ModemManager1 | 6 +++--- .../abstractions/bus/org.freedesktop.PolicyKit1 | 8 ++++---- .../bus/org.freedesktop.RealtimeKit1 | 6 +++--- .../abstractions/bus/org.freedesktop.UPower | 8 ++++---- .../bus/org.freedesktop.UPower.PowerProfiles | 2 +- .../abstractions/bus/org.freedesktop.hostname1 | 2 +- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 8 ++++---- .../bus/org.freedesktop.login1.Session | 8 ++++---- .../abstractions/bus/org.freedesktop.network1 | 2 +- .../abstractions/bus/org.freedesktop.resolve1 | 4 ++-- .../abstractions/bus/org.freedesktop.timedate1 | 2 +- .../abstractions/bus/org.gnome.ArchiveManager1 | 4 ++-- apparmor.d/abstractions/mapping/login | 2 +- apparmor.d/abstractions/mapping/sshd | 4 ++-- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-resolve | 4 ++-- apparmor.d/groups/bluetooth/bluetoothctl | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/filesystem/udisksd | 4 ++-- apparmor.d/groups/flatpak/flatpak | 4 ++-- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-control-center | 16 ++++++++-------- apparmor.d/groups/gnome/gnome-firmware | 4 ++-- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++------ apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 8 ++++---- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 7 +------ apparmor.d/groups/gnome/loupe | 5 +++++ apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/homectl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/utils/chsh | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/tunables/multiarch.d/profiles | 6 +++--- 72 files changed, 152 insertions(+), 151 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 333cbddbd..1286b1571 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,8 @@ network netlink raw, # PAM - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 230e0c9d5..06b413342 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -18,7 +18,7 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 63f224c42..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 2f3660082..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 018109a62..ef0e15707 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -9,27 +9,27 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 296965691..201d3998c 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -4,37 +4,37 @@ abi , - #aa:dbus common bus=system name=org.bluez label=bluetoothd + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 2ad151c45..d15288d46 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index e3128f984..38e05f48c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 27776b776..3a63d95dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index feaced7c3..9957c7b67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -4,26 +4,26 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 41e03f325..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -4,17 +4,17 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index b770cdbb1..9dfab7481 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 0c6abbdbe..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -15,12 +15,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index ec0a2b15b..69218b619 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles index 3d3980f81..45e88b103 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index e6182bead..0a8d86be1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 511a44dd6..1348c8a39 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 7f9fc5fb7..ad368ed98 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 23ec52c8e..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index be11a7ceb..7583a3e9d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 8c7670382..e2c4b3886 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 83f85c678..8f6118355 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index ce572e9cd..6bfa6114b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 54a8c1c7f..7ccc2d678 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login @@ -25,7 +25,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=ReleaseSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{etc_ro}/security/group.conf r, @{etc_ro}/security/limits.conf r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index bb0064956..97f0b077e 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -28,7 +28,7 @@ network inet6 stream, network netlink raw, - signal receive set=exists peer=systemd-journald, + signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/sshd/system, @@ -36,7 +36,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), /etc/motd r, /etc/locale.conf r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index e408b94b9..0b075581b 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, - #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..5c1a7633e 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6f66ec9b2..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + signal receive set=kill peer=@{p_systemd_user}, signal receive set=term peer=ibus-daemon, dbus receive bus=session diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index f671ce6e9..78e7883cb 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d4febb1f..1ff219bbe 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c958bd2cd..52e9e32ef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 804020b7b..fab642571 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member=Found - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=ItemRemove - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager @@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 00e277f1f..12c82aea3 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=ReleaseControl - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e35d165a2..435d055fa 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 1a05892b6..a5dac16fa 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c81e591cf..235c0ce9e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1f0b6239e..1007d55e2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -45,18 +45,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c62175c85..37b3b7892 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 027a1ab96..dc9b6812e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bfd695959..6c781e204 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 92cf3fa0a..2fe22305b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9dec92df4..b8da39a4d 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1ae8e2ada..2a2ea034f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0d09a0e9c..a330b76ce 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e5489c2b4..4fece3366 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,12 +36,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4ee0d9268..6f783627e 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,6 +21,11 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b4111d6d0..396f256cc 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 008b6bd31..85257c89d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -46,7 +46,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -60,12 +60,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f593db162..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e663c299e..5799ced5b 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0481af5de..1add6c1c4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -55,7 +55,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fe5a6f1cd..4b99aafd6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d64..3a78c531e 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index dcbe9a46f..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index b49065fd7..f9a3625ef 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index c65bb4edd..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -20,7 +20,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0163f2258..5b4b3e6b5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -26,7 +26,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 5c436f6c1..1ef3404d9 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -15,7 +15,7 @@ profile resolvectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3d6c3a4b7..df1e74048 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -42,7 +42,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b603b2411..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index bbd4b7438..30d30b295 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,7 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index 73f097a94..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,7 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6968be40e..6227f4fc5 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -34,7 +34,7 @@ profile login @{exec_path} flags=(attach_disconnected) { ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7b087309..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..3c9b0a3a9 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,7 +27,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7fa668a71..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -34,7 +34,7 @@ profile qemu-ga @{exec_path} { unix type=stream addr=@@{udbus}/bus/shutdown/system, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" include if exists } diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index ec1eff79c..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -8,10 +8,10 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined -@{p_systemd_executor}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined -@{p_systemd_user_executor}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility From 217448d09a5259492a143f99808bc79213d75eaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:18:11 +0200 Subject: [PATCH 470/977] doc: improve documentation on the use of some special abstraction. --- apparmor.d/abstractions/attached/base | 3 ++- apparmor.d/abstractions/attached/consoles | 3 ++- apparmor.d/abstractions/bus/own-accessibility | 3 ++- apparmor.d/abstractions/bus/own-session | 3 ++- apparmor.d/abstractions/bus/own-system | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 6a7486cf8..4c35d915d 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index dd2275a03..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility index 94968258c..cd8e42e52 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/own-accessibility @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session index 8186f34cb..91515adb0 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/own-session @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system index f2ee3219c..d48931f4f 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/own-system @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus From 4ffbf84a0094e6c51933070b27a5c58628ec2ea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:20:37 +0200 Subject: [PATCH 471/977] feat(fsp): remove the default profiles. --- apparmor.d/groups/_full/bwrap | 56 ------------ apparmor.d/groups/_full/bwrap-app | 36 -------- apparmor.d/groups/_full/default | 122 --------------------------- apparmor.d/groups/_full/default-sudo | 42 --------- dists/flags/main.flags | 4 - 5 files changed, 260 deletions(-) delete mode 100644 apparmor.d/groups/_full/bwrap delete mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default delete mode 100644 apparmor.d/groups/_full/default-sudo diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdf..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bff..000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null @@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 609191970..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e27c76bc2..a73fee129 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,10 +1,6 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain From 8f3f3816edd40839b0832cc67546b08eae09314e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:31:35 +0200 Subject: [PATCH 472/977] feat(fsp): systemd drop in files: configure stacked profile It comes as a replacement of old and unsecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable as hundred of profile could be configured this way --- systemd/full/system/ModemManager.service | 2 +- systemd/full/system/archlinux-keyring-wkd-sync.service | 2 +- systemd/full/system/dbus-org.freedesktop.hostname1.service | 2 +- systemd/full/system/dbus-org.freedesktop.import1.service | 2 +- systemd/full/system/dbus-org.freedesktop.locale1.service | 2 +- systemd/full/system/dbus-org.freedesktop.login1.service | 2 +- systemd/full/system/dbus-org.freedesktop.machine1.service | 2 +- systemd/full/system/dbus-org.freedesktop.timedate1.service | 2 +- systemd/full/system/e2scrub@.service | 2 +- systemd/full/system/e2scrub_reap.service | 2 +- systemd/full/system/fprintd.service | 2 +- systemd/full/system/fwupd-refresh.service | 4 +--- systemd/full/system/geoclue.service | 6 +----- systemd/full/system/irqbalance.service | 2 +- systemd/full/system/nm-priv-helper.service | 2 +- systemd/full/system/polkit.service | 2 +- systemd/full/system/rngd.service | 2 +- systemd/full/system/systemd-homed.service | 2 +- systemd/full/system/systemd-hostnamed.service | 2 +- systemd/full/system/systemd-journald.service | 3 +-- systemd/full/system/systemd-journald@.service | 3 +-- systemd/full/system/systemd-localed.service | 2 +- systemd/full/system/systemd-logind.service | 3 +-- systemd/full/system/systemd-machined.service | 2 +- systemd/full/system/systemd-networkd.service | 2 +- systemd/full/system/systemd-resolved.service | 2 +- systemd/full/system/systemd-timedated.service | 2 +- systemd/full/system/systemd-userdbd.service | 2 +- systemd/full/system/upower.service | 2 +- 29 files changed, 29 insertions(+), 38 deletions(-) diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d352890..2d1593f19 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d352890..b88768556 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d352890..0ab519541 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d352890..276595080 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d352890..c5728915c 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d352890..ab04c5a45 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d352890..7340b7610 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d352890..b903d2f0a 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d352890..5f1f063fa 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f0..acd28a5a4 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659..2c10e32f5 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d352890..eab67fa44 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d352890..53f99edd0 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d352890..b21a28baa 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d352890..c52a85d0c 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d352890..65d4ae62e 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d352890..78dd0193d 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d352890..d3771658d 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d352890..082e8f0fa 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd From 77d2f923b0d5a33dad1d190ea6e04836d3df3577 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:45:10 +0200 Subject: [PATCH 473/977] feat(profile): pacman: allow landlock to restrict itself See https://docs.kernel.org/userspace-api/landlock.html#c.sys_landlock_restrict_self fix #750 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..def1f2a28 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -27,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, From a08c99dcb77b2df4fdee96de3b4fc6c6ab63b9fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:47:49 +0200 Subject: [PATCH 474/977] feat(abs): console: add non owner access to /dev/tty@{u8}. Follow recent addition in attached/consoles fix #751 --- apparmor.d/abstractions/consoles.d/complete | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..b8b7ad90f --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor From d5002a67740e10096cb3a126b2c467e55459e895 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:52:39 +0200 Subject: [PATCH 475/977] fix(profile): fwupd fix #752 --- apparmor.d/profiles-a-f/fwupd | 4 +++- apparmor.d/profiles-a-f/fwupdmgr | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 71addde64..a07bb4dba 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,6 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, + /usr/share/libdrm/*.ids /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, @@ -80,6 +81,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @@ -87,9 +89,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, - @{sys}/**/uevent r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..b0a651315 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -34,6 +34,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/terminfo/** r, + + /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, From 7243c18ce2ffd4de6b66c2c390752f079b6e718d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:54:56 +0200 Subject: [PATCH 476/977] fix(build): conversion from abi4 to abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..2e2911f4b 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` deny mqueue`, ` # deny mqueue`, }) ) From 0886c7bc853de38724ebbbccad21832f2bbd4600 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:21 +0200 Subject: [PATCH 477/977] fix: rule compilation. --- apparmor.d/profiles-a-f/fwupd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a07bb4dba..5fb948234 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,7 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, - /usr/share/libdrm/*.ids + /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, From 11f3529530aa1710de623c8bb3214637a0047985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:35 +0200 Subject: [PATCH 478/977] ci: ensure failing compiling the profile fail the job. --- .github/workflows/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8d738eac7..4baa4a776 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,8 +54,10 @@ jobs: - name: Reload AppArmor run: | - sudo systemctl restart apparmor.service || true - sudo journalctl -xeu apparmor.service + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | From bf22a7786c39d3b56b87095bfd4479769b88ec1a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 27 May 2025 11:44:26 +0000 Subject: [PATCH 479/977] Broken login: Update systemd-logind Today I was not able to log into my Arch Linux system. After chrooting into the system, performing aa-log and adding the rule to systemd-logind the problem was fixed. --- apparmor.d/groups/systemd/systemd-logind | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e1..64081f326 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -139,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, + /dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists From 47bafeb67bacc6abb89eb74f9a7044cfdfae0cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:06:52 +0200 Subject: [PATCH 480/977] feat(fsp): rewrite the systemd profile. --- apparmor.d/groups/_full/systemd | 251 +++++++++++--------------------- 1 file changed, 88 insertions(+), 163 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e1a9918e1..eec9b33d9 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. # - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` -# - Stop disabling nnp flags in systemd dropin files. -# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) -# need they own profile, profile name configured as a dropin unit file. -# - When this is done: the fallback profile as root will not be needed. abi , include +@{exec_path} = @{lib}/systemd/systemd profile systemd flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - mount /dev/** -> /boot/{,efi/}, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/{,efi/}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - umount /, - umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, - - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + umount @{run}/credentials/*/, mqueue (read getattr) type=posix /, - change_profile, - - signal receive set=(rtmin+23) peer=plymouthd, - signal receive set=(term hup cont), signal send, ptrace (read, readby), - unix send type=dgram, - - unix receive type=dgram peer=(label=systemd-timesyncd), - unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - # For stacked profiles - #aa:dbus own bus=system name=org.freedesktop.network1 - #aa:dbus own bus=system name=org.freedesktop.oom1 - #aa:dbus own bus=system name=org.freedesktop.resolve1 - #aa:dbus own bus=system name=org.freedesktop.timesync1 + @{exec_path} mrix, + @{sh_path} mr, - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - @{bin}/kill ix, - - # Shell based systemd unit services - # TODO: create unit profile for all of them - @{sbin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + # Systemd system generators. Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, /etc/default/{,**} r, - /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /etc/systemd/system/multi-user.target.wants/{,*} w, - /var/log/dmesg rw, - /var/lib/systemd/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, + + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, - - @{att}/@{run}/systemd/journal/socket r, @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, @@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices @@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -280,32 +205,32 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, /dev/input/ r, /dev/kmsg w, + /dev/tty rw, /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } From 3dc8a74ec09ceb8f18c6a69e7d6b61f8b40f81f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:16:26 +0200 Subject: [PATCH 481/977] feat(fsp): rewrite the systemd-user profile. --- apparmor.d/groups/_full/systemd-user | 85 ++++++---------------------- 1 file changed, 17 insertions(+), 68 deletions(-) diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b0b3272a1..3b0d01709 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,8 +11,6 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include @@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, - ptrace read peer=@{p_systemd}, + ptrace read, + + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, - - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, - - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -124,20 +89,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - /dev/kmsg w, - /dev/tty rw, deny capability bpf, deny capability dac_override, @@ -149,16 +108,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability sys_boot, deny capability sys_resource, - profile systemctl { - include - include - - deny capability net_admin, - - include if exists - include if exists - } - include if exists include if exists } From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:35:28 +0200 Subject: [PATCH 482/977] feat(fsp): remove the now deprecated generic system service profiles. --- apparmor.d/groups/_full/systemd-service | 77 -------------------- apparmor.d/groups/_full/systemd-user-service | 23 ------ dists/flags/main.flags | 1 - 3 files changed, 101 deletions(-) delete mode 100644 apparmor.d/groups/_full/systemd-service delete mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index a53193cc5..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability chown, - capability fsetid, - - @{sbin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{sbin}/pwck rPx, - @{sbin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - / r, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/spool/cron/atjobs/ r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index 0cb9efa49..000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(attach_disconnected) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a73fee129..5a6c7c526 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -2,7 +2,6 @@ # File format: one profile by line using the format: ' ' systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain akonadi_akonotes_resource complain From 5940f0117b85538f3f91840a58a7583dbcc579bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:37:56 +0200 Subject: [PATCH 483/977] feat(fsp): add the new sdu profile as service and stacked profile manager for user. --- apparmor.d/groups/_full/sdu | 124 ++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 apparmor.d/groups/_full/sdu diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 000000000..5ceb669f0 --- /dev/null +++ b/apparmor.d/groups/_full/sdu @@ -0,0 +1,124 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c116:@{int} r, # for ALSA + + @{sys}/bus/ r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + audit capability net_admin, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From 9125686973a11c2a297d16621ec2859a061bf8bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:44:00 +0200 Subject: [PATCH 484/977] feat(fsp): add the new sdu profile as service and stacked profile manager for system. --- apparmor.d/groups/_full/sd | 246 +++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 apparmor.d/groups/_full/sd diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 000000000..974bc3544 --- /dev/null +++ b/apparmor.d/groups/_full/sd @@ -0,0 +1,246 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, + mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/grpck ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/pwck ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/share/** r, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + /var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/* r, + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From a194f28c21f15ee0ffd693eb5612ce198bcc75ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:59:02 +0200 Subject: [PATCH 485/977] feat(fsp): add sd-mount. --- apparmor.d/groups/_full/sd-mount | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-mount diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 000000000..7f7dede60 --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 8ff829542d4fea4e9366e7ed03a387637eb24c95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:13:04 +0200 Subject: [PATCH 486/977] feat(profile): add profile for some named minimal systemd service. --- .../cloud-init-hotplugd.service | 22 +++++++ .../systemd-service/debug-shell.service | 19 ++++++ .../groups/systemd-service/dmesg.service | 62 +++++++++++++++++++ .../systemd-service/grub-common.service | 28 +++++++++ .../groups/systemd-service/ldconfig.service | 23 +++++++ .../groups/systemd-service/man-db.service | 39 ++++++++++++ .../systemd-service/secureboot-db.service | 27 ++++++++ .../groups/systemd-service/shadow.service | 23 +++++++ .../snapd.system-shutdown.service | 28 +++++++++ .../system-update-cleanup.service | 22 +++++++ .../systemd-service/usb_modeswitch.service | 17 +++++ 11 files changed, 310 insertions(+) create mode 100644 apparmor.d/groups/systemd-service/cloud-init-hotplugd.service create mode 100644 apparmor.d/groups/systemd-service/debug-shell.service create mode 100644 apparmor.d/groups/systemd-service/dmesg.service create mode 100644 apparmor.d/groups/systemd-service/grub-common.service create mode 100644 apparmor.d/groups/systemd-service/ldconfig.service create mode 100644 apparmor.d/groups/systemd-service/man-db.service create mode 100644 apparmor.d/groups/systemd-service/secureboot-db.service create mode 100644 apparmor.d/groups/systemd-service/shadow.service create mode 100644 apparmor.d/groups/systemd-service/snapd.system-shutdown.service create mode 100644 apparmor.d/groups/systemd-service/system-update-cleanup.service create mode 100644 apparmor.d/groups/systemd-service/usb_modeswitch.service diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/bash -c 'read args <&3; echo "args=$args"; \ +# exec /usr/bin/cloud-init devel hotplug-hook $args; \ +# exit 0' + +abi , + +include + +profile cloud-init-hotplugd.service { + include + + @{sh_path} ix, + @{bin}/cloud-init Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service new file mode 100644 index 000000000..9f8e235cf --- /dev/null +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=/usr/bin/bash + +abi , + +include + +profile debug-shell.service { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service new file mode 100644 index 000000000..4c67f680a --- /dev/null +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 000000000..4abd74fb1 --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + /boot/grub/ w, + /boot/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 000000000..f7d193e9e --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 000000000..24b34fc25 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 000000000..a951747be --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..e8939006e --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + audit @{bin}/cp ix, + audit @{bin}/mkdir ix, + audit @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor From 1aa0142a6aa0b31732fdf286fea14e3600b2f76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:20:32 +0200 Subject: [PATCH 487/977] feat(fsp): add/update systemd drop in files with AppArmorProfile set to the target profile. --- systemd/full/system/apport-coredump-hook@.service | 2 ++ systemd/full/system/apt-news.service | 2 ++ systemd/full/system/bluetooth.service | 2 +- systemd/full/system/cloud-init-hotplugd.service | 2 ++ systemd/full/system/colord.service | 2 ++ systemd/full/system/debug-shell.service | 2 ++ systemd/full/system/dmesg.service | 2 ++ systemd/full/system/fwupd.service | 2 ++ systemd/full/system/grub-common.service | 2 ++ systemd/full/system/ldconfig.service | 2 ++ systemd/full/system/logrotate.service | 2 ++ systemd/full/system/low-memory-monitor.service | 3 --- systemd/full/system/man-db.service | 2 ++ systemd/full/system/paccache.service | 2 -- systemd/full/system/passim.service | 2 -- systemd/full/system/pcscd.service | 2 ++ systemd/full/system/power-profiles-daemon.service | 2 ++ systemd/full/system/reflector.service | 2 -- systemd/full/system/rsyslog.service | 2 ++ systemd/full/system/secureboot-db.service | 2 ++ systemd/full/system/shadow.service | 3 +-- systemd/full/system/snapd.system-shutdown.service | 2 ++ systemd/full/system/system-update-cleanup.service | 2 ++ systemd/full/system/systemd-coredump@.service | 2 ++ systemd/full/system/systemd-initctl.service | 2 ++ systemd/full/system/systemd-journal-remote.service | 2 ++ systemd/full/system/systemd-nsresourced.service | 2 ++ systemd/full/system/systemd-oomd.service | 2 ++ systemd/full/system/systemd-rfkill.service | 2 ++ systemd/full/system/systemd-timesyncd.service | 2 ++ systemd/full/system/usb_modeswitch@.service | 2 ++ 31 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 systemd/full/system/apport-coredump-hook@.service create mode 100644 systemd/full/system/apt-news.service create mode 100644 systemd/full/system/cloud-init-hotplugd.service create mode 100644 systemd/full/system/colord.service create mode 100644 systemd/full/system/debug-shell.service create mode 100644 systemd/full/system/dmesg.service create mode 100644 systemd/full/system/fwupd.service create mode 100644 systemd/full/system/grub-common.service create mode 100644 systemd/full/system/ldconfig.service create mode 100644 systemd/full/system/logrotate.service delete mode 100644 systemd/full/system/low-memory-monitor.service create mode 100644 systemd/full/system/man-db.service delete mode 100644 systemd/full/system/paccache.service delete mode 100644 systemd/full/system/passim.service create mode 100644 systemd/full/system/pcscd.service create mode 100644 systemd/full/system/power-profiles-daemon.service delete mode 100644 systemd/full/system/reflector.service create mode 100644 systemd/full/system/rsyslog.service create mode 100644 systemd/full/system/secureboot-db.service create mode 100644 systemd/full/system/snapd.system-shutdown.service create mode 100644 systemd/full/system/system-update-cleanup.service create mode 100644 systemd/full/system/systemd-coredump@.service create mode 100644 systemd/full/system/systemd-initctl.service create mode 100644 systemd/full/system/systemd-journal-remote.service create mode 100644 systemd/full/system/systemd-nsresourced.service create mode 100644 systemd/full/system/systemd-oomd.service create mode 100644 systemd/full/system/systemd-rfkill.service create mode 100644 systemd/full/system/systemd-timesyncd.service create mode 100644 systemd/full/system/usb_modeswitch@.service diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 000000000..73bbc99d8 --- /dev/null +++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 000000000..d7bf885dd --- /dev/null +++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d352890..5cccff422 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 000000000..a2a121fc3 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 000000000..9a64fbc26 --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 000000000..f895f7941 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 000000000..d4647117b --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 000000000..5054a73d6 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 000000000..8520aea76 --- /dev/null +++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 000000000..1b2a9c287 --- /dev/null +++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 000000000..bc984e025 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a..000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 000000000..d3a78dd80 --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 000000000..8d39f3f26 --- /dev/null +++ b/systemd/full/system/pcscd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 000000000..45c5ed93b --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 000000000..6b49a73f0 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 000000000..722781b8a --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a..52d2f644c 100644 --- a/systemd/full/system/shadow.service +++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 000000000..7953d522a --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 000000000..24c914f77 --- /dev/null +++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 000000000..d13624709 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 000000000..e44c8767f --- /dev/null +++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 000000000..e08cf75a9 --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 000000000..0cd6fefbf --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 000000000..0eca1db25 --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file From d5a65ba8319d63faa358abfc55c51e5fd77bc3f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:26:18 +0200 Subject: [PATCH 488/977] feat(profile): add a few small profile needed by fsp. --- apparmor.d/profiles-a-f/e2scrub | 18 ++++++++++++++++ .../open-iscsi-net-interface-handler | 19 +++++++++++++++++ apparmor.d/profiles-s-z/u-d-c-print-pci-ids | 19 +++++++++++++++++ .../udev-bridge-network-interface | 21 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 apparmor.d/profiles-a-f/e2scrub create mode 100644 apparmor.d/profiles-m-r/open-iscsi-net-interface-handler create mode 100644 apparmor.d/profiles-s-z/u-d-c-print-pci-ids create mode 100644 apparmor.d/profiles-s-z/udev-bridge-network-interface diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 000000000..2593b78ac --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor From 3984cf8accfaf48badb6f6ad9916a392bde499d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:27:55 +0200 Subject: [PATCH 489/977] feat(profile): initial profile for pollinate. --- apparmor.d/profiles-m-r/pollinate | 48 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pollinate diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5a6c7c526..2736540a8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -266,6 +266,7 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain ptyxis complain ptyxis-agent complain pycompile complain From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:29:52 +0200 Subject: [PATCH 490/977] feat(profile): integrate fsp with apt and ubuntu. --- apparmor.d/groups/apt/apt-methods-http | 5 +++-- apparmor.d/groups/apt/dpkg-script-apparmor | 1 + apparmor.d/groups/apt/dpkg-script-systemd | 3 +++ apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/ubuntu/cron-ubuntu-fan | 8 +------- apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++ 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0b375c8f8..7fb3a2cc4 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include @@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, signal receive peer=apt, signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, signal receive peer=role_*, signal receive peer=synaptic, signal receive peer=ubuntu-advantage, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 73b14390a..e9a03f282 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} { /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 4acafd139..8ca92515c 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} { /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 4fb4d04c4..3102b23bb 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, @@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} { include include + capability dac_read_search, + dbus send bus=system path=/ interface=org.freedesktop.DBus member=ReloadConfig diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 95b8b2760..c2d94e25a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, signal send peer=apt-methods-http, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 8f5952d9b..3ca55909d 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rix, - @{bin}/flock rix, + @{sbin}/fanctl rPx, @{bin}/grep rix, - @{bin}/id rix, @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index b3cbf7f07..3ad03eb05 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} { @{exec_path} mr, + @{bin}/systemctl Cx -> systemctl, + /usr/share/apport/apport-checkreports Px, + profile systemctl { + include + include + + include if exists + } + include if exists } From 38c6e35a1b0e5af40b06a50484e4b95a86f45581 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:33:37 +0200 Subject: [PATCH 491/977] feat(profile): add some ubuntu specific profiles. --- apparmor.d/groups/ubuntu/apt_news | 39 +++++++++++++++++++++++++ apparmor.d/groups/ubuntu/fanctl | 33 +++++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-fan-net | 24 +++++++++++++++ dists/flags/ubuntu.flags | 3 ++ 4 files changed, 99 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt_news create mode 100644 apparmor.d/groups/ubuntu/fanctl create mode 100644 apparmor.d/groups/ubuntu/ubuntu-fan-net diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..faf15dfbe --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..f9d7c01f5 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc85..7339702a2 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,12 +1,14 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +20,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain From 28d9d48de457eb5d2db6a065d1341386479bc27f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:39:35 +0200 Subject: [PATCH 492/977] feat(profile): small update to systemd profiles. --- apparmor.d/groups/systemd/bootctl | 25 ++++++++----------- apparmor.d/groups/systemd/homectl | 2 +- .../systemd/systemd-generator-ds-identify | 4 +-- apparmor.d/groups/systemd/systemd-logind | 2 +- .../systemd/systemd-networkd-wait-online | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 7 ++++-- 6 files changed, 20 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 9508cfcf2..f7d001c70 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected) { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, @{efi}/ r, - @{efi}/EFI/{,**} r, - @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - @{efi}/EFI/BOOT/BOOTX64.EFI w, - @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - @{efi}/EFI/systemd/systemd-boot*.efi w, - @{efi}/loader/.#bootctlrandom-seed@{hex} rw, - @{efi}/loader/.#entries.srel* w, - @{efi}/loader/{,**} r, - @{efi}/loader/entries.srel w, - @{efi}/loader/random-seed w, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, - /etc/kernel/entry-token r, + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3a78c531e..3c962e309 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} { +profile homectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 346e7d94e..ba6141d86 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e1..b1869b16b 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e40730..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index d1beae428..97dcb3b05 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} { +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include include @@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} { @{exec_path} mr, - @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + @{lib}/systemd/systemd-nsresourcework ix, # no new privs @{run}/systemd/nsresource/ rw, @{run}/systemd/nsresource/** rw, @@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} { @{sys}/kernel/btf/vmlinux r, @{sys}/kernel/security/lsm r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } From 581a55c7269cccd518baf9f65c5078edecaffcb4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:40:49 +0200 Subject: [PATCH 493/977] feat(profile): update systemd-homework/homed as they get stacked. --- apparmor.d/groups/systemd/systemd-homed | 20 ++++++-- apparmor.d/groups/systemd/systemd-homework | 58 +++++++++++++++++++++- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a89cd90f8..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, @@ -32,16 +35,24 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, @{sbin}/mke2fs rPx, @@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a16..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } From 9325dd5ca0cb1f37bda1d2abd90333cacb2d9958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:43:19 +0200 Subject: [PATCH 494/977] feat(profile): revisit systemd-udevd and ensure most program get transitionned confined. --- apparmor.d/groups/systemd/systemd-udevd | 66 ++++++++++++++----------- 1 file changed, 36 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3861056b8..9c993e0d5 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,44 +37,45 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{sbin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{sbin}/dmsetup rPx, - @{sbin}/ethtool rix, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPUx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{sbin}/lvm rPx, - @{bin}/mknod rix, - @{sbin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, - @{bin}/vmmouse_detect rPUx, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, @@ -120,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -127,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } From 32a9806219898f6c5a25b7efb3a15320ff7af24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:52:40 +0200 Subject: [PATCH 495/977] feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile. --- systemd/full/user/filter-chain.service | 2 ++ systemd/full/user/pipewire-media-session.service | 5 ----- systemd/full/user/pipewire-pulse.service | 2 ++ systemd/full/user/pipewire.service | 2 ++ systemd/full/user/wireplumber.service | 2 ++ systemd/full/user/wireplumber@.service | 2 ++ 6 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 systemd/full/user/filter-chain.service delete mode 100644 systemd/full/user/pipewire-media-session.service create mode 100644 systemd/full/user/pipewire-pulse.service create mode 100644 systemd/full/user/pipewire.service create mode 100644 systemd/full/user/wireplumber.service create mode 100644 systemd/full/user/wireplumber@.service diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe..000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 000000000..1d35a493e --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file From 60b91279162036a7d1a55df72d40977387fe1336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:53:47 +0200 Subject: [PATCH 496/977] feat(profile): update pipewire profiles. --- apparmor.d/groups/freedesktop/pipewire-pulse | 8 +++++++- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/wireplumber | 4 ++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 530fa97db..fddbe02f7 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -11,15 +11,18 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include + include + include include capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/pactl rix, + @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index fab642571..05e4c3ec2 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa6928298..0925bad91 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -75,6 +75,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, From d9cfef3e5d5a0bc035383e82d4cc69a9a25c0435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:03:11 +0200 Subject: [PATCH 497/977] refractor(profile): move systemd generators to their own group --- .../{systemd => systemd-generators}/systemd-generator-bless-boot | 0 .../{systemd => systemd-generators}/systemd-generator-cloud-init | 0 .../{systemd => systemd-generators}/systemd-generator-cryptsetup | 0 .../{systemd => systemd-generators}/systemd-generator-debug | 0 .../{systemd => systemd-generators}/systemd-generator-ds-identify | 0 .../systemd-generator-environment-arch | 0 .../systemd-generator-environment-flatpak | 0 .../systemd-generator-friendly-recovery | 0 .../{systemd => systemd-generators}/systemd-generator-fstab | 0 .../{systemd => systemd-generators}/systemd-generator-getty | 0 .../{systemd => systemd-generators}/systemd-generator-gpt-auto | 0 .../systemd-generator-hibernate-resume | 0 .../systemd-generator-integritysetup | 0 .../{systemd => systemd-generators}/systemd-generator-ostree | 0 .../{systemd => systemd-generators}/systemd-generator-rc-local | 0 .../groups/{systemd => systemd-generators}/systemd-generator-run | 0 .../{systemd => systemd-generators}/systemd-generator-snapd | 0 .../{systemd => systemd-generators}/systemd-generator-sshd-socket | 0 .../systemd-generator-system-update | 0 .../groups/{systemd => systemd-generators}/systemd-generator-sysv | 0 .../systemd-generator-user-autostart | 0 .../systemd-generator-user-environment | 0 .../{systemd => systemd-generators}/systemd-generator-veritysetup | 0 23 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-bless-boot (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cloud-init (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cryptsetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-debug (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ds-identify (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-arch (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-flatpak (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-friendly-recovery (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-fstab (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-getty (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-gpt-auto (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-hibernate-resume (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-integritysetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ostree (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-rc-local (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-run (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-snapd (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sshd-socket (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-system-update (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sysv (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-autostart (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-environment (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-veritysetup (100%) diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-friendly-recovery rename to apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-rc-local rename to apparmor.d/groups/systemd-generators/systemd-generator-rc-local diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-snapd rename to apparmor.d/groups/systemd-generators/systemd-generator-snapd diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sshd-socket rename to apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sysv rename to apparmor.d/groups/systemd-generators/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup From 3d76c98c4b65355203da9ffc4d1693b174d79163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:05:34 +0200 Subject: [PATCH 498/977] feat(profile): add more systemd-generator profiles. --- .../systemd-generator-environment-snapd | 18 +++++++ .../systemd-generator-import | 31 ++++++++++++ .../systemd-generator-openvpn | 27 +++++++++++ .../systemd-generators/systemd-generator-ssh | 48 +++++++++++++++++++ .../systemd-generators/systemd-generator-tpm2 | 30 ++++++++++++ dists/flags/main.flags | 9 +++- 6 files changed, 161 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-import create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-openvpn create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-ssh create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-tpm2 diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd new file mode 100644 index 000000000..b18bd6bd5 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 000000000..36ff4e5ff --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + / r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 000000000..780c63d56 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 000000000..efb56468e --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 000000000..4d601d0f9 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2736540a8..6a030fe63 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,19 +329,24 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain @@ -350,8 +355,8 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-nsresourced complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain systemd-resolve complain From 89a17146103cadf12e83543d1f5cc3504fcca2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:14:54 +0200 Subject: [PATCH 499/977] fix(profile): a few linting fixes. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/sd-mount | 2 +- apparmor.d/groups/_full/sdu | 2 +- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 1 - 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 974bc3544..106e36817 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -131,10 +131,10 @@ profile sd flags=(attach_disconnected,mediate_deleted) { @{bin}/true ix, # Required due to stacked profiles - @{bin}/grpck ix, + @{sbin}/grpck ix, @{bin}/gzip ix, @{bin}/install ix, - @{bin}/pwck ix, + @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 7f7dede60..1572a8f6d 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount @@ -36,7 +36,7 @@ profile sd-mount flags=(complain) { mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount options=(rw move) -> @{efi}, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 5ceb669f0..411a8c3ad 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -98,7 +98,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { profile shell flags=(attach_disconnected,mediate_deleted,complain) { include - + @{sh_path} mr, @{bin}/systemctl Px -> sdu//systemctl, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63..deee33daf 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 3ad03eb05..dee094aa1 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -19,7 +19,7 @@ profile update-notifier-crash @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 7aa812f79..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/wsdd +@{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 805ab8bf1..676bc4d56 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1016,7 +1016,6 @@ wpa_supplicant wqlat-bpfcc writeback.bt wrmsr -wsdd xfs_admin xfs_bmap xfs_copy From e771ef77b8c9343f29a07c32c7d3955620a12169 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:18:39 +0200 Subject: [PATCH 500/977] tests(packer): update base images content. --- .../cloud-init/archlinux-gnome.user-data.yml | 35 +------- tests/cloud-init/archlinux-kde.user-data.yml | 37 +-------- tests/cloud-init/archlinux.yml | 82 ++++++++++++++++--- tests/cloud-init/debian.yml | 32 ++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 9 ++ tests/cloud-init/ubuntu.yml | 39 ++++++++- 6 files changed, 150 insertions(+), 84 deletions(-) create mode 100644 tests/cloud-init/debian13-gnome.user-data.yml diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c292993c1..d33f685b6 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,39 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte +packages: *gnome-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index c89b3a25c..cb4c4d3b0 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,41 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular +packages: *kde-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d860f1a1e..5299efda0 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -1,37 +1,93 @@ #cloud-config -# Core packages for Archlinux core-packages: &core-packages - # Install core packages - apparmor - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - bash-completion + - docker - git - htop + - just - man - pass - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent - vim - wget -# Core desktop packages for Archlinux -desktop-packages: &desktop-packages - # Install basic services +gnome-packages: &gnome-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux - networkmanager - cups - cups-pdf - system-config-printer - - # Install Applications - - firefox - chromium + - firefox + - spice-vdagent - terminator + # Install Graphical Interface + - alacarte + - gnome + - gnome-extra + - ptyxis + - seahorse + +kde-packages: &kde-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index cead162a4..ea3012ad2 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -3,45 +3,77 @@ # Core packages for Debian core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim gnome-packages: &desktop-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Gnome packages for Debian - spice-vdagent - task-gnome-desktop - terminator + - loupe + - ptyxis kde-packages: &kubuntu-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # KDE packages for Debian diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml new file mode 100644 index 000000000..0d5adfe17 --- /dev/null +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index ba640e3af..14db33251 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -1,50 +1,81 @@ #cloud-config -# Core packages for Ubuntu core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim desktop-packages: &desktop-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu - spice-vdagent - terminator - ubuntu-desktop + - loupe + - ptyxis kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu @@ -74,3 +105,9 @@ desktop-runcmd: &desktop-runcmd # Finally, remove things only installed as dependencies of other things # we have already removed. - apt-get -y autoremove + + # Ensure systemd-networkd is disabled + - systemctl disable systemd-networkd-wait-online.service + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket From d9e6e686e0186d94fab9a9fdecc7d2c48255d3d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 01:44:09 +0200 Subject: [PATCH 501/977] build: ignore all rule in abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..5fba837d5 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, }) ) From 2282128cbddc1017740071b8058c54bf7868e90c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:43:57 +0200 Subject: [PATCH 502/977] feat(fsp): setup RBAC mapping in auth enabled profiles. --- apparmor.d/groups/ssh/sshd | 15 ++++++++------- apparmor.d/groups/utils/chfn | 1 + apparmor.d/groups/utils/chsh | 1 + apparmor.d/groups/utils/login | 3 ++- apparmor.d/groups/utils/su | 5 +++-- apparmor.d/mappings/sudo/base | 30 ++++++++++++++++++++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/mappings/sudo/base diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4b99aafd6..cc12a9eec 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{sbin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/{openssh,ssh}/sftp-server rPx, - @{lib}/{openssh,ssh}/sshd-auth rPx, - @{lib}/{openssh,ssh}/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session ix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 45b50c7ad..824d92bf4 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,6 +15,7 @@ profile chfn @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index e3581be31..a630a7733 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,6 +15,7 @@ profile chsh @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6227f4fc5..c35001498 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 81e299d23..c4e83ddfa 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,6 +12,7 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal @@ -21,8 +22,8 @@ profile su @{exec_path} { @{exec_path} mr, - @{bin}/@{shells} rUx, - @{sbin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 6c6e1c3456fce34164cf54189dc23080db02b54c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:49:16 +0200 Subject: [PATCH 503/977] feat(profile): minor fsp related improvment. --- apparmor.d/groups/freedesktop/colord | 5 +++-- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/tailscaled | 2 +- .../groups/systemd-service/snapd.system-shutdown.service | 6 +++--- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/profiles-g-l/ischroot | 2 +- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 031ba0605..ee2cdf42e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, - @{att}/@{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c4c24efc9..de8643100 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index fa6cd8ddd..bb877ec1a 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index e8939006e..ce819a791 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -13,9 +13,9 @@ include profile snapd.system-shutdown.service { include - audit @{bin}/cp ix, - audit @{bin}/mkdir ix, - audit @{bin}/mount ix, + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, @{lib}/snapd/system-shutdown r, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index deee33daf..ef278da63 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index c5b848bab..4e087343a 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} { +profile ischroot @{exec_path} flags=(attach_disconnected) { include include From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:50:20 +0200 Subject: [PATCH 504/977] feat(profile): add initial profile for systemd-initctl. --- apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-initctl diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a030fe63..e73dd4cd5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain From af82a9caa6358a64d0037761a40e286d6018f283 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:52:42 +0200 Subject: [PATCH 505/977] feat(profile): add profiles for whoopsie. --- apparmor.d/profiles-s-z/whoopsie | 31 ++++++++++++++++++ apparmor.d/profiles-s-z/whoopsie-preferences | 34 ++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whoopsie create mode 100644 apparmor.d/profiles-s-z/whoopsie-preferences diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 000000000..16a0e5a5e --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 000000000..3b720d0da --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e73dd4cd5..77ea8761f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -404,6 +404,8 @@ waybar attach_disconnected,complain wechat attach_disconnected,complain wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain From 8452eb44f18e96aa9de83c74e0902aabdcad336d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:48:38 +0200 Subject: [PATCH 506/977] feat(abs): minor improvement & cosmetic. --- apparmor.d/abstractions/app/kmod | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/sudo | 4 +++- apparmor.d/abstractions/base.d/complete | 6 ++++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- apparmor.d/abstractions/consoles.d/complete | 7 +++++++ apparmor.d/abstractions/freedesktop.org.d/complete | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/vulkan.d/complete | 1 + apparmor.d/abstractions/webkit | 2 +- apparmor.d/abstractions/zsh | 1 + 11 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 86bb7d78a..6c889bd60 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,9 +7,9 @@ include + @{bin}/kmod mr, @{sbin}/depmod mr, @{sbin}/insmod mr, - @{bin}/kmod mr, @{sbin}/lsmod mr, @{sbin}/modinfo mr, @{sbin}/modprobe mr, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 3be45b4dd..1557b78ef 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -12,7 +12,7 @@ capability dac_override, capability dac_read_search, - signal (receive) set=(stop, cont, term, kill), + signal receive set=(stop, cont, term, kill), @{bin}/ r, @{pager_path} mrix, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1286b1571..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,6 +24,8 @@ network netlink raw, # PAM + unix type=stream addr=@@{udbus}/bus/sudo/system, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 06b413342..ecfe09bb5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,14 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 38e05f48c..b002d6fa4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -9,7 +9,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..ce7bb73ba --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..220883c29 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 71e76f9da..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,7 +6,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 9481d4fec..c9a275250 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ff90849c0..02eacfb62 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -12,6 +12,7 @@ /usr/local/share/zsh/{,**} r, /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, /etc/zsh/* r, From 86202b0fbf9502671d5e053da7d55699127501c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:53:37 +0200 Subject: [PATCH 507/977] feat(fsp): small fsp improvement. --- apparmor.d/groups/_full/sd | 21 ++++++++++++++++++++- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/_full/systemd-user | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 106e36817..44b3a9b7d 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -18,7 +18,7 @@ abi , include @{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted) { +profile sd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability net_bind_service, capability net_raw, capability perfmon, capability setfcap, @@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability sys_tty_config, capability syslog, + network alg seqpacket, + network bluetooth, network inet dgram, network inet stream, network inet6 dgram, @@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) { umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, + # mount tmpfs -> @{run}/lock/, + # mount tmpfs -> @{sys}/fs/cgroup/, + # mount cgroup -> @{sys}/fs/cgroup/systemd/, + # audit mount /dev/** -> /boot/{,efi/}, + # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + + # audit remount @{run}/systemd/unit-root/{,**}, + # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, + # audit remount options=(ro nosuid nodev bind) /var/, + # audit remount options=(ro nosuid nodev noexec bind) /boot/, + + # audit umount @{PROC}/sys/fs/binfmt_misc/, + # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, + # audit umount @{run}/systemd/unit-root/{,**}, + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, change_profile, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eec9b33d9..b7c12c6bd 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/dri/card@{int} rw, + /dev/initctl w, /dev/input/ r, /dev/kmsg w, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 3b0d01709..ed531c58b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index bb824c7cb..a816e58b8 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH 508/977] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07..1355aa22b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337..641862965 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835e..a43168866 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e2..2f9077d19 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6..104d95fb3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e..8b0ea6307 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e204..1099f254d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b..56445aeac 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece3366..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e..d89d4d6f9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344..ebf975673 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368..a6f7e5b63 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f21..ce60a26c3 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d..9af8be00a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:02:20 +0200 Subject: [PATCH 509/977] feat(tunable): add the archive_path variable. --- apparmor.d/profiles-a-f/atool | 8 ++++---- apparmor.d/profiles-a-f/file-roller | 14 +------------- apparmor.d/profiles-s-z/unmkinitramfs | 6 +----- apparmor.d/profiles-s-z/xarchiver | 13 +------------ apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 6 files changed, 13 insertions(+), 34 deletions(-) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 24610cd8c..e7bfafaac 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -26,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..3ee530970 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..f38a69224 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 059f337fd..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -72,4 +72,7 @@ # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index cddb1a7d2..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -96,4 +96,7 @@ # Backup @{backup_names} = deja-dup borg +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor From 71a473712c15ee71fe39ce021577b052fea2528f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:58:02 +0200 Subject: [PATCH 510/977] tests: rewrite and expand the profile check to more files. Rewrite: Speed up the checking by not using grep anymore and only using bash, also make it parallel Revisit the way result are shown. Expand: Also scan for mapping files and abstaction completion. Adapt the scan accordingly. --- tests/check.sh | 378 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 259 insertions(+), 119 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 02ae71812..25c82e3d1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Usage: make check @@ -8,101 +8,250 @@ set -eu -o pipefail -readonly APPARMORD="apparmor.d" -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +readonly MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local type="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local type="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" } -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 fi done + return 1 } -_ensure_indentation() { +_is_enabled() { + _in_array "$1" "${WITH_CHECK[@]}" +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_check() { local file="$1" - local in_profile=false - local first_line_after_profile=true local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header fi + _check_tabs + _check_trailing + _check_indentation + _check_vim - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true + done <"$file" - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err guideline "$file" "missing 'abi ,'" + fi +} - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" =~ ^.*"${include}"$ ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err guideline "$file" "missing '$include'" + fi +} - if ! $ok; then - _die "$file:$line_number: invalid indentation." +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err guideline "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err style "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err style "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err style "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err style "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _err style "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" -} - -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" fi } -_ensure_abi() { - local file="$1" - if ! grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + + fi fi } +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err guideline "$file" "$msg" + done +} -_ensure_vim() { - local file="$1" - if ! grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -117,69 +266,60 @@ check_sbin() { } check_profiles() { - echo -e "\033[1m â‹… \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" - ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + jobs=0 + WITH_CHECK=(abi include header tabs trailing indentation vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" + find "$APPARMORD/mappings" -type f + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=(header tabs trailing indentation vim) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi From fff0df39ba61e862e7d62897b0126e0c2eb91835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:59:14 +0200 Subject: [PATCH 511/977] tests: add more check for sbin path Also look for path that should not use sbin. --- tests/check.sh | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 25c82e3d1..09a2e105b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -256,13 +256,39 @@ _res_vim() { } check_sbin() { - echo -e "\033[1m â‹… \033[0mEnsuring '@{sbin}' is used in all profiles:" - while IFS= read -r name; do - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) - for file in "${files[@]}"; do - _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - done Date: Mon, 2 Jun 2025 20:41:20 +0200 Subject: [PATCH 512/977] test: add some security checks. --- tests/check.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 09a2e105b..59463246e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,7 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK -readonly MAX_JOBS APPARMORD="apparmor.d" +readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -58,6 +58,12 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + # Guidelines check _check_abi _check_include @@ -84,13 +90,82 @@ _check() { _res_vim } +# Rules checks: security, compatibility and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory_mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname"* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too_wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _err security "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false readonly ABI_SYNTAX='abi ,' _check_abi() { _is_enabled abi || return 0 - if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + if [[ "$line" == *"$ABI_SYNTAX" ]]; then RES_ABI=true fi } @@ -104,7 +179,7 @@ _res_abi() { RES_INCLUDE=false _check_include() { _is_enabled include || return 0 - if [[ "$line" =~ ^.*"${include}"$ ]]; then + if [[ "$line" == *"${include}"* ]]; then RES_INCLUDE=true fi } From c8f2a435f877367866fa811d4d897238c0d6108b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Jun 2025 23:59:41 +0200 Subject: [PATCH 513/977] tests: remove symbolic link from sbin. --- tests/sbin.list | 288 +++++------------------------------------------- 1 file changed, 30 insertions(+), 258 deletions(-) diff --git a/tests/sbin.list b/tests/sbin.list index 676bc4d56..d2b5c44bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -21,7 +21,6 @@ acpid acpidump add-shell addgnupghome -addgroup addpart adduser agetty @@ -31,24 +30,15 @@ alsa-info.sh alsa-init alsabat-test alsactl -alternatives anacron +apache2 apparmor_parser apparmor_status applygnupgdefaults aptd argdist-bpfcc -arp arpd -arptables -arptables-nft -arptables-nft-restore -arptables-nft-save -arptables-restore -arptables-save -arptables-translate aspell-autobuildhash -atd audisp-af_unix audisp-filter audisp-syslog @@ -90,26 +80,18 @@ blockdev blogctl blogd blogger -bluetoothd bpflist-bpfcc bpftool brctl bridge -brltty brltty-setup btrfs btrfs-convert +btrfs-find-root btrfs-image -btrfsck btrfsdist-bpfcc btrfsslower-bpfcc btrfstune -cache_check -cache_dump -cache_metadata_size -cache_repair -cache_restore -cache_writeback cachestat-bpfcc cachetop-bpfcc capable-bpfcc @@ -120,7 +102,6 @@ cgdisk chat chcpu check_mail_queue -check-bios-nx checkproc chgpasswd chkstat-polkit @@ -135,7 +116,6 @@ coldreboot compactsnoop-bpfcc complain config.postfix -cpgr cppw cpudist-bpfcc cpuunclaimed-bpfcc @@ -153,17 +133,13 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel -ctstat cups-browsed cups-genppd.5.3 cups-genppdupdate cupsaccept cupsctl cupsd -cupsdisable -cupsenable cupsfilter -cupsreject dbslower-bpfcc dbstat-bpfcc dcb @@ -173,14 +149,9 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs -debugfs.reiserfs -debugreiserfs decode -defrag.f2fs -delgroup delpart deluser -depmod devlink dhcpcd dirtop-bpfcc @@ -192,7 +163,6 @@ dmfilemapd dmidecode dmraid dmsetup -dmstats dnsmasq dosfsck dosfslabel @@ -213,34 +183,37 @@ e2undo e4crypt e4defrag eapol_test -ebtables -ebtables-nft -ebtables-nft-restore -ebtables-nft-save -ebtables-restore -ebtables-save -ebtables-translate ec_access efibootdump efibootmgr enforce -era_check -era_dump -era_invalidate -era_restore ethtool eventlogadm -exec execsnoop-bpfcc execsnoop.bt exfat2img exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm exitsnoop-bpfcc +exiwhat ext4dist-bpfcc ext4slower-bpfcc -f2fs_io -f2fscrypt -f2fslabel f2fsslower-bpfcc faillock fanatic @@ -251,7 +224,6 @@ fatresize fbtest fdformat fdisk -fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -270,7 +242,6 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 -fsck.f2fs fsck.fat fsck.minix fsck.msdos @@ -295,7 +266,6 @@ gethostlatency-bpfcc gethostlatency.bt getpcaps getsysinfo -getty getweb gnome-menus-blacklist gpart @@ -308,7 +278,6 @@ groupmod grpck grpconv grpunconv -grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -328,62 +297,30 @@ grub2-reboot grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg -halt hardirqs-bpfcc -hc-ifscan hdparm hwclock hwinfo iconvconfig -ifconfig ifrename ifstat import-openSUSE-build-key -init inject-bpfcc inputattach -insmod install_acx100_firmware install_intersil_firmware install-sgmlcatalog installkernel integritysetup invoke-rc.d -ip -ip6tables -ip6tables-apply -ip6tables-legacy ip6tables-legacy-batch -ip6tables-legacy-restore -ip6tables-legacy-save -ip6tables-nft -ip6tables-nft-restore -ip6tables-nft-save -ip6tables-restore -ip6tables-restore-translate -ip6tables-save -ip6tables-translate -ipmaddr ipp-usb ippevepcl ippeveprinter ippeveps ipset -ipset-translate -iptables iptables-apply -iptables-legacy iptables-legacy-batch -iptables-legacy-restore -iptables-legacy-save -iptables-nft -iptables-nft-restore -iptables-nft-save -iptables-restore -iptables-restore-translate -iptables-save -iptables-translate -iptunnel irqbalance irqbalance-ui isadump @@ -397,8 +334,6 @@ isosize ispell-autobuildhash isserial issue-generator -iucode_tool -iucode-tool iw iwconfig iwevent @@ -427,7 +362,6 @@ killsnoop.bt klockstat-bpfcc klogd kpartx -kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -449,29 +383,11 @@ lpadmin lpc lpinfo lpmove -lsmod -lspcmcia luksformat -lvchange -lvconvert -lvcreate -lvdisplay -lvextend lvm lvm_import_vdo -lvmconfig -lvmdevices -lvmdiskscan lvmdump lvmpolld -lvmsadc -lvmsar -lvreduce -lvremove -lvrename -lvresize -lvs -lvscan lwepgen lxc lxd @@ -484,7 +400,6 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc -mii-tool mk_isdnhwdb mkdict mkdosfs @@ -500,10 +415,6 @@ mkfs.ext4 mkfs.f2fs mkfs.fat mkfs.minix -mkfs.msdos -mkfs.ntfs -mkfs.reiserfs -mkfs.vfat mkfs.xfs mkhomedir_helper mkill @@ -515,8 +426,6 @@ mkreiserfs mksubvolume mkswap ModemManager -modinfo -modprobe mount.cifs mount.ddi mount.fuse @@ -533,12 +442,9 @@ mpathpersist multipath multipathc multipathd -mysqld mysqld_qslower-bpfcc -nameif naptime.bt needrestart -netplan netqtop-bpfcc NetworkManager newusers @@ -574,7 +480,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -583,13 +488,11 @@ pam_timestamp_check pam-auth-update pam-config paperconfig -parse.f2fs parted partprobe partx pbl pccardctl -pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -598,11 +501,9 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc -pidofproc pidpersec-bpfcc pidpersec.bt pivot_root -plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -618,7 +519,7 @@ postmap postmulti postqueue postsuper -poweroff +posttls-finger ppchcalls-bpfcc pppd pppdump @@ -627,15 +528,6 @@ pppstats pptp pptpsetup profile-bpfcc -pvchange -pvck -pvcreate -pvdisplay -pvmove -pvremove -pvresize -pvs -pvscan pwck pwconv pwhistory_helper @@ -647,108 +539,30 @@ pythongc-bpfcc pythonstat-bpfcc qemu-ga qmqp-source -rarp -rcapparmor -rcauditd -rcautofs -rcavahi-daemon -rcavahi-dnsconfd -rcblk-availability -rcbolt -rcbtrfsmaintenance-refresh -rcca-certificates -rcchrony-wait -rcchronyd -rccolord -rccron -rccups -rccups-browsed -rccups-lpd -rcdbus -rcdisplay-manager -rcdm-event -rcdnsmasq -rcfancontrol +qshape rcfirewalld -rcflatpak-system-helper -rcfstrim -rcfwupd -rcfwupd-offline-update -rcfwupd-refresh -rcgpm -rcirqbalance -rcissue-add-ssh-keys -rcissue-generator -rckexec-load -rclm_sensors -rclogrotate -rclvm2-lvmpolld -rclvm2-monitor -rcmariadb -rcmcelog -rcmdmonitor -rcModemManager -rcmultipathd -rcmysql -rcnetwork -rcnfs-client -rcnmb rcopenvpn -rcostree-prepare-root -rcostree-remount -rcpackagekit -rcpackagekit-offline-update rcpcscd -rcpkcs11_eventmgr -rcpostfix -rcrng-tools -rcrpcbind -rcrsyncd -rcrtkit-daemon -rcsddm -rcsmartd -rcsmb -rcsnmpd -rcsnmptrapd -rcspeech-dispatcherd -rcspice-vdagentd -rcsshd -rctuned -rcudisks2 -rcupower -rcusbmuxd -rcwpa_supplicant -rcwsdd rcxdm rcxvnc rdma rdmaucma-bpfcc -rdmsr readahead-bpfcc readprofile -reboot -refresh_initrd +realm regdbdump -reiserfsck -reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc -resize_reiserfs -resize.f2fs resize2fs resizepart -resolvconf rfkill -rmmod -rmt rmt-tar rndc rndc-confgen rngd -route routel rpc.gssd rpc.idmapd @@ -757,7 +571,6 @@ rpc.svcgssd rpcbind rpcctl rpcdebug -rpcinfo rpmconfigcheck rsyncd rsyslogd @@ -765,14 +578,12 @@ rtacct rtcwake rtkitctl rtmon -rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc runc -runlevel runqlat-bpfcc runqlat.bt runqlen-bpfcc @@ -792,8 +603,6 @@ sensors-detect service set_polkit_default_privs setcap -setconsole -setpci setuids.bt setup-nsssysinit.sh setvesablank @@ -805,12 +614,9 @@ shim-install shmsnoop-bpfcc showconsole showmount -shutdown skdump sktest slabratetop-bpfcc -slattach -sload.f2fs sm-notify smart_agetty smartctl @@ -828,12 +634,12 @@ spice-vdagentd ss sshd sshd-gen-keys-start +sshd.hmac ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc -start_daemon start-statd start-stop-daemon startproc @@ -855,6 +661,7 @@ sysconf_addword syscount-bpfcc syscount.bt sysctl +syslog2eximlog sysusers2shadow tarcat tc @@ -881,33 +688,20 @@ tcpsynbl-bpfcc tcpsynbl.bt tcptop-bpfcc tcptracer-bpfcc -tcptraceroute tcptraceroute.db -telinit thermald -thin_check -thin_delta -thin_dump -thin_ls -thin_metadata_size -thin_repair -thin_restore -thin_rmap -thin_trim threadsnoop-bpfcc threadsnoop.bt tipc tlp tplist-bpfcc trace-bpfcc -traceroute tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs tuned tuned-adm -tunefs.reiserfs tunelp u-d-c-print-pci-ids ucalls @@ -923,21 +717,21 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-bootloader +update-alternatives update-ca-certificates update-catalog update-cracklib -update-default-aspell update-default-ispell update-default-wordlist update-dictcommon-aspell update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template update-fonts-alias update-fonts-dir update-fonts-scale update-grub update-grub-gfxpayload -update-grub2 update-gsfontmap update-icon-caches update-ieee-data @@ -973,30 +767,10 @@ vfscount-bpfcc vfscount.bt vfsstat-bpfcc vfsstat.bt -vgcfgbackup -vgcfgrestore -vgchange -vgck -vgconvert -vgcreate -vgdisplay -vgexport -vgextend -vgimport -vgimportclone -vgimportdevices -vgmerge -vgmknodes -vgreduce -vgremove -vgrename -vgs -vgscan -vgsplit vhangup -vigr vipw virt-what +virt-what-cvm virtiostat-bpfcc virtlockd virtlogd @@ -1015,7 +789,6 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt -wrmsr xfs_admin xfs_bmap xfs_copy @@ -1032,6 +805,7 @@ xfs_metadump xfs_mkfile xfs_ncheck xfs_property +xfs_protofile xfs_quota xfs_repair xfs_rtcp @@ -1043,9 +817,7 @@ xfsdist.bt xfsslower-bpfcc xkbctrl xtables-legacy-multi -xtables-monitor xtables-nft-multi -yast yast2 zdump zerofree From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH 514/977] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd60..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d42..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c..ab230a43b 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac82..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d7..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f51..6eeeaa414 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26..57a0baa20 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce53..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d..6431ee98a 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276c..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c88..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a9..1f1fc66eb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..6cf3b824c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781..ce41d6ae8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909d..9fd065db3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2..916279378 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4a..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a3..4d730602d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd..aea3cbf01 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3a..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d..bb7dfd3b8 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a7..3505126ad 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff86..9a7e77902 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf8..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea062..133cf8ae7 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f4..aeb125ef2 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b..485520ca0 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c..e23d4db43 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a0..023644eb0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc..15373846c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy From f0355f36b9fd74725e086790db305de6c25edafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:36:30 +0200 Subject: [PATCH 515/977] tests: show error line in sbin check. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 59463246e..add9b0685 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -338,7 +338,7 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done @@ -349,7 +349,7 @@ check_sbin() { local pattern='[[:alnum:]_.-]+' # Pattern for valid file names jobs=0 - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do ( while read -r match; do @@ -359,7 +359,7 @@ check_sbin() { _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "$file") + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & _wait jobs done From edcbaa1b94f511e4b3db9642718887dc98f93511 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:01:24 +0200 Subject: [PATCH 516/977] fix: add gpartedbin back to sbin.list. --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 15373846c..a17f15448 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -275,6 +275,7 @@ getweb gnome-menus-blacklist gpart gparted +gpartedbin gpm groupadd groupdel From 65f96447530dccb2928b682d76c37cfb0164a76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:37:59 +0200 Subject: [PATCH 517/977] fix: linter check. --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/profiles-g-l/hw-probe | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0064d682b..209971ac2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -34,7 +34,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{sbin}/wsdd rPx, + @{bin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 11e863972..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{sbin}/lspci rCx -> lspci, + @{bin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{sbin}/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index fc6b8775b..f518a18f0 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, From a4737546f76fe1f4aaa65d2ad7d5663c3a317c5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:58:24 +0200 Subject: [PATCH 518/977] tests: update sbin.list --- apparmor.d/profiles-g-l/haveged | 2 +- tests/sbin.list | 43 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..5773a73fb 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include diff --git a/tests/sbin.list b/tests/sbin.list index a17f15448..1adc90ee8 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1,3 +1,5 @@ +a2enmod +a2query aa-audit aa-autodep aa-cleanprof @@ -32,6 +34,7 @@ alsabat-test alsactl anacron apache2 +apache2ctl apparmor_parser apparmor_status applygnupgdefaults @@ -65,7 +68,6 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode -biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -103,6 +105,7 @@ cfdisk cgdisk chat chcpu +check_forensic check_mail_queue check-bios-nx checkproc @@ -164,7 +167,6 @@ dmevent_tool dmeventd dmfilemapd dmidecode -dmidecode dmraid dmsetup dnsmasq @@ -191,6 +193,8 @@ ec_access efibootdump efibootmgr enforce +ephemeral-disk-warning +escapesrc ethtool eventlogadm execsnoop-bpfcc @@ -264,8 +268,12 @@ g13-syshelp gdisk gdm gdm3 +genccode +gencmn genl +gennorm2 genprof +gensprep getcap gethostlatency-bpfcc gethostlatency.bt @@ -304,10 +312,19 @@ grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc +haveged hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon hwclock hwinfo iconvconfig +icupkg ifconfig ifrename ifstat @@ -321,6 +338,7 @@ installkernel integritysetup invoke-rc.d ip6tables-legacy-batch +ipmaddr ipp-usb ippevepcl ippeveprinter @@ -328,6 +346,7 @@ ippeveps ipset iptables-apply iptables-legacy-batch +iptunnel irqbalance irqbalance-ui isadump @@ -392,6 +411,7 @@ lpadmin lpc lpinfo lpmove +lsvmbus luksformat lvm lvm_import_vdo @@ -410,6 +430,7 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc +mii-tool mk_isdnhwdb mkdict mkdosfs @@ -453,7 +474,9 @@ mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc +nameif naptime.bt needrestart netqtop-bpfcc @@ -468,6 +491,7 @@ nfsiostat nfsslower-bpfcc nfsstat nft +nginx nmbd nodegc-bpfcc nodestat-bpfcc @@ -480,6 +504,7 @@ ntfscp ntfslabel ntfsresize ntfsundelete +nvme offcputime-bpfcc offwaketime-bpfcc on_ac_power @@ -491,7 +516,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -510,12 +534,17 @@ pdata_tools perlcalls-bpfcc perlflow-bpfcc perlstat-bpfcc +pg_updatedicts +php-fpm8.3 phpcalls-bpfcc +phpenmod phpflow-bpfcc +phpquery phpstat-bpfcc pidpersec-bpfcc pidpersec.bt pivot_root +plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -552,6 +581,7 @@ pythonstat-bpfcc qemu-ga qmqp-source qshape +rarp rcfirewalld rcopenvpn rcpcscd @@ -632,6 +662,7 @@ showmount skdump sktest slabratetop-bpfcc +slattach sm-notify smart_agetty smartctl @@ -646,6 +677,7 @@ sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +split-logfile ss sshd sshd-gen-keys-start @@ -754,6 +786,7 @@ update-inetd update-info-dir update-initramfs update-java-alternatives +update-language update-locale update-mime update-passwd @@ -762,6 +795,9 @@ update-rc.d update-secureboot-policy update-shells update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile update-xmlcatalog upgrade-from-grub-legacy usb_modeswitch @@ -793,7 +829,6 @@ visudo vmcore-dmesg vncsession vpddecode -vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc From e3bd48bd758601e17cef0d6825268e4cad55ead8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:55:17 +0200 Subject: [PATCH 519/977] build: justfile: add group. --- Justfile | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 825097a1b..4021b0e5a 100644 --- a/Justfile +++ b/Justfile @@ -64,24 +64,34 @@ help: @just --list --unsorted @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." +[group('build')] [doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +[group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild +[group('build')] [doc('Prebuild the profiles in complain mode')] complain: build @./{{build}}/prebuild --complain +[group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build @./{{build}}/prebuild --complain --full -[doc('Install the profiles')] +[group('build')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -108,26 +118,31 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +[group('packages')] [doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +[group('packages')] [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +[group('tests')] [doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +[group('linter')] [doc('Run the linters')] lint: golangci-lint run @@ -138,18 +153,22 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +[group('linter')] [doc('Run style checks on the profiles')] check: @bash tests/check.sh +[group('docs')] [doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +[group('docs')] [doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +[group('docs')] [doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @@ -160,6 +179,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +[group('packages')] [doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash @@ -175,6 +195,7 @@ package dist: fi bash dists/docker.sh $dist $version +[group('vm')] [doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} @@ -192,6 +213,7 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +[group('vm')] [doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @@ -211,33 +233,40 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +[group('vm')] [doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +[group('vm')] [doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] [doc('List the machines')] list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +[group('vm')] [doc('List the VM images')] images: #!/usr/bin/env bash @@ -254,6 +283,7 @@ images: } ' +[group('vm')] [doc('List the VM images that can be created')] available: #!/usr/bin/env bash @@ -270,6 +300,8 @@ available: } ' + +[group('tests')] [doc('Run the integration tests on the machine')] integration dist flavor: @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @@ -280,12 +312,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ - +[group('internal')] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' +[group('internal')] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From 3291d9a370f5972f67ba5d524f90312f7fbd49eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:56:18 +0200 Subject: [PATCH 520/977] fix: use mappings/sudo in su. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index c4e83ddfa..866da3d6a 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,7 +12,7 @@ profile su @{exec_path} { include include include - include #aa:only RBAC + include #aa:only RBAC capability chown, # pseudo-terminal From cdd45bcd608545b4d84ca7826c5cf69e73883b39 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 11 Jun 2025 17:53:27 +0200 Subject: [PATCH 521/977] add xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..e44377ea3 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,6 +77,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/xkeyboard-config-2/{,**} r, include if exists From c947fe6c6cb2a9cf4102f9f951d875c0af33039c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:48:53 +0200 Subject: [PATCH 522/977] complete xkeyboard-config-2 permissions --- apparmor.d/abstractions/X-strict | 1 + apparmor.d/abstractions/desktop | 1 - apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 1 + 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index d3e2cef4f..9330d2223 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -12,6 +12,7 @@ /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index e44377ea3..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,7 +77,6 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/xkeyboard-config-2/{,**} r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 3befcd92a..75d382c40 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -23,6 +23,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/.#locale.conf@{hex16} rw, /etc/.#vconsole.conf* rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index d5762a84e..64c83f5c8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -45,6 +45,7 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, From 5216cbdcdefc716848bbf762ea5de92a41c52ce2 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:54:00 +0200 Subject: [PATCH 523/977] add more xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..f53627fcc 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,6 +27,7 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 1f7e019500a87027fd03f89e148e52b71946e4c0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 16:23:05 +0200 Subject: [PATCH 524/977] clean desktop abstraction --- apparmor.d/abstractions/desktop | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index f53627fcc..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,7 +27,6 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 8118bf3d23052e3319c73c29f36e376212ccb8b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:48:07 +0200 Subject: [PATCH 525/977] fix: pinentry gtk need access to its cmdline. fix #768 --- apparmor.d/profiles-m-r/pinentry-gtk | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index a0244956d..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,16 +11,12 @@ include profile pinentry-gtk @{exec_path} { include include - include - include include - include + include @{exec_path} mr, - /usr/share/gtk-@{int}.@{int}/{,**} r, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + @{PROC}/@{pid}/cmdline r, owner /dev/tty@{int} r, From 4cb6de3d2d440f08766a0dc1aa23df220a913418 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:50:22 +0200 Subject: [PATCH 526/977] fix(profile): ufw: allow kmod. fix #765 --- apparmor.d/groups/firewall/ufw | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7f133641..3b931fb2b 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,11 +32,13 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{python_path} rix, @{bin}/ r, @{bin}/cat rix, + @{bin}/echo rix, @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rix, @{sbin}/sysctl rix, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, - @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -56,6 +58,18 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + include if exists } From d3aa4ae4a12c6a1be645282aacf829be39f8e564 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:08 +0200 Subject: [PATCH 527/977] fix(abs): ensure generic app can run widevine. fix #764 --- apparmor.d/abstractions/common/app | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 99da31590..efb3c838b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -54,7 +54,7 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, @@ -122,6 +122,7 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, From 110f4ea40e7d806790952b2a7451a14f1e70e734 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:40 +0200 Subject: [PATCH 528/977] feat(abs): mesa: add /var/cache as fallback location. --- apparmor.d/abstractions/mesa.d/complete | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index a19166367..1d718c0b1 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,6 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, From 2941334b7ccca275cd7dbd409709d452069bd19f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:04:55 +0200 Subject: [PATCH 529/977] fix(profile): brave flag & stacked helper. fix #763 --- apparmor.d/groups/browsers/brave | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58..0decb0d4b 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 From 07007f93c4a5a81de933485a931db7377440f949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:06:55 +0200 Subject: [PATCH 530/977] fix(fsp): ignore not yet used mappings. --- apparmor.d/groups/utils/chfn | 1 - apparmor.d/groups/utils/chsh | 1 - 2 files changed, 2 deletions(-) diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 824d92bf4..45b50c7ad 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,7 +15,6 @@ profile chfn @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index a630a7733..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,7 +15,6 @@ profile chsh @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, From 5ae1cc854da90f275ea6144d60a587e98bec461b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:20:13 +0200 Subject: [PATCH 531/977] fix(profile): pacman: add integration witn limine. fix #756 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14753416f..e72c62667 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -81,6 +81,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/killall rix, @{sbin}/ldconfig rix, @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, @{bin}/mkinitcpio rPx, @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, From b88cf164ec5c3b8764068911f93cb240c7c19620 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:38:37 +0200 Subject: [PATCH 532/977] feat(profile): gnome-shell: allow some basic tools needed by some extensions. fix #705 --- apparmor.d/groups/gnome/gnome-shell | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1099f254d..b97d6d568 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -170,6 +170,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @@ -386,8 +387,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -400,6 +403,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + profile pkexec { include include From 8fa7c49a6512c3e3a3b6171f64159273e894f9b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:42:11 +0200 Subject: [PATCH 533/977] feat(profile): add firefox crashhelper --- apparmor.d/abstractions/app/firefox | 1 + .../groups/browsers/firefox-crashhelper | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 apparmor.d/groups/browsers/firefox-crashhelper diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 73cb82070..1ea0c3b86 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,6 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, + @{lib_dirs}/crashhelper rPx, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..55443a330 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} { + include + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + include if exists +} + +# vim:syntax=apparmor From 011de3c301600addf6cc9ab763f61b378302c0f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:48:16 +0200 Subject: [PATCH 534/977] feat(profile): flatpak: ensure remote can be added/removed. see #690 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-system-helper | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 52e9e32ef..c34ae962f 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -96,6 +96,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner @{tmp}/remote-summary-sig.@{rand6} rw, + owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, @{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index dfaa920ac..1381a1483 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -40,7 +40,7 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/ r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, /usr/share/mime/mime.cache r, @@ -51,8 +51,8 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - /tmp/remote-summary-sig.@{rand6} r, - /tmp/remote-summary.@{rand6} r, + @{tmp}/remote-summary-sig.@{rand6} r, + @{tmp}/remote-summary.@{rand6} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, From 34f9a53a3bb8e4ab7a20127631765960ef012f29 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:53:36 +0200 Subject: [PATCH 535/977] ci: start dropping ci tests on ubuntu 22.04. --- .github/workflows/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4baa4a776..cac8fce43 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,8 +23,6 @@ jobs: mode: default - os: ubuntu-24.04 mode: full-system-policy - - os: ubuntu-22.04 - mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From eeebcf91f3b374d2ac83fd40b9c5e7d2bace1cdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:05:50 +0200 Subject: [PATCH 536/977] feat(abs): add base-strict. For now, it is only a restructuring of the base abstraction with awareness of the apparmor.d architecture. --- apparmor.d/abstractions/base-strict | 131 ++++++++++++++++++++++ apparmor.d/abstractions/crypto.d/complete | 8 ++ apparmor.d/abstractions/glibc | 41 +++++++ apparmor.d/abstractions/ld | 23 ++++ apparmor.d/abstractions/locale | 26 +++++ 5 files changed, 229 insertions(+) create mode 100644 apparmor.d/abstractions/base-strict create mode 100644 apparmor.d/abstractions/glibc create mode 100644 apparmor.d/abstractions/ld create mode 100644 apparmor.d/abstractions/locale diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 000000000..0f4382bfe --- /dev/null +++ b/apparmor.d/abstractions/base-strict @@ -0,0 +1,131 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children profiles + signal peer=@{profile_name}//*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..aa6e14416 --- /dev/null +++ b/apparmor.d/abstractions/glibc @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 000000000..21ac745e2 --- /dev/null +++ b/apparmor.d/abstractions/ld @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 000000000..873c303f5 --- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor From 7dd860f2770ea0f7668e891ac7c59e2dc4808cee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:15:07 +0200 Subject: [PATCH 537/977] feat(profile): minor update & cosmetic. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/abstractions/common/game | 4 ++-- apparmor.d/groups/apparmor/aa-log | 2 -- apparmor.d/groups/apparmor/aa-status | 4 ++-- apparmor.d/groups/bluetooth/bluetoothd | 3 ++- apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/ssh/sshd | 8 +++++--- .../systemd-generators/systemd-generator-ssh | 4 ++++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/utils/lspci | 4 ---- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/haveged | 7 +++---- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mandb | 8 ++++---- apparmor.d/profiles-m-r/mimetype | 1 - apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 3 ++- apparmor.d/profiles-m-r/pcscd | 14 +++++++------- 25 files changed, 47 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1ea0c3b86..d988f608c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,7 +26,7 @@ include include include - include + include include include include @@ -126,6 +126,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1..6b97b014c 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 03352e8bf..1a3e0aeff 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,8 +21,6 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 17de74439..9badb78c1 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 8ca699aaf..aa84eebd9 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 5c1a7633e..efb5f42e4 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -31,6 +31,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 25f8ecc7f..fba734ad4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 4063fc473..40b8bc9b5 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 56445aeac..1b12a68cd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index db440bf4c..f084e7b12 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index de8643100..87c3d4104 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783..67e56c3c6 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index cc12a9eec..a514e7c99 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, capability kill, capability net_bind_service, @@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), - ptrace (read,trace) peer=@{p_systemd}, + signal receive set=hup peer=@{p_systemd}, + + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index efb56468e..0f6aa11d9 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index 4d601d0f9..ee5d924cc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 75d382c40..104a141ce 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb..0ae22a03a 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability sys_admin, - @{exec_path} mr, - /app/lib/libzypak-preload-host*.so rm, - /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5fb948234..961b55c97 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 5773a73fb..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 3f3134400..dd653bd61 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0..cd825471d 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include @@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) { /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man@{u8}/*.@{int}.gz r, + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9b..cf8431c7a 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -13,7 +13,6 @@ profile mimetype @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /usr/share/mime/**.xml r, /usr/share/mime/globs r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 41fa96c4c..9b3525fa5 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace read peer=unconfined, + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 90cc6a4ba..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { @{exec_path} mrix, - @{bin}/md5sum ix, @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, /usr/share/pam{,-configs}/{,*} r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 67e0ee74e..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, From 1118d2ffc5bdde1def44447be76715d55f10bd5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:17:45 +0200 Subject: [PATCH 538/977] build: use the base-strict abstraction automatically. --- apparmor.d/abstractions/attached/base | 6 +++--- pkg/prebuild/builder/attach.go | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 4c35d915d..e394c5b99 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,14 +8,14 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, - deny /apparmor/.null rw, - deny @{att}/apparmor/.null rw, + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index f7f0c9bed..aeafcbf7d 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil From 390a8b1b011dbb335c1054ea5124a02423925da2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:20:03 +0200 Subject: [PATCH 539/977] build: add the fsp-debug build command. --- Justfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 4021b0e5a..109cfed3b 100644 --- a/Justfile +++ b/Justfile @@ -90,6 +90,11 @@ fsp: build fsp-complain: build @./{{build}}/prebuild --complain --full +[group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] +fsp-debug: build + @./{{build}}/prebuild --complain --full --debug + [group('build')] [doc('Install prebuild profiles')] install: @@ -312,13 +317,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ -[group('internal')] +[private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[group('internal')] +[private] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From d01b7ce7d6e0a701e59c9eb3adf780cefb7935b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:42:30 +0200 Subject: [PATCH 540/977] chore: cleanup linter issue. --- apparmor.d/abstractions/base-strict | 2 +- pkg/aa/apparmor_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 0f4382bfe..818a4937f 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -8,7 +8,7 @@ # Do not use it manually, It automatically replaces the base abstraction in # profiles when the re-attached mode is enabled. - # For now, it is only a restructuring of the base abstraction with awareness + # For now, it is only a restructuring of the base abstraction with awareness # of the apparmor.d architecture. abi , diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 71be0ba0a..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, From fc45e5ee66b7b9b2c3d0c15fd095991b591a2313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:18:39 +0200 Subject: [PATCH 541/977] feat(fsp): add initial sd-umount. --- apparmor.d/groups/_full/sd-umount | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-umount diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount new file mode 100644 index 000000000..e5d67f0a9 --- /dev/null +++ b/apparmor.d/groups/_full/sd-umount @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-umount is a subprofile of sd responsible to handle unmounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-umount.d directory + +abi , + +include + +@{exec_path} = @{bin}/umount +profile sd-umount flags=(complain) { + include + + capability sys_admin, + + umount @{efi}, + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 0478e62f56d238d82e873b4174645597249ade77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:19:43 +0200 Subject: [PATCH 542/977] feat(fsp): sd/sdu: improve integration with stacked profiles. --- apparmor.d/groups/_full/sd | 5 +++-- apparmor.d/groups/_full/sdu | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 44b3a9b7d..48172638e 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{lib}/{,**} r, @{sbin}/{,*} r, /usr/share/** r, + /etc/*/ w, /etc/** rk, /home/ r, @@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 411a8c3ad..c9338fd22 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw, @@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/ rw, owner @{user_state_dirs}/wireplumber/stream-properties rw, owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{int} r, - @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/sound/seq/uevent r, From e7f25571d0865cd08bceac7c4e5bba845a8805a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:22:34 +0200 Subject: [PATCH 543/977] chore(profile): rename netplan.script to netplan. --- apparmor.d/groups/network/{netplan.script => netplan} | 8 ++++---- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- dists/flags/main.flags | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/groups/network/{netplan.script => netplan} (81%) diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 81% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index 094726865..5855131a8 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include include include @@ -33,7 +33,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -42,10 +42,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 916279378..840e33cdd 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -38,7 +38,7 @@ profile subiquity-console-conf @{exec_path} { @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 77ea8761f..71670d4d7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,7 +240,7 @@ multipathd complain needrestart-hook complain needrestart-notify complain needrestart-restart complain -netplan.script attach_disconnected,complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain From 0e4cc45a5b19e7503f51914cda745da46732b449 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 20:03:53 +0200 Subject: [PATCH 544/977] tests: simplify sbin check. --- tests/check.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index add9b0685..b1783bf8e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -353,11 +353,9 @@ check_sbin() { for file in "${files[@]}"; do ( while read -r match; do - if [[ $match =~ (@\{sbin\}/($pattern)) ]]; then - name="${BASH_REMATCH[2]}" - if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi + name="${match/\@\{sbin\}\//}" + if ! _in_array "$name" "${sbin[@]}"; then + _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & From d2dbf771cc7fb08235b8305afb967053c25a38cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:07:17 +0200 Subject: [PATCH 545/977] feat(profiles): ensure we use {,e}grep instead of grep. --- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/browsers/torbrowser-launcher | 2 +- apparmor.d/groups/browsers/torbrowser-start | 2 +- apparmor.d/groups/cron/cron-ntp | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- .../groups/systemd-generators/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd-service/grub-common.service | 2 +- apparmor.d/groups/systemd/systemd-sleep-grub | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/ubuntu-fan-net | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-a-f/ddcutil | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/install-catalog | 2 +- apparmor.d/profiles-g-l/kdump-config | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 +- apparmor.d/profiles-g-l/language-validate | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/logrotate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/secure-time-sync | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/sysstat-sa | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- apparmor.d/profiles-s-z/ucfr | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/veracrypt | 2 +- apparmor.d/profiles-s-z/whatis | 2 +- apparmor.d/profiles-s-z/zed | 2 +- 55 files changed, 55 insertions(+), 55 deletions(-) diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 08e1400b2..bd2f7fbb0 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index e9a03f282..122e4541e 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -13,7 +13,7 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107..4969a14c3 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac8..ce6a3678c 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f745..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 63a664096..fa6e9874f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 6eeeaa414..b3658b738 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -50,7 +50,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 052180a99..d110fb83b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -25,7 +25,7 @@ profile xdm-xsession @{exec_path} { @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index 4168ad4fe..cce01b0d0 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -13,7 +13,7 @@ profile lvmpolld @{exec_path} { include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index b9b2cfd45..da13572e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2f9077d19..85b3268dd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -67,7 +67,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/tecla rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e0ff334db..1f29958d1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -20,7 +20,7 @@ profile gnome-session @{exec_path} { @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b97d6d568..e977af95e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -388,7 +388,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rPx -> gnome-shell//lsmod, @{bin}/pmap rix, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ebb150ed2..45c382855 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -24,7 +24,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index b69d7fdb9..004b89d57 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -21,7 +21,7 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87207e2b7..87a418153 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -42,7 +42,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 287bc026a..025d87b29 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -22,7 +22,7 @@ profile pacman-key @{exec_path} { @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, @{bin}/pacman-conf rPx, @{bin}/touch rix, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index c9f0c6373..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index ba6141d86..daa877efe 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index 4abd74fb1..f8cf34f25 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -14,7 +14,7 @@ profile grub-common.service { include @{sh_path} rix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/grub-editenv rix, @{bin}/mkdir ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 9fd065db3..a80a4f729 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -16,7 +16,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 840e33cdd..dc67817ed 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index f9d7c01f5..74fe83551 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,7 +14,7 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 0573f38bf..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -18,7 +18,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index 27e4eb594..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -19,7 +19,7 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, @{bin}/systemd-cat rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 1cc3e7668..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -15,7 +15,7 @@ profile pam-info @{exec_path} { @{sh_path} rix, @{sbin}/faillock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34..10f30b50b 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -20,7 +20,7 @@ profile rads @{exec_path} { @{bin}/chvt rix, @{bin}/free rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087c..dbe561ab6 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fb..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index d56782267..83806e753 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -16,7 +16,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/dmsetup rPUx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb8..7c353bf65 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,7 +21,7 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index d8f2f819e..b22730a27 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -24,7 +24,7 @@ profile finalrd @{exec_path} { @{bin}/dirname ix, @{bin}/env ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/ln ix, @{bin}/mkdir ix, @{bin}/mount ix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 795c92f00..779dd8e67 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -17,7 +17,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, /usr/lib/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2b3516202..f8b75f742 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -25,7 +25,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index aeac3e6a1..056b2d83c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -25,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79e..80f914fab 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,7 +15,7 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, /usr/share/locale-langpack/{,*} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 191ac5782..8cc8a65e1 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -43,7 +43,7 @@ profile libreoffice @{exec_path} { @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8d3dc2171..0dee9ed6a 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -30,7 +30,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{sbin}/invoke-rc.d rix, @{bin}/kill rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..013143152 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -19,7 +19,7 @@ profile modprobed-db @{exec_path} { @{bin}/cut rix, @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index e5ee2fd8f..4474c1bfc 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -15,7 +15,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{sh_path} rix, @{bin}/bzip2 rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/lzop rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5ae5df7e6..d13099bc3 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1a0bd0ea9..dfd488a48 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -28,7 +28,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd63..e275fb764 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa index 37f5e3ca1..9dcc199bc 100644 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -17,7 +17,7 @@ profile sysstat-sa @{exec_path} { @{sh_path} rix, @{bin}/date ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/rm ix, @{bin}/sar.sysstat ix, @{bin}/xargs ix, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index c01edd9ec..9faea6e3e 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -32,7 +32,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cp rix, @{sbin}/ethtool rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index b38f8aae4..add5c5b64 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -16,7 +16,7 @@ profile ucfr @{exec_path} { @{bin}/basename ix, @{bin}/{m,g,}awk ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index b7f00b263..8f848b0ad 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -21,7 +21,7 @@ profile update-cracklib @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 1e5417b15..b9b92a721 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -30,7 +30,7 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, @{sbin}/dmsetup rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rix, @{sbin}/ldconfig rix, @{sbin}/losetup rCx -> losetup, diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 43fa8ff09..3febd0b0b 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index bb160a5e5..b131897d4 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, From be62e5186f739b2316fc8ac2c22c3a5be37ad163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:16:16 +0200 Subject: [PATCH 546/977] feat(profiles): ensure we use which{,.debianutils} instead of which. --- apparmor.d/abstractions/app/editor | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 3 +-- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pokemmo | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- 35 files changed, 35 insertions(+), 36 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f62e36339..2bd14077b 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -13,7 +13,7 @@ @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index bd2f7fbb0..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 59f7a54f6..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 7001da3fe..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 0a97d4052..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 3da31e332..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 1778d4b7e..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 83eb22428..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,9 +14,8 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index a471b2844..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index ec9690938..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 0604eba3a..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index fa6e9874f..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 4eb916aab..361a30b26 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 9804ddcb0..03e77816c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..f27f3dc3c 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -40,7 +40,7 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6431ee98a..a6ff1a939 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{bin}/ip rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e72c62667..e9f3bf807 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -101,7 +101,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index bb5cd329c..5a4e130a0 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 6af2cd38d..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 43edd3233..a10df8394 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index bb7dfd3b8..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index b2dc7b92d..727bf8cdf 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 515d2234c..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 10e085799..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 133cf8ae7..6bc2c8961 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -33,7 +33,7 @@ profile kernel @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index c077f3836..86792860c 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index e4e8a36e2..899290792 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 162c0b743..da853aa9a 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index d13099bc3..096f0316a 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5..324b08f17 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ee7adab75..45c6766e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -72,7 +72,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 0a7b992b6..3c3374d85 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index bba603690..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index eb26a4967..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 61151a7db..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, From 27907e5a17e3720e6b369ea62256eb7d36551b92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:27:34 +0200 Subject: [PATCH 547/977] feat(profiles): ensure we use {m,g,}awk instead of awk. --- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/profiles-g-l/kernel-postinst-kdump | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/tomb | 3 +-- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87a418153..029a5e39a 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -41,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 10f30b50b..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,7 +19,7 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 91af3a842..e1358ec29 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -14,7 +14,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/du rix, @{bin}/find rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 013143152..90bf73cf3 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,7 +17,7 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, @{bin}/{,e}grep rix, @{bin}/logname rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 508ac6eff..93e29bcfa 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -27,7 +27,7 @@ profile tomb @{exec_path} { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -41,7 +41,6 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, @{bin}/hostname rix, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43..b7ad3a2e8 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -31,7 +31,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib_dirs}/crashpad_handler ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 023644eb0..55155f2b8 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -36,7 +36,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/wechat-appimage.AppImage ix, /tmp/.mount_wechat??????/AppRun ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, From 033a7475e08db25afacdeca23f8aab1786d7d70a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:35:13 +0200 Subject: [PATCH 548/977] tests: enforce equivalent tests. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index b1783bf8e..801e81114 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -134,6 +134,7 @@ _check_directory_mark() { declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" ["which"]="which{,.debianutils}" ) @@ -371,7 +372,10 @@ check_profiles() { -prune -o -type f -print ) jobs=0 - WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + WITH_CHECK=( + equivalent + abi include profile header tabs trailing indentation subprofiles vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -388,7 +392,10 @@ check_abstractions() { _msg "Checking abstractions" mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 - WITH_CHECK=(abi include header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + abi include header tabs trailing indentation vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -406,7 +413,10 @@ check_abstractions() { ) # shellcheck disable=SC2034 jobs=0 - WITH_CHECK=(header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + header tabs trailing indentation vim + ) for file in "${files[@]}"; do _check "$file" & _wait jobs From f29041576e234e3d4873da2434d4fd3298c2b01d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:55:20 +0200 Subject: [PATCH 549/977] feat(profile): move away from old or too wide abstractions. --- .../groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/filesystem/udiskie | 10 ++-- apparmor.d/groups/hyprland/hyprpm | 1 - apparmor.d/groups/network/nm-dhcp-helper | 2 +- apparmor.d/groups/usb/usbguard-applet-qt | 20 +++----- apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/profiles-a-f/atftpd | 8 +++- apparmor.d/profiles-a-f/dhclient-script | 8 +++- apparmor.d/profiles-a-f/dumpcap | 8 ++-- apparmor.d/profiles-a-f/ffplay | 3 +- apparmor.d/profiles-a-f/fritzing | 46 ++++++++----------- apparmor.d/profiles-g-l/light-locker | 12 ++--- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++-- apparmor.d/profiles-m-r/netstat | 8 +++- apparmor.d/profiles-m-r/pcb-gtk | 8 +--- apparmor.d/profiles-s-z/sing-box | 1 - apparmor.d/profiles-s-z/tftp | 8 +++- apparmor.d/profiles-s-z/vsftpd | 8 +++- apparmor.d/profiles-s-z/youtube-dl | 4 +- 19 files changed, 84 insertions(+), 86 deletions(-) diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index a6a2e2ad3..53b726c23 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -11,16 +11,12 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, @{python_path} r, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a5878808..149128b1e 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt index a76398dd9..558b9093c 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include - include - include - include - include - include + include include + include + include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 4d730602d..844af4443 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -17,8 +17,9 @@ include @{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf36..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9a7e77902..3967512b8 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index a4dec5d34..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 18b990bbc..c57323c6a 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,16 +10,13 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include - include - include - include - include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, @@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc8..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 835e1a391..4e0ace19a 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -10,19 +10,15 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fa..2f057f2a7 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735e..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af3561..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 381e878fa..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, From 3ffff07f3fb386e980d9bb7bc763824bef2e6c5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Jun 2025 00:00:48 +0200 Subject: [PATCH 550/977] tests: enforce abstractions test. --- apparmor.d/profiles-m-r/rsyslogd | 14 +++++--------- tests/check.sh | 10 +++++----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 599fac88f..80d75a928 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,15 +7,10 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - @{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include capability chown, # For creating new log files and changing their owner/group capability net_admin, # For remote logs @@ -24,18 +19,19 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + network inet dgram, + network inet6 dgram, + signal receive set=hup peer=@{p_systemd}, @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, diff --git a/tests/check.sh b/tests/check.sh index 801e81114..28adc7710 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -93,7 +93,7 @@ _check() { # Rules checks: security, compatibility and rule issues readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" ["bash"]="shell" @@ -142,7 +142,7 @@ _check_equivalent() { _is_enabled equivalent || return 0 local prgmname for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname"* ]]; then + if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi @@ -373,7 +373,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -393,7 +393,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -414,7 +414,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent header tabs trailing indentation vim ) for file in "${files[@]}"; do From bb6ca01718dad6cd91055c8d2c825143d00ca2f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:36:23 +0200 Subject: [PATCH 551/977] feat(profile): ufw: integrate ufw-init in ufw, use sysctl in subprofile. --- apparmor.d/groups/firewall/ufw | 22 ++++++++++++++++++---- apparmor.d/groups/firewall/ufw-init | 21 +++++++++++++++++++-- 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 3b931fb2b..39517ee6c 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/ r, + @{sbin}/ r, @{bin}/cat rix, - @{bin}/echo rix, @{bin}/env r, @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rix, - @{sbin}/sysctl rix, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) { include if exists } + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 5c0521790..aae80b87d 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,6 +11,7 @@ profile ufw-init @{exec_path} { include include + capability dac_read_search, capability net_admin, network inet dgram, @@ -22,7 +23,8 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/sysctl rix, + @{bin}/echo rix, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -30,7 +32,22 @@ profile ufw-init @{exec_path} { /etc/ufw/* r, @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/net/ipv{4,6}/** rw, + # @{PROC}/sys/net/ipv{4,6}/** rw, + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } include if exists } From ea45cec24d5cbf9c66feb859740b802cf46ececf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:43:02 +0200 Subject: [PATCH 552/977] feat(fsp): improve fsp profiles. --- apparmor.d/groups/_full/sd | 24 ++++++------------------ apparmor.d/groups/_full/sdu | 2 ++ apparmor.d/groups/_full/systemd | 5 ++++- apparmor.d/groups/_full/systemd-user | 2 +- 4 files changed, 13 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 48172638e..da14cabf3 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { umount /, umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, - - # mount tmpfs -> @{run}/lock/, - # mount tmpfs -> @{sys}/fs/cgroup/, - # mount cgroup -> @{sys}/fs/cgroup/systemd/, - # audit mount /dev/** -> /boot/{,efi/}, - # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - - # audit remount @{run}/systemd/unit-root/{,**}, - # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, - # audit remount options=(ro nosuid nodev bind) /var/, - # audit remount options=(ro nosuid nodev noexec bind) /boot/, - - # audit umount @{PROC}/sys/fs/binfmt_misc/, - # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, - # audit umount @{run}/systemd/unit-root/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, @@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{bin}/true ix, # Required due to stacked profiles - @{sbin}/grpck ix, + @{bin}/find ix, @{bin}/gzip ix, @{bin}/install ix, - @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, @{lib}/systemd/systemd-userwork ix, + @{sbin}/grpck ix, + @{sbin}/pwck ix, / r, @{att}/ r, @{bin}/{,**} r, @{lib}/{,**} r, @{sbin}/{,*} r, + /usr/local/{,**} r, /usr/share/** r, /etc/*/ w, /etc/** rk, @@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/lib/*/ rw, /var/lib/*/** rwk, /var/lib/systemd/*/ r, + /var/log/ r, /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index c9338fd22..80d8c1fb9 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny capability net_admin, + profile shell flags=(attach_disconnected,mediate_deleted,complain) { include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index b7c12c6bd..184084fed 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -50,7 +50,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted) { +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/default/{,**} r, + /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, @@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index ed531c58b..a5bb4d926 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -16,7 +16,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include From cd619d280a5ba23537114e74ed8fa4c294e00559 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:44:43 +0200 Subject: [PATCH 553/977] feat(profile): update apt profiles. --- apparmor.d/groups/apt/apt-methods-http | 3 ++- apparmor.d/groups/apt/dpkg-script-systemd | 5 +++++ apparmor.d/groups/apt/dpkg-scripts | 11 +++++++++++ apparmor.d/groups/apt/dpkg-statoverride | 1 + apparmor.d/groups/apt/unattended-upgrade | 2 +- 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7fb3a2cc4..61be160dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 8ca92515c..722e72c53 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{bin}/dpkg mr, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 3102b23bb..e16d25bf2 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} { / r, /*/ r, @{bin}/ r, + @{bin}/* w, @{lib}/ r, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, @@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} { /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + @{PROC}/@{pid}/fd/ r, + profile bus { include include @@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} { @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 34d6412c1..d2e02f613 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c2d94e25a..fa6929f35 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, From 5eb08f8de57803664d700b7d05fa7023f6b499b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:47:49 +0200 Subject: [PATCH 554/977] feat(profile): improve pacman profiles. --- apparmor.d/groups/pacman/pacman-hook-code | 6 +++--- apparmor.d/groups/pacman/pacman-key | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 2496d7a9b..ee23781f4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -20,8 +20,8 @@ profile pacman-hook-code @{exec_path} { @{lib}/code/product.json rw, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 025d87b29..a5cee6fa9 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -21,10 +21,10 @@ profile pacman-key @{exec_path} { @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> &gpg, @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, From 03d7ef55896e0d5b7bf5348000fbdcab26737490 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:52:22 +0200 Subject: [PATCH 555/977] feat(profile): add profile for sshd session. It is only a first draft as recent update in sshd, split sshd in multiple binaries, it will allow us to also split the confinement in multiple profile. --- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshd-session | 85 ++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ssh/sshd-session diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a514e7c99..75438c957 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,7 +69,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/passwd Px, @{lib}/{openssh,ssh}/sftp-server Px, @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session ix, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..e74696334 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session @@ -0,0 +1,85 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-session +profile sshd-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include #aa:only RBAC + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=sshd), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{lib}/{openssh,ssh}/sshd-auth Px, + + @{etc_rw}/motd r, + @{etc_rw}/motd.d/{,**} r, + /etc/machine-id r, + /etc/motd r, + + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + + /var/lib/wtmpdb/ w, + + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + + owner @{user_cache_dirs}/{,motd*} rw, + + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor From 226cb23073efb628f344c5c1985a543564671ee0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:53:26 +0200 Subject: [PATCH 556/977] feat(profile): small improvement to steam. --- apparmor.d/groups/steam/steam | 4 ++++ apparmor.d/groups/steam/steamerrorreporter | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed..151a3e161 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -109,6 +109,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -370,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -380,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index b4d5f3e68..d438c604d 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } From 6735b8e5f8ffa64a43297a3ff1318ef49376d388 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:55:22 +0200 Subject: [PATCH 557/977] feat(profile): zram: move kmod to its own subprofile. --- apparmor.d/groups/systemd/zram-generator | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index d156d88a4..473848ef3 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -11,16 +11,13 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, @@ -29,12 +26,18 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{sys}/block/zram@{int}/* rw, @{sys}/devices/virtual/block/zram@{int}/* rw, - @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod { + include + include + + include if exists + } + include if exists } From 0483f476ed72c35993313a7edd4a9f3d2ddb9239 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:56:54 +0200 Subject: [PATCH 558/977] fix(profile): aa-enforce: ensure looking path in sbin is allowed. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index fcf7dc724..1743fd9d0 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -16,7 +16,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, + @{sbin}/ r, @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, From 24a9da865f9daddc28e73793c9a8a724f9105592 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:05:47 +0200 Subject: [PATCH 559/977] chore: update sbin.list --- apparmor.d/profiles-a-f/atd | 2 +- tests/sbin.list | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aea3cbf01..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1adc90ee8..1d0eb5b97 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -43,6 +43,7 @@ argdist-bpfcc arp arpd aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -313,6 +314,7 @@ grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc haveged +hc-ifscan hdparm httxt2dbm hv_fcopy_daemon From e222816d32d5103399dac03651ac2ef222d72647 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:08:44 +0200 Subject: [PATCH 560/977] feat(profile): virt: move privileged actions to subprofle. --- apparmor.d/groups/virt/containerd | 6 ++-- apparmor.d/groups/virt/dockerd | 42 +++++++++++++++++++++++++-- apparmor.d/groups/virt/libvirtd | 9 +++++- apparmor.d/groups/virt/virt-aa-helper | 1 - 4 files changed, 49 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 598ec7ca9..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c4b39ff8c..abd6c90ec 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, @{bin}/git rCx -> git, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, @{bin}/unpigz rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. @@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 844af4443..a0d636883 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/dnsmasq rPx, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 81ec217b9..53afe6012 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, From f8250f7e0cc8e70fe679fac2374bad8690e24e09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:22:25 +0200 Subject: [PATCH 561/977] feat(profile): move kmod in subprofile. --- apparmor.d/profiles-g-l/hw-probe | 18 +++++++++++++----- apparmor.d/profiles-g-l/kernel | 13 ++++++++----- apparmor.d/profiles-g-l/kmod | 9 +-------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f518a18f0..3fbb9b0fd 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + profile pacman flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 6bc2c8961..d375a1bdd 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -13,8 +13,6 @@ profile kernel @{exec_path} { include include - capability sys_module, - @{exec_path} mr, @{sh_path} rix, @@ -24,7 +22,7 @@ profile kernel @{exec_path} { @{bin}/chmod rix, @{bin}/cut rix, @{bin}/dirname rix, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/mv rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -56,8 +54,6 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, @@ -65,6 +61,13 @@ profile kernel @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ccc8d6913..a793bf707 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 0572688c592a181b4b35b7e29573302d3b3718b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:27:06 +0200 Subject: [PATCH 562/977] feat(profile): small general upgrade. --- .../groups/systemd-service/dmesg.service | 1 + .../groups/systemd-service/man-db.service | 2 ++ apparmor.d/groups/ubuntu/esm_cache | 19 +++++++++++++++++++ apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-g-l/gitstatusd | 5 +++++ apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hddtemp | 18 +++--------------- apparmor.d/profiles-g-l/ischroot | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo | 6 +++--- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pycompile | 9 +++------ apparmor.d/profiles-m-r/rsyslogd | 7 ++++--- apparmor.d/profiles-s-z/update-initramfs | 3 +++ apparmor.d/profiles-s-z/whiptail | 2 ++ 18 files changed, 57 insertions(+), 34 deletions(-) create mode 100644 apparmor.d/groups/ubuntu/esm_cache diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 4c67f680a..0a46f6ed9 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) { capability chown, capability fsetid, + capability sys_admin, ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index 24b34fc25..c3bfa7c32 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete # ExecStart=/usr/bin/mandb --quiet abi , @@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) { include include + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..2596d6c12 --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index e1636c6d5..0e0dcdb0b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index f824343d6..b5a24940d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index dbe561ab6..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 0079053e0..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + capability setuid, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index a62ce7fde..8901ade9c 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, @{exec_path} mr, @@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 779dd8e67..719625dbd 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index 4e087343a..8c18782f9 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/update-notifier/tmp.@{rand10} w, + @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1c3c98d52..5eb5dac06 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} { @{bin}/who rix, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 8cc8a65e1..b21642cf8 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -109,7 +110,6 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 9b3525fa5..82465ceb2 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include + include capability dac_read_search, capability sys_ptrace, @@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} { /etc/needrestart/notify.conf r, @{PROC}/@{pid}/environ r, - @{PROC}/filesystems r, include if exists } diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 984fcf03c..b684c3094 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/dist-packages/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 80d75a928..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} { include include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, network inet dgram, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index f9e47cb52..472de3343 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} { @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/* rPUx, + /var/lib/initramfs-tools/* w, # For shell pwd diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f0efad77b..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,6 +18,8 @@ profile whiptail @{exec_path} { /usr/share/terminfo/** r, + /etc/newt/palette.* r, + include if exists } From 4d201ea417f3b32bc7e276ef4548f1c128a68301 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:35:38 +0200 Subject: [PATCH 563/977] feat(profile): add lsb-release Use it instead of lsb_release. --- apparmor.d/abstractions/app/chromium | 5 ++- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/apt/apt-listbugs | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/drkonqi | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- .../groups/ubuntu/software-properties-dbus | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- .../profiles-a-f/check-support-status-hook | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/lsb-release | 40 +++++++++++++++++++ apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- 36 files changed, 77 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/profiles-g-l/lsb-release diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 666387d0a..e555d3475 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -37,7 +37,7 @@ include include include - include + include include include include @@ -78,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -202,6 +202,7 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index d988f608c..5e3bc15cb 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -65,7 +65,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 7ce8961b9..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 35f8940ee..b42649d7c 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -22,7 +22,7 @@ profile command-not-found @{exec_path} { @{exec_path} r, @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPx, @{lib}/ r, diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index a8f7057e7..4660755d6 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -21,7 +21,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, @{bin}/hostname ix, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ab230a43b..e58c9d8b3 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,7 +47,7 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 651fac1ba..36e299a0c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -47,7 +47,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg rPx, @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fa6929f35..0d4d2ee33 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -58,7 +58,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{sbin}/dpkg-preconfigure Px, @{sbin}/on_ac_power Px, @{sbin}/sendmail Px, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index f044b0f44..6c45cac39 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -21,7 +21,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 87c3d4104..1b5d26125 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -39,7 +39,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 6d0ec6a72..e1037c6b7 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -19,7 +19,7 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{sbin}/lvm rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 802ba0a96..eebade917 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -33,7 +33,7 @@ profile dolphin @{exec_path} { @{lib}/libheif/*.so* mr, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index fbadf053b..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -24,7 +24,7 @@ profile drkonqi @{exec_path} { @{exec_path} mr, @{bin}/plasmashell r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5a4e130a0..4940653a3 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -46,7 +46,7 @@ profile apport-gtk @{exec_path} { @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index bdd2a0f54..65a19e0e0 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -30,7 +30,7 @@ profile check-new-release-gtk @{exec_path} { @{bin}/dpkg rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e7d6687d2..2d3eebbc2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -27,7 +27,7 @@ profile do-release-upgrade @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33..d5ad6e06c 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index c4c795649..8d55ec0b7 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -30,7 +30,7 @@ profile software-properties-dbus @{exec_path} { @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 64c83f5c8..bb31d8867 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -33,7 +33,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0e0dcdb0b..d69e7a4c4 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -45,7 +45,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index e6a3e7152..88967baf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -27,7 +27,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ea6318156..6c4dc4d77 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -35,7 +35,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a..b7a62fc82 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -90,7 +90,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df8394..e8a83892a 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -62,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 39f30c5fe..8101b3008 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d7..ddcd99add 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -31,7 +31,7 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index b4baf1d0c..15f86bcf5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -39,7 +39,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 4463ac581..366c2aed6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -38,7 +38,7 @@ profile filezilla @{exec_path} { @{bin}/fzsftp rPx, # When using SFTP protocol @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f13..b63a9e5ed 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -46,7 +46,7 @@ profile hardinfo @{exec_path} { @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 3fbb9b0fd..802cb85ae 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -62,7 +62,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 016dceae0..5b90dd3ef 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -34,7 +34,7 @@ profile kodi @{exec_path} { @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 000000000..23bada3ec --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + /etc/ r, + /etc/*-release r, + /etc/lsb-release r, + /etc/lsb-release.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 48ed42d84..a85eb6790 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 9d7663ebb..2065dd814 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 24e0c61dd..02bf3bc56 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -34,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 1d3850ba5..a455df0e9 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -34,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, From 43278aeda277619b5fe24252db8a9eea7dd8b02c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:36:52 +0200 Subject: [PATCH 564/977] feat(profile): rewrite the profile for hw-probe. --- apparmor.d/groups/utils/lsscsi | 24 ++++++++++++++ apparmor.d/profiles-g-l/hw-probe | 56 ++++++++++---------------------- 2 files changed, 41 insertions(+), 39 deletions(-) create mode 100644 apparmor.d/groups/utils/lsscsi diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 802cb85ae..2b91fc612 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -37,28 +36,18 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{sbin}/ethtool rCx -> netconfig, - @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{sbin}/hdparm rPx, - @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{sbin}/iw rCx -> netconfig, - @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, @@ -66,14 +55,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, + @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -83,12 +71,20 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -118,6 +114,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } profile pacman flags=(attach_disconnected) { include @@ -199,31 +202,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{sbin}/iw mr, - @{sbin}/ifconfig mr, - @{sbin}/iwconfig mr, - @{sbin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include From f443c71c7bb2db3f66440d9d230d994dacc3df4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:05:53 +0200 Subject: [PATCH 565/977] tests: allow empty abstractions directory. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 28adc7710..8b847db6f 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -390,7 +390,7 @@ check_profiles() { check_abstractions() { _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( abstractions equivalent @@ -408,8 +408,8 @@ check_abstractions() { wait mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" - find "$APPARMORD/mappings" -type f + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true ) # shellcheck disable=SC2034 jobs=0 From 1aee62f52cb02cbdb054c233a350f4f07d828e48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:07:02 +0200 Subject: [PATCH 566/977] feat(abs): mappings: add support for role from the sshd-session profile. --- apparmor.d/abstractions/mapping/sshd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index 97f0b077e..0f7512710 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -15,6 +15,8 @@ capability audit_write, capability chown, capability dac_read_search, + capability fowner, + capability fsetid, capability kill, capability setgid, capability setuid, @@ -25,12 +27,14 @@ # but will fall back to a non-privileged version if it fails. deny capability net_admin, + network inet stream, network inet6 stream, network netlink raw, signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, unix bind type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 From 0366543c39cb495e7129aee373055133b2324823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:09:37 +0200 Subject: [PATCH 567/977] feat(profile): add console-setup profiles. --- apparmor.d/profiles-a-f/console-setup-cached | 36 +++++++++++++++++++ .../profiles-a-f/console-setup-keyboard | 31 ++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/console-setup-cached create mode 100644 apparmor.d/profiles-a-f/console-setup-keyboard diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 9cb74ff384fd8bcdeade0e7eb016fabf79321651 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Jul 2025 23:22:12 +0200 Subject: [PATCH 568/977] feat(abs): general update --- apparmor.d/abstractions/app-open | 2 +- apparmor.d/abstractions/app/firefox | 3 ++- apparmor.d/abstractions/bus-session | 2 +- apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 7 ++++++- apparmor.d/abstractions/disks-read | 6 ++++++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c7d2a86c8..59724f019 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -39,7 +39,7 @@ @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp{,3} Px, + @{bin}/gimp{,-3.0} Px, @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 5e3bc15cb..1dd15f9d8 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -99,7 +99,8 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/remote-settings-startup-bundle- w, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 38d39a489..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 0f188e05a..78f0de9de 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -8,7 +8,7 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects + member={GetManagedObjects,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -51,6 +51,11 @@ member=Updated peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70d..e1bf31298 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, From f47babab8492b9b273da5e985f41cf2a1cddbba2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:01 +0200 Subject: [PATCH 569/977] fix(profile): pci slot adress. --- apparmor.d/abstractions/common/app | 1 + apparmor.d/groups/filesystem/udisksd | 1 + apparmor.d/profiles-s-z/zed | 1 + apparmor.d/profiles-s-z/zpool | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index efb3c838b..a3fb2c5ef 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -78,6 +78,7 @@ @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 1ff219bbe..ab3813973 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -121,6 +121,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index b131897d4..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd7..e6033d9d2 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, From e5b6d5dd19e03cb488f748c84b5acb22c7e191ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:50 +0200 Subject: [PATCH 570/977] feat(profile): update nvidia tools. --- apparmor.d/profiles-m-r/nvidia-settings | 16 ++++++++++++++-- apparmor.d/profiles-m-r/nvidia-smi | 1 + 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bff..771bbb3b6 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,20 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76..9ea391400 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,6 +21,7 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, From 223f611dfcb92f9cae02e9965491f8580b01a0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:15 +0200 Subject: [PATCH 571/977] feat(abs): nvidia: ensure cuda is supported, cleanup common local path. --- apparmor.d/abstractions/nvidia-strict | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index ebaced47f..6fe815773 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,18 +6,21 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, From 13680be0a6a0421bdc2a59ec03284b55debd57ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:53 +0200 Subject: [PATCH 572/977] feat(fsp): sdu: add consoles --- apparmor.d/groups/_full/sdu | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 80d8c1fb9..f9c50b65f 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -23,6 +23,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -108,6 +109,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/kmsg w, + deny capability net_admin, profile shell flags=(attach_disconnected,mediate_deleted,complain) { @@ -123,10 +126,10 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include - audit capability net_admin, - owner @{run}/user/@{uid}/systemd/private rw, + deny capability net_admin, + include if exists include if exists } From 3b040aa5ca46513bd7058882c6bcde4b3f5d85dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:54:49 +0200 Subject: [PATCH 573/977] feat(profile): improve dpkg-scripts. --- apparmor.d/groups/apt/dpkg-scripts | 4 +++- apparmor.d/groups/apt/unattended-upgrade-shutdown | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e16d25bf2..d3994d0ec 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -11,6 +11,7 @@ profile dpkg-scripts @{exec_path} { include include include + include capability chown, capability dac_read_search, @@ -24,6 +25,7 @@ profile dpkg-scripts @{exec_path} { # Common program found in maintainer scripts @{sh_path} rix, @{coreutils_path} rix, + @{python_path} rix, @{bin}/run-parts rix, @{bin}/envsubst ix, @@ -51,8 +53,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, + /etc/** PUx, /usr/share/** PUx, - /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f36505e7a..1fb667fae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -20,6 +20,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{bin}/ischroot Px, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /usr/share/unattended-upgrades/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, From f56163afb184d93df751f2ce571d90cd9b08ecbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:56:24 +0200 Subject: [PATCH 574/977] feat(profile): ensure xdg portal can start any sandboxing tool. --- apparmor.d/groups/freedesktop/xdg-document-portal | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 91a203d3a..93cac619e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -39,8 +39,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, / r, owner @{att}/ r, @@ -64,6 +65,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include + include include capability dac_read_search, From 4f2abda92f0cfd1c2b412a23582c4ac253954d73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:58:20 +0200 Subject: [PATCH 575/977] feat(profile): improve gnome programs. --- apparmor.d/groups/gnome/epiphany-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 3 +++ apparmor.d/groups/gnome/gnome-shell | 12 +++++++++--- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/tracker-extract | 1 + 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e66450d09..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, owner @{tmp}/ContentRuleList-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 104d95fb3..7cb982ca7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e977af95e..acae2d601 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, @@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, @@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b..c399eadc7 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 83bf18b9b..e8612f7b6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} r, From 705eb11510c0d692173368609b1a10f419337800 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:04:18 +0200 Subject: [PATCH 576/977] feat(profile): improve some dbus rules. --- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 4 ++++ apparmor.d/groups/gvfs/gvfsd-trash | 6 +----- apparmor.d/groups/network/mullvad-gui | 3 +++ apparmor.d/groups/ssh/sshd | 5 +++++ apparmor.d/groups/virt/cockpit-wsinstance-factory | 3 +++ apparmor.d/profiles-s-z/virt-manager | 6 ++++++ 8 files changed, 28 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index aa84eebd9..e5443f505 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesRemoved,InterfacesAdded} peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 9af8be00a..6c61dbba4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2b..92d6fbf64 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 9acfd6c86..e13f870c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include + include include include include @@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label="{gnome-shell,nautilus}"), - dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2..c36d34e3f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -14,6 +14,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 75438c957..2494dc2c2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mrix, @{bin}/@{shells} Ux, #aa:exclude RBAC diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36f..99db4d614 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include + + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, capability net_admin, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 7c0443dae..fa17f5b1b 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,6 +12,10 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include include include include @@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, From bfc6c51821b87fdca893c54555bf5ca5a060528b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:08:28 +0200 Subject: [PATCH 577/977] feat(profile): update some core system profiles. --- apparmor.d/profiles-a-f/dkms | 4 ++-- apparmor.d/profiles-a-f/fprintd | 3 +-- apparmor.d/profiles-a-f/fwupd | 11 +++++++---- apparmor.d/profiles-g-l/hw-probe | 16 +++++++++++----- apparmor.d/profiles-g-l/hwinfo | 6 +++++- apparmor.d/profiles-g-l/i2cdetect | 5 +++++ apparmor.d/profiles-g-l/kernel | 6 ++++-- apparmor.d/profiles-g-l/kernel-install | 3 +++ apparmor.d/profiles-m-r/pycompile | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 4 +++- 10 files changed, 42 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 0a01e5db5..a0d5b08f9 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/bc rix, @{bin}/clang-@{version} rix, @{bin}/gcc rix, + @{bin}/g++ rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, @{bin}/ld.lld rix, @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/sh-thd.* rw, owner @{tmp}/tmp.* rw, - @{PROC}/cpuinfo r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 182d9013d..1d00dce88 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 961b55c97..cf5989227 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2b91fc612..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, @@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, - @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/fdisk rPx, @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, @{sbin}/hwinfo rPx, @{sbin}/rfkill rPx, @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, owner @{tmp}/@{rand10}/ rw, @@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, + capability syslog, - @{sys}/module/compression r, + @{sys}/module/{,**} r, include if exists } @@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 4919d2fb2..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -28,6 +28,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, @{sbin}/dmraid rPUx, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index d375a1bdd..c3155ce75 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -34,13 +34,15 @@ profile kernel @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, + @{bin}/bootctl rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, @{lib}/modules/*/updates/dkms/ w, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 614b81aeb..96d097417 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -41,6 +41,8 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + @{efi}/@{hex32}/** rw, + owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/{linux,initrd} w, @@ -52,6 +54,7 @@ profile kernel-install @{exec_path} { owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b684c3094..c308dcd91 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include include include - # include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 9a4b5cebe..dfdd00524 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/name r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/i2c-*/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, From af8c66e9bf456a5770584bf03019548ee67d5020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:14:25 +0200 Subject: [PATCH 578/977] feat(profile): upgrade cockpit profiles. --- apparmor.d/groups/virt/cockpit-certificate-helper | 1 + apparmor.d/groups/virt/cockpit-desktop | 2 ++ apparmor.d/groups/virt/cockpit-tls | 3 +++ apparmor.d/groups/virt/cockpit-ws | 4 +++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..7bf43ed4a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 7b0779119..8e3478072 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include include include @@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} { /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, From c2740ffe241a13c85c53d7a8d99d4946b5509414 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:15:04 +0200 Subject: [PATCH 579/977] feat(profile): xwayland: add integration with desktop local paths. --- apparmor.d/groups/freedesktop/xwayland | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 03b418684..9b329e06a 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -29,6 +29,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, From 8042dd4a348fc3778c107d94a9ef1e70c11ec181 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:09:34 +0200 Subject: [PATCH 580/977] chore: replace make full by make fsp. --- Makefile | 8 ++++++-- docs/full-system-policy.md | 17 ++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 8bc8757bc..854d39f16 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,12 @@ build: enforce: build @./${BUILD}/prebuild -.PHONY: full -full: build +.PHONY: fsp +fsp: build + @./${BUILD}/prebuild --full + +.PHONY: fsp-complain +fsp-complain: build @./${BUILD}/prebuild --complain --full .PHONY: install diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index c747cb739..016ed8ada 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -27,7 +27,6 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. -- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. - PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. @@ -47,11 +46,11 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make full`: + In `PKGBUILD`, replace `make` by `make fsp`: ```diff - make - + make full + + make fsp ``` Then, build the package with: `make pkg` @@ -62,7 +61,7 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` @@ -73,25 +72,25 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` ```diff - %make_build - + %make_build full + + %make_build fsp ``` Then, build the package with: `make rpm` === ":material-home: Partial Install" - Use the `make full` command to build instead of `make` + Use the `make fsp` command to build instead of `make` ## Structure @@ -149,7 +148,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full From 6b5fad404bc8d979371d9efc7812c4e50d82bd25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:19:35 +0200 Subject: [PATCH 581/977] feat(profile): add free --- apparmor.d/groups/procps/free | 19 +++++++++++++++++++ tests/integration/procps/free.bats | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/free create mode 100644 tests/integration/procps/free.bats diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 000000000..56075ae1c --- /dev/null +++ b/apparmor.d/groups/procps/free @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 000000000..dcc216bfa --- /dev/null +++ b/tests/integration/procps/free.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "free: Display system memory" { + free +} + +@test "free: Display memory in GB" { + free -g +} + +@test "free: Display memory in human-readable units" { + free -h +} From 771dd9b589e15c66038a28e1d469391f25a962bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:22:26 +0200 Subject: [PATCH 582/977] feat(profile): add pidof --- apparmor.d/groups/procps/pidof | 18 ++++++++++++++++++ tests/integration/procps/pidof.bats | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/pidof create mode 100644 tests/integration/procps/pidof.bats diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof new file mode 100644 index 000000000..3413eb6c3 --- /dev/null +++ b/apparmor.d/groups/procps/pidof @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pidof +profile pidof @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats new file mode 100644 index 000000000..ec20cbe86 --- /dev/null +++ b/tests/integration/procps/pidof.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pidof: List all process IDs with given name" { + pidof systemd + pidof bash +} + +@test "pidof: List a single process ID with given name" { + pidof -s bash +} + +@test "pidof: List process IDs including scripts with given name" { + pidof -x bash +} From c85ed58fa98935d9d475496f02347a2319ce4992 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:30:21 +0200 Subject: [PATCH 583/977] feat(profile): add vmstat --- apparmor.d/groups/procps/vmstat | 27 +++++++++++++++++++++++++++ tests/integration/procps/vmstat.bats | 25 +++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 apparmor.d/groups/procps/vmstat create mode 100644 tests/integration/procps/vmstat.bats diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 000000000..1276222a2 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 000000000..e5900a324 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} From e6939f4968d50bff639882e5bc34d81ea462ff4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:37:07 +0200 Subject: [PATCH 584/977] feat(profile): add pgrep. --- apparmor.d/groups/procps/pgrep | 22 ++++++++++++++++++++++ tests/integration/procps/pgrep.bats | 19 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/groups/procps/pgrep create mode 100644 tests/integration/procps/pgrep.bats diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep new file mode 100644 index 000000000..950aeb99e --- /dev/null +++ b/apparmor.d/groups/procps/pgrep @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pgrep +profile pgrep @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{PROC}/tty/drivers r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats new file mode 100644 index 000000000..9fd6b92f8 --- /dev/null +++ b/tests/integration/procps/pgrep.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pgrep: Return PIDs of any running processes with a matching command string" { + pgrep systemd +} + +@test "pgrep: Search for processes including their command-line options" { + pgrep --full 'systemd' +} + +@test "pgrep: Search for processes run by a specific user" { + pgrep --euid root systemd-udevd +} + From e30372b729467fdb4aeafd6be6c206354b4077d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:52:29 +0200 Subject: [PATCH 585/977] ci: use fsp instead of full command. --- .github/workflows/main.yml | 2 +- .gitlab-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cac8fce43..973287e72 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,7 +38,7 @@ jobs: - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f697637fa..8adab16ab 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -117,7 +117,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules opensuse: stage: build From 277bd7f46aa43ad90ca8242cfb823e4ef3f68044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:53:37 +0200 Subject: [PATCH 586/977] feat(profile): ensure gtk-query-immodule is not version dependent. --- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e9f3bf807..ff43e2196 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -71,7 +71,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk-query-immodules-* rPx, @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 509769698..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include From e6b044376f7ef7f2a6850bf0461927b5432eeb0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:14:24 +0200 Subject: [PATCH 587/977] fix(profile): update archlinux-keyring requirements. fix #784 --- apparmor.d/groups/gpg/gpg | 5 ++--- apparmor.d/groups/pacman/pacman-key | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac..f05f6492e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -33,9 +33,8 @@ profile gpg @{exec_path} { /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index a5cee6fa9..9e3bde188 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -34,7 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, /dev/tty rw, From 51cb732ecaeb6e2c7cf7c9f936c4c26c9b9bf561 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:17:13 +0200 Subject: [PATCH 588/977] fix(profile): ensure hyprland can integrate with wine/proton fix #783 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c06671b34..9f2e7583d 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, From b754c1134c8be44034893bb4accee769dcc4ea63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:37:49 +0200 Subject: [PATCH 589/977] fix(profile) wechat profile permissions fix #772 --- apparmor.d/profiles-s-z/wechat | 0 apparmor.d/profiles-s-z/wechat-appimage | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100755 new mode 100644 From d6f4ff57b65bc641c96775c38aa7bbce55f4aff6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:47:39 +0200 Subject: [PATCH 590/977] fix: linter check. --- apparmor.d/groups/gpg/gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index f05f6492e..1a3f7f4d9 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -34,7 +34,7 @@ profile gpg @{exec_path} { #aa:only pacman /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, From 1b1a4c11ac22ab1aba9fd4bbff3619593a2454b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:51:18 +0200 Subject: [PATCH 591/977] feat(profile): gpg: improve integration with access to gpg-agent. --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 1a3f7f4d9..7ebb9e3a4 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,6 +68,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From e9fbc3503636273f0d36697a38f4f061049a38d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:52:26 +0200 Subject: [PATCH 592/977] feat(profile): minor sshd improvement. --- apparmor.d/groups/ssh/sshd-auth | 2 ++ apparmor.d/groups/ssh/sshd-session | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index cb4defc0f..c1601b813 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -24,6 +24,8 @@ profile sshd-auth @{exec_path} { @{exec_path} mr, @{sbin}/sshd.hmac r, + /etc/gss/mech.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e74696334..5f09af5cc 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -47,6 +47,11 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC From 51560bbbf562a7e47ffe4776a1092e3aa78709ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:53:29 +0200 Subject: [PATCH 593/977] feat(profile): update mullvad. --- apparmor.d/groups/network/mullvad-daemon | 13 +++++++++---- apparmor.d/groups/network/mullvad-gui | 2 ++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c..9573d7044 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, @@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,19 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index c36d34e3f..ae9b4cb7f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -37,6 +37,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 35ae596fd98800f52057f338f214f736aad094e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:56:31 +0200 Subject: [PATCH 594/977] feat(profile): general update on some core profiles. --- apparmor.d/profiles-a-f/dkms | 5 +++-- apparmor.d/profiles-g-l/gimp | 4 ++++ apparmor.d/profiles-g-l/libreoffice | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 6 +++--- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/nvidia-smi | 2 +- apparmor.d/profiles-m-r/ollama | 7 +++++++ apparmor.d/profiles-m-r/power-profiles-daemon | 3 +++ apparmor.d/profiles-s-z/speech-dispatcher | 6 +++++- apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/update-shells | 4 +++- apparmor.d/profiles-s-z/virt-manager | 1 + apparmor.d/profiles-s-z/whoopsie | 2 ++ 13 files changed, 36 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index a0d5b08f9..5a0885143 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/as rix, @{bin}/bc rix, @{bin}/clang-@{version} rix, - @{bin}/gcc rix, @{bin}/g++ rix, + @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{sbin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index b335650d8..67b625d62 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -28,6 +28,7 @@ profile gimp @{exec_path} { @{python_path} rix, @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, @{bin}/gimp-script-fu-interpreter-* rix, @{bin}/gjs-console rix, @{bin}/lua rix, @@ -41,6 +42,7 @@ profile gimp @{exec_path} { /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, /etc/fstab r, @@ -68,6 +70,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{run}/mount/utab r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b21642cf8..4bed50f13 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -81,6 +81,7 @@ profile libreoffice @{exec_path} { /etc/papersize r, /etc/xdg/* r, + /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, @@ -93,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index aeb125ef2..5896df049 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} { @{lib}/klibc/bin/fstype ix, /usr/share/mdadm/mkconf Px, - @{bin}/* r, - @{sbin}/* r, + @{bin}/* mr, + @{sbin}/* mr, @{lib}/ r, - @{lib}/** r, + @{lib}/** mr, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 8139ac68e..c922942ec 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} { @{sbin}/mdadm Px, /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, / r, diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 9ea391400..1d6d62e2b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-caps/nvidia-cap@{int} rw, /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools r, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b5521802..73447e33e 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/ r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 43f27b2fc..636f41754 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 652a7d9ed..0267d6889 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 679a0fd32..5c79d0efe 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 46b6699c8..5922c1a14 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -17,12 +17,14 @@ profile update-shells @{exec_path} { @{bin}/chmod ix, @{bin}/chown ix, @{bin}/dirname ix, - @{bin}/dpkg-realpath ix, + @{bin}/dpkg-realpath rix, @{bin}/mv ix, @{bin}/sync ix, + @{bin}/readlink ix, /usr/share/debianutils/shells r, /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, /etc/shells r, /etc/shells.tmp w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index fa17f5b1b..aed85abe3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 16a0e5a5e..0c03f4a76 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -25,6 +25,8 @@ profile whoopsie @{exec_path} { owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, + @{sys}/devices/virtual/dmi/id/product_uuid r, + include if exists } From 06d23ac72cc646cee3ea0e5417f0b50e3092b1ef Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 2 Jul 2025 05:29:55 +0200 Subject: [PATCH 595/977] Fix strawberry profile --- apparmor.d/profiles-s-z/strawberry | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 84bbcf1f2..611c8462d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -69,8 +69,8 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, owner @{tmp}/etilqs_@{sqlhex} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, From e92f2fb453ea53d4a6da31bc61f95466e2be47a4 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 29 Jun 2025 19:35:08 +0200 Subject: [PATCH 596/977] ouch: allow listing archive contents --- apparmor.d/profiles-m-r/ouch | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index a5b62ca93..d0bb4a1ed 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -17,11 +17,16 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From 2e9d450fde3d0499762d5961f4f881e81decb105 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 17:58:52 +0800 Subject: [PATCH 597/977] Fix tlp start issue --- apparmor.d/profiles-s-z/tlp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 9faea6e3e..7c0a3d2c8 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -16,6 +16,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_nice, @@ -48,6 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, @@ -104,7 +106,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include - @{run}/tlp/lock_tlp rw, + @{run}/tlp/lock_tlp rw, # file_inherit include if exists } From d855eeccd746b8ecaeaf3cc7f144715909d5136f Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 18:01:31 +0800 Subject: [PATCH 598/977] Not use tabs --- apparmor.d/profiles-s-z/tlp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 7c0a3d2c8..3eb0800f9 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, - @{bin}/timeout rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, From 97d5fe3f6865217f16d05876235ce68b4572312d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 11 Jul 2025 19:37:40 +0200 Subject: [PATCH 599/977] feat(abs): user-read/write: allow files directly on the home directory. --- apparmor.d/abstractions/user-read-strict | 1 + apparmor.d/abstractions/user-write-strict | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index f7eb186b5..9626bb0bc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 026825b27..88d52203e 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, From a79e46acdd3768be0ab4f58ac026057a41274ad7 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:27:18 +0200 Subject: [PATCH 600/977] add profile for whois --- apparmor.d/profiles-s-z/whois | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whois diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 000000000..8353f81d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/whois @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor From 8fc70859aaef7cc20181ac6d115a6ff8ca5a9162 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:35:59 +0200 Subject: [PATCH 601/977] fix include --- apparmor.d/profiles-s-z/whois | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois index 8353f81d0..a1549db03 100644 --- a/apparmor.d/profiles-s-z/whois +++ b/apparmor.d/profiles-s-z/whois @@ -21,7 +21,7 @@ profile whois @{exec_path} { /etc/whois.conf r, - include if exists + include if exists } # vim:syntax=apparmor From 2c1d235ef02b11750dd5cc812e24dfc188b173f7 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:27:14 +0200 Subject: [PATCH 602/977] Hardening kioworker with reagrd to ps See #711 --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 1d091fd09..61e910c88 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -38,7 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rPUx, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner From cdb64e14bab522751c7cec2b51cdbdb1ebadf05e Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Jul 2025 18:37:52 +0200 Subject: [PATCH 603/977] add texstudio --- apparmor.d/profiles-s-z/texstudio | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 apparmor.d/profiles-s-z/texstudio diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..836a9a6ab --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor From d120792297b4902b1bc4fb640833c2c619f77796 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:27:21 +0200 Subject: [PATCH 604/977] fix ci --- apparmor.d/profiles-s-z/texstudio | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 836a9a6ab..4a42a8eff 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -15,14 +15,14 @@ profile texstudio @{exec_path} { include include include - + @{exec_path} mr, @{bin}/pdflatex ix, @{bin}/pdftex ix, @{bin}/kpsewhich ix, @{bin}/gsettings ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, /usr/share/texmf-dist/{,**} r, /usr/share/doc/texstudio/{,**} r, From 7b6f2353fdbf4f7fce1ef27c1e25d4aa9f3b6bb3 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:29:42 +0200 Subject: [PATCH 605/977] remove white space --- apparmor.d/profiles-s-z/texstudio | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 4a42a8eff..52e9e53e6 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -41,7 +41,7 @@ profile texstudio @{exec_path} { ## silencer deny owner /usr/share/hunspell/en_US-large.ign w, - + include if exists } From 7a47914542ce3e45e85e759f1e38a9cdee244a00 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:07:33 +0200 Subject: [PATCH 606/977] tests: add test file for whois. --- tests/integration/whois.bats | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 tests/integration/whois.bats diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats new file mode 100644 index 000000000..fd1cba5fa --- /dev/null +++ b/tests/integration/whois.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "whois: Get information about a domain name" { + whois google.fr +} + +@test "whois: Get information about an IP address" { + whois 8.8.8.8 +} + +@test "whois: Get abuse contact for an IP address" { + whois -b 8.8.8.8 +} + From 8020c2c63d0c578e147b8ee9230010dc4aca44a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:09:41 +0200 Subject: [PATCH 607/977] feat(profile): update pacman profiles. --- apparmor.d/groups/pacman/makepkg | 5 +++-- apparmor.d/groups/pacman/paccache | 1 + apparmor.d/groups/pacman/pacman | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 30650d80c..583d0b9c0 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,7 @@ profile makepkg @{exec_path} { include include include + include include include include @@ -72,8 +73,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index f537afdb3..8bf1aed6a 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -36,6 +36,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ff43e2196..01543d63f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -187,7 +187,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include From 03b174a2d42c6d36e3f979a92e35f06f1f6b1f5c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:11:18 +0200 Subject: [PATCH 608/977] feat(profile): simplify modprobe-nvidia. --- apparmor.d/groups/children/child-modprobe-nvidia | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 9b331a8ce..61191fe9d 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -20,7 +20,6 @@ include profile child-modprobe-nvidia flags=(attach_disconnected) { include include - include capability chown, capability fsetid, @@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, From 881402dc2166b735712e40134558568512059ee8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:17:26 +0200 Subject: [PATCH 609/977] feat(profile): improve some systemd profiles. --- apparmor.d/groups/systemd/systemd-coredump | 2 +- apparmor.d/groups/systemd/systemd-machined | 22 ++++++++++++++++++- .../systemd/systemd-tty-ask-password-agent | 3 ++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 52efea3db..2f6d81fdb 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, - owner @{HOME}/**.so r, + owner @{HOME}/**.so* r, /var/lib/systemd/coredump/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b37f2300b..b9244ece6 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -10,6 +10,7 @@ include profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, + /dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 30d30b295..b318bf3dd 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=machinectl, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, From c6030de00ae7566cd0267d2a10bfa6d00858a41a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:49:34 +0200 Subject: [PATCH 610/977] build: add just command for local and dev install. --- Justfile | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 109cfed3b..7753ad2d1 100644 --- a/Justfile +++ b/Justfile @@ -95,7 +95,7 @@ fsp-complain: build fsp-debug: build @./{{build}}/prebuild --complain --full --debug -[group('build')] +[group('install')] [doc('Install prebuild profiles')] install: #!/usr/bin/env bash @@ -123,6 +123,35 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('install')] +[doc('Locally install prebuild profiles')] +local +args: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{args}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +[group('install')] +[doc('Prebuild, install, and load a dev profile')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + [group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: From 72b136578dd1e5db2efa5b60790fcafd679dd72a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:12:46 +0200 Subject: [PATCH 611/977] fix(profile): ensure wc is in pacman-hook-perl fix #786 --- apparmor.d/groups/pacman/pacman-hook-perl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 07539ae95..aa2be8b09 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -20,6 +20,7 @@ profile pacman-hook-perl @{exec_path} { @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, + @{bin}/wc rix, /dev/tty rw, /dev/tty@{int} rw, From 38b165ff319da0177f2fc983921fd6c80bbe360e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:13:50 +0200 Subject: [PATCH 612/977] feat(profile): minor apt improvement. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/apt/apt-methods-sqv | 1 + apparmor.d/groups/apt/dpkg-scripts | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5be4284f9..9bdabb1c2 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -64,6 +64,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv index 416328cd4..0dcd7da0d 100644 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -18,6 +18,7 @@ profile apt-methods-sqv @{exec_path} { capability setuid, signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d3994d0ec..44e4790c4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -65,6 +65,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{lib}/modules/*/.fresh-install w, /etc/ r, /etc/** rw, From d9d762aaaa939e29048ea75715a71f6f96f675af Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:16:29 +0200 Subject: [PATCH 613/977] fix(profile): systemd-coredump: also allow sbin --- apparmor.d/groups/systemd/systemd-coredump | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2f6d81fdb..2bd25ec16 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -33,6 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, @{user_lib_dirs}/** r, From 2f1022dc8de00f29472a0fe1c5c8ed8bd7ed8c78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:19:29 +0200 Subject: [PATCH 614/977] feat(profile): general minor update to profiles. --- apparmor.d/profiles-a-f/alacarte | 7 ++++++- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/code-extension-git-askpass | 4 ++-- apparmor.d/profiles-a-f/dkms | 1 + apparmor.d/profiles-g-l/git | 3 ++- apparmor.d/profiles-m-r/needrestart-restart | 1 + apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 3 ++- apparmor.d/profiles-s-z/wechat-universal | 4 ++-- 10 files changed, 19 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index eed67619d..700c6d517 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include include include @@ -30,6 +30,11 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index c63a8de7c..771560c6b 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 5a31889b9..674432b2e 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 5a0885143..7c594c900 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -32,6 +32,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 457e79d2a..a0ea6393e 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -133,7 +133,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, - + @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index b9e648602..964ff1a74 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -13,6 +13,7 @@ profile needrestart-restart @{exec_path} { @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, + @{sh_path} r, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 096f0316a..7e432a838 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index b7ad3a2e8..cb554fc6b 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -14,9 +14,9 @@ include @{exec_path} = @{lib_dirs}/wechat profile wechat @{exec_path} flags=(attach_disconnected) { include - include include include + include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 55155f2b8..9f8c20338 100644 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -14,10 +14,11 @@ include @{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 21e1eee10..cd8958e8e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -14,10 +14,10 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include - include include - include include + include + include include network netlink raw, From f183ae709f4ffeea0443145cfcaf45d34d1dac62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:23:37 +0200 Subject: [PATCH 615/977] chore: fix linter issue. --- apparmor.d/profiles-g-l/git | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index a0ea6393e..c9373c7ae 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -134,7 +134,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, - + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, From 033354314f0e98b9f9e00ce240a634b42d731b9c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:54:02 +0200 Subject: [PATCH 616/977] doc: minor documentation update. --- docs/configuration.md | 2 +- docs/development/roadmap.md | 8 ++++---- docs/development/vm.md | 31 +++++++++++++++++++++++-------- docs/full-system-policy.md | 10 ++++++++++ 4 files changed, 38 insertions(+), 13 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index fd8a5d38c..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 75cbcdd10..b42467e3d 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [ ] The apt/dpkg profiles needs to be reworked + - [x] The apt/dpkg profiles needs to be reworked - [ ] Build system - [ ] Continuous release on the main branch, ~2 releases per week - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - - [ ] Add a `just` target to install the profiles in the right place + - [x] Add a `just` target to install the profiles in the right place - [ ] Fully drop the Makefile in favor of `just` ## Next features @@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - [ ] Add a prompt listener to handle the user data access. -- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** +- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [ ] Remove the `default` profile + - [x] Remove the `default` profile ## Done diff --git a/docs/development/vm.md b/docs/development/vm.md index 66630022e..1edddba76 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -14,22 +14,42 @@ $ just ``` Available recipes: help # Show this help message + clean # Remove all build artifacts + + [build] build # Build the go programs enforce # Prebuild the profiles in enforced mode complain # Prebuild the profiles in complain mode fsp # Prebuild the profiles in FSP mode - install # Install the profiles + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] pkg # Build & install apparmor.d on Arch based systems dpkg # Build & install apparmor.d on Debian based systems rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] tests # Run the unit tests + init dist flavor # Install dependencies for the bats integration tests + integration dist flavor # Run the integration tests on the machine + + [linter] lint # Run the linters check # Run style checks on the profiles + + [docs] man # Generate the man pages docs # Build the documentation serve # Serve the documentation - clean # Remove all build artifacts - package dist # Build the package in a clean OCI container + + [vm] img dist flavor # Build the VM image create dist flavor # Create the machine up dist flavor # Start a machine @@ -40,13 +60,8 @@ Available recipes: list # List the machines images # List the VM images available # List the VM images that can be created - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine - get_ip dist flavor - get_osinfo dist See https://apparmor.pujol.io/development/ for more information. - ``` ## Requirements diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 016ed8ada..b523a1c38 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: From ee328ecea8e2b7f071ee25380cb28dd62ca50c98 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:58:06 +0200 Subject: [PATCH 617/977] fix(profile): ensure gpg has access to pacman public keyring. #788 --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 7ebb9e3a4..6a01796ff 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, From bba6f253adda95e072e9b92095f2913738d2abcf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:22:29 +0200 Subject: [PATCH 618/977] doc: add link to the last talk. --- README.md | 4 ++++ docs/overview.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index ddb1e79b3..c1c7726c5 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) diff --git a/docs/overview.md b/docs/overview.md index fb6712a14..20a5a454f 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -43,6 +43,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org From cf76e2e71411238a48de625334fc8092fc5f9492 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:35:53 +0200 Subject: [PATCH 619/977] build(arch): sync pkgbuild with the with aur version. --- PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index b48e55153..dfbb46735 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -8,9 +8,9 @@ pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/$pkgname" +url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') conflicts=("$pkgname-git") From 101248b37e235d9176918fc99b23fe370b773ffb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:06:58 +0200 Subject: [PATCH 620/977] feat(profile): minor profile update. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 5 +++++ apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/gnome-session-check | 5 +++++ apparmor.d/groups/network/dhcpcd | 2 ++ apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/ssh/sshd | 1 + .../groups/systemd-generators/systemd-generator-import | 4 ++-- apparmor.d/groups/ubuntu/apport | 6 ++++-- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/utils/who | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + 11 files changed, 25 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46297b484..341cf58ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -11,6 +11,11 @@ member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=ListUnitsByPatterns + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,StartUnit,StartTransientUnit} diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 0925bad91..debf19f25 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -52,7 +52,7 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} r, + /dev/shm/lttng-ust-wait-@{int} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check index 2a0b4965f..44755aef2 100644 --- a/apparmor.d/groups/gnome/gnome-session-check +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -10,12 +10,17 @@ include profile gnome-session-check @{exec_path} { include include + include @{exec_path} mr, @{lib}/gnome-session-check-accelerated-gl-helper ix, @{lib}/gnome-session-check-accelerated-gles-helper ix, + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7f47b9975..51cf215f9 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -40,6 +40,8 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 1add6c1c4..5f0885693 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -110,6 +110,7 @@ profile snapd @{exec_path} { /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2494dc2c2..63f2c1370 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -32,6 +32,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import index 36ff4e5ff..de3753aaf 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -16,13 +16,13 @@ profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - / r, - /dev/kmsg w, include if exists diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 8219ef185..9f3fd2999 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -37,6 +37,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc404..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index 3da07f89d..fd49b2bec 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -18,6 +18,8 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index a0d636883..c90e80af9 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -86,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, From f364ab5e48296838ce76e2d6368435caf5a6ea5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:13:40 +0200 Subject: [PATCH 621/977] feat(profile): firefox: improve crashreporter. --- apparmor.d/groups/browsers/firefox-crashhelper | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55443a330..55af7c2e2 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} { +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4..8feccaa93 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From cba7355142b9bc0a20adae21f129a47e100baa92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:14:30 +0200 Subject: [PATCH 622/977] feat(abs): update nvidia GLCache. --- apparmor.d/abstractions/nvidia-strict | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6fe815773..c3aa8e805 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -18,6 +18,8 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, owner @{user_cache_dirs}/nvidia/ w, owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, From e490a11c1a2ecfadd2cbc0759d77f4706bc2ee61 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:25:41 +0200 Subject: [PATCH 623/977] feat(profile): add hwclock. --- apparmor.d/groups/utils/hwclock | 30 ++++++++++++++++++++++++++++ tests/integration/utils/hwclock.bats | 6 +++--- tests/requirements.sh | 3 ++- 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/utils/hwclock diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 88c981c31..4a1bc0f83 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - hwclock + sudo hwclock } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - hwclock --systohc + sudo hwclock --systohc } @test "hwclock: Write the current hardware clock time to the software clock" { - hwclock --hctosys + sudo hwclock --hctosys } diff --git a/tests/requirements.sh b/tests/requirements.sh index 52d7cb36b..085ad8c7c 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -21,7 +21,8 @@ debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak + cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ + util-linux-extra ;; opensuse*) ;; From d4d4f3ae4b4ad994ea633dbebd4b879f8a69621a Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 27 Jul 2025 17:13:11 +0200 Subject: [PATCH 624/977] add xournalpp --- apparmor.d/profiles-s-z/xournalpp | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-s-z/xournalpp diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..7d74ce7da --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/** rw, + owner @{user_cache_dirs}/xournalpp/** rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor From fc421183a024cb3abb4c3343ed7a1954f53e4511 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 29 Jul 2025 14:19:17 +0200 Subject: [PATCH 625/977] xournalpp improvements --- apparmor.d/profiles-s-z/xournalpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 7d74ce7da..6442fe8b9 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -8,11 +8,10 @@ include @{exec_path} = @{bin}/xournalpp profile xournalpp @{exec_path} { - include include + include include include - include include include include @@ -20,16 +19,15 @@ profile xournalpp @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-browsers, + /usr/share/xournalpp/** r, /etc/machine-id r, /etc/pipewire/jack.conf.d/ r, - owner @{user_config_dirs}/xournalpp/** rw, - owner @{user_cache_dirs}/xournalpp/** rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @@ -38,6 +36,9 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + include if exists } From 9e4db4373e89361b65c2009245b3242087eb830d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:22:28 -0600 Subject: [PATCH 626/977] Add support for MD RAID devices to the disk-read/write abstractions (#796) --- apparmor.d/abstractions/disks-read | 6 ++++++ apparmor.d/abstractions/disks-write | 3 +++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e1bf31298..872b0c552 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -81,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules @@ -91,6 +96,7 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd5..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor From 8b280b5ef02803eaaf1aeb82173170f0dfe861fd Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:00:05 -0600 Subject: [PATCH 627/977] Allow sbctl to parse DMI data This path is hard coded in "dmi/dmi.go" --- apparmor.d/profiles-s-z/sbctl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 9dbbf0933..ef007a32c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -26,6 +26,8 @@ profile sbctl @{exec_path} { @{lib}/fwupd/efi/{,**} rw, @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/firmware/efi/efivars/PK-@{uuid} rw, From ed06dac70239aa8f4eca700ae79c87fe9aa6ef49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:45:44 +0200 Subject: [PATCH 628/977] feat(profile): add lsipc --- apparmor.d/groups/utils/lsipc | 33 ++++++++++++++++++++++++++++++ tests/integration/utils/lsipc.bats | 16 +++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/groups/utils/lsipc create mode 100644 tests/integration/utils/lsipc.bats diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc new file mode 100644 index 000000000..12c8d333c --- /dev/null +++ b/apparmor.d/groups/utils/lsipc @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsipc +profile lsipc @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/sys/fs/mqueue/msg_max r, + @{PROC}/sys/fs/mqueue/msgsize_max r, + @{PROC}/sys/fs/mqueue/queues_max r, + @{PROC}/sys/kernel/msgmax r, + @{PROC}/sys/kernel/msgmnb r, + @{PROC}/sys/kernel/msgmni r, + @{PROC}/sys/kernel/sem r, + @{PROC}/sys/kernel/shmall r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/shmmni r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 000000000..a18126982 --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} From f516e1140a200f13506be2f8720640ef45f1f9cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:46:22 +0200 Subject: [PATCH 629/977] feat(profile): add lsfd --- apparmor.d/groups/utils/lsfd | 59 +++++++++++++++++++++++++++++++ tests/integration/utils/lsfd.bats | 19 ++++++++++ 2 files changed, 78 insertions(+) create mode 100644 apparmor.d/groups/utils/lsfd create mode 100644 tests/integration/utils/lsfd.bats diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..6b30f63a9 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd @@ -0,0 +1,59 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsfd +profile lsfd @{exec_path} flags=(attach_disconnected) { + include + include + + capability checkpoint_restore, + capability dac_read_search, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + capability syslog, + + network netlink dgram, + network netlink raw, + + ptrace read, + ptrace trace, + + mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, + + @{exec_path} mr, + + / r, + @{att}/ r, + + owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, + + @{run}/ r, + @{run}/netns/ r, + + @{sys}/kernel/cpu_byteorder r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, + owner @{PROC}/@{pid}/syscall r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 000000000..bf0c4de0c --- /dev/null +++ b/tests/integration/utils/lsfd.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} From 926a6fdcb9047ff8e8c1d9e7b1b309ee09fee1a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:55:36 +0200 Subject: [PATCH 630/977] feat(profile): add lslocks --- apparmor.d/groups/utils/lslocks | 33 ++++++++++++++++++++++++++++ tests/integration/utils/lslocks.bats | 22 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/groups/utils/lslocks create mode 100644 tests/integration/utils/lslocks.bats diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks new file mode 100644 index 000000000..5fbcdbc8f --- /dev/null +++ b/apparmor.d/groups/utils/lslocks @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslocks +profile lslocks @{exec_path} flags=(attach_disconnected) { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/locks r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 000000000..042834cae --- /dev/null +++ b/tests/integration/utils/lslocks.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} From 8b03cff0cfc824a0c1ecd0f8df1b8c715bb2f969 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:58:57 +0200 Subject: [PATCH 631/977] feat(profile): add lslogins. --- apparmor.d/groups/utils/lslogins | 33 +++++++++++++++++++++++++++ tests/integration/utils/lslogins.bats | 27 ++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/groups/utils/lslogins create mode 100644 tests/integration/utils/lslogins.bats diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins new file mode 100644 index 000000000..7393b47c0 --- /dev/null +++ b/apparmor.d/groups/utils/lslogins @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 000000000..aa2df69b4 --- /dev/null +++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} From 4f265c6d58a21c8dc98f2f65403d189cc24dddbe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 15:04:37 +0200 Subject: [PATCH 632/977] feat(profile): add lsns. --- apparmor.d/groups/utils/lsns | 42 +++++++++++++++++++++++++++++++ tests/integration/utils/lsns.bats | 31 +++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 apparmor.d/groups/utils/lsns create mode 100644 tests/integration/utils/lsns.bats diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 000000000..3d4d42efc --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 000000000..c7e6563e2 --- /dev/null +++ b/tests/integration/utils/lsns.bats @@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + From fd0092d431103e5be29ac9060e1400204d57ece3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 16:34:49 +0200 Subject: [PATCH 633/977] fix(profile): fix issues raised in tests. --- apparmor.d/groups/utils/lslocks | 2 ++ apparmor.d/groups/utils/lsns | 2 ++ apparmor.d/profiles-m-r/initramfs-hooks | 2 ++ apparmor.d/profiles-m-r/initramfs-scripts | 1 + apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 2 ++ 6 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks index 5fbcdbc8f..44d2e1d01 100644 --- a/apparmor.d/groups/utils/lslocks +++ b/apparmor.d/groups/utils/lslocks @@ -17,6 +17,8 @@ profile lslocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns index 3d4d42efc..7fbf56896 100644 --- a/apparmor.d/groups/utils/lsns +++ b/apparmor.d/groups/utils/lsns @@ -28,6 +28,8 @@ profile lsns @{exec_path} flags=(attach_disconnected) { @{run}/*/netns/** r, @{run}/*/ns/** r, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 5896df049..15f8f66d6 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** profile initramfs-hooks @{exec_path} { include + include include @{exec_path} mr, @@ -70,6 +71,7 @@ profile initramfs-hooks @{exec_path} { profile ldd { include + include include @{bin}/ldd mr, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 485520ca0..4d38ab9c1 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** profile initramfs-scripts @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index c922942ec..489068ec8 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/mdadm/mkconf profile mdadm-mkconf @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index f37029627..e67bb55fe 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} { owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6}/ rw, @@ -98,6 +99,7 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, From c09b5d85a46b391ad8ee9768f43839cb9a1c584a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:21:49 +0200 Subject: [PATCH 634/977] feat(profile): update systemd profiles. --- Justfile | 71 +++++++++++++------ apparmor.d/groups/systemd/bootctl | 7 +- apparmor.d/groups/systemd/busctl | 7 ++ apparmor.d/groups/systemd/journalctl | 3 + apparmor.d/groups/systemd/networkctl | 3 + apparmor.d/groups/systemd/systemd-localed | 4 +- apparmor.d/groups/systemd/systemd-machined | 3 + apparmor.d/groups/systemd/systemd-networkd | 4 ++ .../groups/systemd/systemd-nsresourcework | 2 + apparmor.d/groups/systemd/systemd-userwork | 1 + apparmor.d/groups/systemd/userdbctl | 3 +- 11 files changed, 80 insertions(+), 28 deletions(-) diff --git a/Justfile b/Justfile index 7753ad2d1..f9ce13c36 100644 --- a/Justfile +++ b/Justfile @@ -2,18 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: -# just -# just img ubuntu24 server -# just vm ubuntu24 server -# just up ubuntu24 server -# just ssh ubuntu24 server -# just halt ubuntu24 server -# just destroy ubuntu24 server -# just list -# just images -# just available -# just clean +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. # Build setings destdir := "/" @@ -125,7 +115,7 @@ install: [group('install')] [doc('Locally install prebuild profiles')] -local +args: +local +names: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log @@ -138,7 +128,7 @@ local +args: install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" done; echo "Warning: profile dependencies fallback to unconfined." - for file in {{args}}; do + for file in {{names}}; do grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" @@ -336,15 +326,52 @@ available: [group('tests')] -[doc('Run the integration tests on the machine')] -integration dist flavor: - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/user/Projects/apparmor.d - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - @bats --recursive --timing --print-output-on-failure Projects/integration/ +[doc('Install dependencies for the integration tests')] +init: + @bash tests/requirements.sh +[group('tests')] +[doc('Run the integration tests')] +integration: + bats --recursive --pretty --timing --print-output-on-failure tests/integration + +[group('tests')] +[doc('Install dependencies for the integration tests (machine)')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +[group('tests')] +[doc('Synchronize the integration tests (machine)')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +[group('tests')] +[doc('Re-synchronize the integration tests (machine)')] +tests-resync dist flavor: (tests-mount dist flavor) \ + (tests-sync dist flavor) \ + (tests-umount dist flavor) + +[group('tests')] +[doc('Unmout the integration tests (machine)')] +tests-umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo umount /home/{{username}}/Projects/apparmor.d + +[group('tests')] +[doc('Run the integration tests (machine)')] +tests-run dist flavor name="": + ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + TERM=xterm \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +[group('tests')] +[doc('Mount integration tests (machine)')] +tests-mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 [private] get_ip dist flavor: diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index f7d001c70..47e8737fe 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability linux_immutable, capability mknod, capability net_admin, capability sys_resource, @@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index c31b28836..04ed76e72 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) { member={GetConnectionCredentials,ListNames,ListActivatableNames} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index ef62e37cd..c852b3756 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/* r, + @{sbin}/* r, + /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5b4b3e6b5..0fd89c199 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, @@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 104a141ce..c15eaf5b2 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/default/locale rw, /etc/locale.conf rw, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b9244ece6..520080082 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { ptrace read peer=systemd-nspawn, + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, /dev/pts/@{int} rw, /dev/pts/ptmx rw, + /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index df1e74048..5105c69b8 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify rw, @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework index 734717c44..5b8d53398 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} { @{exec_path} mr, + @{run}/systemd/nsresource/registry/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 29641fd74..2521c655e 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 97625db38..fa7c13297 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include include include @@ -29,6 +29,7 @@ profile userdbctl @{exec_path} { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists From a731badeff2b0723aad5b5dba309a2cc2018ca35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:24:15 +0200 Subject: [PATCH 635/977] feat(profile): improvement raised by unit tests. --- apparmor.d/groups/ubuntu/apport | 10 +++++++ apparmor.d/groups/utils/fstrim | 2 ++ apparmor.d/groups/utils/uuidd | 6 +++- apparmor.d/groups/utils/zramctl | 4 ++- apparmor.d/profiles-g-l/kdump-config | 15 +++++++--- apparmor.d/profiles-g-l/kernel-postinst-kdump | 28 +++++++++++++++++-- apparmor.d/profiles-m-r/initramfs-hooks | 5 ++-- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 24 ++++++++-------- apparmor.d/profiles-m-r/needrestart | 1 + apparmor.d/profiles-s-z/tlp | 3 ++ 11 files changed, 77 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 9f3fd2999..fbc433c05 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) { owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index a6ada04d5..250794671 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { /boot/efi/ r, /var/ r, + @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 787914537..52f52b4a2 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, @{exec_path} mr, @@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock-cont.txt rwk, - @{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw, + @{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, + include if exists } diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 91697be73..a5fa2eb75 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,8 +13,10 @@ profile zramctl @{exec_path} { @{exec_path} mr, + @{sys}/devices/virtual/block/zram{int}/disksize w, + @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index f8b75f742..b6f915024 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep ix, @{bin}/basename ix, @{bin}/cat ix, @{bin}/cmp ix, @@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, @{bin}/plymouth Px, @{bin}/readlink ix, @{bin}/rev ix, + @{bin}/rm ix, @{bin}/run-parts ix, @{bin}/sed ix, @{bin}/systemctl Cx -> systemctl, @@ -48,9 +49,15 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { / r, @{efi}/ r, - /var/crash/kdump_lock wk, - /var/crash/kexec_cmd w, - owner /var/lib/kdump/{,**} rw, + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index e1358ec29..4790c5cb7 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} { @{exec_path} mr, + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/{m,g,}awk rix, + @{bin}/kmod rCx -> kmod, + @{bin}/ischroot rPx, + @{bin}/linux-version rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, + @{bin}/cut rix, @{sbin}/mkinitramfs rPx, - owner /var/lib/kdump/* w, + / r, + + /etc/initramfs-tools/conf.d/{,**} r, + /etc/initramfs-tools/initramfs.conf r, + + owner /var/lib/kdump/** rw, + + owner /tmp/tmp.@{rand10}/ rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, @@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 15f8f66d6..14a83ffbb 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, - @{sbin}/blkid Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, /usr/share/mdadm/mkconf Px, @{bin}/* mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 489068ec8..120138905 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} { / r, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index e67bb55fe..df76eb4ad 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} { @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, @{bin}/find rCx -> find, @@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} { owner /boot/config-* r, owner /boot/initrd.img-*.new rw, + owner /var/lib/kdump/initramfs-tools/** rw, + owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, @@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + @{sys}/bus/ r, + @{sys}/bus/*/drivers/ r, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, owner @{PROC}/@{pid}/fd/ r, @@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} { @{sh_path} rix, @{sbin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, - - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw, - - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw, - - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index f9e2c6ebc..ceac5436b 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 3eb0800f9..0dccf1a23 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, @{sys}/class/drm/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, From 0c2385fef902c6838a69a83953b70bd5b5beaf64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:25:28 +0200 Subject: [PATCH 636/977] tests: update tests dependencies. --- tests/requirements.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/requirements.sh b/tests/requirements.sh index 085ad8c7c..efc357ad4 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -16,13 +16,16 @@ DISTRIBUTION="$(_lsb_release)" case "$DISTRIBUTION" in arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ - util-linux-extra + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra ;; opensuse*) ;; From d579b330117b5e11d42b11a87f9e342e1b0b609a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:32:27 +0200 Subject: [PATCH 637/977] tests: add a few integration tests. --- tests/integration/apt/apt.bats | 18 +++++++++-- tests/integration/apt/dpkg-query.bats | 27 ++++++++++++++++ tests/integration/apt/dpkg-reconfigure.bats | 12 ++++++++ tests/integration/pacman/paccache.bats | 22 +++++++++++++ tests/integration/pacman/pacman-key.bats | 34 +++++++++++++++++++++ tests/integration/pacman/pacman.bats | 34 +++++++++++++++++++++ tests/integration/procps/sysctl.bats | 4 +-- tests/integration/procps/uptime.bats | 18 +++++++++++ tests/integration/systemd/bootctl.bats | 22 +++++++++++++ tests/integration/systemd/busctl.bats | 27 ++++++++++++++++ tests/integration/systemd/homectl.bats | 2 +- tests/integration/systemd/journalctl.bats | 30 ++++++++++++++++++ tests/integration/systemd/localectl.bats | 23 ++++++++++++++ tests/integration/systemd/machinectl.bats | 26 ++++++++++++++++ tests/integration/systemd/networkctl.bats | 18 +++++++++++ tests/integration/utils/fstrim.bats | 14 +++++++++ 16 files changed, 325 insertions(+), 6 deletions(-) create mode 100644 tests/integration/apt/dpkg-query.bats create mode 100644 tests/integration/apt/dpkg-reconfigure.bats create mode 100644 tests/integration/pacman/paccache.bats create mode 100644 tests/integration/pacman/pacman-key.bats create mode 100644 tests/integration/pacman/pacman.bats create mode 100644 tests/integration/procps/uptime.bats create mode 100644 tests/integration/systemd/bootctl.bats create mode 100644 tests/integration/systemd/busctl.bats create mode 100644 tests/integration/systemd/journalctl.bats create mode 100644 tests/integration/systemd/localectl.bats create mode 100644 tests/integration/systemd/machinectl.bats create mode 100644 tests/integration/systemd/networkctl.bats create mode 100644 tests/integration/utils/fstrim.bats diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index a436f6e9f..4be0edd8d 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -25,14 +25,26 @@ setup_file() { sudo apt install -y pass } -@test "apt: Remove a package (using 'purge' instead also removes its configuration files)" { - sudo apt remove -y pass +@test "apt: Remove a package and its configuration files" { + sudo apt purge -y pass } @test "apt: Upgrade all installed packages to their newest available versions" { sudo apt upgrade -y } +@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { + sudo apt dist-upgrade -y +} + +@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { + sudo apt autoclean +} + +@test "apt: Remove all packages that are no longer needed" { + sudo apt autoremove +} + @test "apt: List all packages" { apt list } @@ -41,6 +53,6 @@ setup_file() { apt list --installed } -@test "apt-moo: Print a cow easter egg" { +@test "apt: Print a cow easter egg" { apt moo } diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats new file mode 100644 index 000000000..39259e0a0 --- /dev/null +++ b/tests/integration/apt/dpkg-query.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-query: List all installed packages" { + dpkg-query --list +} + +@test "dpkg-query: List installed packages matching a pattern" { + dpkg-query --list 'libc6*' +} + +@test "dpkg-query: List all files installed by a package" { + dpkg-query --listfiles libc6 +} + +@test "dpkg-query: Show information about a package" { + dpkg-query --status libc6 +} + +@test "dpkg-query: Search for packages that own files matching a pattern" { + dpkg-query --search /etc/ld.so.conf.d +} + diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats new file mode 100644 index 000000000..f6aec98ea --- /dev/null +++ b/tests/integration/apt/dpkg-reconfigure.bats @@ -0,0 +1,12 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-reconfigure: Reconfigure one or more packages" { + sudo apt install -y pass + sudo dpkg-reconfigure pass +} + diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats new file mode 100644 index 000000000..b2e1369e2 --- /dev/null +++ b/tests/integration/pacman/paccache.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { + sudo paccache -d +} + +@test "paccache: Move candidate packages to a directory instead of deleting them" { + sudo paccache -m "$USER_BUILD_DIRS" +} + +@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { + sudo paccache -r +} + +@test "paccache: Set the number of package versions to keep" { + sudo paccache -rk 3 +} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats new file mode 100644 index 000000000..82e34a379 --- /dev/null +++ b/tests/integration/pacman/pacman-key.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman-key: Initialize the 'pacman' keyring" { + sudo pacman-key --init +} + +@test "pacman-key: Add the default Arch Linux keys" { + sudo pacman-key --populate +} + +@test "pacman-key: List keys from the public keyring" { + pacman-key --list-keys +} + +@test "pacman-key: Receive a key from a key server" { + sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Print the fingerprint of a specific key" { + pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Sign an imported key locally" { + sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Remove a specific key" { + sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC +} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats new file mode 100644 index 000000000..575a65bc1 --- /dev/null +++ b/tests/integration/pacman/pacman.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman: Synchronize and update all packages" { + sudo pacman -Syu --noconfirm +} + +@test "pacman: Install a new package" { + sudo pacman -S --noconfirm pass pass-otp +} + +@test "pacman: Remove a package and its dependencies" { + sudo pacman -Rs --noconfirm pass-otp +} + +@test "pacman: List installed packages and versions" { + pacman -Q +} + +@test "pacman: List only the explicitly installed packages and versions" { + pacman -Qe +} + +@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { + pacman -Qtdq +} + +@test "pacman: Empty the entire 'pacman' cache" { + sudo pacman -Scc --noconfirm +} diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats index 2f284070a..66720c434 100644 --- a/tests/integration/procps/sysctl.bats +++ b/tests/integration/procps/sysctl.bats @@ -21,6 +21,6 @@ load ../common sysctl fs.file-max } -@test "sysctl: Apply changes from `/etc/sysctl.conf`" { - sysctl -p +@test "sysctl: Apply changes from '/etc/sysctl.conf'" { + sudo sysctl -p } diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats new file mode 100644 index 000000000..7d9361d5a --- /dev/null +++ b/tests/integration/procps/uptime.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats new file mode 100644 index 000000000..2dfb39a7f --- /dev/null +++ b/tests/integration/systemd/bootctl.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "bootctl: Show information about the system firmware and the bootloaders" { + sudo bootctl status +} + +@test "bootctl: Show all available bootloader entries" { + sudo bootctl list +} + +@test "bootctl: Install 'systemd-boot' into the EFI system partition" { + sudo bootctl install +} + +@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" { + sudo bootctl remove +} diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats new file mode 100644 index 000000000..ef3e973e9 --- /dev/null +++ b/tests/integration/systemd/busctl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "busctl: Show all peers on the bus, by their service names" { + busctl list +} + +@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { + busctl status 1 + busctl status org.freedesktop.DBus +} + +@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { + busctl tree org.freedesktop.DBus +} + +@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { + busctl introspect org.freedesktop.login1 /org/freedesktop/login1 +} + +@test "busctl: Retrieve the current value of one or more object properties" { + busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked +} diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats index 0bdd625c4..bb3b38227 100644 --- a/tests/integration/systemd/homectl.bats +++ b/tests/integration/systemd/homectl.bats @@ -16,7 +16,7 @@ setup_file() { } @test "homectl: Create a user account and their associated home directory" { - sudo homectl create user2 + printf "user2\nuser2" | sudo homectl create user2 } @test "homectl: List user accounts and their associated home directories" { diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats new file mode 100644 index 000000000..9eeb7c9fe --- /dev/null +++ b/tests/integration/systemd/journalctl.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "journalctl: Show all messages with priority level 3 (errors) from this boot" { + sudo journalctl -b --priority=3 +} + +@test "journalctl: Show only the last N lines of the journal" { + sudo journalctl --lines 100 +} + +@test "journalctl: Show all messages by a specific [u]nit" { + sudo journalctl --unit apparmor.service +} + +@test "journalctl: Show all messages by a specific process" { + sudo journalctl _PID=1 +} + +@test "journalctl: Show all messages by a specific executable" { + sudo journalctl /usr/bin/bootctl +} + +@test "journalctl: Delete journal logs which are older than 10 seconds" { + sudo journalctl --vacuum-time=10s +} diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats new file mode 100644 index 000000000..5d82683a2 --- /dev/null +++ b/tests/integration/systemd/localectl.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "localectl: Show the current settings of the system locale and keyboard mapping" { + localectl +} + +@test "localectl: List available locales" { + localectl list-locales +} + +@test "localectl: Set a system locale variable" { + sudo localectl set-locale LANG=en_US.UTF-8 +} + +@test "localectl: Set the system keyboard mapping for the console and X11" { + sudo localectl set-keymap uk +} + diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats new file mode 100644 index 000000000..d9ba38444 --- /dev/null +++ b/tests/integration/systemd/machinectl.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "importctl: Import an image as a machine" { + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble +} + +@test "machinectl: Display a list of available images" { + sudo machinectl list-images +} + +@test "machinectl: Start a machine as a service using systemd-nspawn" { + sudo machinectl start noble +} + +@test "machinectl: Display a list of running machines" { + sudo machinectl list +} + +@test "machinectl: Stop a running machine" { + sudo machinectl stop noble +} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats new file mode 100644 index 000000000..81418ba01 --- /dev/null +++ b/tests/integration/systemd/networkctl.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "networkctl: List existing links with their status" { + sudo networkctl list +} + +@test "networkctl: Show an overall network status" { + sudo networkctl status +} + +@test "networkctl: Reload configuration files (.netdev and .network)" { + sudo networkctl reload +} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 000000000..dff1083e2 --- /dev/null +++ b/tests/integration/utils/fstrim.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "fstrim: Trim unused blocks on all mounted partitions that support it" { + sudo fstrim --all +} + +@test "fstrim: Trim unused blocks on a specified partition" { + sudo fstrim --verbose / +} From ac3e0fea59923648b75f46684702632d5d29bf80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:34:31 +0200 Subject: [PATCH 638/977] fix: profile compilation issue. --- apparmor.d/groups/utils/zramctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index a5fa2eb75..29428a96f 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,13 +13,13 @@ profile zramctl @{exec_path} { @{exec_path} mr, - @{sys}/devices/virtual/block/zram{int}/disksize w, - @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, From b878ce1ea23b6287ea6875e7aced36d13a10104c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 01:04:37 +0200 Subject: [PATCH 639/977] chore: fix linter issues. --- apparmor.d/profiles-g-l/kernel-postinst-kdump | 4 ++-- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 4790c5cb7..50606695a 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -18,7 +18,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{bin}/mkdir rix, @@ -49,7 +49,7 @@ profile kernel-postinst-kdump @{exec_path} { include include - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..18610de27 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index ceac5436b..5a65b40a9 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,7 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/stty rix, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, From f6914a87302f9026215234ea36d6dfcf10d6607e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:17:03 +0200 Subject: [PATCH 640/977] fix(profile): various fixes from issue raised by the CI. --- apparmor.d/groups/apt/dpkg-script-systemd | 7 ++++++- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/localectl | 4 ++++ apparmor.d/groups/systemd/systemd-localed | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 1 + apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-g-l/kernel-install | 1 + 7 files changed, 18 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 722e72c53..6c76e6f70 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{coreutils_path} rix, @@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} { @{bin}/dpkg-divert Px, @{bin}/dpkg-maintscript-helper Px, @{bin}/journalctl Px, - @{bin}/kernel-install Px, + @{bin}/kernel-install mrPx, @{bin}/systemctl Cx -> systemctl, @{bin}/systemd-machine-id-setup Px, @{bin}/systemd-sysusers Px, @@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} { /etc/pam.d/sed@{rand6} rw, /etc/pam.d/common-password rw, + @{efi}/ r, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, profile dpkg { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 47e8737fe..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, capability sys_resource, signal send peer=child-pager, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index f9a3625ef..0d46dbfed 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -17,6 +17,10 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c15eaf5b2..e98bef009 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 20e940b1d..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index abd6c90ec..c21fa2788 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 96d097417..be5d877a9 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -14,6 +14,7 @@ profile kernel-install @{exec_path} { include include + capability sys_rawio, capability sys_resource, ptrace read peer=@{p_systemd}, From b2910ae59329af14143c384c307cbe7f42a47665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:22:13 +0200 Subject: [PATCH 641/977] tests(check): add support for '#aa:lint ignore' inline directive to disable linting. --- pkg/prebuild/directive/core.go | 3 +++ tests/check.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 6138eec0c..cde9470dc 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -106,6 +106,9 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { + if opt.Name == "lint" { + continue + } return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) diff --git a/tests/check.sh b/tests/check.sh index 8b847db6f..39d7f8158 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -51,12 +51,24 @@ _wait() { fi } +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local line="$1" + if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + return 0 + fi + return 1 +} + _check() { local file="$1" local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) + if _ignore_lint "$line"; then + continue + fi # Rules checks _check_abstractions @@ -339,7 +351,10 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) + mapfile -t files < <( + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + cut -d: -f1,2 + ) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done From ef9b93b866109751be1f00d308190dd923e06698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:00:48 +0200 Subject: [PATCH 642/977] tests(check): enable more linter rule. --- tests/check.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 39d7f8158..708b2fe99 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -75,6 +75,8 @@ _check() { _check_directory_mark _check_equivalent _check_too_wide + _check_transition + _check_useless # Guidelines check _check_abi @@ -137,6 +139,7 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue + [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi @@ -172,6 +175,55 @@ _check_too_wide() { done } +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) +_check_transition() { + _is_enabled transition || return 0 + for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' + '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' + '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + '/usr/share/locale/' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -388,7 +440,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent useless transition abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -408,7 +460,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -429,7 +481,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide header tabs trailing indentation vim ) for file in "${files[@]}"; do From 85383ed361d80027f1527891dda1463a4e112cfc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:08:55 +0200 Subject: [PATCH 643/977] fix: newly detected linter issues. --- apparmor.d/abstractions/common/app | 6 +++--- apparmor.d/groups/browsers/epiphany | 1 - apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/profiles-a-f/adequate | 2 -- apparmor.d/profiles-g-l/kernel-install | 3 +++ 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a3fb2c5ef..15b730fb2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,11 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, - owner /dev/shm/** rwlk -> /dev/shm/**, + owner @{tmp}/** rmwk, #aa:lint ignore + owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 636bbf9d3..86b293e8d 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -51,7 +51,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 5d2cafd95..729455f7f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index b7a62fc82..da8f64bc2 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -54,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index be5d877a9..bd1438f96 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -42,7 +42,10 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + / r, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, From f1a96db3172334c50303024aeb07fbd6f821ce18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:11:20 +0200 Subject: [PATCH 644/977] feat(profile): add missing update-alternatives & mdadm profiles. --- apparmor.d/profiles-a-f/dracut-install | 26 +++++++++++++++++ apparmor.d/profiles-m-r/mdadm | 39 ++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/dracut-install create mode 100644 apparmor.d/profiles-m-r/mdadm diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..2000635d3 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + + @{exec_path} mr, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 000000000..7601f16df --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} { + include + include + + capability sys_admin, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{run}/initctl r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + + /dev/**/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 71670d4d7..3aeab3192 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -90,6 +90,7 @@ dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -232,6 +233,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain From 8f7e373f6270b172ffdd09b325c4228952cdcb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:21:53 +0200 Subject: [PATCH 645/977] fix: update-alternatives is **not** installed in sbin. --- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index da8f64bc2..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c3155ce75..b718f7d18 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,9 +38,9 @@ profile kernel @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, - @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 18610de27..14a83ffbb 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 4d38ab9c1..d280c145a 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -21,7 +21,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a5..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1d0eb5b97..a8b439478 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -766,7 +766,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-ca-certificates update-catalog update-cracklib From 18212c9ff7a0fe96d3ae6299d76503ca3a32dad2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:03:06 +0200 Subject: [PATCH 646/977] tests: re-enable apt tests. --- tests/integration/apt/apt.bats | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index 4be0edd8d..3f13d4ea4 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -5,10 +5,6 @@ load ../common -setup_file() { - skip -} - @test "apt: Update the list of available packages and versions" { sudo apt update } @@ -38,11 +34,11 @@ setup_file() { } @test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean + sudo apt autoclean -y } @test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove + sudo apt autoremove -y } @test "apt: List all packages" { From 5a08ffc9ba485878eba448366459f2ef55625274 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:19:35 +0200 Subject: [PATCH 647/977] fix(profile): apply fixes raised by tests --- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/abstractions/common/electron | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 7 ++++++- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/ubuntu/update-notifier-crash | 15 +++++++++++++-- apparmor.d/profiles-a-f/dracut-install | 1 + apparmor.d/profiles-m-r/mdadm | 1 + 9 files changed, 29 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b002d6fa4..b683cf128 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -26,6 +26,11 @@ member={ItemNew,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 341cf58ce..4fb1764bc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -8,7 +8,7 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..6216ec939 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 641862965..b2ae65450 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -12,14 +12,19 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index f3f27b523..c791e6375 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -31,6 +31,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 6c4dc4d77..361290980 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -85,7 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index dee094aa1..d65c77a08 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -9,17 +9,28 @@ include @{exec_path} = @{lib}/update-notifier/update-notifier-crash profile update-notifier-crash @{exec_path} { include + include @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, - + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, /usr/share/apport/apport-checkreports Px, + owner @{HOME}/ r, + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 2000635d3..6deb06eb6 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/dracut/dracut-install profile dracut-install @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 7601f16df..15adcb9e6 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/mdadm profile mdadm @{exec_path} { include + include include capability sys_admin, From 4a3a98c77d3fefb403a1bb775bca51a088006451 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 18:46:17 +0200 Subject: [PATCH 648/977] fix(profile): fixes for issues raised by newly enabled tests. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/apt/dpkg-script-linux | 12 +++++++++++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/network/netplan-generate | 1 + apparmor.d/profiles-s-z/ucf | 12 ++---------- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 716cd1dc8..66131c6e7 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, + @{bin}/which{,.debianutils} ix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index d6a8db473..24c6c74df 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -19,11 +19,14 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-maintscript-helper Px, @{bin}/dpkg-trigger Px, @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/dpkg-maintscript-helper Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, @@ -36,6 +39,13 @@ profile dpkg-script-linux @{exec_path} { @{lib}/linux/triggers/* w, @{lib}/modules/*/.fresh-install w, + profile systemctl { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 44e4790c4..5743ab904 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -80,6 +80,7 @@ profile dpkg-scripts @{exec_path} { /tmp/tmp.@{rand10} rw, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, profile bus { include diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 64f8399e1..74ed20aaf 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/netplan/generate profile netplan-generate @{exec_path} flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 3c3374d85..9e459f261 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/ucf profile ucf @{exec_path} { include + include include include @@ -17,11 +18,11 @@ profile ucf @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, @{bin}/getopt rix, @{bin}/id rix, @{bin}/md5sum rix, @@ -39,8 +40,6 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend Cx -> debconf, - # For md5sum /usr/share/** r, @@ -57,13 +56,6 @@ profile ucf @{exec_path} { deny capability sys_admin, # optional: no audit - profile debconf { - include - include - - include if exists - } - include if exists } From 7d2229cd05134f491a671f4f2e61b9216dc07420 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:18:00 +0200 Subject: [PATCH 649/977] build: fully replace make by just. --- .github/workflows/main.yml | 17 +-- .gitlab-ci.yml | 11 +- Justfile | 6 +- Makefile | 100 ------------------ debian/apparmor.d.hide | 2 +- debian/control | 1 + debian/rules | 8 +- dists/apparmor.d.spec | 5 +- dists/build.sh | 2 +- dists/ignore/main.ignore | 2 +- docs/development/build.md | 2 +- docs/development/roadmap.md | 2 +- docs/development/tests.md | 6 +- docs/development/workflow.md | 14 +-- docs/enforce.md | 44 ++++---- docs/full-system-policy.md | 42 ++++---- docs/install.md | 19 ++-- tests/check.sh | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 1 + tests/cloud-init/archlinux-xfce.user-data.yml | 1 + tests/cloud-init/opensuse.yml | 2 +- tests/packer/src/aa-update | 6 +- 22 files changed, 113 insertions(+), 182 deletions(-) delete mode 100644 Makefile diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 973287e72..a3d7b3266 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,9 +9,14 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 + - name: Install linter dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y just + - name: Run basic profile linter check run: | - make check + just check build: runs-on: ${{ matrix.os }} @@ -32,13 +37,13 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils + auditd apparmor-profiles apparmor-utils just sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path @@ -95,7 +100,7 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support + bats bats-support just - name: Install apparmor.d run: | @@ -127,12 +132,12 @@ jobs: - name: Install integration dependencies run: | - bash tests/requirements.sh + just init find /usr/sbin/ -type f - name: Run the integration tests run: | - make integration + just integration - name: Show final AppArmor logs if: always() diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8adab16ab..7b4c13519 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -66,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -84,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:12 + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -105,7 +104,7 @@ ubuntu: script: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,7 +116,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build diff --git a/Justfile b/Justfile index f9ce13c36..7a84af1be 100644 --- a/Justfile +++ b/Justfile @@ -157,7 +157,7 @@ dpkg: [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm - @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm + @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm [group('tests')] [doc('Run the unit tests')] @@ -213,8 +213,8 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist =~ debian([0-9]+) ]]; then - version="${BASH_REMATCH[1]}" + elif [[ $dist == debian ]]; then + version="trixie" dist="debian" fi bash dists/docker.sh $dist $version diff --git a/Makefile b/Makefile deleted file mode 100644 index 854d39f16..000000000 --- a/Makefile +++ /dev/null @@ -1,100 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: fsp -fsp: build - @./${BUILD}/prebuild --full - -.PHONY: fsp-complain -fsp-complain: build - @./${BUILD}/prebuild --complain --full - -.PHONY: install -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - - -.PHONY: $(PROFILES) -$(PROFILES): - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: integration -integration: - @bats --recursive --timing --print-output-on-failure tests/integration/ diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/control b/debian/control index 7f2028b0e..56ad928ba 100644 --- a/debian/control +++ b/debian/control @@ -6,6 +6,7 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/debian/rules b/debian/rules index a30a693df..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules @@ -9,5 +9,9 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -# do not run 'make check' by default as it can be long for dev package -override_dh_auto_test: +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d88036..bf97705a6 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans rm -f /var/cache/apparmor/* 2>/dev/null diff --git a/dists/build.sh b/dists/build.sh index 1f2e204c2..9b9f9e765 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 3cccf4c05..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -2,7 +2,7 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages diff --git a/docs/development/build.md b/docs/development/build.md index 5145a8416..eaa2487a2 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -2,7 +2,7 @@ title: Building the profiles --- -The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. The build system is fully configurable, general usage can be seen with: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index b42467e3d..2585208e5 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - [x] Add a `just` target to install the profiles in the right place - - [ ] Fully drop the Makefile in favor of `just` + - [x] Fully drop the Makefile in favor of `just` ## Next features diff --git a/docs/development/tests.md b/docs/development/tests.md index df614b4fe..4bf421d92 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo **Current** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - Build the profiles for all supported distributions. - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - Ensure the profile entry point (`@{exec_path}`) is defined. -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - Ensure apparmor.d header & licence - Ensure 2 spaces indentation - Ensure local include for profile and subprofiles @@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo - Ensure modern profile naming - Ensure `vim:syntax=apparmor` -- [x] **[Integration Tests:](integration.md)** `just integration ` +- [x] **[Integration Tests:](integration.md)** `just test-run ` - Run simple CLI commands to ensure no logs are raised. - Uses the [bats](https://github.com/bats-core/bats-core) test system. - Run in the Github Action as well as in all local [test VM](vm.md). diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7737e3775..786d77c93 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -57,7 +57,7 @@ profile foo @{exec_path} { ## Development Install -It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). +It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). Instead, install an individual profile or the development package, the following way. @@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following === ":material-arch: Archlinux" ```sh - make pkg + just pkg ``` === ":material-ubuntu: Ubuntu" ```sh - make dpkg + just dpkg ``` === ":material-debian: Debian" ```sh - make dpkg + just dpkg ``` === ":simple-suse: openSUSE" ```sh - make rpm + just rpm ``` === ":material-docker: Docker" @@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following **Format** ```sh -make dev name= +just dev ``` **Exampe** @@ -110,7 +110,7 @@ make dev name= : Testing the profile `pass` ``` - make dev name=pass + just dev pass ``` This: diff --git a/docs/enforce.md b/docs/enforce.md index 692cbd1e3..51eec0980 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This === ":material-arch: Archlinux" - In the `PKGBUILD`, replace `make` by `make enforce`: + In the `PKGBUILD`, replace `just complain` by `just enforce`: ```diff - - make DISTRIBUTION=arch - + make enforce DISTRIBUTION=arch + - just complain + + just enforce ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: ```diff - - %make_build - + %make_build enforce + %build + - just complain + %build + + just enforce ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make enforce` command to build instead of `make` + Use the `just enforce` command to build instead of `just complain` [aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index b523a1c38..a5ac57f11 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -35,7 +35,7 @@ Particularly: ## Installation -This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` @@ -46,51 +46,57 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make fsp`: + In `PKGBUILD`, replace `just complain` by `just fsp-complain`: ```diff - - make - + make fsp + - just complain + + just fsp-complain ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` + In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: ```diff - - %make_build - + %make_build fsp + %build + - just complain + %build + + just fsp-complain ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make fsp` command to build instead of `make` + Use the `just fsp-complain` command to build instead of `just complain` ## Structure diff --git a/docs/install.md b/docs/install.md index a18185fbf..416ad0f15 100644 --- a/docs/install.md +++ b/docs/install.md @@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! warning @@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. @@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, diff --git a/tests/check.sh b/tests/check.sh index 708b2fe99..f00d8aec1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -3,7 +3,7 @@ # Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index be623e625..9ed6c1d92 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -10,6 +10,7 @@ packages: # Install usefull core packages - bash-completion + - just - git - htop - man diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 54329bfb8..5bab9bf08 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -11,6 +11,7 @@ packages: # Install usefull core packages - bash-completion - git + - just - htop - man - pass diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 1adf2b6eb..57c633678 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -9,7 +9,7 @@ core-packages: &core-packages - go - golang-packaging - htop - - make + - just - rpmbuild - rsync - vim diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 48267d2f0..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac From 94bae18c2cabb0bfc88fb13fd3db794032e817ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:31:14 +0200 Subject: [PATCH 650/977] build: justfile: simplify test orchestration. --- Justfile | 31 +++++++------- docs/development/integration.md | 36 +++++++++++++++-- docs/development/vm.md | 72 ++++++++++++++++++--------------- docs/install.md | 1 + 4 files changed, 87 insertions(+), 53 deletions(-) diff --git a/Justfile b/Justfile index 7a84af1be..13a4a2d9e 100644 --- a/Justfile +++ b/Justfile @@ -284,6 +284,18 @@ destroy dist flavor: ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] +[doc('Mount the shared directory on the machine')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +[group('vm')] +[doc('Unmout the shared directory on the machine')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + [group('vm')] [doc('List the machines')] list: @@ -324,7 +336,6 @@ available: } ' - [group('tests')] [doc('Install dependencies for the integration tests')] init: @@ -349,30 +360,18 @@ tests-sync dist flavor: [group('tests')] [doc('Re-synchronize the integration tests (machine)')] -tests-resync dist flavor: (tests-mount dist flavor) \ +tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ - (tests-umount dist flavor) - -[group('tests')] -[doc('Unmout the integration tests (machine)')] -tests-umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/{{username}}/Projects/apparmor.d + (umount dist flavor) [group('tests')] [doc('Run the integration tests (machine)')] -tests-run dist flavor name="": +tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[group('tests')] -[doc('Mount integration tests (machine)')] -tests-mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 - [private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ diff --git a/docs/development/integration.md b/docs/development/integration.md index de60c8c47..b5c740f78 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -14,15 +14,43 @@ Although the integration test suite is intended to be run in a [Development VM]( ## Getting started -Prepare the test environment: +**Prepare the test environment:** ```sh just img -just vm +just create ``` -Run the integration tests on the test VM: +Example: ```sh -just integration +just img ubuntu25 desktop +just create ubuntu25 desktop +``` + +**Install dependencies for the integration tests** +```sh +just tests-init +``` + +Example: +```sh +just tests-init ubuntu25 desktop +``` + +**Run the integration tests** + +It: synchronizes the tests, unmount the shared directory, then run the tests. +```sh +just tests-run +``` + +Example: +```sh +just tests-run ubuntu25 desktop +``` + +Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: +```sh +just tests-run ubuntu25 desktop apt ``` ## Create integration tests diff --git a/docs/development/vm.md b/docs/development/vm.md index 1edddba76..1091f7d5e 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -13,53 +13,59 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container [tests] - tests # Run the unit tests - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine + tests # Run the unit tests + init # Install dependencies for the integration tests + integration # Run the integration tests + tests-init dist flavor # Install dependencies for the integration tests (machine) + tests-sync dist flavor # Synchronize the integration tests (machine) + tests-resync dist flavor # Re-synchronize the integration tests (machine) + tests-run dist flavor name="" # Run the integration tests (machine) [linter] - lint # Run the linters - check # Run style checks on the profiles + lint # Run the linters + check # Run style checks on the profiles [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist flavor # Build the VM image + create dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + mount dist flavor # Mount the shared directory on the machine + umount dist flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created See https://apparmor.pujol.io/development/ for more information. ``` diff --git a/docs/install.md b/docs/install.md index 416ad0f15..ee18e7819 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,6 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 +* [just](https://github.com/casey/just) ## Configure AppArmor From 5adc29087031c8f63930434d5e50a1fca5670089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:54:40 +0200 Subject: [PATCH 651/977] fix(profile): fixes some issues raised by tests. --- apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/groups/utils/lsfd | 38 ++++++++++++++++--------- apparmor.d/groups/utils/lsipc | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 16 +++++------ 4 files changed, 35 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ecfe09bb5..ad3945eb9 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -10,6 +10,7 @@ # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, + signal (receive) peer=pkill, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 6b30f63a9..96e497ea6 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability checkpoint_restore, capability dac_read_search, + capability net_admin, capability sys_admin, + capability sys_chroot, capability sys_ptrace, capability sys_resource, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network inet6 stream, network netlink dgram, network netlink raw, + network packet dgram, ptrace read, ptrace trace, @@ -38,20 +48,20 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - owner @{PROC}/@{pid}/syscall r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc index 12c8d333c..7677a8a03 100644 --- a/apparmor.d/groups/utils/lsipc +++ b/apparmor.d/groups/utils/lsipc @@ -27,6 +27,8 @@ profile lsipc @{exec_path} { @{PROC}/sysvipc/sem r, @{PROC}/sysvipc/shm r, + /dev/mqueue/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index df76eb4ad..a7f046c55 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -93,14 +93,14 @@ profile mkinitramfs @{exec_path} { owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, From cd15178c81789c4bd65cc2c370d9a3ed893186a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:55:46 +0200 Subject: [PATCH 652/977] tests(check): globally ignore check in commented lines. --- tests/check.sh | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index f00d8aec1..977846e62 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -70,6 +70,18 @@ _check() { continue fi + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + # The following checks do not apply to comment lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + # Rules checks _check_abstractions _check_directory_mark @@ -84,15 +96,6 @@ _check() { _check_profile _check_subprofiles - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - done <"$file" # Results @@ -139,7 +142,6 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue - [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi From 2721cf6253dda72a37ab644ac78ca338496f3636 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 00:59:12 +0200 Subject: [PATCH 653/977] build: ensure just compatibility with ubuntu 24.04 --- .github/workflows/main.yml | 12 ++++++++---- .gitlab-ci.yml | 2 +- docs/install.md | 11 ++++++++++- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a3d7b3266..bcb817338 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,8 +11,8 @@ jobs: - name: Install linter dependencies run: | - sudo apt-get update -q - sudo apt-get install -y just + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Run basic profile linter check run: | @@ -37,7 +37,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils just + auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package @@ -100,7 +102,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support just + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b4c13519..c07695b25 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -146,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: diff --git a/docs/install.md b/docs/install.md index ee18e7819..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,7 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 -* [just](https://github.com/casey/just) +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -88,6 +88,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf just dpkg ``` + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just + ``` + !!! warning **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. From 3db6d073599294d278b3b21c4a7304e5e754a6cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 01:03:40 +0200 Subject: [PATCH 654/977] fix(test): running integration tests in ci. --- Justfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 13a4a2d9e..db23ad587 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - bats --recursive --pretty --timing --print-output-on-failure tests/integration + TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] @@ -368,7 +368,6 @@ tests-resync dist flavor: (mount dist flavor) \ [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} From 9c55d62b85c4d806b33813993d5831c8c3d3b72b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 25 Jul 2025 00:56:31 +0200 Subject: [PATCH 655/977] fix: small ci fixes. --- Justfile | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 6 ++---- apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 ++ apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/ucfr | 9 +++++---- 7 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Justfile b/Justfile index db23ad587..e640a5a98 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration + bats --recursive --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 66131c6e7..2e32af979 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,7 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 24c6c74df..b294b928b 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -43,6 +43,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5743ab904..b262040f7 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,10 +62,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/ r, @{bin}/* w, @{lib}/ r, - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, - @{lib}/modules/*/.fresh-install w, + @{lib}/** w, + /opt/*/** rw, /etc/ r, /etc/** rw, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779ae..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 9e459f261..59f2d40aa 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -14,7 +14,7 @@ profile ucf @{exec_path} { include include - @{exec_path} r, + @{exec_path} rix, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index add5c5b64..4cc149a28 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -9,18 +9,19 @@ include @{exec_path} = @{bin}/ucfr profile ucfr @{exec_path} { include + include @{exec_path} mr, @{sh_path} r, - @{bin}/basename ix, - @{bin}/{m,g,}awk ix, - @{bin}/getopt ix, @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/getopt ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, - @{bin}/dirname ix, /usr/share/ucf/{,**} r, From 031e1b2b0764c5a81d67f10295405a454a7e641f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 16:54:02 +0200 Subject: [PATCH 656/977] feat: apply new linter recommendations. --- apparmor.d/abstractions/app/open | 2 +- apparmor.d/abstractions/ibus.d/complete | 4 ++-- apparmor.d/groups/cron/cron-debtags | 4 ++-- apparmor.d/groups/filesystem/udiskie-info | 3 ++- apparmor.d/groups/filesystem/udiskie-mount | 3 ++- apparmor.d/groups/filesystem/udiskie-umount | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gpg/gpgsm | 4 ++-- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 4 ++-- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 4 ++-- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-key | 4 ++-- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 3 ++- apparmor.d/groups/systemd/systemd-sysctl | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 2 +- apparmor.d/groups/systemd/systemd-tmpfiles | 4 ++-- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/esm_cache | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 4 ++-- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/profiles-a-f/aspell | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 ++-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hardinfo | 7 +++---- apparmor.d/profiles-g-l/hwinfo | 4 ++-- apparmor.d/profiles-g-l/ip | 4 ++-- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 5 +++-- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 6 +++--- apparmor.d/profiles-m-r/pcb-gtk | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- 43 files changed, 67 insertions(+), 63 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2a43affcf..9d0da2199 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -36,7 +36,7 @@ /etc/xdg/menus/ r, - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 5c53b9fa1..8132d38a9 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -15,11 +15,11 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", + addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 0b39fd3dc..b59b91472 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index 0513a8c35..3ec9e422a 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index cf147b875..01271bdc6 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a5dac16fa..2e4a44c4e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner /.fscrypt/protectors/@{hex16} r, /home/ r, - /home/.fscrypt/policies/ r, - owner /home/.fscrypt/policies/@{hex32} r, - owner /home/.fscrypt/protectors/@{hex16}.link r, + /home/.fscrypt/policies/ r, #aa:lint ignore + owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore + owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf53..2ef1a9d4a 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index ba7956438..e671d32fb 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} { @{bin}/udevadm rPx, /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, /boot/grub/grub.cfg rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 396f256cc..143df5c9e 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 9573d7044..735154b7e 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8bf1aed6a..8331951e7 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index b5a330d75..c49eb08e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index ce41d6ae8..0dae14351 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index de0d33e16..3b29e01ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 5aa612a3c..17218158e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index ce7b931ca..e6aa28627 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a9bf40360..68c958f4b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 7c0006153..d30cf1342 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9e3bde188..1e1204c27 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,9 +16,9 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> &gpg, @@ -60,7 +60,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index 3131befeb..9275c7054 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -22,7 +22,7 @@ profile sysctl @{exec_path} { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, /etc/ufw/sysctl.conf r, # Add support for ufw diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb..5e3406ea9 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 454105011..87e0ede5c 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 254faeca0..2d250f63c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - /usr/lib/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index e37073f47..0e1e404ab 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index faf15dfbe..7f4e8fbe2 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache index 2596d6c12..53238564a 100644 --- a/apparmor.d/groups/ubuntu/esm_cache +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py profile esm_cache @{exec_path} { include include diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index dc67817ed..a5b65f5b3 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/ssh-keygen rPx, @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, + @{lib}/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 61898a3e4..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c21fa2788..c57f7a9f8 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, - mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rslave) -> /, @@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index e8a83892a..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -32,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1dcdf8042..561e1af61 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 719625dbd..0ad848c50 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -20,7 +20,7 @@ profile gpu-manager @{exec_path} { @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index b63a9e5ed..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 314975208..04a1d8f57 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for /proc/ioports + capability sys_admin, # Needed for @{PROC}/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for /proc/kmsg + capability syslog, # Needed for @{PROC}/kmsg network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..0a27c4b59 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> /sys/, + mount fstype=sysfs -> @{sys}, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount /sys/, + umount @{sys}, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index a793bf707..5099c53f3 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -74,7 +74,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index a7f046c55..7d1394e2a 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -69,10 +69,11 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + @{lib}/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d75301fc6..a8189694e 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,14 +19,14 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd64-microcode* r, + /usr/share/misc/amd-microcode* r /usr/share/misc/intel-microcode* r, - /etc/default/amd64-microcode r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd64-ucode.img r, + /boot/amd-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2f057f2a7..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -20,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index a83c867fa..8e39c7620 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, From 41fc182860e760ca0f64781568f94a21973cfec3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:00:15 +0200 Subject: [PATCH 657/977] fix(test): minor integration tests fixes. --- apparmor.d/groups/apt/dpkg-statoverride | 3 +++ tests/integration/systemd/localectl.bats | 8 ++++++-- tests/integration/systemd/machinectl.bats | 6 +++--- tests/integration/utils/lspci.bats | 1 + 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index d2e02f613..804e1675b 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,10 +9,13 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include include @{exec_path} mr, + /var/lib/dpkg/statoverride r, + include if exists } diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats index 5d82683a2..71dfd2e06 100644 --- a/tests/integration/systemd/localectl.bats +++ b/tests/integration/systemd/localectl.bats @@ -17,7 +17,11 @@ load ../common sudo localectl set-locale LANG=en_US.UTF-8 } -@test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk +@test "localectl: List available keymaps" { + localectl list-keymaps || true +} + +@test "localectl: Set the system keyboard mapping for the console and X11" { + sudo localectl set-keymap uk || true } diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats index d9ba38444..18771ae72 100644 --- a/tests/integration/systemd/machinectl.bats +++ b/tests/integration/systemd/machinectl.bats @@ -6,7 +6,7 @@ load ../common @test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true } @test "machinectl: Display a list of available images" { @@ -14,7 +14,7 @@ load ../common } @test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble + sudo machinectl start noble || true } @test "machinectl: Display a list of running machines" { @@ -22,5 +22,5 @@ load ../common } @test "machinectl: Stop a running machine" { - sudo machinectl stop noble + sudo machinectl stop noble || true } diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 1b86dd41f..848b7ef61 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -7,6 +7,7 @@ load ../common @test "lspci: Show a brief list of devices" { lspci + sudo lspci } @test "lspci: Display additional info" { From 78c41305fa99e21e2fc05c0fd5880248ca830967 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:03:28 +0200 Subject: [PATCH 658/977] tests(check): look for missing tunables. --- tests/check.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 977846e62..e345bb14c 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -89,6 +89,7 @@ _check() { _check_too_wide _check_transition _check_useless + _check_variables # Guidelines check _check_abi @@ -107,7 +108,7 @@ _check() { _res_vim } -# Rules checks: security, compatibility and rule issues +# Rules checks: security, compatibility, and rule issues readonly ABS="abstractions" readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) @@ -226,6 +227,51 @@ _check_useless() { done } +declare -A VARIABLES_MISSING=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_variables() { + _is_enabled variables || return 0 + for pattern in "${!VARIABLES_MISSING[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -442,7 +488,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition + abstractions directory_mark equivalent useless transition variables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -462,7 +508,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -483,7 +529,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables header tabs trailing indentation vim ) for file in "${files[@]}"; do From dfb07626255518d6f539ef5b13fabdce8ff7faa9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:47:02 +0200 Subject: [PATCH 659/977] fix(profile): parer issue. --- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index a8189694e..3c1c32093 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,7 +19,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd-microcode r, From c0b43c86b6573b5f3e510f1548585e3a2c94af2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:28:54 +0200 Subject: [PATCH 660/977] tests(check): add support for blocl ignore, handle inline comments. --- apparmor.d/abstractions/common/app | 7 ++- apparmor.d/abstractions/ibus.d/complete | 6 +- apparmor.d/groups/gnome/gdm-session-worker | 7 ++- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-g-l/hwinfo | 4 +- tests/check.sh | 69 ++++++++++++++++------ 6 files changed, 65 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 15b730fb2..14106ad81 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,12 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, #aa:lint ignore - owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore + #aa:lint ignore=too_wide + owner @{tmp}/** rmwk, + owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 8132d38a9..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) @@ -15,11 +16,10 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore - + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore + addr="@/home/*/.cache/ibus/dbus-????????", dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 2e4a44c4e..3bab1b134 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, - /home/.fscrypt/policies/ r, #aa:lint ignore - owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore - owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c57f7a9f8..44d9f64a0 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, - @{bin}/runc rUx, #aa:lint ignore + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 04a1d8f57..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for @{PROC}/ioports + capability sys_admin, # Needed for /proc/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for @{PROC}/kmsg + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, diff --git a/tests/check.sh b/tests/check.sh index e345bb14c..e593b352a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,6 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK +declare _check_is_disabled readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -39,7 +40,17 @@ _in_array() { } _is_enabled() { - _in_array "$1" "${WITH_CHECK[@]}" + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 } _wait() { @@ -51,13 +62,34 @@ _wait() { fi } +_IGNORE_LINT_BLOCK=false readonly _IGNORE_LINT="#aa:lint ignore" _ignore_lint() { - local line="$1" - if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block + _IGNORE_LINT_BLOCK=true + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + else + _check_is_disabled=() fi - return 1 } _check() { @@ -66,9 +98,7 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) - if _ignore_lint "$line"; then - continue - fi + _ignore_lint "$line" # Style check if [[ $line_number -lt 10 ]]; then @@ -79,8 +109,11 @@ _check() { _check_indentation _check_vim - # The following checks do not apply to comment lines + # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi # Rules checks _check_abstractions @@ -89,7 +122,7 @@ _check() { _check_too_wide _check_transition _check_useless - _check_variables + _check_tunables # Guidelines check _check_abi @@ -227,7 +260,7 @@ _check_useless() { done } -declare -A VARIABLES_MISSING=( +declare -A TUNABLES=( # User variables ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" @@ -260,14 +293,14 @@ declare -A VARIABLES_MISSING=( ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ) -_check_variables() { - _is_enabled variables || return 0 - for pattern in "${!VARIABLES_MISSING[@]}"; do +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do rpattern="$pattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -452,7 +485,7 @@ check_sbin() { for name in "${sbin[@]}"; do ( mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" apparmor.d | cut -d: -f1,2 ) for file in "${files[@]}"; do @@ -488,7 +521,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition variables + abstractions directory_mark equivalent useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -508,7 +541,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -529,7 +562,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From da4f5f8a2c569714011c3996a60e814dbd21e001 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:31:57 +0200 Subject: [PATCH 661/977] fix(profile): lspci as root needs sys_admin. Raised by CI. --- apparmor.d/groups/utils/lspci | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 0ae22a03a..63a2d50ab 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,6 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability sys_admin, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, From 1d3b58f15ca1bdc7d107fda7950ff32c29d1dc07 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:15:52 +0200 Subject: [PATCH 662/977] tests(check): enable and enfore more checks. --- apparmor.d/abstractions/common/app | 4 +- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/debsums | 2 +- apparmor.d/groups/apt/dpkg | 3 +- apparmor.d/groups/apt/dpkg-divert | 1 + apparmor.d/groups/apt/dpkg-scripts | 2 + apparmor.d/groups/filesystem/btrfs | 4 +- apparmor.d/groups/filesystem/udisksd | 4 +- apparmor.d/groups/gnome/gdm-generate-config | 13 +++- apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-install | 12 ++-- apparmor.d/groups/grub/grub-mkconfig | 4 +- apparmor.d/groups/grub/grub-mkrelpath | 4 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 6 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/pacman/mkinitcpio | 6 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 3 +- .../groups/pacman/pacman-hook-mkinitcpio | 10 +-- .../pacman/pacman-hook-mkinitcpio-remove | 6 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 +- .../systemd-generator-gpt-auto | 3 +- .../systemd-service/grub-common.service | 4 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/utils/fsck | 2 +- apparmor.d/groups/utils/fstrim | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/deluser | 1 + apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/etckeeper | 1 + apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/ioping | 2 +- .../profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-g-l/kernel-install | 15 ++--- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/linux-version | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 6 +- .../needrestart-iucode-scan-versions | 6 +- .../needrestart-vmlinuz-get-version | 5 +- apparmor.d/profiles-m-r/os-prober | 6 +- apparmor.d/profiles-m-r/packagekitd | 3 +- .../profiles-s-z/spectre-meltdown-checker | 6 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- apparmor.d/profiles-s-z/update-initramfs | 6 +- apparmor.d/profiles-s-z/updatedb-mlocate | 6 +- tests/check.sh | 64 ++++++++++--------- 57 files changed, 148 insertions(+), 130 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 14106ad81..74c82f92a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,10 +56,10 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide owner @{user_games_dirs}/** rmix, - #aa:lint ignore=too_wide + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 0994006da..d2e9e9260 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/systemctl rix, + @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, include if exists diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 6f66426ec..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -37,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 53bebdccf..2c1ac1ce5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -43,10 +43,11 @@ profile dpkg @{exec_path} { # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c..e2d386804 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index b262040f7..da5da33a1 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} { /etc/** PUx, /usr/share/** PUx, + #aa:lint ignore=too-wide # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/** w, /opt/*/** rw, + #aa:lint ignore=too-wide /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 82742fd4a..40149588d 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index ab3813973..2ff82f5e4 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> /boot/efi/, + mount fstype=vfat -> @{efi}/, # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, @@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount /boot/efi/, + umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 359eeb75f..7240ffaef 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/pkill rCx -> pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} { @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ebf975673..fc9b923d8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a..29f9bf8f7 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 6c45cac39..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) { /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/ r, - /boot/EFI/*/grubx*.efi rw, - /boot/efi/EFI/ r, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/efi/EFI/ubuntu/* w, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, @{sys}/devices/**/hid r, @{sys}/devices/**/path r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1b5d26125..c081d53c3 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index a60a6aaba..789f68287 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index e671d32fb..d900ec2f6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} { @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index e1037c6b7..017083eaf 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -26,9 +26,9 @@ profile grub-probe @{exec_path} { /usr/share/grub/* r, / r, - /boot/ r, - /boot/grub/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/ r, + @{efi}/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 93b344cf8..9961a778e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index eebade917..2ed232f85 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -68,7 +68,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 61e910c88..a5f867378 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -67,7 +67,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 1f1fc66eb..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, @{efi}/ r, - @{efi}/EFI/{,**} rw, @{efi}/@{hex32}/{,**} rw, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf4..497386125 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 01543d63f..427ac0141 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 68c958f4b..48ce25ab2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /{boot,efi}/EFI/boot/boot*.efi rw, - /boot/initramfs-*-fallback.img rw, - /boot/initramfs-*.img rw, - /boot/vmlinuz-* rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index d30cf1342..6378ca991 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 8628aa716..5d7c18d59 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 5f0885693..0f975b3b0 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -133,8 +133,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 0d6c09c6b..4bf0092d0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index f8cf34f25..fc4de5edc 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -19,8 +19,8 @@ profile grub-common.service { @{bin}/mkdir ix, @{bin}/rm ix, - /boot/grub/ w, - /boot/grub/grubenv rw, + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d69e7a4c4..bcdcf108d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 40694aff9..e2537b21c 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) { # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 250794671..87bd7fad5 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index bab16bca7..2fcd83048 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1..cd1e7563f 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -23,7 +23,7 @@ profile baobab @{exec_path} { / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3505126ad..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -31,6 +31,7 @@ profile deluser @{exec_path} { owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 7c594c900..4a2178322 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b47..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 235d0cadc..35dc03584 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index b5bf58ff2..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 264e49ebc..947cfabd1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} { # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index b718f7d18..41098ab4b 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -52,7 +52,7 @@ profile kernel @{exec_path} { # For shell pwd / r, - /boot/ r, + @{efi}/ r, /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index bd1438f96..dede5da41 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -44,15 +44,12 @@ profile kernel-install @{exec_path} { / r, - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index d1e142a13..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5099c53f3..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index a95647712..c718b6495 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -15,7 +15,7 @@ profile linux-version @{exec_path} { @{exec_path} r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 7d1394e2a..42489117e 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/config-* r, - owner /boot/initrd.img-*.new rw, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c1c32093..3c826cd74 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} { /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd-ucode.img r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 4474c1bfc..3828f9228 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index da853aa9a..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 873b4ef7d..9de9cadf9 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5277dcc1e..6e5af1288 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} { owner /dev/cpu/@{int}/msr rw, owner /dev/kmsg r, - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/module/kvm_intel/parameters/ept r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 59f2d40aa..47826d336 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -44,7 +44,7 @@ profile ucf @{exec_path} { /usr/share/** r, # For writing new config files - /etc/** rw, + /etc/** rw, #aa:lint ignore=too-wide # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 3ee530970..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} { @{bin}/rm rix, @{bin}/xzcat rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 472de3343..50f11caea 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index a9c77b5c2..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} { # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/tests/check.sh b/tests/check.sh index e593b352a..c2e954834 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -17,14 +17,14 @@ readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" } _err() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" echo "true" >"$RES" } @@ -160,24 +160,24 @@ _check_abstractions() { local absname for absname in "${ABS_DANGEROUS[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" fi done for absname in "${!ABS_DEPRECATED[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') _check_directory_mark() { - _is_enabled directory_mark || return 0 + _is_enabled directory-mark || return 0 for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then - _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi fi done @@ -195,7 +195,7 @@ _check_equivalent() { for prgmname in "${!EQUIVALENTS[@]}"; do if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi fi done @@ -203,10 +203,10 @@ _check_equivalent() { readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') _check_too_wide() { - _is_enabled too_wide || return 0 + _is_enabled too-wide || return 0 for pattern in "${TOOWIDE[@]}"; do if [[ "$line" == *" $pattern "* ]]; then - _err security "$file:$line_number" "rule too wide: '$pattern'" + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" fi done } @@ -227,19 +227,19 @@ _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn security "$file:$line_number" \ + _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi done @@ -255,7 +255,7 @@ _check_useless() { _is_enabled useless || return 0 for rule in "${!USELESS[@]}"; do if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" fi done } @@ -279,6 +279,8 @@ declare -A TUNABLES=( ["(x86_64|amd64|i386|i686)"]='@{arch}' ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" ["/var/run/"]='@{run}/' ["/run/"]='@{run}/' ["user/[0-9]*/"]='user/@{uid}/' @@ -300,7 +302,7 @@ _check_tunables() { [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -318,7 +320,7 @@ _check_abi() { _res_abi() { _is_enabled abi || return 0 if ! $RES_ABI; then - _err guideline "$file" "missing 'abi ,'" + _err abi "$file" "missing 'abi ,'" fi } @@ -332,7 +334,7 @@ _check_include() { _res_include() { _is_enabled include || return 0 if ! $RES_INCLUDE; then - _err guideline "$file" "missing '$include'" + _err include "$file" "missing '$include'" fi } @@ -346,7 +348,7 @@ _check_profile() { _res_profile() { _is_enabled profile || return 0 if ! $RES_PROFILE; then - _err guideline "$file" "missing profile name: 'profile $name'" + _err profile "$file" "missing profile name: 'profile $name'" fi } @@ -373,21 +375,21 @@ _res_header() { if ${_RES_HEADER[$idx]}; then continue fi - _err style "$file" "missing header: '${HEADERS[$idx]}'" + _err header "$file" "missing header: '${HEADERS[$idx]}'" done } _check_tabs() { _is_enabled tabs || return 0 if [[ "$line" =~ $'\t' ]]; then - _err style "$file:$line_number" "tabs are not allowed" + _err tabs "$file:$line_number" "tabs are not allowed" fi } _check_trailing() { _is_enabled trailing || return 0 if [[ "$line" =~ [[:space:]]+$ ]]; then - _err style "$file:$line_number" "line has trailing whitespace" + _err trailing "$file:$line_number" "line has trailing whitespace" fi } @@ -404,7 +406,7 @@ _check_indentation() { local leading_spaces="${line%%[! ]*}" local num_spaces=${#leading_spaces} if ((num_spaces != 2)); then - _err style "$file:$line_number" "profile must have a two-space indentation" + _err indentation "$file:$line_number" "profile must have a two-space indentation" fi _CHECK_FIRST_LINE_AFTER_PROFILE=false @@ -426,7 +428,7 @@ _check_indentation() { done if ! $ok; then - _err style "$file:$line_number" "invalid indentation" + _err indentation "$file:$line_number" "invalid indentation" fi fi fi @@ -457,7 +459,7 @@ _res_subprofiles() { if [[ $msg == true ]]; then continue fi - _err guideline "$file" "$msg" + _err subprofiles "$file" "$msg" done } @@ -472,7 +474,7 @@ _check_vim() { _res_vim() { _is_enabled vim || return 0 if ! $RES_VIM; then - _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -489,7 +491,7 @@ check_sbin() { cut -d: -f1,2 ) for file in "${files[@]}"; do - _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done ) & _wait jobs @@ -504,7 +506,7 @@ check_sbin() { while read -r match; do name="${match/\@\{sbin\}\//}" if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & @@ -521,7 +523,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition tunables + abstractions directory-mark equivalent too-wide useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -541,7 +543,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -562,7 +564,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From 540cbc1ae9640b19663a3868dad1ec9e23d75108 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:18:59 +0200 Subject: [PATCH 663/977] fix(tests): ignore some failed command. --- tests/integration/utils/chsh.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats index ccdadc6e3..a23799def 100644 --- a/tests/integration/utils/chsh.bats +++ b/tests/integration/utils/chsh.bats @@ -10,10 +10,10 @@ load ../common } @test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true } # bats test_tags=chsh @test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root + sudo chsh --shell /usr/bin/sh root || true } From 7e7fd83ed6cd3a6f142ccbccf91a45717fde4281 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:28 +0200 Subject: [PATCH 664/977] chore: Justfile costemic --- Justfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Justfile b/Justfile index e640a5a98..ffed74ef5 100644 --- a/Justfile +++ b/Justfile @@ -52,7 +52,7 @@ prefix := "aa-" [doc('Show this help message')] help: @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." [group('build')] [doc('Build the go programs')] @@ -213,7 +213,7 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist == debian ]]; then + elif [[ $dist == debian* ]]; then version="trixie" dist="debian" fi @@ -299,7 +299,7 @@ umount dist flavor: [group('vm')] [doc('List the machines')] list: - @echo -e '\033[1m Id Distribution Flavor State\033[0m' + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' [group('vm')] @@ -309,7 +309,7 @@ images: set -eu -o pipefail ls -lh {{base_dir}} | awk ' BEGIN { - printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") } { if ($9 ~ /^{{prefix}}.*\.qcow2$/) { @@ -326,7 +326,7 @@ available: set -eu -o pipefail ls -lh tests/cloud-init | awk ' BEGIN { - printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") } { if ($9 ~ /^.*\.user-data.yml$/) { From af1904118dedfe86991336dbd6996e3db7b80472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:59 +0200 Subject: [PATCH 665/977] fix(tests): ignore some failed command. --- tests/integration/utils/hwclock.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 4a1bc0f83..a3dcdc31a 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock + sudo hwclock || true } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc + sudo hwclock --systohc || true } @test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys + sudo hwclock --hctosys || true } From 68c537698110b7481ec9dec6380d08c029d3af4a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:15:31 +0200 Subject: [PATCH 666/977] Stacking firefox-crashhelper DENIED firefox exec @{lib}/firefox/crashhelper -> firefox-crashhelper info="no new privs" comm=firefox requested_mask=x denied_mask=x error=-1 --- apparmor.d/abstractions/app/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1dd15f9d8..8e25bceb0 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From aa72fa1ececf1163ee85ecffeb261de4348de95c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:15:02 +0200 Subject: [PATCH 667/977] removing firefox-crashhelper from abtraction --- apparmor.d/abstractions/app/firefox | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8e25bceb0..e63ebf612 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,6 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From 50a12756f8d80422b88c5560b9cf7cc55290d816 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:16:25 +0200 Subject: [PATCH 668/977] Update firefox: stacking firefox-crashhelper --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a3..fe8507219 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -26,8 +26,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From 2a249cfe3494976e6f6bfd3c81ecd41056af1296 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 13:24:57 +0200 Subject: [PATCH 669/977] tests(check): more linting. --- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/lxqt/startlxqt | 2 -- apparmor.d/groups/snap/snap | 1 - apparmor.d/profiles-g-l/kdump-config | 2 -- apparmor.d/profiles-m-r/needrestart | 1 - tests/check.sh | 12 +++++++++--- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index acae2d601..25ce44f14 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -57,7 +57,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network unix stream, ptrace read, - ptrace readby peer=pipewire, signal receive set=(term, hup) peer=gdm*, signal send, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 06967e694..a708e2336 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,8 +54,6 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 562f49dca..425d5cd66 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -86,7 +86,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index b6f915024..2bd8ef6b9 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -12,8 +12,6 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability sys_admin, - ptrace readby peer=@{p_systemd_journald}, - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5a65b40a9..8c908ddb4 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/tests/check.sh b/tests/check.sh index c2e954834..815f7f07e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -246,10 +246,16 @@ _check_transition() { } readonly USELESS=( - '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' - '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' - '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + 'ptrace readby' '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' ) _check_useless() { _is_enabled useless || return 0 From 1b939eaa6f7f4830f587fad42cb4a81aac22332e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 21:28:54 +0200 Subject: [PATCH 670/977] feat(profile): add more test for lspci. --- apparmor.d/groups/utils/lspci | 4 ++++ tests/integration/utils/lspci.bats | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 63a2d50ab..e8ba89298 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,8 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 848b7ef61..facf379a9 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -22,6 +22,10 @@ load ../common lspci -s 00:00.0 } +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm } From 06ce77717471ddcfd6e1b3c9527b16cf3ee7f579 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:08:10 +0200 Subject: [PATCH 671/977] fix(ci): ignore whonix pkg while debian13 is not out. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c07695b25..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -166,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix From 95ed9d3729ca1603aec5defa297a7e3ebb7fe7bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:50:42 +0200 Subject: [PATCH 672/977] fix: linter issue. --- apparmor.d/profiles-a-f/dkms | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 4a2178322..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -105,7 +105,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tmp.* rw, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, /dev/pts/@{int} rw, From 1e16b1763a3b79a7c7d764af54c5f98f9407b486 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:52:17 +0200 Subject: [PATCH 673/977] feat(abs): update browser abs. --- apparmor.d/abstractions/app/chromium | 6 ++++-- apparmor.d/abstractions/app/firefox | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e555d3475..c089d89e5 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -129,9 +129,10 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +142,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -159,6 +160,7 @@ owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e63ebf612..85922664b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,6 +21,8 @@ include include include + include + include include include include From 62959e7542426d615725d416f3f5498335f962e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:57:08 +0200 Subject: [PATCH 674/977] feat(profile): some dbus improvement. --- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/gnome/gio-launch-desktop | 2 ++ .../groups/gnome/gnome-control-center-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/localsearch | 9 +++++++++ apparmor.d/profiles-a-f/fwupd | 5 +++++ apparmor.d/profiles-s-z/terminator | 1 + 10 files changed, 28 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index debf19f25..25569cd68 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 59a24a3b3..bc975e4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -40,7 +40,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012e..84e8546e2 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,8 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 201abe4b4..51c8f5107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,6 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7cb982ca7..96dd21540 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -32,6 +32,7 @@ profile gnome-extension-gsconnect @{exec_path} { #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + dbus eavesdrop bus=session, @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 435d0049e..9fdd96e1a 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,7 +31,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 1503ba747..88e2bf327 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -29,6 +29,15 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=nautilus), + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=@{busname}, label=nautilus), + @{exec_path} mr, @{lib}/localsearch-extractor-3 ix, # nnp diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index cf5989227..7d28b3ec3 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -40,6 +40,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 5c79d0efe..d71ccf802 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,6 +13,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include From d57b86769653ae2651533dbc2a1ffe25b119b801 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 19:10:05 +0200 Subject: [PATCH 675/977] chore: cleanup unused alias --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f1be21e49..eac40a028 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -72,7 +72,4 @@ alias // -> /, -#aa:only apt -alias /usr/bin/which.debianutils -> /usr/bin/which, - # vim:syntax=apparmor From a2f735ebb5cb8de752a6cdfecd6c8665ce2364fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 23:33:47 +0200 Subject: [PATCH 676/977] feat(profile): update gvfs profiles. --- apparmor.d/groups/gvfs/gvfsd | 12 ++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 18 ++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-http | 2 ++ 3 files changed, 32 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1..c124c5855 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -37,6 +37,7 @@ profile gvfsd @{exec_path} { @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +46,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d48..4f845f316 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,9 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, @{exec_path} mr, + /usr/share/mime/mime.cache r, + + @{MOUNTS}/{,**} rw, + + @{run}/mount/utab r, + @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 92d6fbf64..5812c8a6e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -23,6 +23,8 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From e0174ac95e30f56b68e47b1ab0e9b5ad2caa2e95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:37:03 +0200 Subject: [PATCH 677/977] feat(profile): merge resolvectl and systemd-resolve. --- apparmor.d/groups/systemd/resolvectl | 10 +++++++-- apparmor.d/groups/systemd/systemd-resolve | 27 ----------------------- dists/flags/main.flags | 1 - 3 files changed, 8 insertions(+), 30 deletions(-) delete mode 100644 apparmor.d/groups/systemd/systemd-resolve diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 1ef3404d9..142d0c9d8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -7,11 +7,17 @@ abi , include @{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} { +profile resolvectl @{exec_path} flags=(attach_disconnected) { include - include include include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3af..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3aeab3192..22e9a1447 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -362,7 +362,6 @@ systemd-network-generator attach_disconnected,complain systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain -systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain From 3f37b6466860a73c1e006b5ed120fc521e612010 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:38:41 +0200 Subject: [PATCH 678/977] feat(profile): cleanup wechat profiles. --- apparmor.d/profiles-s-z/wechat | 16 ++++++------ apparmor.d/profiles-s-z/wechat-appimage | 33 ++++++++++-------------- apparmor.d/profiles-s-z/wechat-universal | 22 ++++++++-------- 3 files changed, 33 insertions(+), 38 deletions(-) mode change 100644 => 100755 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index cb554fc6b..5764deb77 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -28,14 +28,14 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{lib_dirs}/crashpad_handler ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, owner @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100644 new mode 100755 index 9f8c20338..e7eabe6ec --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -33,33 +33,28 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - /tmp/.mount_wechat??????/AppRun ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, @{bin}/fusermount{,3} Cx -> fusermount, @{bin}/dirname rix, @{bin}/readlink rix, - @{bin}/ r, - @{bin}/*/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, /etc/machine-id r, - @{tmp}/.mount_wechat@{word6}/AppRun r, - @{tmp}/.mount_wechat@{word6}/ rw, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index cd8958e8e..3824f9526 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -29,21 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, From c26d3e9755bbf38c4e8913feee23d1bd8465f87d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 8 Aug 2025 12:35:52 -0600 Subject: [PATCH 679/977] Host: allow netlink raw Querying a DNS server using it's hostname results in an apparmor denial: `host google.com dns.google.com` `apparmor="DENIED" operation="create" class="net" profile="host" pid=00000 comm="host" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"` --- apparmor.d/profiles-g-l/host | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d9..aca2c5d61 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,6 +18,7 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, From b852681cc8c11f9abf287e41823f0d70e59ace06 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Sat, 9 Aug 2025 14:55:43 +0200 Subject: [PATCH 680/977] Fix hyprpicker --- apparmor.d/groups/hyprland/hyprpicker | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2..a46d53f4c 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -17,6 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, From 9790ca7ebccfe9c27f5899eefcfe64234743ca85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:21:56 +0200 Subject: [PATCH 681/977] fix(profile): minor linter fix. --- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 142d0c9d8..dd5bdb3d4 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -17,7 +17,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { network inet raw, network inet6 raw, - network netlink raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 5eb5dac06..2370271ec 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} { @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, From a724af9dedaa86a5a7dccb191c0a54bd0aade9b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:24:29 +0200 Subject: [PATCH 682/977] tests: improve check.sh --- tests/check.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 815f7f07e..e30f21e19 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -153,6 +153,8 @@ declare -A ABS_DEPRECATED=( ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" ["dbus-session-strict"]="bus-session" ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" ) _check_abstractions() { _is_enabled abstractions || return 0 @@ -216,7 +218,7 @@ readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' sed shred stat tail tee test timeout touch truncate unlink ) readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot + ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' sysctl kmod pgrep pkexec sudo systemctl udevadm @@ -226,19 +228,19 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi @@ -455,7 +457,6 @@ _check_subprofiles() { elif $_CHEK_IN_SUBPROFILE; then if [[ "$line" == *"$include" ]]; then _RES_SUBPROFILES["$subprofile"]=true - fi fi } From 4210db4faade72baba69434134bd75b7f0a9e0bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:53:47 +0200 Subject: [PATCH 683/977] feat(profile): add more dbus interface base abs & improve dbus integration. --- apparmor.d/abstractions/bus/org.a11y | 5 +++ apparmor.d/abstractions/bus/org.bluez | 2 +- .../abstractions/bus/org.freedesktop.Avahi | 10 ++++++ .../bus/org.freedesktop.NetworkManager | 2 +- .../abstractions/bus/org.freedesktop.UPower | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 5 +++ .../bus/org.freedesktop.portal.Desktop | 11 ++++--- .../bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gtk.Notifications | 16 ++++++++++ .../bus/org.mpris.MediaPlayer2.Player | 31 +++++++++++++++++++ apparmor.d/groups/cups/cups-browsed | 5 +++ apparmor.d/groups/cups/cups-notifier-dbus | 2 ++ apparmor.d/groups/cups/cupsd | 9 ++++++ .../freedesktop/xdg-desktop-portal-gnome | 6 ++++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gio-launch-desktop | 1 + apparmor.d/groups/gnome/gnome-characters | 2 +- .../groups/gnome/gnome-extension-gsconnect | 6 ++++ apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gsd-print-notifications | 5 +++ apparmor.d/groups/network/NetworkManager | 4 +-- apparmor.d/profiles-a-f/fwupd | 4 +-- apparmor.d/profiles-s-z/spotify | 11 +++++++ 23 files changed, 128 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gtk.Notifications create mode 100644 apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index ef0e15707..2677d2f61 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -33,6 +33,11 @@ # Session bus + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 201d3998c..461ad9f94 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -8,7 +8,7 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b683cf128..aa48e69b1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -31,6 +31,16 @@ member=StateChanged peer=(name=@{busname}, label="@{p_avahi_daemon}"), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 78f0de9de..a22a235fb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -28,7 +28,7 @@ dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 69218b619..d82fbdef0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -18,7 +18,7 @@ dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower - member=DeviceAdded + member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 8461bb047..22886c8a5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -11,6 +11,11 @@ member=Lookup peer=(name="@{busname}", label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 7b19a675a..5e5967a1a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -4,11 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.Desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties @@ -35,6 +31,11 @@ member={Read,ReadAll} peer=(name="@{busname}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider new file mode 100644 index 000000000..e69de29bb diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications new file mode 100644 index 000000000..b9229f204 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=RemoveNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player new file mode 100644 index 000000000..d8581be07 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 78e7883cb..745337a8d 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -36,6 +36,11 @@ profile cups-browsed @{exec_path} { member=CheckPermissions peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=PrinterDeleted + peer=(name=@{busname}, label=cups-notifier-dbus), + @{exec_path} mr, /usr/share/cups/locale/{,**} r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus index 6e3b38490..fa31b726d 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index b3658b738..f9b70ae4d 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -44,6 +44,15 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=DeleteDevice + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceById + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1355aa22b..6ee4cab6d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell dbus send bus=session path=/org/freedesktop/portal/desktop @@ -46,6 +47,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5bef..a5a1bd414 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 84e8546e2..a3d285e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,7 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index a43168866..9af2b7d5f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -17,7 +17,7 @@ profile gnome-characters @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 96dd21540..3cf92d613 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,12 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 37b3b7892..6752f54d4 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -24,6 +24,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 9fdd96e1a..f8d4280a0 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -28,6 +28,11 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 85257c89d..fc5c39ea7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -69,8 +69,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7d28b3ec3..019aec5a9 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -14,8 +14,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include - include include include include @@ -38,7 +36,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index dfd488a48..b619a8720 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -16,6 +16,14 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include + include + include + include include include @@ -25,6 +33,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + @{exec_path} mrix, @{sh_path} mr, From 526a7e704cf2e9eb608691fe9e9d74ead7159a2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:55:08 +0200 Subject: [PATCH 684/977] feat(tunable): improve the definition of some tunables. --- apparmor.d/tunables/multiarch.d/system | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index eac40a028..359d1b878 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -38,7 +38,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @@ -47,8 +47,9 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} +#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +@{multiarch}+=*-suse-linux* # System Internal @@ -58,11 +59,12 @@ @{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} # Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 From 67c9e86d832c144d70e4d1e1d49d79ac007a8472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:00:42 +0200 Subject: [PATCH 685/977] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/cups/cups-browsed | 6 ++++-- apparmor.d/groups/cups/cupsd | 3 +++ apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 10 +++++----- apparmor.d/groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 6 ++++-- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 ++ apparmor.d/profiles-g-l/git | 5 ++++- apparmor.d/profiles-g-l/gitstatusd | 4 +++- apparmor.d/profiles-g-l/host | 5 +++-- apparmor.d/profiles-g-l/language-validate | 1 - apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-m-r/pass | 1 + apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 5 ++--- apparmor.d/profiles-s-z/thermald | 3 +-- 20 files changed, 48 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 122e4541e..38a068ac0 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/{,e}grep ix, @@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} { capability net_admin, capability sys_resource, + capability dac_override, + capability dac_read_search, signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rix, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, + owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 745337a8d..9498f245a 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} { include include - capability net_admin, +# capability net_admin, capability net_bind_service, - capability sys_nice, +# capability sys_nice, network inet dgram, network inet6 dgram, @@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f9b70ae4d..acae9b7a1 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 7240ffaef..d48b9eff6 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/pkill rCx -> pgrep, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 837f00f68..cda4568c1 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. @{bin}/@{shells} Ux, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 87820376c..27000b93a 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -26,6 +26,7 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2bd25ec16..54f366c2f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{bin}/* r, @{sbin}/* r, /opt/** r, + /usr/share/*/** r, @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 7bd5c88de..1fb3f6cb3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d..4cbe61755 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index b64c34a4b..04c9a33f2 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 6ec661d31..d3df6f5f3 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -10,6 +10,8 @@ include profile gdk-pixbuf-thumbnailer @{exec_path} { include + @{exec_path} mr, + include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index c9373c7ae..425fe2f14 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists @@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 8901ade9c..579536674 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -6,12 +6,14 @@ abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include include signal receive set=term peer=*//shell, + signal receive set=term peer=vscode, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index aca2c5d61..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -22,10 +22,11 @@ profile host @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 80f914fab..3d7383aef 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index ffe3d4119..16ccfd9da 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} { @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7e432a838..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -146,6 +146,7 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b619a8720..1ec4eeea3 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,7 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index dfdd00524..7d9143938 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/i2c-*/name r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 101310df1..b663865e8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, From 90e962dabbbb57be3ff927c02320dda8002cf0de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:02:15 +0200 Subject: [PATCH 686/977] feat(profile): chromium: cleanup shell exe. Needed to installing/remove extensions, applications, and stacked xdg menus --- apparmor.d/abstractions/app/chromium | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c089d89e5..a971ca5a0 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -86,16 +86,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 From 82c6f554b37b559d31427a195751869ba77d19cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:03:16 +0200 Subject: [PATCH 687/977] feat(abs): update list of app allowed to be openned. --- apparmor.d/abstractions/app-open | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 59724f019..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -35,6 +35,7 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @@ -46,6 +47,7 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, From 1da6e15cda25ec3ff7eeff0401546aedd70d8ef5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:04:26 +0200 Subject: [PATCH 688/977] cosmetic: cleanup usage of bash abs. --- apparmor.d/abstractions/bash-strict | 2 +- apparmor.d/abstractions/fish | 2 +- apparmor.d/abstractions/zsh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c2..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 02eacfb62..7c734a45b 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , From ece81aa6cbe0d0660db978b81cb20d140e408188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:05:15 +0200 Subject: [PATCH 689/977] feat(abs): audio: add jack.conf.d --- apparmor.d/abstractions/audio-client | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 166229a09..826191309 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -21,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, From eb642993d88ad2ca8204e0640a7c69bfa35a7ab4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 10:56:20 +0200 Subject: [PATCH 690/977] feat(profile): revisit the monitorix profile. --- apparmor.d/profiles-m-r/monitorix | 105 +++++++++++++++--------------- 1 file changed, 51 insertions(+), 54 deletions(-) diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index c708b587c..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, @@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{sbin}/ss rix, - @{bin}/who rix, - @{sbin}/lvm rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, - @{PROC}/ r, - @{PROC}/swaps r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, - @{PROC}/interrupts r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-nr r, - @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/net/ip_tables_names r, - owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, - /etc/sensors3.conf r, - /etc/sensors.d/ r, + @{PROC}/ r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/diskstats r, + @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-nr r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/net/ip6_tables_names r, include if exists } From caee95ff9edc4e8f970a41c4a289af9d83ee714f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:18:21 +0200 Subject: [PATCH 691/977] fix(test): checks.sh: allow empty disabled array. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e30f21e19..9ecd809bf 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -42,7 +42,7 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi if _in_array "$check" "${_check_is_disabled[@]}"; then From 73afa5835eb4e8ea5a201a8f44bb194f01c09dc2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:23:05 +0200 Subject: [PATCH 692/977] fix(abs): dbus: SearchProvider -> SearchProvider2 --- .../abstractions/bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gnome.Shell.SearchProvider2 | 12 ++++++++++++ 2 files changed, 12 insertions(+) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider deleted file mode 100644 index e69de29bb..000000000 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..baa96cc78 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + include if exists + +# vim:syntax=apparmor + From 175e2c3dc3ff1dc8bce2ed312141cec5f2065dfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:16:35 +0200 Subject: [PATCH 693/977] feat(profile): ensure all access to udev/data is documented. Cleanup some rule to wide in udev/data --- apparmor.d/abstractions/devices-usb-read | 6 ++--- apparmor.d/abstractions/disks-read | 6 ++--- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/_full/systemd | 5 ++-- apparmor.d/groups/_full/systemd-user | 5 ++-- apparmor.d/groups/bluetooth/bluetoothd | 2 +- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/filesystem/udisksd | 8 +++--- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/upowerd | 12 ++++----- apparmor.d/groups/freedesktop/xorg | 10 +++---- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++----- apparmor.d/groups/gnome/gsd-power | 4 +-- apparmor.d/groups/hyprland/hyprland | 8 +++--- apparmor.d/groups/kde/baloo | 4 +-- apparmor.d/groups/kde/baloorunner | 4 +-- apparmor.d/groups/kde/dolphin | 4 +-- apparmor.d/groups/kde/kwin_wayland | 8 +++--- apparmor.d/groups/lxqt/lxqt-panel | 3 ++- apparmor.d/groups/network/ModemManager | 14 +++++----- apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/steam/steam | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 4 +-- apparmor.d/groups/systemd/systemd-journald | 26 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++++----- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- .../groups/ubuntu/subiquity-console-conf | 8 +++--- apparmor.d/groups/virt/libvirtd | 6 ++--- apparmor.d/groups/virt/virtnodedevd | 16 ++++++------ apparmor.d/profiles-a-f/cheese | 3 ++- apparmor.d/profiles-a-f/fwupd | 4 ++- apparmor.d/profiles-g-l/kodi | 3 ++- apparmor.d/profiles-g-l/labwc | 7 +++-- apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-s-z/tlp | 2 +- 41 files changed, 120 insertions(+), 118 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c8015..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 872b0c552..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -101,13 +101,13 @@ @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7fc20c293..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -36,7 +36,7 @@ #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 184084fed..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/**/uevent r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index a5bb4d926..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e5443f505..2800a4124 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..8e86ee126 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 2ff82f5e4..91d4a8569 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 8f55bb375..5b72f8427 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index d7122bdbb..1201e1277 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4061af4c8..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 12c82aea3..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 85b3268dd..41b62df09 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 25ce44f14..d4c8b1ba2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a330b76ce..2fa0b0b1f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 9f2e7583d..8c8c32da0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index e53bf4039..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -44,8 +44,8 @@ profile baloo @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 8410408b3..702288a1f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,8 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2ed232f85..5d51f8c4d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -105,8 +105,8 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 101affd8c..afaac3bd0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e402..f817be69d 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 59efc3201..8220516bf 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fc5c39ea7..f7c0dd084 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 51cf215f9..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 151a3e161..5009b970d 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0fd89c199..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 374e9c4ae..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b0a646f66..ad3d96990 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 1fb3f6cb3..271354633 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 5105c69b8..ccb6d9629 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 552bd9996..bf983ea7a 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index a5b65f5b3..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c90e80af9..fa3005a65 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 957164e85..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, @{sys}/devices/@{pci}/net/{,**} r, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index cadd1beab..b308439c3 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -36,10 +36,11 @@ profile cheese @{exec_path} { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - @{run}/udev/data/c@{dynamic}:@{int} r, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 019aec5a9..ff9af895d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 5b90dd3ef..9d6c9d1c2 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf52..ab624f099 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 636f41754..b8f50ff7c 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0dccf1a23..1592d3aee 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/drivers/*/ r, From 616486d5bad36719f8096ec9a4d540f199a603ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:18:58 +0200 Subject: [PATCH 694/977] tests(check): add a check to ensure all udev/data access are documented. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 9ecd809bf..9bafd5104 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -108,6 +108,7 @@ _check() { _check_trailing _check_indentation _check_vim + _check_udev # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue @@ -485,6 +486,15 @@ _res_vim() { fi } +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi + fi +} + check_sbin() { local file name jobs mapfile -t sbin Date: Mon, 11 Aug 2025 19:38:24 +0200 Subject: [PATCH 695/977] feat(profile): fwupd: allow access to dbx --- apparmor.d/profiles-a-f/fwupd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ff9af895d..7a00455a6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - # In order to get to this file, the attach_disconnected flag has to be set + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, From f35b64bcaec3dd23c11ab55c1b0fd3f0a21d849b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 22:27:08 +0200 Subject: [PATCH 696/977] fix(profile): missing documented udev/data --- apparmor.d/abstractions/app/udevadm | 3 ++- apparmor.d/groups/_full/sd | 3 ++- apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/profiles-a-f/ddcutil | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d026..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index da14cabf3..13864f2dd 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { owner @{run}/*/** rw, @{run}/udev/**/ r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 7310586e8..3ae0a7143 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index 7c353bf65..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -28,7 +28,8 @@ profile ddcutil @{exec_path} { owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, From 8b64d7dd46364e84e435564f7e9d474d1c7c9154 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 09:27:12 +0200 Subject: [PATCH 697/977] feat(abs): electron: add cgroup memory data. --- apparmor.d/abstractions/common/electron | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 6216ec939..cd7e9e8f1 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -73,6 +73,13 @@ @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, From aab12e6948e27fcb9351ae3f5beb5ff49e4db619 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 11:07:08 +0200 Subject: [PATCH 698/977] fix(profile): dockerd can be installed in both bin or sbin depending of the package source. --- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 44d9f64a0..aa0a9ed58 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/tests/sbin.list b/tests/sbin.list index a8b439478..8ee14fd21 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -171,6 +171,7 @@ dmidecode dmraid dmsetup dnsmasq +dockerd dosfsck dosfslabel dpkg-preconfigure From 2aa0d89f84ac2ad51b021568ce52243c9fc595a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 12:45:55 +0200 Subject: [PATCH 699/977] feat(profile): update firefox stack. --- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 4 +++- apparmor.d/profiles-s-z/thunderbird | 6 +++--- apparmor.d/profiles-s-z/thunderbird-glxtest | 4 +++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 97e5645b9..30281f2f4 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,8 +16,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 4939edfbf..2d8697259 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 02046580c..da163c2ae 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 626896a09..4f25e0862 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -15,11 +15,13 @@ profile thunderbird-glxtest @{exec_path} { include include include - include include + include @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, From a5aa13923b657c9dee16d11c378d80215b14d949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 16:11:10 +0200 Subject: [PATCH 700/977] build: add support for building multiple version of the package. --- Justfile | 10 +++++----- pkg/prebuild/cli/cli.go | 28 +++++++++++++++++++++------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/Justfile b/Justfile index ffed74ef5..3e16a75e8 100644 --- a/Justfile +++ b/Justfile @@ -63,27 +63,27 @@ build: [group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build - @./{{build}}/prebuild + @./{{build}}/prebuild --buildir {{build}} [group('build')] [doc('Prebuild the profiles in complain mode')] complain: build - @./{{build}}/prebuild --complain + ./{{build}}/prebuild --buildir {{build}} --complain [group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build - @./{{build}}/prebuild --full + @./{{build}}/prebuild --buildir {{build}} --full [group('build')] [doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build - @./{{build}}/prebuild --complain --full + @./{{build}}/prebuild --buildir {{build}} --complain --full [group('build')] [doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build - @./{{build}}/prebuild --complain --full --debug + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug [group('install')] [doc('Install prebuild profiles')] diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 51636f848..000aa65f9 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -26,13 +26,15 @@ const ( internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. ` ) @@ -41,9 +43,11 @@ var ( complain bool enforce bool full bool + debug bool abi int version float64 file string + buildir string ) func init() { @@ -61,6 +65,9 @@ func init() { flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") } func Configure() { @@ -87,6 +94,9 @@ func Configure() { if complain { builder.Register("complain") + if debug { + builder.Register("debug") + } } else if enforce { builder.Register("enforce") } @@ -106,6 +116,10 @@ func Configure() { if version != nilVer { prebuild.Version = version } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} From 5c8c5029e085cc2ba88a28eb5df3c26229f4b49f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:12:51 +0200 Subject: [PATCH 701/977] tests(packer): add lxqt test image, update xfce. --- tests/cloud-init/archlinux-lxqt.user-data.yml | 28 ++++++++ tests/cloud-init/archlinux-xfce.user-data.yml | 36 +--------- tests/cloud-init/archlinux.yml | 67 +++++++++++++++++++ 3 files changed, 96 insertions(+), 35 deletions(-) create mode 100644 tests/cloud-init/archlinux-lxqt.user-data.yml diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml new file mode 100644 index 000000000..208f7dab5 --- /dev/null +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml @@ -0,0 +1,28 @@ +#cloud-config + +packages: *lxqt-packages + +# lxqt-wayland-session kwin + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 5bab9bf08..afba57519 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,40 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - just - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter +packages: *xfce-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index 5299efda0..629de7d02 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -88,6 +88,73 @@ kde-packages: &kde-packages - konsole - okular +lxqt-packages: &lxqt-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - lxqt + - breeze-icons + - sddm + +xfce-packages: &xfce-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub From d8875ab8260f500175d5030c90142a94a4e324e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:51:39 +0200 Subject: [PATCH 702/977] build: minor build system improvement. --- Justfile | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Justfile b/Justfile index 3e16a75e8..e434586c4 100644 --- a/Justfile +++ b/Justfile @@ -5,7 +5,7 @@ # Usage: `just` # See https://apparmor.pujol.io/development/ for more information. -# Build setings +# Build settings destdir := "/" build := ".build" pkgdest := `pwd` / ".pkg" @@ -251,7 +251,7 @@ create dist flavor: --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just get_osinfo {{dist}}`" \ + --os-variant "`just _get_osinfo {{dist}}`" \ --graphics spice \ --audio id=1,type=spice \ --sound model=ich9 \ @@ -282,18 +282,18 @@ destroy dist flavor: [group('vm')] [doc('Connect to the machine')] ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` [group('vm')] [doc('Mount the shared directory on the machine')] mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' [group('vm')] [doc('Unmout the shared directory on the machine')] umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' [group('vm')] @@ -307,6 +307,7 @@ list: images: #!/usr/bin/env bash set -eu -o pipefail + mkdir -p {{base_dir}} ls -lh {{base_dir}} | awk ' BEGIN { printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") @@ -343,19 +344,19 @@ init: [group('tests')] [doc('Run the integration tests')] -integration: - bats --recursive --timing --print-output-on-failure tests/integration +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} [group('tests')] [doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init [group('tests')] [doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ [group('tests')] @@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \ [group('tests')] [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) - ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[private] -get_ip dist flavor: +_get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[private] -get_osinfo dist: +_get_osinfo dist: #!/usr/bin/env python3 osinfo = { "archlinux": "archlinux", From 38ac0f580d10b6e0950e9505095e669bd69529d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:40:52 +0200 Subject: [PATCH 703/977] feat(profile): revisit electron based profiles. - cleanup and enforce signal - fix discord fix #773 #777 --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/network/mullvad-gui | 4 ++-- apparmor.d/profiles-a-f/discord | 7 +++++-- apparmor.d/profiles-a-f/element-desktop | 4 +--- apparmor.d/profiles-a-f/freetube | 3 +-- apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-m-r/protonmail | 10 +++++----- apparmor.d/profiles-s-z/signal-desktop | 23 +++++----------------- apparmor.d/profiles-s-z/wechat | 1 - apparmor.d/profiles-s-z/wechat-appimage | 1 - apparmor.d/profiles-s-z/wechat-universal | 1 - dists/flags/main.flags | 4 +--- 13 files changed, 22 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index cd7e9e8f1..175fa8b2d 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -16,6 +16,7 @@ include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4..cb7edf822 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, + @{sh_path} r, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index ae9b4cb7f..e4d2e9a2c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -26,9 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, owner @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index ddcd99add..8765084ff 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +profile discord @{exec_path} flags=(attach_disconnected) { include include include @@ -31,13 +31,15 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, + /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -52,6 +54,7 @@ profile discord @{exec_path} { owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, include if exists diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 05a900889..91de37e58 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 8250cf8aa..f4284873d 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> freetube//&xdg-settings, + @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, deny /dev/ r, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index dd653bd61..08b8cf7a1 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c6d309a94..c2c81d4da 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(complain) { +profile protonmail @{exec_path} flags=(attach_disconnected) { include include include @@ -24,12 +24,13 @@ profile protonmail @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, - ptrace read peer=xdg-settings, + ptrace read peer=protonmail//&xdg-settings, @{exec_path} mrix, - @{bin}/xdg-settings Px, - @{open_path} Px -> child-open, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists - } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b6a477707..0bedb90e1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} { include include include - include include include @@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - - audit @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index 5764deb77..ccff2f95f 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index e7eabe6ec..07f67fb59 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 3824f9526..b1c8aded2 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 22e9a1447..a62a6847d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,7 +75,7 @@ deb-systemd-invoke complain debconf-escape complain decibels complain dino attach_disconnected,complain -discord complain +discord attach_disconnected,complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain -signal-desktop attach_disconnected,complain -signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain From ba35a7933c9f5acceb37066d11be61eef4bf433b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:41:53 +0200 Subject: [PATCH 704/977] fix(profile): comment problematic rule Fix #769 --- apparmor.d/groups/browsers/brave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 0decb0d4b..4c38e0ce5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), signal receive peer=brave//&brave-crashpad-handler, From eda29668ae75d8b42412f35e3737230c6a626c09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 18:23:30 +0200 Subject: [PATCH 705/977] fix(profile): ensure signal-desktop has the attach_disconnected flag. Fix 812 --- apparmor.d/profiles-s-z/signal-desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 0bedb90e1..dc0bc381e 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include From 10e57f01a64eb821dcecc03a7298cf049454253e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:27:44 +0200 Subject: [PATCH 706/977] feat(abs): add /etc/xdg/menus and session files to kde-strict. See #811 --- apparmor.d/abstractions/desktop | 7 +++++++ apparmor.d/abstractions/kde-strict | 7 +++++++ apparmor.d/groups/browsers/firefox-kmozillahelper | 5 ----- apparmor.d/groups/kde/dolphin | 6 ------ 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..878f6f794 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -49,6 +49,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -63,6 +65,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 56aa88798..428aa93f3 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -25,6 +25,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -39,6 +41,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 8e86ee126..ade169f25 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5d51f8c4d..3879fa6a5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -51,8 +51,6 @@ profile dolphin @{exec_path} { /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -89,10 +87,6 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, - owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, From e09586e01dd015c26462c410bc0caee9a00e8e8d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:30:43 +0200 Subject: [PATCH 707/977] feat(abs): freedesktop: add more path for recently-used files. see #811 --- apparmor.d/abstractions/freedesktop.org.d/complete | 5 +++++ apparmor.d/groups/gnome/gnome-tweaks | 1 - apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/okular | 2 -- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 220883c29..df445cef5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -23,4 +23,9 @@ owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 96e83b846..7f93b7864 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -36,7 +36,6 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 2a2ea034f..6cae2d49b 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -71,8 +71,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 3879fa6a5..2d3b099d7 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -74,7 +74,6 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index fdc0730c4..1ee022dc6 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7618a10d4..7cd628b09 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -69,8 +69,6 @@ profile okular @{exec_path} { owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, - owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, From c02674593d00754b54f3329d1ac75ab0c44af571 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:34:48 +0200 Subject: [PATCH 708/977] feat(profile): update kde profiles see #811 --- .../groups/freedesktop/xdg-desktop-portal-kde | 16 ++++++++++++++++ apparmor.d/groups/kde/kalendarac | 5 +++++ apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 4 ---- apparmor.d/groups/kde/ksmserver | 3 --- apparmor.d/groups/kde/kwalletmanager | 3 --- apparmor.d/groups/kde/kwin_x11 | 5 +++-- apparmor.d/groups/kde/okular | 14 +++++--------- .../groups/kde/plasma-browser-integration-host | 6 ------ apparmor.d/groups/kde/plasma_session | 1 - apparmor.d/groups/kde/systemsettings | 3 --- apparmor.d/profiles-m-r/pinentry-qt | 2 ++ 12 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 8c1c1686f..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include include @@ -30,6 +31,12 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, owner @{HOME}/ r, @@ -39,12 +46,21 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, owner @{PROC}/@{pid}/mountinfo r, + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index a45652c7b..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -34,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c9fa538df..2ef26836d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -84,6 +84,7 @@ profile kded @{exec_path} { /var/lib/dbus/machine-id r, / r, + @{efi}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..0e8ba3395 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,15 +18,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index eb53bc078..6d515fb18 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -49,9 +49,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff..8400c8cb6 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -25,10 +25,12 @@ profile kwin_x11 @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, @@ -47,6 +49,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +57,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7cd628b09..acd9b7430 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -42,8 +42,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, @@ -51,19 +49,17 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..b41dac08a 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -57,7 +57,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -90,8 +89,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r, From ace53f3002531730a262245b27d62c16a65efc7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:35:19 +0200 Subject: [PATCH 709/977] feat(profile): openvpn need to load module. See #811 --- apparmor.d/groups/network/openvpn | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index a6ff1a939..b5a6b83ef 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, From d51b386d13540c6ff55317cc588734451a6e0f4c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:36:05 +0200 Subject: [PATCH 710/977] feat(abs): pager: improve integration with opensuse. See #811 --- apparmor.d/abstractions/app/pager | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 1557b78ef..30acc5612 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -21,6 +21,8 @@ /usr/share/file/misc/** r, /usr/share/nvim/{,**} r, + @{etc_ro}/lesskey.bin r, + @{HOME}/.lesshst r, owner @{HOME}/ r, From b1b3ee8321d2a269ef2e3e24ff8a367cbed46adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:38:15 +0200 Subject: [PATCH 711/977] feat(abs): add tty/drivers to pgrrep/pkill subprofiles. see #811 --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/kde/kded | 2 -- apparmor.d/groups/procps/pgrep | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index d6b7ba8a7..0ec14bea0 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -24,6 +24,7 @@ @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ef26836d..ef81b95d1 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -160,8 +160,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 950aeb99e..489f55bd7 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -14,8 +14,6 @@ profile pgrep @{exec_path} { @{exec_path} mr, - @{PROC}/tty/drivers r, - include if exists } From e15bd7bea03e25b4b27423a3e36e3530be89f21d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:40:17 +0200 Subject: [PATCH 712/977] feat(abs): improve vim integration with common editors. see #811 --- apparmor.d/abstractions/app/editor | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 2bd14077b..b33dbc7f4 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,9 +12,10 @@ @{sh_path} rix, @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, + @{bin}/vim* mrix, @{bin}/which{,.debianutils} rix, + /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -24,8 +25,9 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, + owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From e2b1547bf11bf305b49881fa12fa0688fb5d88db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:41:26 +0200 Subject: [PATCH 713/977] feat(profile): ssh: add ssh.hmac Similar to newest version of sshd with sshd.hmac see #811 --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 43fbddc63..75a25771f 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -26,6 +26,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, @{lib}/{,ssh/}ssh-sk-helper rix, From 44a6bc86e6cf25b344d76ab36a345d1181aaab20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:43:15 +0200 Subject: [PATCH 714/977] feat(tunable): add `bin` to XDG_BIN_DIR. So it can get allowed/denied by profile using user_bin_dirs. see #811 --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f5376..398fe20f4 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From b90a2a89fe095d3de5be2d139eeaaaa1065815be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:44:10 +0200 Subject: [PATCH 715/977] feat(abs): app-open: kde opener need system id. see #811 --- apparmor.d/abstractions/app/open | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 9d0da2199..243d18261 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -33,8 +33,7 @@ include include include - - /etc/xdg/menus/ r, + include owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, From d09f5d055f5f0d91e7dc1e64dda621e62aea4a1e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:16 +0200 Subject: [PATCH 716/977] feat(profile): improve dbus definitions. --- .../bus/org.freedesktop.ScreenSaver | 5 +++++ .../bus/org.freedesktop.portal.Desktop | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- .../gnome/evolution-addressbook-factory | 1 + .../groups/gnome/gnome-extension-gsconnect | 4 +++- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 20 +++++-------------- apparmor.d/groups/systemd/resolvectl | 1 + apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/terminator | 5 +++++ 10 files changed, 28 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 43ed93af6..f73768e9f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -9,6 +9,11 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label=gjs-console), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5e5967a1a..2753a6602 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -36,6 +36,11 @@ member=Register peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 4fb1764bc..167e66d65 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -6,7 +6,7 @@ #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 9f18395f2..3d83232e1 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -26,6 +26,7 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3cf92d613..64568eab0 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -36,9 +37,10 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} dbus eavesdrop bus=session, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d4c8b1ba2..95874290f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -18,6 +18,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f7c0dd084..01de67a18 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,22 +50,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher + member=Action peer=(name=org.freedesktop.nm_dispatcher), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*), - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label="@{p_bluetoothd}"), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dd5bdb3d4..58f2d88f8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -22,6 +22,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1ec4eeea3..a3a093c85 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -35,6 +35,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index d71ccf802..59c78396d 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -29,6 +29,11 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, From 20546d37a0f7aa3bb26c01659e64187a8bf22f49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:48 +0200 Subject: [PATCH 717/977] feat(profile): fprintd needs sys_admin see #811 --- apparmor.d/profiles-a-f/fprintd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 1d00dce88..8a5f9c01a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, From 112d54907ec106665dbd3e9660b43e132879add9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:53:52 +0200 Subject: [PATCH 718/977] feat(profile): thunderbird/firefox: move rules needed in both programs. --- apparmor.d/abstractions/app/firefox | 3 +++ apparmor.d/groups/browsers/firefox | 3 --- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 85922664b..68fb14887 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,9 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/remote-settings-startup-bundle- rw, owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fe8507219..bac81c847 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -64,9 +64,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4f25e0862..4dc891361 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include From 9c9af1d821a7eb85547484ce4563cce0d7909743 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:59:20 +0200 Subject: [PATCH 719/977] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/gpg/gpg | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 5 +++++ 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 6a01796ff..b65823520 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c081d53c3..5b62fa30c 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -27,7 +27,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 017083eaf..c767d2f02 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -36,6 +36,8 @@ profile grub-probe @{exec_path} { /dev/**/ r, /dev/mapper/control w, + deny mqueue (read, getattr) type=posix /, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 01de67a18..6b444093c 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -71,6 +71,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rPx, @{bin}/netconfig rPUx, @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 83806e753..bff816339 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -15,7 +15,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..a4fc278f0 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,6 +16,8 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Cx -> child-dpkg, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @@ -25,6 +27,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, /usr/share/mdadm/mkconf Px, @{bin}/* mr, From 5f368403b343df0dd3d23d10a2b58896c6b7c2f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:27:34 +0200 Subject: [PATCH 720/977] Revert "feat(tunable): add `bin` to XDG_BIN_DIR." This reverts commit 44a6bc86e6cf25b344d76ab36a345d1181aaab20. --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 398fe20f4..c791f5376 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}="bin" ".local/bin" +@{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From 753d36cfa337a37a3aead1cf1e9781553a5cbd22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:29:54 +0200 Subject: [PATCH 721/977] fix(profile): manually deny path in git Needed as 44a6bc86e6cf25b344d76ab36a345d1181aaab20 raise merged rule with conflicting x modifiers errors. --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 425fe2f14..0538f5da0 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -38,6 +38,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" From 7d49a1628e1c67457780d8f5b372bc804d021917 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:32:27 +0200 Subject: [PATCH 722/977] fix(abs): avahi socket path. --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 74c82f92a..3029fb80b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -67,7 +67,7 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. + @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, From 6739b238cef5bf052371ad4fe67f31c65dd107f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:33:29 +0200 Subject: [PATCH 723/977] feat(abs): base-strict: allow communication to children and stacked profiles. --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 818a4937f..22ca5ec5e 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -67,8 +67,9 @@ # Allow unconfined processes to us via unix sockets unix receive peer=(label=unconfined), - # Allow communication to children profiles + # Allow communication to children and stacked profiles signal peer=@{profile_name}//*, + signal peer=@{profile_name}//&*, unix type=stream peer=(label=@{profile_name}//*), # Allow us to create abstract and anonymous sockets From 3d329fdef8801c3fc892e33fa3876bf96ed37d70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:39:35 +0200 Subject: [PATCH 724/977] feat(profile): minor profiles improvement. --- apparmor.d/groups/freedesktop/colord | 4 +++- apparmor.d/groups/freedesktop/pipewire | 2 ++ apparmor.d/groups/kde/kscreenlocker_greet | 2 ++ apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/systemd/systemd-delta | 4 ++-- apparmor.d/groups/systemd/systemd-detect-virt | 7 +++++++ apparmor.d/profiles-a-f/cheese | 6 +++++- 7 files changed, 22 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ee2cdf42e..81d0c9f6b 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -59,7 +59,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index ad4eb57c5..97e3c6119 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -47,6 +47,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{tmp}/librnnoise-@{int}.so rm, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @@ -62,6 +63,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index dd3a6b42b..ddd14b5c2 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -25,6 +25,8 @@ profile kscreenlocker_greet @{exec_path} { network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 5f09af5cc..e953834a7 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -74,6 +74,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/cockpit/active.issue r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 7cf546a56..311636d95 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 35f4afbc4..01e49025f 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -21,6 +21,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,6 +30,12 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b308439c3..b89fa42f2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -41,7 +42,10 @@ profile cheese @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From aafcd1c861c4ea9afdf0bc535b2bc10e50fa81ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 17:21:24 +0200 Subject: [PATCH 725/977] feat(profile): simplify ssh home path. --- apparmor.d/groups/ssh/ssh | 4 +--- apparmor.d/groups/ssh/ssh-keygen | 8 ++++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 75a25771f..03236196c 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -36,9 +36,7 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 397ffdcd6..b55824e58 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,13 +15,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, - /tmp/snapd@{int}/*_*{,.pub} w, - /tmp/snapd@{int}/*.key{,.pub} w, + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, From c29b4ba536ba0b625955d85f912ece0ef12f2318 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:03:36 +0200 Subject: [PATCH 726/977] feat(profile): various security/linter improvement - Ignore some rule from the linter - Move some bin to subprofile --- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/pacman/pacdiff | 6 +----- apparmor.d/profiles-a-f/baobab | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-m-r/mimetype | 6 +++--- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/xarchiver | 11 ++++------- tests/check.sh | 5 ++++- tests/sbin.list | 1 + 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index da5da33a1..9be1f3258 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/ldconfig.real Cx -> ldconfig, @{sbin}/update-rc.d Cx -> rc, + #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. @{bin}/** PUx, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e58c9d8b3..a814eaaa9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -61,8 +61,8 @@ profile reportbug @{exec_path} { /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 497386125..cab9eed4b 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, @@ -30,11 +31,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/rm rix, @{bin}/sed rix, @{bin}/tput rix, - @{bin}/vim rix, - - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{user_cache_dirs}/vim/{,**} rw, # packages files / r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index cd1e7563f..654e40117 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -19,6 +19,7 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, + #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e7bfafaac..5ec394807 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -28,6 +28,7 @@ profile file-roller @{exec_path} { # Archivers @{archive_path} rix, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index cf8431c7a..91d021fae 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -19,14 +19,14 @@ profile mimetype @{exec_path} { /usr/share/mime/aliases r, /usr/share/mime/magic r, + # To read files + owner /** r, #aa:lint ignore=too-wide + owner @{user_share_dirs}/mime/**.xml r, owner @{user_share_dirs}/mime/globs r, owner @{user_share_dirs}/mime/aliases r, owner @{user_share_dirs}/mime/magic r, - # To read files - /** r, - include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 93e29bcfa..9b0912bd9 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -67,7 +67,7 @@ profile tomb @{exec_path} { @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, - @{bin}/e2fsc rPUx, + @{sbin}/e2fsck rPx, @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index f38a69224..4d2766101 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -40,13 +40,10 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/tests/check.sh b/tests/check.sh index 9bafd5104..60e23c694 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -171,6 +171,9 @@ _check_abstractions() { _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done + if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') @@ -222,7 +225,7 @@ readonly TRANSITION_MUST_PC=( # Must transition to 'Px' ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkexec sudo systemctl udevadm + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm fusermount fusermount3 fusermount{,3} nvim vim sensible-editor ) diff --git a/tests/sbin.list b/tests/sbin.list index 8ee14fd21..16073f0d2 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -761,6 +761,7 @@ ugc umount.nfs umount.nfs4 umount.udisks2 +unbound unconfined undump.bt unix_chkpwd From c51943934ed4a99105a75eda382a5df6959ad6b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:04:35 +0200 Subject: [PATCH 727/977] feat(tunable): add x64 to @{arch} --- apparmor.d/tunables/multiarch.d/system | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 359d1b878..0eae0fde3 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -20,6 +20,7 @@ @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files +# /tmp/user/@{uid}/ is needed when using .... (default on Debian) @{tmp}=/tmp/ /tmp/user/@{uid}/ # Common places for EFI @@ -29,7 +30,7 @@ # ---------------- # Common architecture names -@{arch}=x86_64 amd64 i386 i686 +@{arch}=x86_64 x64 amd64 i386 i686 # Dbus unique name @{busname}=:1.@{u16} :not.active.yet From 483c0c107d611502578e12d9355004644f715e0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:22:07 +0200 Subject: [PATCH 728/977] build: enable re-attach disconnected path by default Ignored on Ubuntu 25.04 and abi3.0 --- apparmor.d/tunables/multiarch.d/system | 5 ++-- pkg/prebuild/cli/cli.go | 11 +++++++- pkg/prebuild/prepare/attach.go | 37 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 pkg/prebuild/prepare/attach.go diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0eae0fde3..06cb42000 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,8 +69,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Attachment path for attach_disconnected.path flag. -# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +# Default attachment path when re-attached path disconnected path is ignored. +# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ alias // -> /, diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 000aa65f9..237b0f0f8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,7 +108,16 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnected path + // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak + // that fully prevent profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + if prebuild.Distribution != "ubuntu" { + builder.Register("attach") + prepare.Register("attach") + } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + builder.Register("attach") + prepare.Register("attach") + } default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 000000000..a87ff9071 --- /dev/null +++ b/pkg/prebuild/prepare/attach.go @@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + return res, path.WriteFile([]byte(out)) +} From b0c661931af5b376f79d1dadff684e3d165b4f64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:23:05 +0200 Subject: [PATCH 729/977] fix(build): fsp regex. --- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/cli/cli.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index ed2285de5..8f7fb4202 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 237b0f0f8..ab221e485 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,6 +139,9 @@ func Configure() { func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } if prebuild.Version != nilVer { logging.Success("AppArmor version targeted: %.1f", prebuild.Version) } From c0de5ff71d9a2aec1b3c778cc31261a2961f54c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:38:46 +0200 Subject: [PATCH 730/977] ci: also run the integration tests on manual run. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bcb817338..9f2addf88 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,7 +83,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build - if: github.ref == 'refs/heads/dev' + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 From be341a4ca8c48c03823609d143ea98e2a5c7b860 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:43:21 +0200 Subject: [PATCH 731/977] feat(profile): syncthing 2.0 uses sqlite. --- apparmor.d/profiles-s-z/syncthing | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e9..4553ac1e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -35,6 +35,9 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, From e8055098033abd1f3f73d2a1578f2dc07f7b1ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:42:44 +0200 Subject: [PATCH 732/977] build: opensuse: improve post install script. --- dists/apparmor.d.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index bf97705a6..d60841581 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -32,8 +32,8 @@ just complain just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE From ca24da7a2a4e11def29652d27c49e1ec11539e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:49:43 +0200 Subject: [PATCH 733/977] build(debian): improve post install scripts. --- debian/apparmor.d.postinst | 5 ++++- debian/apparmor.d.postrm | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 From f5a4acd37e374f1036addc7c2425e578982f6a05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:13:59 +0200 Subject: [PATCH 734/977] feat(abs): graphics: add cpu_capacity --- apparmor.d/abstractions/graphics | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 37f6be70e..79872ceb4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,7 @@ @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, @{sys}/devices/system/cpu/cpu@{int}/topology/* r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, From 5ee999536ca2f5ae5cfbb999bb20bc7334d278ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:23:33 +0200 Subject: [PATCH 735/977] feat(abs): reorganize the electron & chromium abs. --- apparmor.d/abstractions/app/chromium | 32 ++----------------- apparmor.d/abstractions/common/chromium | 25 +++++++++++---- apparmor.d/abstractions/common/electron | 39 ++--------------------- apparmor.d/groups/network/mullvad-gui | 5 +-- apparmor.d/groups/steam/steam | 8 +++-- apparmor.d/profiles-a-f/deltachat-desktop | 1 + apparmor.d/profiles-a-f/discord | 4 ++- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/linuxqq | 1 + apparmor.d/profiles-m-r/protonmail | 1 + apparmor.d/profiles-s-z/session-desktop | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/wechat | 1 + apparmor.d/profiles-s-z/wechat-appimage | 1 + apparmor.d/profiles-s-z/wechat-universal | 1 + apparmor.d/profiles-s-z/wemeet | 2 ++ 19 files changed, 46 insertions(+), 85 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a971ca5a0..8f991c230 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -33,6 +33,7 @@ include include include + include include include include @@ -46,14 +47,6 @@ include include - userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - network inet dgram, network inet6 dgram, network inet stream, @@ -112,21 +105,12 @@ /etc/fstab r, /etc/{,opensc/}opensc.conf r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, @@ -151,10 +135,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -163,9 +144,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -175,10 +153,7 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -192,18 +167,15 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 9fba7b8bb..78441fe08 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -4,7 +4,13 @@ # SPDX-License-Identifier: GPL-2.0-only # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. + +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# abi , @@ -22,19 +28,24 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 175fa8b2d..b581c9073 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -7,13 +7,15 @@ # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , + include include include include @@ -21,14 +23,6 @@ include include - userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @@ -48,31 +42,7 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -89,15 +59,12 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e4d2e9a2c..639d3ce4b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,6 +7,7 @@ abi , include @{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -31,10 +32,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 5009b970d..abfab75d7 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,10 +21,12 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 4f60099a9..87c2bbaba 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,6 +7,7 @@ abi , include +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 8765084ff..3b34d5055 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,6 +8,7 @@ abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -48,7 +49,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, @@ -57,6 +57,8 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, + deny ptrace read, + include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index f4284873d..95e37b4d6 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,6 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -39,7 +40,6 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, - deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 08b8cf7a1..ff2ffe6b8 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,6 +7,7 @@ abi , include @{name} = QQ +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c2c81d4da..0ac23267b 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -8,6 +8,7 @@ abi , include @{name} = proton-mail "Proton Mail" +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4817f330a..dc190b787 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {S,s}ession +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index dc0bc381e..bf0740919 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -8,6 +8,7 @@ abi , include @{name} = signal-desktop{,-beta} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3a093c85..3c18059a9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,6 +8,7 @@ abi , include @{name} = spotify +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -57,8 +58,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c0b940478..c49a96621 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -7,6 +7,7 @@ abi , include @{name} = super{p,P}roductivity +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index b4b63fe74..4f4432650 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -8,6 +8,7 @@ abi , include @{name} = vesktop +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -33,7 +34,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, - owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index ccff2f95f..00fe0a8c5 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -7,6 +7,7 @@ abi , include @{name} = wechat +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 07f67fb59..98ce53f07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -7,6 +7,7 @@ abi , include @{name} = wechat-appimage +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-appimage/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index b1c8aded2..94da6c60e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,6 +7,7 @@ abi , include @{name} = wechat-universal +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 4f40ef746..3606533d7 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -6,6 +6,8 @@ abi , include +@{domain} = org.chromium.Chromium + @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess From e55ace4e0a5646fd1e9ad786a4356689bb668d90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:07:53 +0200 Subject: [PATCH 736/977] fix(profile): issue with re-attached paths - Add missing att on some profiles - Fix alias / -> // - Fix aa-log att variable resolution fix #813 #814 --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/common/bwrap | 4 +++- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++--- apparmor.d/groups/freedesktop/xwayland | 4 +--- apparmor.d/groups/hyprland/hyprland | 3 +++ apparmor.d/tunables/multiarch.d/system | 2 +- pkg/logs/logs.go | 3 +-- 8 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index e394c5b99..29c685f55 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -14,6 +14,8 @@ @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, + @{att}/dev/null rw, + /apparmor/.null rw, @{att}/apparmor/.null rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f4630475d..da73b8217 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -38,12 +38,14 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/ r, + @{att}/@{run}/.userns r, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c34ae962f..fca84002a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - / r, + @{att}/ r, /var/lib/flatpak/{,**} rwlk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index bc975e4ea..5c62b0771 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner @{att}/ r, + / r, + @{att}/ r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 9b329e06a..e8c94916d 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - @{att}/dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c8c32da0..c1e6da4d8 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 06cb42000..e2f297045 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -74,6 +74,6 @@ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ -alias // -> /, +alias / -> //, # vim:syntax=apparmor diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 2443eaace..b0ae58702 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -64,7 +64,7 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/@]+`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/sbin`, `@{sbin}`, @@ -86,7 +86,6 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, - `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name From d3507e24b94336e8ca5e1ba50887ed0755a7e341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:09:28 +0200 Subject: [PATCH 737/977] fix(build): ensure post install script do not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi From 7c427aaae6252ee42e316f83b0faae97cb7a1268 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:10:34 +0200 Subject: [PATCH 738/977] build: do not overwrite steam. --- dists/overwrite | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/overwrite b/dists/overwrite index 5bc00f9fe..c8769ba54 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -20,7 +20,6 @@ os-prober plasmashell signal-desktop slirp4netns -steam systemd-coredump thunderbird virtiofsd From 9110a7012441a1f57566361cc05c65d11a189fb7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:16:31 +0200 Subject: [PATCH 739/977] tests: add debian/ubuntu based tests images. Also some cleanup of tests resources. --- .gitignore | 1 + tests/cloud-init/debian.yml | 5 +++-- tests/cloud-init/debian13-kde.user-data.yml | 9 +++++++++ tests/cloud-init/ubuntu.yml | 1 + tests/cloud-init/ubuntu24-kubuntu.user-data.yml | 1 + tests/cloud-init/ubuntu25-kubuntu.user-data.yml | 9 +++++++++ tests/packer/clean.sh | 1 - tests/packer/init.sh | 5 +++-- tests/packer/variables.pkr.hcl | 4 ++-- tests/requirements.sh | 2 +- 10 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 tests/cloud-init/debian13-kde.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-kubuntu.user-data.yml diff --git a/.gitignore b/.gitignore index d888d6d5c..077d62cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index ea3012ad2..b96bb5880 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -23,7 +23,7 @@ core-packages: &core-packages - unattended-upgrades - vim -gnome-packages: &desktop-packages +gnome-packages: &gnome-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -53,7 +53,7 @@ gnome-packages: &desktop-packages - loupe - ptyxis -kde-packages: &kubuntu-packages +kde-packages: &kde-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -79,6 +79,7 @@ kde-packages: &kubuntu-packages # KDE packages for Debian - spice-vdagent - task-kde-desktop + - plasma-workspace-wayland - terminator debian12-runcmd: &debian12-runcmd diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml new file mode 100644 index 000000000..5a4d33bf5 --- /dev/null +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kde-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 14db33251..1f3563750 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -82,6 +82,7 @@ kubuntu-packages: &kubuntu-packages - spice-vdagent - terminator - kubuntu-desktop + - plasma-workspace-wayland desktop-runcmd: &desktop-runcmd # Add missing snap packages diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml index d4139c2f7..bea74af3a 100644 --- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -6,3 +6,4 @@ runcmd: *desktop-runcmd write_files: - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml new file mode 100644 index 000000000..bea74af3a --- /dev/null +++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index b7650a1d5..f7518a2f6 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -55,7 +55,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" - pacman -Syu --noconfirm pacman -Scc --noconfirm } diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4e4e1ec99..bf75c0e1e 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu +set -eux _lsb_release() { # shellcheck source=/dev/null @@ -31,7 +31,8 @@ main() { ;; debian | ubuntu) - dpkg -i $SRC/*.deb + apt install -y apparmor-profiles + dpkg -i $SRC/*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 073544f59..a44f98412 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -98,8 +98,8 @@ variable "DM" { img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" } "debian13" : { - img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } "ubuntu22" : { img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" diff --git a/tests/requirements.sh b/tests/requirements.sh index efc357ad4..0801ff27d 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -5,7 +5,7 @@ # Dependencies for the bats integration tests -set -eu +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { From 52e9ae9fd621997113f2284b9500a511df9c285f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:29:21 +0200 Subject: [PATCH 740/977] fix(profile): define missing domain. --- apparmor.d/profiles-a-f/element-desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 91de37e58..7891b67e1 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {E,e}lement +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} From 4e70cb4c918013914b2bc4bef750374879ad615d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:57:36 +0200 Subject: [PATCH 741/977] fix(profile): workaround in apparmor issue for attached path. See https://gitlab.com/apparmor/apparmor/-/issues/450 Fix #815 --- apparmor.d/abstractions/common/app | 2 ++ apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/flatpak/flatpak-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/tunables/multiarch.d/system | 1 - pkg/prebuild/prepare/attach.go | 1 + 8 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3029fb80b..3b425e505 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -135,6 +135,8 @@ owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/hidraw@{int} rw, /dev/input/ r, /dev/input/event@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index a816e58b8..4199e92b1 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,7 +83,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 8a8d2b901..84e2d7964 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -31,7 +31,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5c62b0771..5e27ac845 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, / r, - @{att}/ r, @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index fc11b0700..c9585e2ab 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -52,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, / r, - owner @{att}/ r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 93cac619e..d2db2612e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -44,7 +44,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/snap rPx, / r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index e2f297045..288665770 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -73,7 +73,6 @@ # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ - alias / -> //, # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index a87ff9071..3331c73dc 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -33,5 +33,6 @@ func (p ReAttach) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") return res, path.WriteFile([]byte(out)) } From 58aea2b00d2975372a89db7c32deb6e7d3f35705 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:59:06 +0200 Subject: [PATCH 742/977] build: update flag manifest. --- dists/flags/main.flags | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a62a6847d..057c7c298 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -46,7 +46,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -110,11 +110,9 @@ flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -fstrim complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain @@ -159,7 +157,6 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain @@ -189,7 +186,7 @@ kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain kdump_mem_estimator complain -kdump-config complain +kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain @@ -283,11 +280,11 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain @@ -388,7 +385,7 @@ update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain -userdbctl complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain From edc2755d615b64b8a05607e62bfe248f58704fde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:03:17 +0200 Subject: [PATCH 743/977] feat(profile): kde: add initial dbus definition. --- apparmor.d/groups/kde/DiscoverNotifier | 8 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 3 ++ apparmor.d/groups/kde/kaccess | 5 +++ apparmor.d/groups/kde/kactivitymanagerd | 4 +++ apparmor.d/groups/kde/kauth-backlighthelper | 2 ++ .../groups/kde/kauth-chargethresholdhelper | 5 +++ apparmor.d/groups/kde/kauth-discretegpuhelper | 4 +++ apparmor.d/groups/kde/kauth-kded-smart-helper | 6 +++- apparmor.d/groups/kde/kcminit | 3 ++ apparmor.d/groups/kde/kde-powerdevil | 15 +++++++++ apparmor.d/groups/kde/kded | 31 +++++++++++++++++-- apparmor.d/groups/kde/kglobalacceld | 3 ++ apparmor.d/groups/kde/kioworker | 3 ++ apparmor.d/groups/kde/konsole | 3 ++ .../groups/kde/kscreen_backend_launcher | 8 ++++- apparmor.d/groups/kde/ksmserver | 11 +++++++ apparmor.d/groups/kde/ksplashqml | 4 +++ apparmor.d/groups/kde/kwalletd | 6 ++++ apparmor.d/groups/kde/kwin_wayland | 12 +++++++ apparmor.d/groups/kde/kwin_wayland_wrapper | 3 ++ apparmor.d/groups/kde/kwin_x11 | 8 +++++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 21 +++++++++++++ apparmor.d/groups/kde/sddm | 15 ++------- apparmor.d/groups/kde/sddm-greeter | 5 +++ apparmor.d/groups/kde/sddm-xsession | 10 ++++++ apparmor.d/groups/kde/startplasma | 5 +++ apparmor.d/groups/kde/systemsettings | 5 +++ apparmor.d/groups/kde/xembedsniproxy | 3 ++ apparmor.d/groups/network/NetworkManager | 3 +- apparmor.d/groups/network/nm-online | 4 +-- apparmor.d/groups/polkit/polkitd | 5 +++ apparmor.d/profiles-m-r/packagekitd | 2 +- 33 files changed, 206 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 3ec36976d..861132887 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include + include + include include include include @@ -23,6 +27,10 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b..b30e39cdc 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400ef..65582d1ba 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,10 +10,15 @@ include profile kaccess @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + @{exec_path} mr, @{bin}/gsettings rPx, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1ee022dc6..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8ed8bf82e..119b5508d 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,7 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index cf0caffeb..2e60e6a0a 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,10 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index e11de6a48..bd01bf3c8 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,12 @@ include profile kcminit @{exec_path} { include include + include include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 45c382855..c961ed7a3 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,6 +11,13 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include + include + include + include include include include @@ -20,6 +27,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ef81b95d1..e729ec78b 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -10,9 +10,14 @@ include profile kded @{exec_path} { include include + include + include include + include include + include include + include include include include @@ -35,19 +40,41 @@ profile kded @{exec_path} { signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 0e8ba3395..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index a5f867378..69b735310 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -32,6 +33,8 @@ profile kioworker @{exec_path} { signal receive set=term peer=plasmashell, signal receive set=term peer=xdg-desktop-portal-kde, + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8f9ff48dd..057a23d70 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -13,6 +13,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -22,6 +23,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index d4b547c7c..7df07f64b 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,14 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include + include + include + include include + include + + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 6d515fb18..f4d54c295 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include include @@ -20,6 +23,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 13f1216a5..e1d5d7394 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include + include include include include @@ -16,6 +18,8 @@ profile ksplashqml @{exec_path} { ptrace read peer=startplasma, + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ff..23737f14e 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,6 +11,9 @@ include profile kwalletd @{exec_path} { include include + include + include + include include include include @@ -19,6 +22,9 @@ profile kwalletd @{exec_path} { include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd0..a8dc97d53 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,6 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include @@ -27,6 +31,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d77..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8400c8cb6..f4f955a4f 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include + include include include include @@ -22,6 +24,12 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 07fbc8e14..19106cfa9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,9 +11,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include + include include + include include include include @@ -43,6 +47,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal send, + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 143df5c9e..9884e2145 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -50,20 +50,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=startplasma-wayland, signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_logind}"), + #aa:dbus own bus=system name=org.freedesktop.DisplayManager - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cec..c9aca546a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,11 @@ profile sddm-greeter @{exec_path} { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f27f3dc3c..f4256d3d4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -90,6 +90,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 004b89d57..651061aa9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,12 +11,17 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index b41dac08a..aab520a72 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include @@ -23,6 +25,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 6cb93163c..b768e2630 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6b444093c..f27449e77 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,8 +50,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action + member=Action2 peer=(name=org.freedesktop.nm_dispatcher), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq interface=org.freedesktop.NetworkManager.dnsmasq member=SetServersEx diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 189afd74d..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 4dc1380c0..c2de7f8b6 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -24,6 +24,11 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), + @{exec_path} mr, @{bin}/pkla-check-authorization rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9de9cadf9..19f6a515e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -38,7 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, From 523522dd1d2fd75efdd5c07e0b91de897be4cf4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:05:38 +0200 Subject: [PATCH 744/977] feat(profile): improve kde profiles. --- .../polkit-kde-authentication-agent | 5 ++++ .../groups/kde/drkonqi-coredump-cleanup | 3 ++- apparmor.d/groups/kde/kded | 21 +++++++++++++--- apparmor.d/groups/kde/konsole | 4 ++- apparmor.d/groups/kde/kwalletd | 2 ++ apparmor.d/groups/kde/kwin_wayland | 15 ++++++----- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm | 9 ++++++- apparmor.d/groups/kde/sddm-xsession | 13 +++++++--- apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/systemsettings | 1 + apparmor.d/groups/kde/wayland-session | 25 +++++++++++++++---- apparmor.d/groups/kde/xembedsniproxy | 1 + apparmor.d/groups/kde/xsettingsd | 1 + 14 files changed, 81 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f53f4d164..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,6 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include @@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, + #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index c74276b95..199dd9c8f 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e729ec78b..f2f2489ab 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -18,6 +18,7 @@ profile kded @{exec_path} { include include include + include #aa:only apt include include include @@ -26,16 +27,19 @@ profile kded @{exec_path} { include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, @@ -78,11 +82,13 @@ profile kded @{exec_path} { @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{python_path} rix, - @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -94,18 +100,22 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -113,6 +123,8 @@ profile kded @{exec_path} { / r, @{efi}/ r, + owner /var/lib/update-manager/meta-release-lts rw, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @@ -125,6 +137,7 @@ profile kded @{exec_path} { @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 057a23d70..fa55e177d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -56,7 +56,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 23737f14e..ad96cb512 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,6 +45,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index a8dc97d53..243e0adfe 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -23,14 +23,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), - - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, - network netlink raw, + ptrace read, + + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver #aa:dbus own bus=session name=org.kde.kglobalaccel #aa:dbus own bus=session name=org.kde.KWin diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 19106cfa9..68ea4fc0c 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -80,6 +80,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 9884e2145..b62116704 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -66,20 +66,26 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @@ -98,6 +104,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f4256d3d4..0e9290d53 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, + @{bin}/tr rix, @{bin}/which{,.debianutils} rix, - @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, @@ -133,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 651061aa9..5db93719c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -36,6 +36,7 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index aab520a72..a78225b67 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -80,6 +80,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 124cf2fda..56914137b 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -13,14 +13,29 @@ profile wayland-session @{exec_path} { @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index b768e2630..93259822e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -16,6 +16,7 @@ profile xembedsniproxy @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7cebbb43c..1adbf1d9f 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, From 7e79d5abefa13bd226d4b1f5671b238d168590b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:15:24 +0200 Subject: [PATCH 745/977] feat(profile): improve support for ubuntu & kubuntu. --- apparmor.d/abstractions/bus/org.a11y | 10 ++++++++++ apparmor.d/abstractions/graphics-full | 4 ++++ apparmor.d/abstractions/kde-strict | 3 ++- apparmor.d/abstractions/mesa.d/complete | 2 ++ apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/unattended-upgrade | 12 ++++++----- apparmor.d/groups/bluetooth/blueman-mechanism | 1 + apparmor.d/groups/bluetooth/obexd | 3 ++- apparmor.d/groups/browsers/chromium-wrapper | 1 + apparmor.d/groups/browsers/firefox-glxtest | 2 ++ apparmor.d/groups/bus/dbus-accessibility | 7 ++++--- apparmor.d/groups/bus/ibus-memconf | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 6 ++---- .../groups/freedesktop/xdg-desktop-portal | 4 ++++ .../freedesktop/xdg-desktop-portal-gnome | 4 ++++ apparmor.d/groups/freedesktop/xrandr | 4 ++++ apparmor.d/groups/freedesktop/xwayland | 3 ++- apparmor.d/groups/gnome/deja-dup-monitor | 6 ++++++ apparmor.d/groups/gnome/gdm-generate-config | 3 +-- apparmor.d/groups/gnome/gjs-console | 11 +++++++++- apparmor.d/groups/gnome/yelp | 6 ++++-- apparmor.d/groups/snap/snap | 6 +++++- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snapd | 1 - apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/ubuntu/apport-gtk | 20 +++++++++++++++++-- apparmor.d/groups/ubuntu/apt_news | 1 + apparmor.d/groups/ubuntu/ubuntu-fan-net | 12 +++++++++++ apparmor.d/groups/ubuntu/update-notifier | 2 +- .../groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/groups/utils/login | 1 + apparmor.d/groups/virt/cockpit-tls | 2 +- .../groups/virt/cockpit-wsinstance-factory | 15 ++++++++++++-- apparmor.d/profiles-a-f/dhclient-script | 19 +++++++++++++----- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-g-l/kernel | 4 ++++ apparmor.d/profiles-g-l/lsb-release | 1 + apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/motd | 10 +++++++++- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/qdbus | 1 + apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/update-info-dir | 2 ++ apparmor.d/profiles-s-z/whoopsie | 10 ++++++++++ apparmor.d/profiles-s-z/wsdd | 1 + apparmor.d/profiles-s-z/xbrlapi | 2 ++ 47 files changed, 180 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 2677d2f61..c99f5f8bd 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -31,6 +31,11 @@ member=Embed peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + # Session bus dbus send bus=session path=/org/a11y/bus @@ -38,6 +43,11 @@ member=GetAll peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1f2b0ffd2..eb60edb4d 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -6,6 +6,10 @@ include + @{sys}/devices/@{pci}/numa_node r, + + @{PROC}/devices r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 428aa93f3..fd994d12d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -20,6 +20,7 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -44,7 +45,7 @@ owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1d718c0b1..02a48114c 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -42,4 +42,6 @@ @{PROC}/sys/dev/xe/observation_paranoid r, + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index b294b928b..af578be50 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/cat ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 9be1f3258..7d2073768 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} { /usr/local/ r, /usr/local/lib/ r, + /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 0d4d2ee33..d501a325f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/touch ix, @{bin}/uname ix, - @{bin}/dpkg-deb px, @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, @{bin}/dpkg Px, + @{bin}/dpkg-deb px, @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, @@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, /etc/ssh/moduli r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ufw/{,**} r, /etc/update-manager/{,**} r, /etc/update-motd.d/{,**} r, @@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash w, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/info/{,*} r, @@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index ffdda336e..9b4800210 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -11,6 +11,7 @@ include profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index efb5f42e4..65ad4c0e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index dea35ae1a..d29dcc630 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 30281f2f4..f9470a59b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index ee787e4e1..f876d1210 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), @@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 803f28a4a..5233f8603 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 25569cd68..80c3135f5 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -76,10 +76,8 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5e27ac845..35c81f0bc 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6ee4cab6d..bed83627a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index fc1935c4b..ed9e7a030 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e8c94916d..a8950dbc6 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index af7fa51b0..ac5d6af81 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, + @{bin}/deja-dup Px, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d48b9eff6..9d910cdd2 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - ptrace read, + # ptrace read, @{exec_path} mr, @@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fdaa4e825..0cfd4c420 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, + /usr/share/thumbnailers/{,**} r, /tmp/ r, /var/tmp/ r, @@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 058b9697a..1f2fc39d3 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include include include @@ -30,7 +30,9 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 425d5cd66..ef0a086a8 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) { /var/cache/snapd/names r, @{DESKTOP_HOME}/snap/{,**} rw, - @{HOME}/snap/{,**} rw, /snap/{,**} rw, + @{HOME}/snap/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/.snap.mkdir-new/ rw, + owner @{HOME}/.snap/{,**} rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 7857bcc6a..9605c544a 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -9,7 +9,7 @@ include @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0f975b3b0..7e2c288b6 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -34,7 +34,6 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e953834a7..ab86f3ad1 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/userdbctl Px, @{lib}/{openssh,ssh}/sshd-auth Px, @{etc_rw}/motd r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4940653a3..271ff23e4 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, @@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, @@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 7f4e8fbe2..9734803e4 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability kill, capability setgid, capability setuid, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index 74fe83551..ab83ebed4 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 361290980..9754aa231 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,7 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index d65c77a08..4926c0b1c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} { @{bin}/{,e}grep ix, @{bin}/groups Px, @{bin}/systemctl Cx -> systemctl, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{sh_path} mr, /usr/share/apport/apport-checkreports Px, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c35001498..cf9663e8e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/shells r, /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 7bf43ed4a..8a345588a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 99db4d614..248ca43e8 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} { include include - unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, - capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 3967512b8..9d84a4065 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 6deb06eb6..e99760a73 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -13,6 +13,8 @@ profile dracut-install @{exec_path} { @{exec_path} mr, + @{bin}/cp rix, + /etc/modprobe.d/{,**} r, @{sys}/devices/platform/{,**/} r, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 41098ab4b..c46b5556e 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -67,6 +67,10 @@ profile kernel @{exec_path} { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 23bada3ec..d2d52d362 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ r, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cut rix, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index a4fc278f0..cae5c1c3d 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, @{bin}/cpio ix, - @{bin}/dpkg Cx -> child-dpkg, + @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 67f216212..6cdb0fbf8 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,9 +9,13 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include + include capability net_admin, + network inet6 stream, + network inet6 stream, + @{exec_path} mr, @{bin}/ r, @@ -44,7 +48,7 @@ profile motd @{exec_path} { /var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/cloud/instances/nocloud/cloud-config.txt r, - # /tmp/tmp.@{rand10} rw, + /tmp/tmp.@{rand10} rw, @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @@ -62,6 +66,8 @@ profile motd @{exec_path} { include include + capability net_admin, + network inet dgram, network inet stream, network inet6 dgram, @@ -70,6 +76,8 @@ profile motd @{exec_path} { @{bin}/wget mr, + /etc/wgetrc r, + /tmp/tmp.@{rand10} rw, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b8f50ff7c..178bf28c6 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, - @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index fa67bad97..6816079ac 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e1b9ab7de..eecb98b28 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index 7c835023f..fe06b32af 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} { @{bin}/find ix, @{bin}/rm ix, + /etc/environment r, + include if exists } diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 0c03f4a76..8a2c83904 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -10,10 +10,17 @@ include profile whoopsie @{exec_path} { include include + include capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /var/crash/ r, @@ -22,6 +29,9 @@ profile whoopsie @{exec_path} { /var/lib/whoopsie/whoopsie-id rw, /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + /var/crash/*.@{uid}.crash r, + owner /var/crash/*.@{uid}.uploaded rw, + owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a8..fc6955793 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -27,6 +27,7 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, + @{run}/uuidd/request rw, owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 4ce252e10..b2f94975f 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{HOME}/.xsession-errors w, + include if exists } From 4dba131fb38418b898a02aaec92e977fe7a0a4c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:16:24 +0200 Subject: [PATCH 746/977] feat(profile): parser: move sysctl to its own subprofile. --- apparmor.d/groups/apparmor/apparmor.systemd | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index cb862ff48..f58512a02 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} { @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } From ba16e3c3405d8d801dfbe332e1a77507be3ea879 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:20:08 +0200 Subject: [PATCH 747/977] feat(profile): cleanup log from well known programs. --- apparmor.d/groups/freedesktop/xdg-mime | 6 ++++++ apparmor.d/groups/utils/blkid | 5 +++-- apparmor.d/groups/utils/lspci | 4 +++- apparmor.d/profiles-g-l/gsettings | 8 ++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d1..9e6dbc2e0 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 3eee035fe..4105a7419 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index e8ba89298..c6ac0fdcd 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index bbdb3da62..849599977 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + include if exists } From 7f9664c51f0aec674bee24a6460323b78e08735e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:51:10 +0200 Subject: [PATCH 748/977] feat(profile): add profile for mpris-proxy. --- apparmor.d/profiles-m-r/mpris-proxy | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mpris-proxy diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 000000000..2f31aea79 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 952c4e91a118d8a92f15fef49024665482a8f23d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 20:50:00 +0200 Subject: [PATCH 749/977] feat(aa): add aa --enforce and aa --complain. These are small dev tools, not installed by default. --- cmd/aa/main.go | 131 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 122 insertions(+), 9 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 5d32e9331..b0737de77 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,6 +8,9 @@ import ( "flag" "fmt" "os" + "os/exec" + "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -15,12 +18,14 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. + -e, --enforce Switch the given profile(s) to enforce mode. + -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -31,12 +36,19 @@ Options: // Command line options var ( - help bool - path string - systemd bool - lint bool - format bool - tree bool + help bool + path string + systemd bool + enforce bool + complain bool + lint bool + format bool + tree bool +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) + regProfileHeader = regexp.MustCompile(` {\n`) ) type kind uint8 @@ -60,6 +72,10 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") + flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -111,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.ReplaceAll(profile, paragraphs[idx], rules.String()+"\n") + fmt.Printf(rules.String() + "\n") } return profile, nil } @@ -152,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -190,7 +284,26 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() From 24f629d326692965d2a17fe948f9500c04e5122b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 21:43:23 +0200 Subject: [PATCH 750/977] fix(profile): few fixes related to reattached paths. See #816 --- apparmor.d/abstractions/common/app | 5 +++++ apparmor.d/groups/flatpak/flatpak | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 ++ apparmor.d/groups/hyprland/hyprland | 2 +- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3b425e505..b6e6734e6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -114,6 +114,7 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -131,10 +132,14 @@ owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index fca84002a..6b671f0e0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -85,6 +85,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{user_games_dirs}/{,**/} w, owner @{user_documents_dirs}/ w, + @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 4199e92b1..f2cd0295a 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,6 +83,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + owner @{att}/@{HOME}/.var/app/** rwlkmix, + @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c1e6da4d8..cd3270e49 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -38,7 +38,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From 5e5fde7741402aac6648f6ee6fa4f7bf531e9004 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 21:43:20 +0200 Subject: [PATCH 751/977] feat(abs): add the sqlite abstraction. --- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/sqlite | 23 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-music | 3 +-- apparmor.d/groups/gnome/localsearch | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- apparmor.d/profiles-a-f/dropbox | 3 +-- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 8 +++---- apparmor.d/profiles-g-l/gpodder | 4 +--- .../profiles-m-r/protonmail-bridge-core | 3 +-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/syncthing | 4 +--- apparmor.d/profiles-s-z/wechat-appimage | 4 +--- apparmor.d/tunables/multiarch.d/system | 3 --- 18 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 apparmor.d/abstractions/sqlite diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b6e6734e6..5072cadfd 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,6 +28,7 @@ include include include + include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 000000000..690417f87 --- /dev/null +++ b/apparmor.d/abstractions/sqlite @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 511a48987..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 88e2bf327..049b3c402 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -23,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -56,9 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d35f6467f..6b358c8b0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,6 +21,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -63,9 +64,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 15f86bcf5..f40d69799 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -23,6 +23,7 @@ profile dropbox @{exec_path} { include include include + include include @{exec_path} mr, @@ -61,8 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 40001da68..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7a00455a6..58ba493cc 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -18,6 +18,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index cebfc955f..46ff3eec5 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -36,9 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index dd7a20eb7..e60034172 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include @@ -47,9 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 45c6766e3..ca9680aea 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -17,6 +17,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 02bf3bc56..2ff7b4e71 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index a455df0e9..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index d1194abf5..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,8 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 611c8462d..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,7 +69,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-*-strawberry w, owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 4553ac1e9..83e1b2f45 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -12,6 +12,7 @@ profile syncthing @{exec_path} { include include include + include include network inet dgram, @@ -35,9 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 98ce53f07..335860d07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -19,6 +19,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, network netlink dgram, @@ -59,9 +60,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 288665770..cf8575db0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -56,9 +56,6 @@ # System Internal # --------------- -# SQlite temporary files (hexadecimal from 12 to 16 characters) -@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} - # Shortcut for PCI device @{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2} From c806ec44eb43bd494672f990e49e29426eb087b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:56:07 +0200 Subject: [PATCH 752/977] feat(profile): update virt profiles. --- apparmor.d/groups/virt/cockpit-bridge | 7 +++++++ apparmor.d/groups/virt/cockpit-session | 7 +++++++ apparmor.d/groups/virt/cockpit-ws | 4 +++- apparmor.d/groups/virt/dockerd | 9 +++++++++ apparmor.d/groups/virt/libvirt-dbus | 9 ++++++--- apparmor.d/groups/virt/libvirtd | 14 ++++++++++---- apparmor.d/groups/virt/virt-aa-helper | 24 ++++++++++++++++++++++-- apparmor.d/groups/virt/virtiofsd | 4 ++-- 8 files changed, 66 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index b6111750b..bf3d48204 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include + include + include include include include @@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} { signal send set=term peer=unconfined, signal (send receive) set=term peer=cockpit-bridge//sudo, + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + @{exec_path} mr, @{bin}/cat ix, @@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/n@{int} r, # For network interfaces + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 8eafd25a0..3fbefadb7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, @@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 8e3478072..d4fb299fe 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + @{run}/cockpit/session rw, @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index aa0a9ed58..0a214ccd1 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, + @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { include if exists } + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 303e906c2..f3bbaf019 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} { owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index fa3005a65..44d6962f5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share @@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, @@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 53afe6012..b49368f07 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} { @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 899ecae04..ae7ac5fa9 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include userns, From f3d209e42a0abaabb0a34491b645f653fc035f16 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:58:46 +0200 Subject: [PATCH 753/977] feat(profile): ensure nautilus can access root files. --- apparmor.d/groups/gvfs/gvfsd-admin | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 4f845f316..e1b16cac3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -22,14 +22,15 @@ profile gvfsd-admin @{exec_path} { /usr/share/mime/mime.cache r, - @{MOUNTS}/{,**} rw, - - @{run}/mount/utab r, - @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/stat r, + #aa:lint ignore=too-wide + # Full access to system's data, but no write access to sensitive system directories + / r, + /*/ r, + /*/** rw, + deny @{sys}/** w, + deny @{PROC}/** w, + deny @{efi}/** w, + deny /dev/** w, include if exists } From 5d7646d9ccfe75becdb2276f77c03088b4cb8616 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:05:34 +0200 Subject: [PATCH 754/977] Update mandb ALLOWED mandb exec @{bin}/bzip2 -> mandb//null-@{bin}/bzip2 comm=mandb requested_mask=x denied_mask=x ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /var/cache/man/52062 comm=bzip2 requested_mask=wr denied_mask=wr ALLOWED mandb//null-@{bin}/bzip2 file_mmap @{bin}/bzip2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r --- apparmor.d/profiles-m-r/mandb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index cd825471d..551a6fec0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -17,6 +17,8 @@ profile mandb @{exec_path} { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, From 4d15570ff1dd23566ab4a9a79f84424791ef86e1 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:20:06 +0200 Subject: [PATCH 755/977] Update grub-mkrelpath ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 789f68287..7b5f7eaa1 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, + /tmp/grub-btrfs.*/@_backup_**/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From 2c64ab91cb58f56590dd9b8a4cfb878da05769ba Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:33:55 +0200 Subject: [PATCH 756/977] Update grub-mkrelpath --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 7b5f7eaa1..d4508b4c5 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_**/boot/ r, + /tmp/grub-btrfs.*/@_backup_*/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From b3dd09ce0198d0724d1f43b099b4e205a5ec9b5b Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:13:22 +0200 Subject: [PATCH 757/977] Update gnome-boxes ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa.rdfs comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa-rubberband.rdf comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb2/2-3/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-6/1-6.2/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-14/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-13/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r --- apparmor.d/groups/gnome/gnome-boxes | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 2462c2071..16aa4e862 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -36,6 +36,7 @@ profile gnome-boxes @{exec_path} { @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -55,6 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, + owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, @@ -66,6 +69,7 @@ profile gnome-boxes @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From ddee0512797143a1b31dbdf41c965234fc61f8b2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:35:42 +0200 Subject: [PATCH 758/977] Update gnome-boxes --- apparmor.d/groups/gnome/gnome-boxes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 16aa4e862..1447715b7 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -56,7 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, - owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, From 8b49f9ebf5c85f2ca94a8e111b1161e2ebc258ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:52:57 +0200 Subject: [PATCH 759/977] feat(profile): update telegram path fix #821 --- apparmor.d/profiles-s-z/telegram-desktop | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index d967f4229..c1544af72 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include @@ -35,10 +35,11 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, From 0f017048e445cb21f764e480d332f64d79b0907d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:57:40 +0200 Subject: [PATCH 760/977] fix(profile): fix att path in flatpak fix #820 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-portal | 4 ++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 6b671f0e0..4122e8055 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -77,6 +77,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, # Can create dotfile directories for any app owner @{user_cache_dirs}/*/ w, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 84e2d7964..ac1e41894 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -34,8 +34,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner /att/**/ r, owner @{att}/.flatpak-info r, - owner @{HOME}/.var/app/*/**/.ref rw, - owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c6efaf360..be66f7484 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -29,8 +29,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{att}/@{HOME}/.var/app/** r, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, From e7a91b307e025498c37b15302f5c8e63d027938d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:01:31 +0200 Subject: [PATCH 761/977] fix(profile): fusermount with fsarchiver fix #817 --- apparmor.d/groups/filesystem/ntfs-3g | 2 ++ apparmor.d/profiles-a-f/fusermount | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g index d94d7a0f2..e4749177c 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -34,6 +34,8 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 3df041e64..a84b85322 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -30,6 +30,7 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, From ec73d8349e1461995817bfeb5303dd85ea165543 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:05:05 +0200 Subject: [PATCH 762/977] fix(profile): gnome access to chromium shared. fix #806 --- apparmor.d/groups/gnome/gnome-shell | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 95874290f..0f91b7283 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -303,6 +303,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, From ba217a261ed39ad0ec20e909a89ac3618c8fd180 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:15:38 +0200 Subject: [PATCH 763/977] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 9 ++++----- apparmor.d/groups/flatpak/flatpak-app | 4 ++++ apparmor.d/groups/flatpak/flatpak-portal | 6 ++++++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4122e8055..c540b9db8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,14 +40,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @{exec_path} mr, @@ -138,6 +136,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index f2cd0295a..e8fe195fb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -48,6 +48,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal receive set=(int term) peer=flatpak-portal, signal receive set=(int term) peer=flatpak-session-helper, + unix type=seqpacket peer=(label=dbus-session), + # unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=xdg-dbus-proxy), + @{bin}/** rmix, @{lib}/** rmix, /app/** rmix, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index ac1e41894..b86f0a4fd 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -10,6 +10,7 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_ptrace, @@ -22,6 +23,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/flatpak rPx, From 2d3831221af1662619f74f10a208aff01c599665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:16:43 +0200 Subject: [PATCH 764/977] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-browsed | 5 ++++- apparmor.d/groups/cups/ippfind | 22 ++++++++++++++++++++++ apparmor.d/groups/cups/print-backends-cups | 19 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/cups/ippfind create mode 100644 apparmor.d/groups/cups/print-backends-cups diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 9498f245a..a7773a57f 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -38,7 +38,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=PrinterDeleted + member={PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), @{exec_path} mr, @@ -52,7 +52,10 @@ profile cups-browsed @{exec_path} { /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 000000000..c2a944b11 --- /dev/null +++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 000000000..6ab6007cb --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 46d4207d716dc895d2ec2405f80ea04fbc2bf336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:22:59 +0200 Subject: [PATCH 765/977] feat(profile): makepkg: handle lsb_release and pager. --- apparmor.d/groups/pacman/makepkg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 583d0b9c0..84136638c 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -29,9 +29,11 @@ profile makepkg @{exec_path} { file, + @{pager_path} Px -> child-pager, @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, @{bin}/sudo Cx -> sudo, deny capability sys_ptrace, From fb82d8d0d60f9c0bc7726c1084bbad3b1b2f26b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:27:22 +0200 Subject: [PATCH 766/977] feat(profile): small gnome related improvement. --- apparmor.d/groups/gnome/evolution-addressbook-factory | 8 ++++---- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 4 ++-- apparmor.d/groups/gnome/papers | 4 ++++ apparmor.d/groups/network/ModemManager | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 3d83232e1..98c94c79e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -30,7 +30,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -38,12 +38,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -53,7 +53,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 435d055fa..4c84fe822 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -20,6 +20,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 64568eab0..8887ce797 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -72,6 +72,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index c10261c02..7e817f490 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -37,6 +37,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index f8d4280a0..af5ff2f05 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -20,8 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 27000b93a..6f5a137a3 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -25,6 +25,10 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8220516bf..22b94effd 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -17,6 +17,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 735154b7e..d5c93fc5c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -62,6 +62,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, From b53e0b7d395ee15c7a79c6ce896e4d871d4103d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:30:44 +0200 Subject: [PATCH 767/977] feat(abs): add the oneapi abs. --- apparmor.d/abstractions/oneapi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/oneapi diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi new file mode 100644 index 000000000..17225ef03 --- /dev/null +++ b/apparmor.d/abstractions/oneapi @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intel oneAPI compiler libraries + + abi , + + /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, + /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + + include if exists + +# vim:syntax=apparmor From 81636262f18b65bc1bf0b09a48fce1df6d9f7b0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:42:38 +0200 Subject: [PATCH 768/977] feat(abs): add the java abstraction. --- apparmor.d/abstractions/java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/java diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 000000000..91472d21e --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor From fbb1768aa699b3f68c4d682b7dacfd362a1d091c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:46:26 +0200 Subject: [PATCH 769/977] feat(abs): add the amdgpu abstraction. --- apparmor.d/abstractions/amdgpu | 30 +++++++++++++++++++++++++++ apparmor.d/abstractions/graphics-full | 2 ++ 2 files changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/amdgpu diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 000000000..181d86864 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index eb60edb4d..1e2c97224 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,7 +4,9 @@ abi , + include include + include @{sys}/devices/@{pci}/numa_node r, From 0817911b579fa417a46fd03f9dbec5398bc3180e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:48:36 +0200 Subject: [PATCH 770/977] feat(abs): add more core abstractions They will at term replace the freedesktop abstraction. --- apparmor.d/abstractions/desktop-files | 22 ++++++++++++++++++++++ apparmor.d/abstractions/gsettings | 13 +++++++++++++ apparmor.d/abstractions/icons | 26 ++++++++++++++++++++++++++ apparmor.d/abstractions/mime | 17 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 apparmor.d/abstractions/desktop-files create mode 100644 apparmor.d/abstractions/gsettings create mode 100644 apparmor.d/abstractions/icons create mode 100644 apparmor.d/abstractions/mime diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 000000000..d616dad83 --- /dev/null +++ b/apparmor.d/abstractions/desktop-files @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/applications/{,**} r, + @{system_share_dirs}/*ubuntu/applications/{,**} r, + @{system_share_dirs}/gnome/applications/{,**} r, + @{system_share_dirs}/xfce4/applications/{,**} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, + + /var/lib/snapd/desktop/applications/{,**} r, + + owner @{user_share_dirs}/applications/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings new file mode 100644 index 000000000..788b14486 --- /dev/null +++ b/apparmor.d/abstractions/gsettings @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 000000000..0dd44e33c --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/icons/{,**} r, + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 000000000..6622c99dd --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + + owner @{user_share_dirs}/mime/mime.cache r, + + include if exists + +# vim:syntax=apparmor From 3b2f745bcaa126150e8f3f8f4bda6150a63e950c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 19:25:00 +0200 Subject: [PATCH 771/977] feat(abs): use the new core abs in desktop. --- apparmor.d/abstractions/desktop | 21 ++++++++------------- apparmor.d/abstractions/desktop-files | 5 +++++ apparmor.d/abstractions/gnome-strict | 14 +++++++------- apparmor.d/abstractions/gsettings | 1 + apparmor.d/abstractions/icons | 3 --- apparmor.d/abstractions/kde-strict | 10 +++++----- apparmor.d/abstractions/mime | 7 ++++++- apparmor.d/abstractions/recently-used | 21 +++++++++++++++++++++ 8 files changed, 53 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/recently-used diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 878f6f794..4a32a1aa7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,10 +9,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -24,16 +28,11 @@ member=Introspect peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{version}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/gnome-mimeapps.list r, - - / r, # deny? + / r, owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -49,8 +48,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -65,8 +62,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/@{profile_name}* rwlk, owner @{user_config_dirs}/session/#@{int} rw, @@ -82,7 +77,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index d616dad83..9c0a8b941 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -12,11 +12,16 @@ /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/{,**} r, /var/lib/snapd/desktop/applications/{,**} r, owner @{user_share_dirs}/applications/{,**} r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/{,**} r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index fadaedcbf..445c62e6b 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,9 +4,14 @@ abi , + include include - include + include include + include + include + include + include include include include @@ -20,14 +25,9 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings index 788b14486..4d22f080b 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gsettings @@ -5,6 +5,7 @@ abi , + @{system_share_dirs}/ r, @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons index 0dd44e33c..6a721b837 100644 --- a/apparmor.d/abstractions/icons +++ b/apparmor.d/abstractions/icons @@ -16,10 +16,7 @@ owner @{HOME}/.icons/{,**} r, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_share_dirs}/icons/{,**} r, - owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index fd994d12d..5fbdd7869 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,10 +4,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -26,8 +30,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -42,8 +44,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 6622c99dd..9a70edaf8 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -9,8 +9,13 @@ @{system_share_dirs}/mime/{,**} r, /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, - owner @{user_share_dirs}/mime/mime.cache r, + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used new file mode 100644 index 000000000..d3a7ec289 --- /dev/null +++ b/apparmor.d/abstractions/recently-used @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.recently-used.xbel rw, + owner @{HOME}/.recently-used.xbel.@{rand6} rwl, + owner @{HOME}/.recently-used.xbel.lock rwk, + + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + + owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? + + include if exists + +# vim:syntax=apparmor From 1506ae04d8c24763cc83779c14ff321afef458a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:03:19 +0200 Subject: [PATCH 772/977] fix(profile): /att/**/ instead of @{att}/ --- apparmor.d/groups/freedesktop/pipewire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 97e3c6119..02a370cdc 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -40,7 +40,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, / r, - @{att}/ r, + /att/**/ r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, From cea9fd56141484f5bf3a2b6bf16970789f563e38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:37:48 +0200 Subject: [PATCH 773/977] feat(profile): improve kde integration see #559 --- apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kioworker | 1 + .../groups/kde/kscreen_backend_launcher | 2 +- .../groups/kde/ksmserver-logout-greeter | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_wayland | 19 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 7 ++++--- apparmor.d/groups/kde/sddm | 1 + apparmor.d/groups/kde/wayland-session | 3 +-- 10 files changed, 32 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 861132887..2307c709f 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -39,6 +39,7 @@ profile DiscoverNotifier @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f2f2489ab..e8be8a0dd 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -182,6 +182,9 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 69b735310..71465df97 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -49,6 +49,7 @@ profile kioworker @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 7df07f64b..00b4c9630 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -13,8 +13,8 @@ profile kscreen_backend_launcher @{exec_path} { include include include + include include - include #aa:dbus own bus=session name=org.kde.KScreen #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 67e56c3c6..e5ea15c29 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index ad96cb512..de175635a 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,7 +45,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, owner @{tmp}/kwalletd5.* rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 243e0adfe..c11f951be 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -46,6 +46,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -53,6 +54,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -179,6 +181,21 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 68ea4fc0c..e767d7bb5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -70,7 +70,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, @@ -104,7 +104,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, - /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -166,6 +165,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, @@ -200,9 +200,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.lock rwk, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b62116704..b9d07e380 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -92,6 +92,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 56914137b..c07b06815 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, @@ -39,8 +40,6 @@ profile wayland-session @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } From f18fc88253b82ca04bb92c2b68f2efb75afc55b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:39:18 +0200 Subject: [PATCH 774/977] feat(profile): kde: improve dbus rules. --- apparmor.d/groups/kde/baloorunner | 3 +++ apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kactivitymanagerd | 1 + apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 2 ++ apparmor.d/groups/kde/ksmserver-logout-greeter | 9 +++++++++ apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 1 + 10 files changed, 21 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 702288a1f..64372f497 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 65582d1ba..4b1e734ed 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -18,6 +18,7 @@ profile kaccess @{exec_path} { include #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..ead285e5f 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,6 +11,7 @@ include profile kactivitymanagerd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c961ed7a3..01706e649 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -28,6 +28,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ #aa:dbus own bus=session name=local.org_kde_powerdevil #aa:dbus own bus=session name=org.freedesktop.PowerManagement diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e8be8a0dd..93c70329e 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -68,6 +68,7 @@ profile kded @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" dbus receive bus=system path=/ diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..b9c09d0c6 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e5ea15c29..e46237c2a 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,6 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include + include + include include include include @@ -18,6 +22,11 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index e1d5d7394..ea80e28cd 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -11,6 +11,7 @@ profile ksplashqml @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c11f951be..51f09c8c4 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -35,7 +35,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel #aa:dbus own bus=session name=org.kde.KWin #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect #aa:dbus own bus=session name=org.kde.screensaver diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b9d07e380..08835eaf0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -55,6 +55,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.DisplayManager #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, From 53df40b8ac3b95eab40ed8e4ffe41f9c4f52d2eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:40:36 +0200 Subject: [PATCH 775/977] feat(profile) gvfs: more dbus integration. --- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 1 + apparmor.d/groups/gvfs/gvfsd-network | 10 ++++++++++ apparmor.d/groups/gvfs/gvfsd-recent | 5 +++++ apparmor.d/groups/gvfs/gvfsd-sftp | 26 ++++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-wsdd | 13 ++++++++++++- 6 files changed, 59 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 6c61dbba4..ab786106c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -38,6 +38,11 @@ profile gvfsd-dnssd @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 5812c8a6e..f51ef2afe 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,6 +11,7 @@ include profile gvfsd-http @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index cd64d81ad..1af0a2b37 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -32,6 +32,16 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 042b66a68..1219c8cbd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -33,6 +33,11 @@ profile gvfsd-recent @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, # Full access to user's data diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 157af621c..76bb55e98 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,10 +10,36 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include include include include + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gnome-extension-gsconnect), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=nautilus), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + @{exec_path} mr, @{bin}/ssh rPx, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 209971ac2..0dee4e73b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,6 +13,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include network netlink raw, @@ -31,9 +32,19 @@ profile gvfsd-wsdd @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-network), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, @{run}/mount/utab r, From 15b8a6cea4dbdbd34a103f643ea13b085e424987 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 21:22:25 +0200 Subject: [PATCH 776/977] fix: linter issue. --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 51f09c8c4..e2e3ecfe0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -184,7 +184,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile ibus { include include - + @{sh_path} r, @{lib}/{,ibus/}ibus-x11 rPx, From bfe35f254e31557bdc75f08a6c0f02f005291b75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:40:48 +0200 Subject: [PATCH 777/977] feat(profile): small improvement for snap. --- apparmor.d/groups/snap/snap | 16 +++++++++++----- apparmor.d/groups/snap/snap-seccomp | 6 +++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index ef0a086a8..564fd9151 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability chown, + capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, @@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{DESKTOP_HOME}/snap/{,**} rw, /snap/{,**} rw, - @{HOME}/snap/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.snap.mkdir-new/ rw, - owner @{HOME}/.snap/{,**} rw, + @{HOME}/ r, + @{HOME}/.snap.mkdir-new/ rw, + @{HOME}/.snap/{,**} rw, + @{HOME}/snap/{,**} rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/ttyS@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, profile gpg { include diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 9605c544a..2a14fd583 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } From 7b0a78b1f13743eae7f59efbaf501654955e7372 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:42:49 +0200 Subject: [PATCH 778/977] feat(abs): improve dbus core abstractions --- apparmor.d/abstractions/bus/org.freedesktop.Accounts | 4 ++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- .../abstractions/bus/org.freedesktop.portal.Desktop | 10 +++++----- apparmor.d/abstractions/bus/org.freedesktop.secrets | 4 ++-- .../abstractions/bus/org.gnome.Mutter.IdleMonitor | 4 ++-- apparmor.d/abstractions/bus/org.gnome.SessionManager | 5 +++++ apparmor.d/abstractions/bus/org.gtk.Notifications | 2 +- apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index d15288d46..e77f17b88 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -8,8 +8,8 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index aa48e69b1..4ddf95af3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,7 +23,7 @@ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), dbus receive bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 2753a6602..4d4faf688 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -14,22 +14,22 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index a2389a68a..e30e7b1c2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -8,8 +8,8 @@ dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name="@{busname}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 3eb301f18..8eb573f7e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -13,8 +13,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name="@{busname}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 0683a98fb..a532b67f2 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -13,6 +13,11 @@ member={RegisterClient,IsSessionRunning} peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Inhibit,Uninhibit} + peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications index b9229f204..ad1a1ffad 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -8,7 +8,7 @@ dbus send bus=session path=/org/gtk/Notifications interface=org.gtk.Notifications - member=RemoveNotification + member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index d88afd0ee..c455d4f18 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -21,7 +21,7 @@ dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted + member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), include if exists From e9f0b77f2d00d748841dd78832368671a3549936 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 18:59:08 +0200 Subject: [PATCH 779/977] feat(profile): update btop. --- apparmor.d/profiles-a-f/btop | 42 ++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bab483dde..4910629ce 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, @@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From d6885803cbfe3d420b1eb15b9562aae68228ad9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:32:51 +0200 Subject: [PATCH 780/977] fear(abs): update dbus core abs. --- .../bus/org.freedesktop.ColorManager | 7 ++++ .../bus/org.freedesktop.FileManager1 | 5 +++ .../abstractions/bus/org.freedesktop.UPower | 10 ++++- .../bus/org.freedesktop.hostname1 | 1 + .../bus/org.freedesktop.portal.Desktop | 15 +++++++ .../abstractions/bus/org.freedesktop.resolve1 | 6 +-- .../bus/org.gnome.Mutter.IdleMonitor | 2 +- .../bus/org.gnome.Shell.SearchProvider2 | 10 +++++ .../abstractions/bus/org.gtk.vfs.Daemon | 2 +- .../bus/org.kde.StatusNotifierItem | 24 +++++++++++ .../bus/org.kde.StatusNotifierWatcher | 42 ++++++++++++++++++- .../bus/org.mpris.MediaPlayer2.Player | 31 ++++++++------ 12 files changed, 135 insertions(+), 20 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3a63d95dc..e23092429 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow for color managed applications to communicate with colord + abi , #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -21,6 +23,11 @@ member={DeviceAdded,DeviceRemoved} peer=(name="@{busname}", label="@{p_colord}"), + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 76095edaf..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -6,6 +6,11 @@ #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d82fbdef0..64b400a3e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can query UPower for power devices, history and statistics. + abi , #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -13,7 +16,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 0a8d86be1..165e3ae6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,7 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4d4faf688..4778dd6dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -11,6 +11,11 @@ member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -41,6 +46,16 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index e2c4b3886..fe6d52dc6 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 8eb573f7e..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -14,7 +14,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 index baa96cc78..ae8b68448 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -6,6 +6,16 @@ #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 66910007b..93ad35fe5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 43947d52a..87fd06727 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,6 +4,30 @@ abi , + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index d9ca82881..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,14 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index d8581be07..d71b7ac1e 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -4,27 +4,34 @@ abi , - #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + # DBus.Properties: receive property changed events dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}), + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member={Seeked,Next,PlayPause} + peer=(name=@{busname}), + + # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked + dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.mpris.MediaPlayer2.Player member=Seeked - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=@{busname}), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}), + peer=(name=org.freedesktop.DBus), include if exists From eb2def65a1900c681bfc43fd9d4dbb450fc4f4be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:47:00 +0200 Subject: [PATCH 781/977] feat(abs): move some dbus abs to the session subfolder. --- .../{own-accessibility => accessibility/own} | 2 +- .../bus/org.freedesktop.systemd1-session | 16 ------------ .../bus/session/org.freedesktop.systemd1 | 26 +++++++++++++++++++ .../bus/{own-session => session/own} | 2 +- .../bus/{own-system => system/own} | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/kde/kcminit | 2 +- apparmor.d/profiles-s-z/spotify | 1 + pkg/prebuild/directive/dbus.go | 2 +- 11 files changed, 35 insertions(+), 24 deletions(-) rename apparmor.d/abstractions/bus/{own-accessibility => accessibility/own} (93%) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.systemd1-session create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 rename apparmor.d/abstractions/bus/{own-session => session/own} (93%) rename apparmor.d/abstractions/bus/{own-system => system/own} (93%) diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/accessibility/own similarity index 93% rename from apparmor.d/abstractions/bus/own-accessibility rename to apparmor.d/abstractions/bus/accessibility/own index cd8e42e52..d1eab1ce7 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session deleted file mode 100644 index 577cc3ed9..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 new file mode 100644 index 000000000..0c8185be6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnit + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/session/own similarity index 93% rename from apparmor.d/abstractions/bus/own-session rename to apparmor.d/abstractions/bus/session/own index 91515adb0..d975ebb48 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/session/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/system/own similarity index 93% rename from apparmor.d/abstractions/bus/own-system rename to apparmor.d/abstractions/bus/system/own index d48931f4f..2b1130b32 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/system/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 4e3440656..9a42bcdf1 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal (receive) set=(hup term) peer=gdm-session-worker, signal (receive) set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8b0ea6307..447c030d6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index b8da39a4d..35f43a93e 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index bd01bf3c8..4f8b10a32 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,7 +10,7 @@ include profile kcminit @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 3c18059a9..0eb5eab43 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 06fedffb5..891eb9e1d 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -111,7 +111,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { res := aa.Rules{ &aa.Include{ - IsMagic: true, Path: "abstractions/bus/own-" + rules["bus"], + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], From 30618828097267ced9833cdf16de350eac1b05b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:04:07 +0200 Subject: [PATCH 782/977] feat(profile): update dbus rules for Ubuntu. --- apparmor.d/groups/freedesktop/dconf | 1 + apparmor.d/groups/freedesktop/pipewire-pulse | 3 +++ .../polkit-kde-authentication-agent | 2 ++ apparmor.d/groups/freedesktop/wireplumber | 5 +++++ .../groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-document-portal | 3 ++- .../gnome/evolution-addressbook-factory | 5 +++++ apparmor.d/groups/gnome/gjs-console | 2 ++ apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-control-center | 5 ++--- .../groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/gnome-software | 11 ++++++++++ apparmor.d/groups/gnome/gnome-system-monitor | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 14 +++++-------- apparmor.d/groups/gnome/gsd-power | 1 + .../groups/gnome/gsd-print-notifications | 20 ++++++++++++++++++- apparmor.d/groups/gnome/gsd-xsettings | 12 ++++++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 8 +++++++- apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/gnome/ptyxis-agent | 5 ++++- apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/systemd/resolvectl | 7 +++++++ .../groups/ubuntu/software-properties-gtk | 6 +++++- apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/profiles-a-f/alacarte | 3 +++ apparmor.d/profiles-a-f/element-desktop | 1 + apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-m-r/pinentry-gnome3 | 4 +++- apparmor.d/profiles-s-z/spotify | 11 ++++++++++ apparmor.d/profiles-s-z/superproductivity | 11 +++++++++- 35 files changed, 142 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index be4972f04..20b453df4 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index fddbe02f7..e6e6e59c5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -13,12 +13,15 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, ptrace read, + #aa:dbus own bus=session name=org.pulseaudio.Server + @{exec_path} mr, @{bin}/pactl rix, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..5e7a75a8d 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 80c3135f5..7aff8bdd2 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -32,6 +32,11 @@ profile wireplumber @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 35c81f0bc..89acacd34 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d2db2612e..84c0fce42 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -30,7 +30,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 98c94c79e..c9a9d72c9 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -55,6 +55,11 @@ profile evolution-addressbook-factory @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0cfd4c420..6d6d6ea85 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -17,8 +17,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 235c0ce9e..7d6d5246d 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,6 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar - #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory @@ -32,6 +31,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9af2b7d5f..7ce936e52 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,13 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 41b62df09..1c35a8ec1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -42,9 +43,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8887ce797..3f57b3035 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,8 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0f91b7283..b7706ccf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,7 +25,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -87,7 +86,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7e817f490..71141595b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,6 +9,12 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include + include + include + include + include + include + include include include include @@ -24,6 +30,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a3d039dea..a99d566c0 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6cae2d49b..7f02d8bf4 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,6 +20,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -38,7 +39,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label="@{p_systemd_logind}"), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -48,17 +49,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2fa0b0b1f..379f7b814 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index af5ff2f05..59123f485 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=ServerStarted + member={ServerStarted,PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -38,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member={CacheExhausted,ItemNew} + peer=(name=@{busname}, label=avahi-daemon), + dbus receive bus=system path=/Client4/RecordBrowser3 + interface=org.freedesktop.Avahi.RecordBrowser + member=ItemNew + peer=(name=@{busname}, label=avahi-daemon), + @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index abf30bc40..2e21750b9 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,10 +36,20 @@ profile gsd-xsettings @{exec_path} { #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label="@{p_accounts_daemon}"), + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d89d4d6f9..398b2b679 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -12,6 +12,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index fc9b923d8..17bdc5f13 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -31,9 +31,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -49,6 +50,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=Print peer=(name=@{busname}, label=nautilus), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6f5a137a3..9a22e3de8 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a6f7e5b63..a0a57d516 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index ce60a26c3..7a05b2254 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/ptyxis-agent profile ptyxis-agent @{exec_path} { include + include + include include - include include + include + include signal send set=hup peer=unconfined, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c89a12a47..33de68147 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 5799ced5b..f761ecf29 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 58f2d88f8..3013d8ae6 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -21,8 +21,15 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.network1.Manager + member=SetLinkDNSEx + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index bb31d8867..15a49066c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,19 +9,23 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} { include - include + include include include include include include + include + include include include include include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 9754aa231..8e9cddd54 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,6 +14,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 700c6d517..b4cfb56e6 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 7891b67e1..ec7ee9c65 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -17,6 +17,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4bed50f13..0a9e6dfc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,6 +18,8 @@ profile libreoffice @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index a955a9c6d..f4a61b07b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,9 +10,11 @@ include profile pinentry-gnome3 @{exec_path} { include include + include + include include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0eb5eab43..f245e4312 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,10 +21,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include + include include include include @@ -36,8 +39,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c49a96621..73a86672f 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,7 +6,7 @@ abi , include -@{name} = super{p,P}roductivity +@{name} = super{p,P}roductivity Super?Productivity @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @@ -16,7 +16,16 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include + include include + include + include + include + include + include + include + include + include include network inet stream, From 0fccbef52b1e0d8b713c76d71220ae03bce8fb1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:06:34 +0200 Subject: [PATCH 783/977] feat(profile): improve firefox profiles. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/groups/browsers/firefox | 8 ++++++-- apparmor.d/groups/browsers/firefox-crashhelper | 5 +++++ apparmor.d/profiles-s-z/thunderbird-glxtest | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 68fb14887..238bf9e8b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,8 +21,9 @@ include include include - include + include include + include include include include @@ -98,6 +99,7 @@ /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, owner @{tmp}/mozilla* rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index bac81c847..f9ba190a3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), + #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55af7c2e2..8ffdccb67 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -15,11 +15,16 @@ include profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include + unix type=seqpacket peer=(label=firefox), + @{exec_path} mr, owner "@{config_dirs}/firefox/Crash Reports/" rw, owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4dc891361..53fdb1ffd 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -18,6 +18,8 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, / r, From f21fecc25a60abd0a5d7921112e226c8745c4ce5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:07:09 +0200 Subject: [PATCH 784/977] feat(profile): update possible path for browserpass. --- apparmor.d/profiles-a-f/browserpass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index ee7ff958c..c896e96f8 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include From 1724040229186e798f0fd443a22e747e9f3d5b93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:15:51 +0200 Subject: [PATCH 785/977] feat(profile): various ubuntu based improvements. --- .../freedesktop/xdg-desktop-portal-gnome | 2 + apparmor.d/groups/freedesktop/xkbcomp | 1 + .../groups/gnome/evolution-alarm-notify | 2 + apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 4 +- apparmor.d/groups/gnome/ptyxis | 7 ++- apparmor.d/groups/gnome/ptyxis-agent | 8 +++- apparmor.d/groups/snap/snap | 48 ++++++++++++++++++- apparmor.d/groups/snap/snap-update-ns | 1 + apparmor.d/groups/ssh/ssh | 4 +- apparmor.d/groups/systemd/systemd-coredump | 4 ++ apparmor.d/groups/systemd/systemd-udevd | 2 + apparmor.d/groups/ubuntu/apport | 5 ++ .../groups/ubuntu/software-properties-gtk | 7 ++- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 + apparmor.d/groups/utils/who | 2 + apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-m-r/mkinitramfs | 7 +++ apparmor.d/profiles-m-r/motd | 1 + apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-s-z/swtpm_setup | 6 +-- 22 files changed, 107 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index bed83627a..ca5f62f82 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 325d444f5..a99e12b7a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index ce8f799bb..174cb323f 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a99d566c0..e4ac12011 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, + /usr/share/byobu/desktop/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 2ad89fe0a..ae225aa65 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 17bdc5f13..5ad6bb7b5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a0a57d516..838dc940c 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -13,6 +13,10 @@ profile ptyxis @{exec_path} { include include + unix type=stream peer=(label=ptyxis-agent), + + #aa:dbus own bus=session name=org.gnome.Ptyxis + @{exec_path} mr, @{lib}/ptyxis-agent Px, @@ -25,11 +29,12 @@ profile ptyxis @{exec_path} { owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner /tmp/#@{int} w, + owner /tmp/#@{int} rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 7a05b2254..cf497e39f 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} { @{bin}/podman Px, @{bin}/systemd-run Cx -> shell, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, @{PROC}/@{pid}/cmdline r, @@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} { signal send, + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + @{bin}/systemd-run mr, @{bin}/@{shells} Ux, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 564fd9151..927d7a3da 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/mount rix, @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/xdg-settings rCx -> xdg-settings, @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, - owner @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, @@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) { include if exists } + profile xdg-settings { + include + include + + @{bin}/xdg-settings mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, + + @{bin}/xdg-mime Px, + + include if exists + } + + profile run { + include + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d7c18d59..157651ac3 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 03236196c..bf71a8463 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,8 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 54f366c2f..db1854f1f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /opt/** r, /usr/share/*/** r, @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, @@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9c993e0d5..62bada2a8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index fbc433c05..2fa7bb92a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 15a49066c..440ef4117 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 34b697732..e8d847e92 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index fd49b2bec..d951bfe03 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -20,6 +20,8 @@ profile who @{exec_path} { @{run}/systemd/sessions/* r, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 5df66e6bd..2d781a734 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + owner /var/lib/fwupd/ w, owner /var/lib/fwupd/.cache/ w, @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 42489117e..c6caf364f 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, include if exists @@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + @{sys}/module/compression r, include if exists diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 6cdb0fbf8..de742b2c9 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -10,6 +10,7 @@ include profile motd @{exec_path} { include include + include capability net_admin, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index 16ccfd9da..d6426f717 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 08ee1532e..5795ddfcc 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } From 9b7c1acb1bbad1465159935a0274991637d069c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:08 +0200 Subject: [PATCH 786/977] build: cosmetic on build task name. --- pkg/prebuild/builder/abi.go | 2 +- pkg/prebuild/builder/attach.go | 2 +- pkg/prebuild/builder/complain.go | 2 +- pkg/prebuild/builder/enforce.go | 2 +- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/builder/hotfix.go | 2 +- pkg/prebuild/builder/userspace.go | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 492e3cc31..b0052d13f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index aeafcbf7d..d27908129 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -18,7 +18,7 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnected path", + Msg: "Feat: re-attach disconnected path", }, }) } diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index dbd9b3478..8ee205564 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index a7ce90a7a..3d3d218c6 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 8f7fb4202..12dab15cd 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index f7e6143b1..be8750f26 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Temporary fix for #74, #80 & #235", + Msg: "Fix: temporary solution for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 37bb3a978..70dff8ec9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Resolve variable in profile attachments", + Msg: "Fix: resolve variable in profile attachments", }, }) } From bfcf9f846cd5eee8500413ae785d389266070657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:35 +0200 Subject: [PATCH 787/977] build: support for unconfined flag. --- pkg/prebuild/builder/complain.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 8ee205564..0d6a48f37 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -38,6 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" From 3a17dd33106a8e83d96c50e0522a7373967a6a0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:08:41 +0200 Subject: [PATCH 788/977] feat(aa): add support for advanced network rule. --- pkg/aa/network.go | 68 +++++++++++++++++++++----------- pkg/aa/rule_test.go | 11 ++++++ pkg/aa/templates/rule/network.j2 | 16 ++++++++ 3 files changed, 73 insertions(+), 22 deletions(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index d5a2af70b..15dd4385e 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -33,34 +33,54 @@ func init() { } } -type AddressExpr struct { - Source string - Destination string - Port string +type LocalAddress struct { + IP string + Port string } -func newAddressExprFromLog(log map[string]string) AddressExpr { - return AddressExpr{ - Source: log["laddr"], - Destination: log["faddr"], - Port: log["lport"], +func newLocalAddressFromLog(log map[string]string) LocalAddress { + return LocalAddress{ + IP: log["laddr"], + Port: log["lport"], } } -func (r AddressExpr) Compare(other AddressExpr) int { - if res := compare(r.Source, other.Source); res != 0 { - return res - } - if res := compare(r.Destination, other.Destination); res != 0 { +func (r LocalAddress) Compare(other LocalAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } return compare(r.Port, other.Port) } +type PeerAddress struct { + IP string + Port string + Src string +} + +func newPeerAddressFromLog(log map[string]string) PeerAddress { + return PeerAddress{ + IP: log["faddr"], + Port: log["fport"], + Src: log["saddr"], + } +} + +func (r PeerAddress) Compare(other PeerAddress) int { + if res := compare(r.IP, other.IP); res != 0 { + return res + } + if res := compare(r.Port, other.Port); res != 0 { + return res + } + return compare(r.Src, other.Src) +} + type Network struct { Base Qualifier - AddressExpr + LocalAddress + PeerAddress Domain string Type string Protocol string @@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - AddressExpr: newAddressExprFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + LocalAddress: newLocalAddressFromLog(log), + PeerAddress: newPeerAddressFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } @@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ee50532a9..ed6e7043d 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,6 +216,17 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b..3694442be 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file From 43f30333c6edd648c71789d1755a27b2c4381ac9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:14:52 +0200 Subject: [PATCH 789/977] feat(aa): add support for prompt and priority rule. --- pkg/aa/base.go | 6 +++++- pkg/aa/parse.go | 8 +++++++- pkg/aa/templates/rule/qualifier.j2 | 3 +++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index eaf69f71c..a712a5899 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -99,6 +99,7 @@ func (r Base) addLine(other Rule) bool { } type Qualifier struct { + Priority string Audit bool AccessType string } @@ -109,6 +110,9 @@ func newQualifierFromLog(log map[string]string) Qualifier { } func (r Qualifier) Compare(o Qualifier) int { + if r := compare(r.Priority, o.Priority); r != 0 { + return r + } if r := compare(r.Audit, o.Audit); r != 0 { return r } @@ -116,7 +120,7 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType } func (r Qualifier) getLenAudit() int { diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index e01696d74..3b737abfd 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,6 +15,8 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokPROMPT = "prompt" + tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -524,7 +526,11 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokALLOW, tokDENY: + case tokPRIORITY: + q.Priority = rule.GetValues(tokPRIORITY).GetString() + rule = rule[1:] + goto qualifier + case tokALLOW, tokDENY, tokPROMPT: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index a0ff554ec..69181051a 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,6 +3,9 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} + {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} From 7d1f8852098deaaabbc29697d0111a44fb83e557 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:15:21 +0200 Subject: [PATCH 790/977] test(aa): add testdata for network rule. --- pkg/aa/data_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b96fd865f..28aa703d6 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ From 157c365b261a8600404ee7c917b02d194725a6c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:17:10 +0200 Subject: [PATCH 791/977] fix(aa): ensure tokenization helper cleanup data. --- pkg/aa/util.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 5a7049d69..523eb99fe 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," From 107820975ded704279b68a40909a980c222a3da1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:18:41 +0200 Subject: [PATCH 792/977] feat(aa): add file kind. --- pkg/aa/apparmor.go | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 6119a0c91..94e232c81 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) // MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile From 7aae9f0dd7a14bfd37246992f1c11a4c96bd8e21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:30:54 +0200 Subject: [PATCH 793/977] build: add stacked-dbus builder Resolve peer label variable in dbus rules. It create a full dbus rule by item in a variable when it is used a peer label. For ubuntu with apparmor 4.1+ See https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 --- pkg/prebuild/builder/stacked-dbus.go | 105 +++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 18 +++-- 2 files changed, 116 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/stacked-dbus.go diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 000000000..d572e9d31 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + raw = profile + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) + return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) // + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ab221e485..8abfb4323 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,16 +108,20 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak - // that fully prevent profiles compilation with re-attached paths. - // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - if prebuild.Distribution != "ubuntu" { - builder.Register("attach") - prepare.Register("attach") - } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { builder.Register("attach") prepare.Register("attach") } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } From 2fcf4c50119de50de5498f30ee7a7a2aff9b5cd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:38:15 +0200 Subject: [PATCH 794/977] ci(github): remove test now enabled by default. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf88..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d From bc270954d49993374b14bc2af6b89bb37d7d45ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:53:12 +0200 Subject: [PATCH 795/977] feat(abs): add missing bus abs. --- .../bus/org.gnome.SettingsDaemon.MediaKeys | 23 ++++++++++++++++ .../bus/org.gnome.keyring.internal.Prompter | 26 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys create mode 100644 apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 000000000..3a461a85a --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..1c3e8f760 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor From 068d205e13b333f077371bd4af37637902f29e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:02:12 +0200 Subject: [PATCH 796/977] fix(prebuild): removce ineffectual assignment. --- pkg/prebuild/builder/stacked-dbus.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d31..33af33df7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { From 7ecc84d3b0e13f5d346a906dceda14321fddae1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:04:15 +0200 Subject: [PATCH 797/977] feat(tunable): add pp tunable, improve dbus tunables. --- apparmor.d/tunables/multiarch.d/profiles | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a..d4fefb0b0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor From 1d51b1436da8c64232cebe31317bdbebc870bded Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:08:52 +0200 Subject: [PATCH 798/977] Small documentation improvements --- docs/development/workflow.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c93..7cc7c5616 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. From 98034784e92400fd2241094f5ca8d85104f8b2f7 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:02:10 +0200 Subject: [PATCH 799/977] Add cider profile --- apparmor.d/profiles-a-f/cider | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cider diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..f534a0034 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider + +@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rpx, + + @{bin}/xdg-settings rpx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + /usr/share/xkeyboard-config-2/** r, + + include if exists +} + +# vim:syntax=apparmor From f5970fcc6741419ea96ef5c9c36a321da532e127 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:12:18 +0200 Subject: [PATCH 800/977] Remove tabs --- apparmor.d/profiles-a-f/cider | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index f534a0034..71b27bce5 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -42,11 +42,11 @@ profile cider @{exec_path} { owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, From eedbc2223c1bc84e2e12deb2fd1e041422c5994d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:52:00 +0200 Subject: [PATCH 801/977] cider-review-fixes --- apparmor.d/profiles-a-f/cider | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 71b27bce5..2b203e989 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -6,10 +6,13 @@ abi , include +@{name} = {C,c}ider sh.cider.genten @{domain} = sh.cider.genten org.chromium.Chromium @{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include include @@ -18,8 +21,9 @@ profile cider @{exec_path} { include include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,15 +36,13 @@ profile cider @{exec_path} { @{lib_dirs}/ r, @{lib_dirs}/** r, @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rpx, + @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rpx, + @{bin}/xdg-settings rPx, owner @{user_config_dirs}/sh.cider.genten/ rw, owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, @{PROC}/ r, @{PROC}/@{pid}/stat r, @@ -53,8 +55,6 @@ profile cider @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/statm r, - /usr/share/xkeyboard-config-2/** r, - include if exists } From aec7d41a25647f9da3f0b13ddbe53d048bec3ee2 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:03:31 +0200 Subject: [PATCH 802/977] add profiles for wayland screen capture tools --- apparmor.d/profiles-g-l/grim | 21 +++++++++++++++++++++ apparmor.d/profiles-s-z/slurp | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/grim create mode 100644 apparmor.d/profiles-s-z/slurp diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..0ded3d315 --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + + @{exec_path} mr, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..8d5bcc217 --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + +# often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 06f1c0538e9bca4ac1af6862c4553931b33ad108 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:15:04 +0200 Subject: [PATCH 803/977] remove whitespace --- apparmor.d/profiles-s-z/slurp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 8d5bcc217..c4250275e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - + @{exec_path} mr, /usr/share/icons/{,**} r, -# often used in combination with grim screen cature tool + # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, include if exists From 9a302147bd3b2d6f02d715bcaa0e645f1680295b Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:26:43 +0200 Subject: [PATCH 804/977] fix typo --- apparmor.d/profiles-g-l/grim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 0ded3d315..9f18db07b 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include - include + include @{exec_path} mr, From ec2c0b1c8e34273069a86caf5b7af3444d4a8e7c Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 24 Aug 2025 17:32:04 +0200 Subject: [PATCH 805/977] add default path for plain use --- apparmor.d/profiles-g-l/grim | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9f18db07b..9e40a8aca 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -13,6 +13,10 @@ profile grim @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + + owner @{HOME}/@{int8}_**_grim.png w, + owner /dev/shm/grim-@{rand6} rw, include if exists From 749ae318fca8bc9a8bed97bedeb883a326d95c13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:35:35 +0200 Subject: [PATCH 806/977] feat(profile): aa uses word8 as bug files. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0..1f8368045 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af80..07706d052 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fe..7308a5ef0 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, From cf96e7b1d0d37d050fba5a0e758190dc2059443f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:39:28 +0200 Subject: [PATCH 807/977] feat(profile): smal snap improvements. --- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/snap/snap-update-ns | 5 +++++ apparmor.d/groups/snap/snapd | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf4..b34d18c00 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac3..98ee0e5e7 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b6..06de56063 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -99,7 +99,8 @@ profile snapd @{exec_path} { /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +148,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -227,6 +229,9 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, + @{bin}/tar ix, + + owner @{HOME}/snap/*/common/.cache/{,**} r, include if exists } From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH 808/977] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..a8c13b3fd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..f3845daef 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..cabcca062 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..d8e7c3341 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..0318c7265 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..640e48f3f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..af91c7eaa 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include @@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..f10da1798 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..dfb9361f3 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..136536764 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..4cc5fc9fb 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..ed1ccfe1c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..9c686b19d 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..8a1b5f355 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 4db65834a402444b18a10fc7e43b879dc79f5ff5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:15:42 +0200 Subject: [PATCH 809/977] feat(abs): glibc: restrict auxv maps and statux to owner. --- apparmor.d/abstractions/glibc | 12 +++++++++--- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/polkit/polkitd | 3 ++- apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 -- apparmor.d/profiles-s-z/syncoid | 2 -- 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416..8536470bd 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b6..fa00311cd 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d96990..2765d8f10 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f10da1798..2b0530ef5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } From 544204e511ce6938fb2da2b9f01d28fd3ce34338 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:22:22 +0200 Subject: [PATCH 810/977] feat(abs): add the user-dirs abstraction. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/user-dirs | 14 ++++++++++++++ .../groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 4 +--- apparmor.d/groups/systemd/systemd-path | 3 +-- apparmor.d/profiles-g-l/grim | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 8 ++++---- 9 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/user-dirs diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa7..1bb4c20ea 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -17,6 +17,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b..72d09126e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869..02a0bc9c5 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450..cf488af63 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -14,13 +14,13 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9e40a8aca..5717837ec 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include + include include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - owner @{HOME}/@{int8}_**_grim.png w, owner /dev/shm/grim-@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678..158ea6a7f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,10 +19,12 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +39,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, From e50e87bd618543d9a638b4512bf8d72b82eb9524 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:14 +0200 Subject: [PATCH 811/977] feat(abs): update base additions. --- apparmor.d/abstractions/base.d/complete | 28 +++++++++++++------------ 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb9..d89688b70 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, - ptrace (readby) peer=@{p_systemd_coredump}, + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor From 5faca8461df97d62d065ca8a7430405621d39e54 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:59 +0200 Subject: [PATCH 812/977] feat(abs): remove user-dirs from recently-used abs. --- apparmor.d/abstractions/recently-used | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289..66a80867b 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor From c9813dc34f241e392d055234d754b76a0e803102 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:26:17 +0200 Subject: [PATCH 813/977] feat(abs): improve dbus rules in open & common gnome abs. --- apparmor.d/abstractions/app/open | 3 ++- apparmor.d/abstractions/common/gnome | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d18261..3d91de235 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -30,7 +32,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581b..f0dd20f47 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -9,6 +9,8 @@ include include include + include + include include include include From 61d8cee932d7671302f786f8f7f2b84d0d057bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:27:58 +0200 Subject: [PATCH 814/977] feat(profile): ssh: cleanup. --- apparmor.d/groups/ssh/ssh-agent | 1 + apparmor.d/groups/ssh/ssh-keygen | 3 ++- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cf..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e58..1b6dd5e98 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} { /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c1370..40cf0bca2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d8930..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, From 5d1ef4087741d3acf84fe50b26c5669ade291f10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:55:42 +0200 Subject: [PATCH 815/977] feat(profile): add some missing proc access. Due to recent changes in base-strict. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/gnome/gdm-generate-config | 7 ++++--- apparmor.d/groups/procps/htop | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2..6e67866f5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,10 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e5..4937f6875 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,6 +105,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, From be0d481068929ddd1787bbf8cb16a9cf4619deed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:56:41 +0200 Subject: [PATCH 816/977] feat(profile): remove common/systemd from systemd-detect-virt. --- apparmor.d/groups/systemd/systemd-detect-virt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025f..9b78b7c04 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,7 +31,14 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, From 2bb42bfca21bf7b372fccdeb763c33ef0f8875b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:14:12 +0200 Subject: [PATCH 817/977] build: add support for apparmor 5.0 (current master branch) --- dists/overwrite | 3 +++ pkg/prebuild/prepare/configure.go | 35 ++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index c8769ba54..16f8f4a19 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -38,3 +38,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index a6e954485..cf16f5b8e 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -23,6 +23,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -57,19 +66,31 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version == 4.1 { - // Remove files upstreamed in 4.1 + if prebuild.Version >= 4.1 { remove := []string{ + // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - "wg", // Upstream version is identical + + // Direct upstream contributed profiles, similar to ours + "wg", } - for _, name := range remove { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return res, err - } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err } } return res, nil From 57251820e1bafa211deef302d907a21213a1b523 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:48:01 +0200 Subject: [PATCH 818/977] build: improve support for aa 5.0 --- dists/overwrite | 5 +++-- pkg/prebuild/prepare/configure.go | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 16f8f4a19..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,6 +6,7 @@ brave chrome chromium +cockpit-desktop element-desktop epiphany firefox @@ -29,8 +30,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 lsblk lsusb diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index cf16f5b8e..9ca3b14d3 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,6 +6,7 @@ package prepare import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -92,6 +93,15 @@ func (p Configure) Apply() ([]string, error) { if err := removeFiles(remove); err != nil { return res, err } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) } return res, nil } From a3fde24b3deb9ecbd0ddebdf920315b24af46182 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 23:58:39 +0200 Subject: [PATCH 819/977] feat: add aliases for all coreutils. --- apparmor.d/tunables/alias.d/coreutils | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 apparmor.d/tunables/alias.d/coreutils diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> /usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, From 2bae05d30940d14ad09a86c5b666257e43c17058 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:05:19 +0200 Subject: [PATCH 820/977] feat(abs): add varianttable to apt common. --- apparmor.d/abstractions/common/apt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 5dd8b26bc..a267fd909 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -7,6 +7,7 @@ /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, From 1122f28cacf84e4cfea8796d73d90a0a37b7fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:46:40 +0200 Subject: [PATCH 821/977] tests(packer): cleanup package install process. - apparmor restart is handled by the package - it is a dev version, so it could fail. --- tests/packer/init.sh | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index bf75c0e1e..630da6b0f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,27 +27,21 @@ main() { case "$DISTRIBUTION" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles + apt-get install -y apparmor-profiles dpkg -i $SRC/*.deb || true ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" From 94f01c68f696fd858ec65195113cad95f8d514fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:48:11 +0200 Subject: [PATCH 822/977] feat(tunable): update home dir for gdm & add desktop_state_dirs. --- apparmor.d/tunables/multiarch.d/system-users | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..73a3267a0 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -31,5 +33,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor From b5020eac891099c023aad7e3b51375fbe663e0ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:22:01 +0200 Subject: [PATCH 823/977] tests(packer): remobe sudo alias --- tests/packer/src/.bash_aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' From 0ada92da328c830fddf1550352c02405d89f9ef8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:35:04 +0200 Subject: [PATCH 824/977] refractor(abs): gsettings -> gschemas. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/{gsettings => gschemas} | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/abstractions/{gsettings => gschemas} (88%) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 1bb4c20ea..3bfbcc887 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 72d09126e..4d2d390ee 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b..21a4d860c 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 02a0bc9c5..a06a29da4 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a8c13b3fd..c254fcd2d 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -15,7 +15,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f..982afd90d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -13,7 +13,7 @@ profile ptyxis-agent @{exec_path} { include include include - include + include include signal send set=hup peer=unconfined, From d6ddbf104cdfc07615b8f32c306d9db766a9ce77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:56:05 +0200 Subject: [PATCH 825/977] refractor(profile): always use the gschemas abstraction. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/geoclue | 5 ++--- apparmor.d/groups/gnome/chrome-gnome-shell | 3 +-- apparmor.d/groups/gnome/deja-dup-monitor | 3 +-- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 3 +-- apparmor.d/groups/gnome/evolution-source-registry | 3 +-- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 3 +-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 -- apparmor.d/groups/gnome/gsd-a11y-settings | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 4 ++-- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 3 +-- apparmor.d/groups/gnome/session-migration | 4 ++-- apparmor.d/groups/gvfs/gvfsd-network | 3 +-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/profiles-g-l/gsettings | 3 ++- apparmor.d/profiles-m-r/mission-control | 2 +- 22 files changed, 26 insertions(+), 37 deletions(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83b..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e2..fbc7a7582 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include include include include + include + include include include include @@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81..fcafbda5f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, @@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} { @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c9..b56af123d 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include + include include include include @@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4..3d1d00f28 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include @@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414..299d0738b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include @@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed6..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..6ddbd4b4c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da..34ce2884d 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b3..af1784e68 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9..7b47b0676 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd00..98ce848ba 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6c..2b64ddf06 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..3bfffdb6a 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37..46f543fa4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133..a90cddc50 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} { include include include + include include network netlink raw, @@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e4..3d2cbd63d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977..2e0eb2cf7 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, From 4f1fddd2fb38dfc5a36bdf0ef32cd815fd380cfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 14:25:43 +0200 Subject: [PATCH 826/977] feat(profile): use natural transition instead of systemd drop in config when possible. As we can transition to the good profile naturally, do not use systemd for it. This bypass the apparmor error: `change_profile unprivileged unconfined converted to stacking`. Note: we cannot do the same for dbus-system and dbus-session are they have the same binary. --- systemd/default/user/at-spi-dbus-bus.service | 2 -- systemd/default/user/org.freedesktop.IBus.session.GNOME.service | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 systemd/default/user/at-spi-dbus-bus.service delete mode 100644 systemd/default/user/org.freedesktop.IBus.session.GNOME.service diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon From f5e2572457acd411e3b0b7ec0f7725e4a64d0f99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:37:47 +0200 Subject: [PATCH 827/977] feat(profile): cleanup usage of icons abs. --- apparmor.d/groups/freedesktop/xsetroot | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprpaper | 3 +-- apparmor.d/groups/hyprland/hyprpicker | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 1 - apparmor.d/groups/kde/plasmashell | 3 --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 9 files changed, 3 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec1..fde43420a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b34d18c00..5eb78d8bb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -187,7 +187,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734ed..b70d50666 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,8 +24,6 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051..4560427ad 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,7 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb5..45f0d43e9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -77,9 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda..5783c1fa0 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From ac6eac13334224bc5c0273fcef673e6bcbf41a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:47:07 +0200 Subject: [PATCH 828/977] feat(profile): cleanup usage of mime abs. --- apparmor.d/groups/flatpak/flatpak-portal | 5 +---- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/colord | 4 +--- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 3 +-- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 3 +-- apparmor.d/groups/gvfs/gvfsd-admin | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 2 -- apparmor.d/groups/kde/startplasma | 2 -- apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/lxqt/startlxqt | 1 - apparmor.d/groups/virt/cni-calico | 3 +-- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/mimetype | 11 +---------- 18 files changed, 12 insertions(+), 40 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fd..fdbdb9189 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483..0ca01d01d 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b..b3cda6307 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac3..44248cbe3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include include capability chown, @@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index b70d50666..8258d1bde 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -29,8 +29,6 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 4560427ad..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,8 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c..a8c8cbd13 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..085b444b1 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336..3ae907116 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b9..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2b0530ef5..23e8e20d1 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc..d7a72c236 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include include include @@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f1..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae..1576050b5 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -11,22 +11,13 @@ include profile mimetype @{exec_path} { include include + include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } From 45faf0eee06759b5a9213f65f51519b377a2a1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:57:09 +0200 Subject: [PATCH 829/977] fix(tunable): add missing lightdm_state_dirs tunable. --- apparmor.d/tunables/multiarch.d/system-users | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 73a3267a0..1513aae2f 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -26,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} From a3426fef8cedc0a5b46a6184b2309d40598ecb30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:23:48 +0200 Subject: [PATCH 830/977] feat: precise nvidia devices number. --- apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/abstractions/nvidia.d/complete | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e805..a7529eb9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -35,7 +35,7 @@ owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset rw, /dev/nvidia@{int} rw, /dev/nvidiactl rw, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, From 9ee26050261c69e4f0654ec0e87e6d26d958b8e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:29:11 +0200 Subject: [PATCH 831/977] tests(packer): simplify pkg install script. --- tests/packer/init.sh | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 630da6b0f..44a86220f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,16 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,7 +19,7 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package @@ -32,8 +27,10 @@ main() { ;; debian | ubuntu) - apt-get install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) From 9a4d878557b814fbeac1c3636b3cfb29550aa24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:38:00 +0200 Subject: [PATCH 832/977] refractor(abs): add screensaver abs, move bus screensaver abs. --- apparmor.d/abstractions/app/chromium | 3 +-- .../abstractions/bus/org.gnome.ScreenSaver | 21 --------------- .../bus/session/org.freedesktop.ScreenSaver | 26 +++++++++++++++++++ .../org.gnome.ScreenSaver} | 12 +++++---- apparmor.d/abstractions/screensaver | 14 ++++++++++ apparmor.d/groups/gnome/gnome-session-binary | 4 +-- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 15 files changed, 59 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.ScreenSaver create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver rename apparmor.d/abstractions/bus/{org.freedesktop.ScreenSaver => session/org.gnome.ScreenSaver} (51%) create mode 100644 apparmor.d/abstractions/screensaver diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c230..dad131d64 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,11 +26,9 @@ include include include - include include include include - include include include include @@ -40,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f..27c456637 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6..b011935ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,13 +14,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b814..39cf990ca 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -23,7 +23,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055..e12c25b9d 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -18,9 +18,9 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65..f87486af3 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -18,10 +18,10 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6..958f9b5ee 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -18,10 +18,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b..b60d929e2 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf0740919..d91285558 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,10 +18,10 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed1ccfe1c..659d650fe 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -22,7 +22,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2..d8b464956 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..ccf1abb61 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -27,6 +26,7 @@ profile vlc @{exec_path} { include include include + include include include From 5cc5a019d4b875ebb283b31848bf9413a8d8e76d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:40:42 +0200 Subject: [PATCH 833/977] feat(profile): snap: add support for dev version. --- apparmor.d/groups/snap/snap | 4 ++-- apparmor.d/groups/snap/snap-discard-ns | 2 +- apparmor.d/groups/snap/snap-failure | 2 +- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 ++-- apparmor.d/groups/snap/snapd-aa-prompt-listener | 2 +- apparmor.d/groups/snap/snapd-aa-prompt-ui | 2 +- apparmor.d/groups/snap/snapd-apparmor | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da..0d38fc055 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3eb..0ccb3f1c7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8..bed3a2d12 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583..90c1724be 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 98ee0e5e7..e831cc90c 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 06de56063..4a928e6d4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced7..37730ba6f 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3..99dc98efe 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976..47b939fa0 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { From 458126e7d7fea79a92b84fef53a455f79b8c0445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 18:14:32 +0200 Subject: [PATCH 834/977] refractor(profile): add notification abs, move bus notifications. --- apparmor.d/abstractions/app/chromium | 2 +- .../bus/org.freedesktop.Notifications | 26 ------------------- .../bus/session/org.freedesktop.Notifications | 21 +++++++++++++++ .../bus/{ => session}/org.gtk.Notifications | 0 apparmor.d/abstractions/notifications | 12 +++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 4 ++- apparmor.d/profiles-s-z/transmission | 2 +- 16 files changed, 47 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Notifications create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Notifications rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Notifications (100%) create mode 100644 apparmor.d/abstractions/notifications diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dad131d64..f08a096ca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ec..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..5c10a9eae --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 100% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..8232b54b5 --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d..e47cc66a3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5eb78d8bb..0876b90d1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include include include include @@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f3845daef..baaac245f 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,11 +13,11 @@ profile gnome-software @{exec_path} { include include include - include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 39cf990ca..63ab49c5e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd54..0de63ac64 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,13 +14,13 @@ profile update-notifier @{exec_path} { include include include - include include include include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed6..78781ba28 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465..17ca1ec5a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b787..cafccd791 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -17,9 +17,9 @@ profile session-desktop @{exec_path} { include include include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 659d650fe..56f5e91b8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab..78d67787d 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include include include From bd295d2a9d2fe0afc6361ca8528eb531051e9f0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:04 +0200 Subject: [PATCH 835/977] refractor: move gtk dbus to they own abs. --- .../abstractions/bus/session/org.gtk.Actions | 22 +++++++++++++++++++ .../abstractions/bus/session/org.gtk.Settings | 18 +++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 19 ++-------------- 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Actions create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Settings diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 000000000..899f244a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d97..356e97705 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From bd7ae9bb56badbb168d88dc0de859f59a1ad7344 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:40 +0200 Subject: [PATCH 836/977] chore: improve comment in type definition. --- pkg/prebuild/builder/stacked-dbus.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index 33af33df7..e33ecf4b7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } From eee8241eb7649a302b65f6e840018755dd308b04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:28:53 +0200 Subject: [PATCH 837/977] chore: cosmetic fixes. --- .../abstractions/bus/session/org.freedesktop.Notifications | 2 +- apparmor.d/abstractions/bus/session/org.gtk.Notifications | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 5c10a9eae..b51c4bdcb 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -16,6 +16,6 @@ member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad..151c642a8 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor From 7eaae9e68c701e24710784c52e9db9fd2d44da87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:25:57 +0200 Subject: [PATCH 838/977] fix(profile): wrong path in abstraction. --- apparmor.d/abstractions/notifications | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 8232b54b5..81d5cc94c 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,8 +4,8 @@ abi , - include - include + include + include include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2ab..92e6c9484 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -17,15 +16,17 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include include include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035..22c02a97f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,7 +21,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include From 7cfff26ee273fca78aaea077cf63166d4883e2cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:46:52 +0200 Subject: [PATCH 839/977] fix(profile): abstraction not updated. --- apparmor.d/profiles-s-z/superproductivity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672f..f7abf758b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,13 +20,13 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH 840/977] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..6e80839fe 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..8ae76e706 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..7330d67c9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..e73408a0a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01d..cdfef1bad 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..aefdc339d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..21c99827b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f..a0fb366ab 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..c08d12a07 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4e83bfb76 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a..111facf64 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..7bcf80431 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae..f4c61c5c6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..8bcb629a9 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..5c8ab7c8a 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..83fcbd7c6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6a..7f03d9fc5 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..7618dc3b6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..b0239f404 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..0965396ab 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f6875..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c04..ca6eae3ad 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63d..d7480a212 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf7..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b5..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558..001f8605a 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } From 4f9d2703d4851a196b0e4af88d549f4b24bdc2b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:07:01 +0200 Subject: [PATCH 841/977] build: separate the base-strict abs from the re-attach builder. Enable the use of the base-strict abs on all setup. --- apparmor.d/abstractions/attached/base | 2 +- cmd/prebuild/main.go | 5 +++-- pkg/prebuild/builder/attach.go | 5 +---- pkg/prebuild/builder/base-strict.go | 32 +++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/base-strict.go diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f55..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202f..5eb1ab2f2 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d27908129..66ef18aef 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,10 +49,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} From 7c6f7767575b2a0b6ed7870c6bd38483c42e1fb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:12:30 +0200 Subject: [PATCH 842/977] build: set default att to "" when not enabled. It fixes various issues with multiple / that are not collapsed in they canonical form in file rules See https://gitlab.com/apparmor/apparmor/-/issues/450#note_2158840105 --- apparmor.d/tunables/multiarch.d/system | 3 +-- pkg/prebuild/prepare/attach.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc..4523382d8 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } From 09c1f61bb7aab8f9aff5e7c87cee66d9d9104b83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:54:28 +0200 Subject: [PATCH 843/977] build(debian): use deb-systemd-invoke and minor lintian fixes. --- debian/apparmor.d.postinst | 4 +--- debian/apparmor.d.postrm | 4 +--- debian/control | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/control b/debian/control index 56ad928ba..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 2b07398cef01bf511fafd8c66d631598baae1e8d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 3 Sep 2025 03:28:16 +0200 Subject: [PATCH 844/977] flatpak-app ntsync --- apparmor.d/groups/flatpak/flatpak-app | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb..e6be7ef4f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } From 2c0b5405db7242b8d0b6704fc9998927bee30c9c Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 19:06:48 -0400 Subject: [PATCH 845/977] firewall-applet: update profile --- apparmor.d/groups/firewall/firewall-applet | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d04..bd144b7e2 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } From 237622f3efd6c7c8b11482086f2ca31fa47cc915 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 13:54:42 -0400 Subject: [PATCH 846/977] rpcbind: update profile rpcbind: update profile --- apparmor.d/groups/network/rpcbind | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } From 4c84b572cda4433a664b1488e980034886652629 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 2 Sep 2025 05:12:04 +0200 Subject: [PATCH 847/977] glxgears can't access X cookie --- apparmor.d/profiles-g-l/glxgears | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } From e43d9078089c4b46c8f48d08ebacacf83327b3f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 2 Sep 2025 00:06:57 +0200 Subject: [PATCH 848/977] chore: cosmetic. --- Justfile | 78 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Justfile b/Justfile index e434586c4..2c4c0e8d4 100644 --- a/Justfile +++ b/Justfile @@ -49,44 +49,44 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -[doc('Show this help message')] +# Show this help message help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." +# Build the go programs [group('build')] -[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +# Prebuild the profiles in enforced mode [group('build')] -[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in complain mode [group('build')] -[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in FSP mode [group('build')] -[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full +# Prebuild the profiles in FSP mode (complain) [group('build')] -[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full +# Prebuild the profiles in FSP mode (debug) [group('build')] -[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Install prebuild profiles [group('install')] -[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -113,8 +113,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +# Locally install prebuild profiles [group('install')] -[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail @@ -135,39 +135,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Prebuild, install, and load a dev profile [group('install')] -[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Build & install apparmor.d on Arch based systems [group('packages')] -[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +# Build & install apparmor.d on Debian based systems [group('packages')] -[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +# Build & install apparmor.d on OpenSUSE based systems [group('packages')] -[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +# Run the unit tests [group('tests')] -[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the linters [group('linter')] -[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ @@ -177,34 +177,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +# Run style checks on the profiles [group('linter')] -[doc('Run style checks on the profiles')] check: @bash tests/check.sh +# Generate the man pages [group('docs')] -[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Build the documentation [group('docs')] -[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +# Serve the documentation [group('docs')] -[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -[doc('Remove all build artifacts')] +# Remove all build artifacts clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +# Build the package in a clean OCI container [group('packages')] -[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -219,8 +219,8 @@ package dist: fi bash dists/docker.sh $dist $version +# Build the VM image [group('vm')] -[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -237,8 +237,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +# Create the machine [group('vm')] -[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ @@ -257,53 +257,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +# Start a machine [group('vm')] -[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +# Stops the machine [group('vm')] -[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +# Reboot the machine [group('vm')] -[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +# Destroy the machine [group('vm')] -[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +# Connect to the machine [group('vm')] -[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +# Mount the shared directory on the machine [group('vm')] -[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' +# Unmout the shared directory on the machine [group('vm')] -[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' +# List the machines [group('vm')] -[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +# List the VM images [group('vm')] -[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -320,8 +320,8 @@ images: } ' +# List the VM images that can be created [group('vm')] -[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail @@ -337,36 +337,36 @@ available: } ' +# Install dependencies for the integration tests [group('tests')] -[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh +# Run the integration tests [group('tests')] -[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} +# Install dependencies for the integration tests (machine) [group('tests')] -[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init +# Synchronize the integration tests (machine) [group('tests')] -[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ +# Re-synchronize the integration tests (machine) [group('tests')] -[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) +# Run the integration tests (machine) [group('tests')] -[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ From 7963479dbc944ea2fa18da16ad5a4224f73cc8fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:21:34 +0200 Subject: [PATCH 849/977] build: various cleanup --- dists/build.sh | 2 +- dists/docker.sh | 4 ++-- dists/flags/main.flags | 4 ++-- dists/flags/ubuntu.flags | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dists/build.sh b/dists/build.sh index 9b9f9e765..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 2e581883c..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 057c7c298..2c01d9553 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -230,7 +230,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm complain +mdadm attach_disconnected,complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -327,7 +327,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recover attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 7339702a2..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -8,6 +8,7 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain From d9df02f3f860f94d91d85862205adf872d75b9a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:22:39 +0200 Subject: [PATCH 850/977] tests(packer): update opensuse images. --- tests/cloud-init/opensuse-gnome.user-data.yml | 18 ++++++- tests/cloud-init/opensuse-kde.user-data.yml | 14 ++++- .../cloud-init/opensuse-server.user-data.yml | 7 +++ tests/cloud-init/opensuse.yml | 54 +++++++++++++++++++ 4 files changed, 91 insertions(+), 2 deletions(-) diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 3ab5a6c08..b59d66af3 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,6 +1,22 @@ #cloud-config -packages: *core-packages +packages: *gnome-packages + +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket write_files: - *shared-directory # Setup shared directory + + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="gdm" + diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 3ab5a6c08..2058846dd 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,6 +1,18 @@ #cloud-config -packages: *core-packages +packages: *kde-packages + +# apparmor.debug=1 +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - *shared-directory # Setup shared directory + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="sddm" diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 98b78ec80..b6d35cd68 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -2,6 +2,13 @@ packages: *core-packages +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 57c633678..ab0954c6a 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -2,9 +2,11 @@ # Core packages for OpenSUSE core-packages: &core-packages + - pattern:apparmor - apparmor-profiles - bash-completion - distribution-release + - docker - git - go - golang-packaging @@ -12,5 +14,57 @@ core-packages: &core-packages - just - rpmbuild - rsync + - systemd-container + - systemd-homed - vim +gnome-packages: &gnome-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # Gnome packages for OpenSUSE + - pattern:gnome + - gdm + - spice-vdagent + - terminator + - loupe + - ptyxis + +kde-packages: &kde-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # KDE packages for OpenSUSE + - pattern:kde_plasma + - pattern:kde + - sddm + - spice-vdagent + - terminator From 5795114328ad8952c826b8e82e475500d84eb94a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:23:49 +0200 Subject: [PATCH 851/977] tests(packer): success on cloud-init failure. --- tests/packer/builds.pkr.hcl | 4 ++-- tests/packer/clean.sh | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 48a5fafb6..98e923fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -71,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - # "cloud-init status", + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", # Remove logs and artifacts so cloud-init can re-run - # "cloud-init clean", + "cloud-init clean || true", # Install local files and config "bash /tmp/init.sh", diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index f7518a2f6..23c587d4f 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -60,8 +60,7 @@ clean_pacman() { clean_zypper() { _msg "Cleaning zypper cache" - zypper update -y - zypper clean -y + zypper clean --all } # Make the image as impersonal as possible. From a0f1c55ab475a9c3f6d9ad26bf8d91b7d53036d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:12:40 +0200 Subject: [PATCH 852/977] doc: update roadmap. --- docs/development/roadmap.md | 49 ++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 2585208e5..379241a49 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,11 +6,18 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **Play machine** +- [x] **[Play machine](https://github.com/roddhjav/play)** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups such that - - [ ] New simplified build system to generate the packages with profile dependencies check +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups + - [ ] Provide complain/enforced packages version + - [ ] normal/FSP/server packages variants + +- [ ] **Build system** + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) @@ -22,14 +29,26 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [x] The apt/dpkg profiles needs to be reworked -- [ ] Build system - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [ ] Provide complain/enforced packages version - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **Abstractions** + - [ ] Document all abstractions + - [ ] Split and reorganize some big abs into set of smaller abstractions. + Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) + - [ ] Abstraction based profiles: + Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). + - [ ] Test new interface like abstractions + - notifications + - audio-bluetooth + - secrets-service + - media-keys + - ... + - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. + - [ ] Rewrite the DE specific abstraction to be a layer 1 abs + +- [ ] **Security improvements** + - [ ] Limit the use of `abstractions/common/systemd` + - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) + - [ ] Revisit the usae of `systemd-tty-ask-password-agent` ## Next features @@ -45,8 +64,16 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile +- [ ] **Define roles** + - [ ] Unrestricted shell role without FSP enabled + - [ ] Define the roles when FSP is enabled + ## Done +**General improvements** + +- [x] The apt/dpkg profiles has been rewritten + **Abstractions** - [x] New `audio-client` and `audio-server` abstractions From d86cf03dabfe1ba614341278ea42cb0a078df52e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:13:25 +0200 Subject: [PATCH 853/977] build(debian): post script must not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 From c7177eedde336a0bbef70e8fcc4413eaf07d88f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:16:25 +0200 Subject: [PATCH 854/977] doc: update documentation. --- docs/development/abstractions.md | 9 +++++++++ docs/issues.md | 30 +++++++++++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index f1ac6e18e..cd82f5d21 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. +It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: + +!!! note "" + + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) + ``` sh linenums="24" + @{domain} = org.chromium.Chromium + ``` ### **`common/electron`** @@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify + @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/issues.md b/docs/issues.md index 1db3b195a..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -6,6 +6,19 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +## Ubuntu + +### Dbus + +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. + +### Snap + +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. + + ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: @@ -14,20 +27,3 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. -## Pacman "could not get current working directory" - -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` - -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. - -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. - -This provides a basic protection against some packages (on the AUR) that may have rogue install script. - -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman From 470025c09025861a4fbee72a3f424ff7b0219044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 19:39:18 +0200 Subject: [PATCH 855/977] build(debian): update list of profile to hide. Nb: we cannot use these profiles as they would break with apparmor.d profiles (they don't expect confined peer). --- pkg/prebuild/files.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index 504f05c1c..d9879570b 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -11,9 +11,12 @@ import ( ) // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. +var Hide = `# This file is generated by "just", all edit will be lost. /etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd From 2aead7e93b0dce022401c5f42b8eeb23cb3e01a9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:01:20 +0200 Subject: [PATCH 856/977] build(arch): initial pkbuild for splited packages. Note: it is not enabled yet. --- PKGBUILD | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 102 insertions(+), 9 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index dfbb46735..a68ba817d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,8 +3,15 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgname=apparmor.d -pkgver=0.001 +pkgbase=apparmor.d +pkgname=( + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced +) +pkgver=0.0001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') -conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" echo "0.$(git rev-list --count HEAD)" } @@ -24,17 +30,104 @@ prepare() { } build() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export DISTRIBUTION=arch - just complain + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done } -package() { - cd "$srcdir/$pkgname" - just destdir="$pkgdir" install +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install +} + +package_apparmor.d() { + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } From ab7cba2da6e283f6f7e2eed1b746271b3bbda512 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:16:40 +0200 Subject: [PATCH 857/977] build: add early support for server version of the package. --- docs/development/build.md | 44 ++++++++++++++++++++++++++------------- pkg/prebuild/cli/cli.go | 27 +++++++++++++++++++++--- 2 files changed, 54 insertions(+), 17 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index eaa2487a2..b767e4e4e 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -10,18 +10,22 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. Prepare tasks: configure - Set distribution specificities @@ -31,21 +35,27 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: + server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path Build tasks: - abi3 - Convert all profiles from abi 4.0 to abi 3.0 - attach - Re-attach disconnected path - complain - Set complain flag on all profiles - enforce - All profiles have been enforced - fsp - Prevent unconfined transitions in profile rules - hotfix - Temporary fix for #74, #80 & #235 - userspace - Resolve variable in profile attachments + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... @@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`server`** + +Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 8abfb4323..981331edd 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -20,7 +22,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -32,7 +34,8 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -b, --buildir DIR Root build directory. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. --debug Enable debug mode. ` @@ -43,6 +46,7 @@ var ( complain bool enforce bool full bool + server bool debug bool abi int version float64 @@ -55,6 +59,8 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") @@ -81,7 +87,22 @@ func Configure() { flag.Parse() if help { flag.Usage() - return + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } } if full && paths.New("apparmor.d/groups/_full").Exist() { From ec88fcbfcb2a928bb543bdc0497946ff6fe840cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:18:31 +0200 Subject: [PATCH 858/977] feat(abs): add the camera abstraction --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/camera | 35 +++++++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/browsers/epiphany | 3 +- apparmor.d/groups/freedesktop/pipewire | 2 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 3 +- apparmor.d/groups/freedesktop/wireplumber | 3 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 10 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/camera diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index f08a096ca..725b57fca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,6 +30,7 @@ include include include + include include include include @@ -44,7 +45,6 @@ include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 000000000..0f5cff363 --- /dev/null +++ b/apparmor.d/abstractions/camera @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5072cadfd..d0b36188b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -16,6 +16,7 @@ include include include + include include include include @@ -30,7 +31,6 @@ include include include - include dbus bus=accessibility, dbus bus=session, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 86b293e8d..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 02a370cdc..c8c89ac13 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,8 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include - include capability sys_ptrace, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index af6f30e9c..83ee32baa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 05e4c3ec2..28d8b9d31 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -18,6 +18,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include @@ -105,7 +106,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/cmdline r, /dev/media@{int} r, - /dev/video@{int} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aefdc339d..708e5a6e8 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -16,9 +16,9 @@ profile wireplumber @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, @@ -71,7 +71,6 @@ profile wireplumber @{exec_path} { @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 001f8605a..4abe053f6 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -19,6 +19,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index ccf1abb61..3a3a77313 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -17,6 +17,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -85,7 +86,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer From c2ecc756b2e424926b7d0ac79b99b8f20c911de2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:30:52 +0200 Subject: [PATCH 859/977] feat(abs): add the media-control abstraction --- apparmor.d/abstractions/media-control | 20 +++++++++++++++++++ apparmor.d/groups/freedesktop/pipewire | 3 +-- apparmor.d/groups/freedesktop/pulseaudio | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-boxes | 5 ++--- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/localsearch | 3 --- .../groups/gnome/org.gnome.NautilusPreviewer | 5 ++--- apparmor.d/profiles-a-f/cheese | 5 ++--- apparmor.d/profiles-s-z/v4l2-ctl | 6 ++---- apparmor.d/profiles-s-z/virt-manager | 5 ++--- 12 files changed, 37 insertions(+), 30 deletions(-) create mode 100644 apparmor.d/abstractions/media-control diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 000000000..1cdcf66f2 --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index c8c89ac13..04b08ecc4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 28d8b9d31..5c7c49c3d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} { include include include + include include ptrace (trace) peer=@{profile_name}, @@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 708e5a6e8..aa78d9667 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -18,6 +18,7 @@ profile wireplumber @{exec_path} { include include include + include include network bluetooth raw, @@ -65,7 +66,6 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -86,7 +86,6 @@ profile wireplumber @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1447715b7..cd46dd069 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} rw, - /dev/video@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 111facf64..10f310232 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include @@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0876b90d1..7344b735b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include include + include include include include include include - include capability sys_nice, capability sys_ptrace, @@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 049b3c402..d5700db7c 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index f084e7b12..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,14 +10,15 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, @@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b89fa42f2..33b933be2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,10 +11,12 @@ include profile cheese @{exec_path} { include include + include include include include include + include include include @@ -49,9 +51,6 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index e398049de..ddb86b9a2 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,14 +9,12 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include + include include - include + include @{exec_path} mr, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 8a1b5f355..f820d2953 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include include + include include include include @@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From 5484f84764d2f1bc9c5ccf28494fdec5ada382aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:32:06 +0200 Subject: [PATCH 860/977] tests(build): add tests for the stacked-dbus build task. --- pkg/prebuild/builder/core_test.go | 24 ++++++++++++++++++++++++ pkg/prebuild/builder/stacked-dbus.go | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 06ceb1d28..c6c493472 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -231,6 +231,30 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, + want: ` +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + +}`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index e33ecf4b7..eca8122c6 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -72,7 +72,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) // + rulesByParagraph, paragraphs, err := parse(kind, profile) if err != nil { return "", err } From 64d71ffb6e762b5ba51302087731bbeb8577631d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:45:08 +0200 Subject: [PATCH 861/977] build: attach: ensure we don't recursivelly call ourself. --- pkg/prebuild/builder/attach.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 66ef18aef..1ec5e06b1 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -31,6 +31,9 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" @@ -42,13 +45,17 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) profile = strings.ReplaceAll(profile, "include ", "include ", ) } else { - insert = "@{att} = /\n" + insert = "@{att} = \"\"\n" } From 8c33125b5ec251c6c8996ea23f24c5380c597a8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:46:12 +0200 Subject: [PATCH 862/977] build: add missing server build task. --- pkg/prebuild/prepare/server.go | 105 +++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 pkg/prebuild/prepare/server.go diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 000000000..85f98e75d --- /dev/null +++ b/pkg/prebuild/prepare/server.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) + return res, nil +} From e2f11d46b0a81322bfef9394d440a30edfc67958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:48:59 +0200 Subject: [PATCH 863/977] tests(check): make the script configurable. Such that it can be used in downstream project with different folder structure. --- tests/check.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 60e23c694..861ca84fa 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -11,9 +11,11 @@ set -eu -o pipefail RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled -readonly RES MAX_JOBS APPARMORD="apparmor.d" +readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -500,14 +502,14 @@ _check_udev() { check_sbin() { local file name jobs - mapfile -t sbin Date: Sat, 6 Sep 2025 23:51:12 +0200 Subject: [PATCH 864/977] tests(check): add support for global exclusion. --- tests/check.sh | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 861ca84fa..5b35f8816 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -15,6 +15,8 @@ APPARMORD=${CHECK_APPARMORD:-apparmor.d} SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -44,6 +46,11 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi @@ -70,10 +77,18 @@ _ignore_lint() { local checks line="$1" if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block - _IGNORE_LINT_BLOCK=true + # Start of an ignore block (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then # New paragraph, end of block @@ -81,22 +96,33 @@ _ignore_lint() { _check_is_disabled=() elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block + # Nothing to do, we are in a block/paragraph return 0 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore + # Inline ignore (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") else - _check_is_disabled=() + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi fi } _check() { local file="$1" - local line_number=0 + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() while IFS= read -r line; do line_number=$((line_number + 1)) From c239203e724df124cd0c0e4a35794e661a84b065 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:55:42 +0200 Subject: [PATCH 865/977] feat(abs): add the tpm abstraction. --- apparmor.d/abstractions/tpm | 16 ++++++++++++++++ apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-s-z/sbctl | 4 +--- 3 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/tpm diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 000000000..ef7b30a2b --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index d7a72c236..8447bff3e 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index ef007a32c..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -34,9 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - /dev/tpmrm@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, From 2efdd6f5274af00e48adc4da0ab77e03805191f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:43:44 +0200 Subject: [PATCH 866/977] feat(profile): improve ufw-init fix #843 --- apparmor.d/groups/firewall/ufw-init | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index aae80b87d..fcb9d8b6c 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,8 +11,10 @@ profile ufw-init @{exec_path} { include include + capability dac_override, capability dac_read_search, capability net_admin, + capability net_raw, network inet dgram, network inet raw, @@ -27,12 +29,29 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, + @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip_tables_names r, - # @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } profile sysctl { include From 1defbbc416b3fcb74acc8a35707c3c6c1a68ae49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:47:24 +0200 Subject: [PATCH 867/977] fix(abs): tmp path for wine tmp data. fix #836 --- apparmor.d/abstractions/wine | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 28d15cf76..145cd763a 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From 06d476ccaa5eca22a6c70f1d39c13f8d061b6590 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:48:54 +0200 Subject: [PATCH 868/977] fix(profile): att on logind fix #833 --- apparmor.d/groups/systemd/systemd-logind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 271354633..05c812b18 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,7 +136,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, + @{att}/dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From 4771e56d88d2e30032cb2de3e71247eee3210ddd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:49:59 +0200 Subject: [PATCH 869/977] feat(profile): git: allow transition to github cli. fix #829 --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0538f5da0..01b491b98 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -65,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, From 5fe9e0ee9e88984b01006fd797e1a386ade091bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:52:40 +0200 Subject: [PATCH 870/977] feat(profile): support for Tumbleweed gs path. see #828 --- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/kde/kioworker | 2 +- tests/check.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index acae9b7a1..642d7ef5c 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -62,7 +62,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 71465df97..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner diff --git a/tests/check.sh b/tests/check.sh index 5b35f8816..b54bc157a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -221,6 +221,7 @@ declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" ) _check_equivalent() { From a87449268b227f1242445a9d66f52b62279dac94 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:05:19 +0200 Subject: [PATCH 871/977] feat(profile): various improvement for Tumbleweed fix #828 --- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/kde/dolphin | 9 +++++++-- apparmor.d/groups/kde/kwin_x11 | 1 + apparmor.d/groups/kde/okular | 5 ++++- apparmor.d/profiles-g-l/libreoffice | 9 ++++++--- 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a06a29da4..b448c542d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -46,7 +46,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, + owner @{user_config_dirs}/session/*_* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2d3b099d7..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,7 +25,11 @@ profile dolphin @{exec_path} { network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, @@ -109,10 +113,11 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f4f955a4f..ac80b3b18 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index acd9b7430..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -69,7 +71,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -82,6 +84,7 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index dfb9361f3..de1c4a856 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -78,21 +78,24 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, + /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/paperspecs r, /etc/papersize r, + /etc/paperspecs r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, From e370a66c5be6193117a75e3e7c3f3b0d72564495 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:10:51 +0200 Subject: [PATCH 872/977] fix(profile): issues with stacking fix #819 --- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 +- apparmor.d/groups/procps/pgrep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index cb7edf822..840500c52 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4e83bfb76..2f1cc0e89 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 489f55bd7..d10c1e772 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} { +profile pgrep @{exec_path} flags=(attach_disconnected) { include include include From fda63da65e42a19f2216ecff92783cfa7675e3bd Mon Sep 17 00:00:00 2001 From: sbrantler Date: Wed, 3 Sep 2025 13:17:58 +0200 Subject: [PATCH 873/977] Add xfce-clipman --- apparmor.d/groups/xfce/xfce-clipman | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/groups/xfce/xfce-clipman diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 0f0082fd5b5fa2bb10244651f4ab81dacb6146c7 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:07 -0600 Subject: [PATCH 874/977] Add profile for kinit --- apparmor.d/profiles-g-l/kinit | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kinit diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..26cdcbd18 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From 4f4f5c464e7b0fb9b2392a0cbaec15b321c379a2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:57 -0600 Subject: [PATCH 875/977] Add profile for kdestroy --- apparmor.d/profiles-g-l/kdestroy | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdestroy diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 000000000..1e34b0193 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kdestroy +profile kdestroy @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to destroy other users' creds cache + capability dac_override, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From a4798a2f383f205584a8cf11f715d4b0b3ea6ceb Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:28:50 -0600 Subject: [PATCH 876/977] Add profile for klist --- apparmor.d/profiles-g-l/klist | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/profiles-g-l/klist diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..0dc0c89ba --- /dev/null +++ b/apparmor.d/profiles-g-l/klist @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor From 7a610bb5fa9ad2ae370a71170c4142c0cdc8cdbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:37:53 -0600 Subject: [PATCH 877/977] Formatting Fix --- apparmor.d/profiles-g-l/kdestroy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 1e34b0193..0a4ed9ab5 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -10,11 +10,11 @@ include profile kdestroy @{exec_path} { include - @{exec_path} mr, - #Allow root to destroy other users' creds cache capability dac_override, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From 00f63f77e1881067c3ff447ac2b5dbbaa6fe2db1 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:39:34 -0600 Subject: [PATCH 878/977] Formatting Fix --- apparmor.d/profiles-g-l/klist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 0dc0c89ba..9deeeedd8 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -10,12 +10,12 @@ include profile klist @{exec_path} { include - @{exec_path} mr, - #Allow root to list other users' creds cache capability dac_override, capability dac_read_search, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From c51f189ca0f6723475a0db2d860f58c28ccc8496 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:46:04 -0600 Subject: [PATCH 879/977] Use abstractions where possible --- apparmor.d/profiles-g-l/kdestroy | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 0a4ed9ab5..ccc0a2b25 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -9,16 +9,13 @@ include @{exec_path} = @{bin}/kdestroy profile kdestroy @{exec_path} { include + include #Allow root to destroy other users' creds cache capability dac_override, @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - #Credentials cache /tmp/krb5cc_* rwk, /tmp/tkt* rwk, From 415bd4aa445e587e1e7df523af998c49dcd14758 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:48:57 -0600 Subject: [PATCH 880/977] Use abstractions where possible --- apparmor.d/profiles-g-l/kinit | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 26cdcbd18..067886f89 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -10,6 +10,7 @@ include profile kinit @{exec_path} { include include + include network inet dgram, network inet6 dgram, @@ -19,13 +20,6 @@ profile kinit @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab r, From e86f77fa4bfd8a46fea4555f8829231737fcad51 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:50:41 -0600 Subject: [PATCH 881/977] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 7 ------- 1 file changed, 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 9deeeedd8..c9e30b775 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -16,13 +16,6 @@ profile klist @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab rk, From cbc4f19b8bdf264e56e138e36c16b4f3b7bdcc6c Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:10:11 -0600 Subject: [PATCH 882/977] Be more specific on client keytab path --- apparmor.d/profiles-g-l/kinit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 067886f89..706a11c10 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -21,7 +21,7 @@ profile kinit @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab r, + /var/lib/krb5/user/@{uid}/client.keytab r, #Credentials cache /tmp/krb5cc_* rwk, From 9cac4eeb901cfd4b5ce3633c26525ade4ff1afbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:11:43 -0600 Subject: [PATCH 883/977] Be more specific on client keytab path --- apparmor.d/profiles-g-l/klist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index c9e30b775..71411ccc9 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -17,7 +17,7 @@ profile klist @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab rk, + /var/lib/krb5/user/@{uid}/client.keytab rk, #Credentials cache /tmp/krb5cc_* rk, From b1c0cfdab5ec66b3806117ed0be4d00a701a69e2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:20:53 -0600 Subject: [PATCH 884/977] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 71411ccc9..f21f34295 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/klist profile klist @{exec_path} { include + include #Allow root to list other users' creds cache capability dac_override, From 5c3c1522571432c0d5398959962974d7410de9ba Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:35:36 -0600 Subject: [PATCH 885/977] Run kerberos utils in complain mode --- dists/flags/main.flags | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2c01d9553..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -185,6 +185,7 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected @@ -193,9 +194,11 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain From 0ffc8f9fa6bbfa0af350019a1420c23fdbded7fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:56:44 +0200 Subject: [PATCH 886/977] fix: self raised linter issue. --- apparmor.d/groups/cups/cups-backend-pdf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 6f658b064..21da6bf93 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, From 6400bc725c78d569dc70804e0f9c92d4fb35d787 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:20:32 +0200 Subject: [PATCH 887/977] tests: update some unit tests to the last changes. --- pkg/prebuild/builder/core_test.go | 48 ++++++++++++++++++++++++++++- pkg/prebuild/directive/dbus.go | 17 +++++++--- pkg/prebuild/directive/dbus_test.go | 8 +++-- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c6c493472..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -253,12 +253,58 @@ dbus send bus=session path=/org/freedesktop/DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include }`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 891eb9e1d..4862597bb 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties + // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable + // DBus.Introspectable: allow clients to introspect the service &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,7 +170,14 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{} + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } // Interfaces for _, iface := range interfaces { @@ -198,7 +205,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 0844fd745..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} @@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,7 +120,9 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From c4ebf8903e30ec49a16c7d5aeea74b726aeab8f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:43:06 +0200 Subject: [PATCH 888/977] tests(builder): cleanup build settings between tests. --- cmd/prebuild/main_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index d3c28f025..7bf2c0e1a 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go @@ -10,6 +10,8 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func chdirGitRoot() { @@ -49,6 +51,8 @@ func Test_main(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + prepare.Prepares = []prepare.Task{} + builder.Builds = []builder.Builder{} prebuild.Distribution = tt.dist main() }) From 237daecedb362bf405b19b5402b5221d78f1f533 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:03 +0200 Subject: [PATCH 889/977] tests: remove prebuild main test. - the same is tested in the build process - unit test is done in the prebuild pkg --- cmd/prebuild/main_test.go | 60 --------------------------------------- 1 file changed, 60 deletions(-) delete mode 100644 cmd/prebuild/main_test.go diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index 7bf2c0e1a..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null @@ -1,60 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prepare.Prepares = []prepare.Task{} - builder.Builds = []builder.Builder{} - prebuild.Distribution = tt.dist - main() - }) - } -} From 627700a152bbea3fdfd10c4c97009c92b4933bfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:31 +0200 Subject: [PATCH 890/977] build: set config for ubuntu 25.10 --- cmd/prebuild/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 5eb1ab2f2..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -49,6 +49,9 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": From b45e1f36fee6fc038b8867f9ffc62a2ab866e433 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:59:00 +0200 Subject: [PATCH 891/977] build: add support for downstream project in some prepare tasks. --- pkg/prebuild/cli/cli.go | 5 ++++- pkg/prebuild/directories.go | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 981331edd..bf768c050 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,8 +139,11 @@ func Configure() { builder.Register("stacked-dbus") } else { + if !prebuild.DownStream { + prepare.Register("attach") + } builder.Register("attach") - prepare.Register("attach") + } default: diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 37cbc69bc..201d8c841 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + // Either or not RBAC is enabled RBAC = false From f61f200427be4032873d39add37cf1f3f6796ca8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:52:11 +0200 Subject: [PATCH 892/977] build: ignore more abstraction for the server edition. --- pkg/prebuild/prepare/server.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go index 85f98e75d..fb9a1f602 100644 --- a/pkg/prebuild/prepare/server.go +++ b/pkg/prebuild/prepare/server.go @@ -14,6 +14,9 @@ import ( var ( serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", "include ", "include ", "include ", From ca1827ea1207242018ba604c7a789b6beb0992e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:53:02 +0200 Subject: [PATCH 893/977] fix: missing attach_disconnected in parrent profile while subprofile was using it. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 866da3d6a..e5293021c 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include From aec8e413b36e0a8845ace7483a2299a9b957dc66 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Thu, 4 Sep 2025 16:58:49 +0200 Subject: [PATCH 894/977] fix slurp --- apparmor.d/profiles-s-z/slurp | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c4250275e..c795ee08e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -16,6 +16,7 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/@{uuid} r, include if exists } From d9ecbdbe4b87418e6ed2e4432240eaadc5bad8ad Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 8 Sep 2025 16:14:44 +0200 Subject: [PATCH 895/977] slurp review fixes --- apparmor.d/profiles-s-z/slurp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c795ee08e..740af9b7b 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include + include + include @{exec_path} mr, @@ -16,7 +18,6 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, - owner /dev/shm/@{uuid} r, include if exists } From b569d447031d6a8fe31cdfc1fd0a3540e71f1ded Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:09:38 +0200 Subject: [PATCH 896/977] feat(profile): update apt profiles. --- apparmor.d/abstractions/common/apt | 6 +++++- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-helper | 2 ++ apparmor.d/groups/apt/apt-methods-http | 2 ++ apparmor.d/groups/apt/deb-systemd-invoke | 2 ++ apparmor.d/groups/apt/dpkg | 3 +++ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-checkbuilddeps | 11 ++++++++--- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/groups/apt/unattended-upgrade | 4 ++++ 11 files changed, 44 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index a267fd909..bec8d9a20 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,6 +6,7 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, /usr/share/dpkg/varianttable r, @@ -19,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -26,7 +30,7 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9bdabb1c2..ade8bee61 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55..f16e98d2f 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 61be160dc..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index d2e9e9260..824d3b4dd 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 2c1ac1ce5..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,6 +18,9 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 467d0d50e..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 6f54d3967..712a74e8c 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -11,16 +11,21 @@ include profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include + include @{exec_path} r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 38a068ac0..73a4f6c46 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: merge with dpkg-scripts + abi , include @@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/{,e}grep ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/mkdir ix, @{bin}/deb-systemd-helper Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/dpkg Px -> child-dpkg, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 8ae76e706..acde577de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d501a325f..ebdc88d08 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + @{exec_path} mr, @{bin}/ r, @@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, @@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, From 394dc54ceb7ff80bbbde064992f1580eee64e0ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:13:12 +0200 Subject: [PATCH 897/977] feat(profile): update snap profiles. --- apparmor.d/groups/snap/snap | 33 ++++++++++++++++++++++++--- apparmor.d/groups/snap/snap-update-ns | 4 +++- apparmor.d/groups/snap/snapd | 14 ++++++++---- 3 files changed, 43 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 0d38fc055..9530b8594 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, + capability sys_ptrace, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read peer=snap.*, @@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -59,9 +65,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{lib_dirs}/** mr, + @{bin_dirs}/xdelta3 ix, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include - network unix stream, + capability net_admin, + network unix stream, + network (send receive) netlink raw, + + @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index e831cc90c..5d08a4240 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -34,7 +34,9 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - /usr/share/xml/iso-codes/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4a928e6d4..87e535b3f 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -97,10 +97,11 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy r, + /usr/share/polkit-1/actions/snap.*.policy* rw, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -190,6 +191,8 @@ profile snapd @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, @@ -229,9 +232,12 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, - @{bin}/tar ix, - owner @{HOME}/snap/*/common/.cache/{,**} r, + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } From f69a7e7213d81ddd0c3c760400edfdc025be05e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:04:36 +0200 Subject: [PATCH 898/977] feat(profile): update gnome profiles. --- .../bus/org.gnome.keyring.internal.Prompter | 2 + .../gnome/evolution-addressbook-factory | 2 + .../groups/gnome/evolution-calendar-factory | 1 + apparmor.d/groups/gnome/gdm | 23 +++++----- apparmor.d/groups/gnome/gdm-generate-config | 3 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-calculator | 2 + apparmor.d/groups/gnome/gnome-calendar | 15 +++---- apparmor.d/groups/gnome/gnome-control-center | 9 +++- .../groups/gnome/gnome-disk-image-mounter | 7 +++ apparmor.d/groups/gnome/gnome-extension-ding | 4 +- .../groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 9 ++-- apparmor.d/groups/gnome/gnome-session | 10 +++++ apparmor.d/groups/gnome/gnome-shell | 44 ++++++++++--------- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-power | 10 ++++- .../groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-sharing | 5 +++ apparmor.d/groups/gnome/gsd-usb-protection | 5 +++ apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/localsearch | 7 +++ apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/nautilus | 9 ++++ apparmor.d/groups/gnome/papers | 9 ++++ apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 11 ++++- apparmor.d/groups/gnome/tracker-extract | 5 +-- apparmor.d/groups/gnome/tracker-miner | 4 +- apparmor.d/tunables/multiarch.d/system-users | 2 +- 32 files changed, 153 insertions(+), 58 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter index 1c3e8f760..0816b046f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -11,6 +11,8 @@ abi , + unix type=stream peer=(label=gnome-keyring-daemon), + dbus send bus=session path=/org/gnome/keyring/Prompter interface=org.gnome.keyring.internal.Prompter member={BeginPrompting,PerformPrompt,StopPrompting} diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index b56af123d..56fd3ce3f 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 3d1d00f28..2ee416bd9 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 4c84fe822..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, @@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6e67866f5..c5e6d4cd5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index a3d285e94..eb76f1207 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2f1cc0e89..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7d6d5246d..872fc6858 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 10f310232..8ef24e9ce 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" @@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3..519a248d8 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,17 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e47cc66a3..be7edcd79 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 22c02a97f..7af7b8b2f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 6752f54d4..595b3fd48 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 7bcf80431..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -16,6 +16,14 @@ profile gnome-session @{exec_path} { include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @@ -64,6 +72,8 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7344b735b..8278ac648 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include include + include include include include @@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager @@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting # Talk with gnome-shell @@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label="@{p_polkitd}"), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label="@{p_polkitd}"), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), # Session bus @@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, @@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, @@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index baaac245f..247436318 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -45,6 +45,7 @@ profile gnome-software @{exec_path} { @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 5c8ab7c8a..8aa950e2c 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,6 +10,7 @@ include profile gnome-text-editor @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 83fcbd7c6..35714fa0b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 63ab49c5e..0f77b023e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label="@{p_upowerd}"), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 59123f485..c5be27f27 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStopped} + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7b47b0676..b6d90d5e3 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 7f03d9fc5..59e67d9bf 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index a32a3d8c3..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -39,6 +39,7 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index d5700db7c..c041cdf99 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ae225aa65..92e619e5c 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d8e7c3341..a91a154a7 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 0318c7265..6c4fe6f12 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, + /etc/passwd r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + /tmp/ r, + /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index b0239f404..ac47b5460 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -16,7 +16,7 @@ profile ptyxis @{exec_path} { unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 982afd90d..2735e0c5d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} { include include - signal send set=hup peer=unconfined, + signal send set=hup peer=@{p_systemd}, ptrace read, + unix type=stream peer=(label=ptyxis), + @{exec_path} mr, @{bin}/podman Px, @@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + + # The shell is not confined on purpose. @{bin}/@{shells} Ux, + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e8612f7b6..3f9f49281 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6b358c8b0..7f7a3a8e4 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include @@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 1513aae2f..07450efff 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,7 +5,7 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ From 009fb9285d497eae14b08032b43f44e81c862823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:05:34 +0200 Subject: [PATCH 899/977] feat(profile): update gvfsd profiles. --- apparmor.d/groups/gvfs/gvfsd-fuse | 12 ++++++++++-- apparmor.d/groups/gvfs/gvfsd-sftp | 20 +++++++++----------- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 ++ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 2695a1bf7..4741b0f31 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -23,17 +23,25 @@ profile gvfsd-fuse @{exec_path} { dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-sftp), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 76bb55e98..1019a1525 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -17,28 +17,26 @@ profile gvfsd-sftp @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=@{busname}, label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=nautilus), + peer=(name=@{busname}), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0dee4e73b..7f4c20718 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,6 +15,7 @@ profile gvfsd-wsdd @{exec_path} { include include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @@ -47,6 +48,7 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, From fecb4dbca6645341359e367e80d70a5e222f13be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:06:35 +0200 Subject: [PATCH 900/977] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 13 +++++++++++++ apparmor.d/groups/flatpak/flatpak-portal | 1 + apparmor.d/groups/flatpak/flatpak-session-helper | 5 +++++ apparmor.d/groups/flatpak/flatpak-system-helper | 1 + 4 files changed, 20 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index e73408a0a..bd749db40 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,6 +40,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,6 +50,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index fdbdb9189..97f9f4911 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 162e3b448..8a8f5afb7 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cdfef1bad..0bd74bdcb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -34,6 +34,7 @@ profile flatpak-system-helper @{exec_path} { unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, From d0657d2c26644a386bc0078ec6f83ffebaa1a03e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:10:19 +0200 Subject: [PATCH 901/977] feat(profile): update network profiles. --- apparmor.d/groups/network/NetworkManager | 30 ++++++++++++++++++++++ apparmor.d/groups/network/netplan | 9 +++++++ apparmor.d/groups/network/netplan-generate | 2 ++ apparmor.d/groups/network/nmcli | 14 ++++++++++ apparmor.d/groups/network/openvpn | 2 ++ 5 files changed, 57 insertions(+) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f27449e77..2959441c4 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 5855131a8..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,9 +9,12 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + @{run}/netplan/ r, profile udevadm { @@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 74ed20aaf..cea17b81c 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6065a12da..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -16,11 +16,25 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, + /etc/netplan/* r, + owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index b5a6b83ef..2a513b84e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include From ff8efaecd209909a48bc7cd6677763fb4cd7e19b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:11:25 +0200 Subject: [PATCH 902/977] feat(profile): update arch profiles. --- apparmor.d/groups/pacman/pacdiff | 33 +++++++++++++------- apparmor.d/groups/pacman/pacman-hook-systemd | 2 ++ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index cab9eed4b..eef992666 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, @@ -20,17 +19,18 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, @@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 0878385c5..860fb34ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,6 +46,8 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, From 98063fa7711c03f624a149227b2ef3672b866469 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:15:42 +0200 Subject: [PATCH 903/977] feat(profile): rewrite the pacman profile. --- apparmor.d/groups/pacman/pacman | 165 +++++++++++++++++++------------- 1 file changed, 100 insertions(+), 65 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 427ac0141..41b45c9d0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + # Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rPx, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-* rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{sbin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{sbin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{sbin}/ldconfig rix, - @{sbin}/locale-gen rPx, - @{bin}/limine-install rPUx, - @{bin}/mkinitcpio rPx, - @{sbin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{sbin}/setcap rix, - @{bin}/setfacl rix, - @{sbin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{sbin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, @@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, @@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } From e549863d4adf82147f9c17763cfe367d5ebf746c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:20:27 +0200 Subject: [PATCH 904/977] feat(profile): update systemd profiles. --- .../systemd-generator-system-update | 3 ++- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 ++ apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 14 +++++++++++++- apparmor.d/groups/systemd/systemd-logind | 13 +++++++------ apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 1 + apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 3 +++ apparmor.d/groups/systemd/systemd-sleep-upgrades | 1 + apparmor.d/groups/systemd/systemd-timedated | 8 ++++++++ 15 files changed, 45 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 557e4ab6e..9767a2e72 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d1ee1141c..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 0d46dbfed..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index ca6eae3ad..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0381b93b1..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 01d04989b..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2765d8f10..e0a8a2e47 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index e98bef009..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 05c812b18..c5e87b3e2 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index c791e6375..a2115a926 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index bf983ea7a..34e7255ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 4cbe61755..5b9c51dbe 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{lib}/pm-utils/power.d/*hdparm-apm ix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index 94e2e8daf..e29a41a7a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 4f2cce637..c2c107b1f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index ffed031b5..b65f2b7af 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, From 43175387474acabd2e877e78f709c13e9643e999 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:21:34 +0200 Subject: [PATCH 905/977] feat(profile): update ubuntu profiles. --- apparmor.d/groups/ubuntu/software-properties-dbus | 9 +++++++-- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 ++- apparmor.d/groups/ubuntu/update-notifier | 13 +++++++++++++ 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8d55ec0b7..cc7387709 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -19,11 +19,16 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index af91c7eaa..cd858737b 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -44,12 +44,10 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index e8d847e92..ea9742d4c 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -60,9 +60,10 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0de63ac64..4c60b4aaf 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -28,6 +28,11 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), + @{exec_path} mr, @{sh_path} rix, @@ -49,6 +54,7 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -95,6 +101,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } From c7b99bb84e9098e57a368c1a237838f11095116d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:26:31 +0200 Subject: [PATCH 906/977] feat(profile): update some core profiles. --- apparmor.d/profiles-g-l/kdump-config | 2 + apparmor.d/profiles-g-l/kdump-tools-init | 2 + apparmor.d/profiles-g-l/kdump_mem_estimator | 2 + apparmor.d/profiles-g-l/kernel-postinst-kdump | 8 +++- apparmor.d/profiles-g-l/logrotate | 2 + apparmor.d/profiles-m-r/initramfs-hooks | 6 ++- apparmor.d/profiles-m-r/mdadm | 1 + apparmor.d/profiles-m-r/mkinitramfs | 48 ++++++------------- apparmor.d/profiles-m-r/needrestart | 2 + apparmor.d/profiles-m-r/rsyslogd | 1 + 10 files changed, 37 insertions(+), 37 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2bd8ef6b9..75c536612 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index b5af4dcc9..7767831a8 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index b80a89343..5f85af3fe 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 50606695a..eb17c5355 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/conf.d/{,**} r, - /etc/initramfs-tools/initramfs.conf r, + /etc/initramfs-tools/{,**} r, owner /var/lib/kdump/** rw, @@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} { include include + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 0dee9ed6a..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 136536764..89a57310f 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,6 +10,7 @@ include profile initramfs-hooks @{exec_path} { include include + include include @{exec_path} mr, @@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, - /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -81,8 +82,9 @@ profile initramfs-hooks @{exec_path} { include include - @{bin}/ldd mr, @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 4cc5fc9fb..e40f6b1e3 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -12,6 +12,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, mqueue (read getattr) type=posix /, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6caf364f..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/platform/ r, - @{sys}/devices/platform/**/ r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mr, - @{lib}/ld-linux.so* mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } @@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} { include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, - - include if exists - } - profile kmod { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 8c908ddb4..c55393753 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index ede981f58..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } From 1b97efa21595f170d2a9466b91f2ee8a611f5d0e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:27:15 +0200 Subject: [PATCH 907/977] feat(abs): add org.gtk.Menus. --- .../abstractions/bus/session/org.gtk.Menus | 18 ++++++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 1 + 2 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Menus diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus new file mode 100644 index 000000000..b21c08067 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.gtk.Menus + member={Start,End} + peer=(name=@{busname}), + + dbus send bus=session + interface=org.gtk.Menus + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 356e97705..0b69d8ee1 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only include + include include @{lib}/{,@{multiarch}/}gtk*/** mr, From 17eac0b62c0ee7dccb0c0c3642b41ce2df238aa7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:02 +0200 Subject: [PATCH 908/977] feat(abs): add missing dbus rule on org.freedesktop.DBus --- apparmor.d/groups/bus/dbus-session | 6 +++--- apparmor.d/groups/bus/dbus-system | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index cc6b33f61..27e228e2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session path=/org/freedesktop/DBus + dbus receive bus=session interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 4dec1d407..235c44cd4 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -82,6 +82,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +92,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } From d32fd036503bd197d649ba85657eaf079854b2c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:30 +0200 Subject: [PATCH 909/977] feat(profile): improve ibus-portal. --- apparmor.d/groups/bus/ibus-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 53edb4b00..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From c7e999fe30e5cb43e61cdca01eea3e18fa5fb0c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:32:29 +0200 Subject: [PATCH 910/977] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 ++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gnome | 10 +++++----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 12 +++--------- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xorg | 3 ++- 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5c7c49c3d..ce1dffd58 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -21,9 +21,9 @@ profile pulseaudio @{exec_path} { include include include + include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa78d9667..84d6675de 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -27,6 +27,7 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -77,6 +78,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index be66f7484..c1f255c75 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -21,6 +21,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 21c99827b..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -101,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca5f62f82..b6c77f336 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -16,6 +16,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -36,17 +38,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,6 +83,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 92e6c9484..9688df798 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -35,18 +35,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 840500c52..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} r, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c14af6d6e..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, From 4d7e03a9e2f743fc32661c1741ce50f0d99cddd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:34:44 +0200 Subject: [PATCH 911/977] feat(profile): add missing grep to locale-gen. --- apparmor.d/groups/utils/locale-gen | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 3620018a7..5366f1403 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, From e5012e381efa8eefb028f661606aa159e0cd46a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:39:13 +0200 Subject: [PATCH 912/977] chore: pids means all pid. --- apparmor.d/groups/_full/sd | 39 +++++++++++++++-------------- apparmor.d/groups/bus/dbus-system | 12 ++++----- apparmor.d/profiles-m-r/needrestart | 12 ++++----- 3 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 13864f2dd..ccdbf338b 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -195,25 +195,26 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pid}/attr/apparmor/exec w, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map w, - @{PROC}/@{pid}/limits r, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/oom_score_adj rw, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/setgroups w, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pid}/uid_map w, + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 235c44cd4..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -77,12 +77,12 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c55393753..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -56,12 +56,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, From 69fcef01b7b5d9003f902512be3d7c2543da5ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:50:23 +0200 Subject: [PATCH 913/977] feat(profile): add a large profile for mkosi. --- apparmor.d/profiles-m-r/mkosi | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mkosi diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 000000000..f6489a501 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor From e09251d2669a0161aef2eb75e5d92c1c74a86f56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:53:00 +0200 Subject: [PATCH 914/977] feat(abs): update org.freedesktop.PolicyKit1 --- .../abstractions/bus/org.freedesktop.PolicyKit1 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 9dfab7481..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -13,17 +15,13 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label="@{p_polkitd}"), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists From fce5de8d198df15219422e0b6867609a3f3ee85d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:55:29 +0200 Subject: [PATCH 915/977] feat(abs): update org.freedesktop.PackageKit --- .../abstractions/bus/org.freedesktop.PackageKit | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index f6cde2030..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd @@ -16,6 +19,14 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + include if exists # vim:syntax=apparmor From 93c94836e292a2e4b39cea261e6891e30b74d6a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:56:14 +0200 Subject: [PATCH 916/977] feat(abs): add snapcraft dbus reference call. --- .../bus/session/io.snapcraft.Launcher | 21 +++++++++++++++++++ .../io.snapcraft.PrivilegedDesktopLauncher | 16 ++++++++++++++ .../bus/session/io.snapcraft.Settings | 16 ++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Launcher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Settings diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor From 8f0ee240007ba41dee39f721bc22fff6163171ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:57:10 +0200 Subject: [PATCH 917/977] feat(abs): add org.gtk.vfs.MountOperation --- .../bus/session/org.gtk.vfs.MountOperation | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation new file mode 100644 index 000000000..ff8c928f8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor From 76c5586688218983fe9203fd894e8cc794a895e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:58:11 +0200 Subject: [PATCH 918/977] feat(abs): add org.freedesktop.IBus.Portal --- .../bus/session/org.freedesktop.IBus.Portal | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor From 865bac4cc6a2c7d79a37503b5d02985655a29532 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:59:07 +0200 Subject: [PATCH 919/977] feat(abs): update org.freedesktop.ColorManager. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index e23092429..13d186898 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=FindDeviceByProperty - peer=(name="@{busname}", label="@{p_colord}"), + member={FindDeviceByProperty,FindDeviceById} + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), include if exists From 0c90adb24d81bab5f241c853be367e62f8fea01f Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:04:37 -0600 Subject: [PATCH 920/977] Update mdadm There were lots of missing components of mdadm. I have a few scripts that create and tear down MD RAID arrays. I've ran them all and added the missing entries. Note that mdadm has the ability to run in daemon mode and send mail when an array fails. That's why it requires all the network entries. --- apparmor.d/profiles-m-r/mdadm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index e40f6b1e3..94a178ce7 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,12 +15,22 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, + @{sh_path} rix, + @{bin}/sendmail rPUx, + + /etc/mdadm.conf r, + @{run}/initctl r, + @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -27,13 +38,17 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, + @{PROC}/mdstat rw, /dev/**/ r, + /dev/.tmp.md.* rw, include if exists } From c4bad04fed083d93c51c7040266f2a7bd179b550 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:15:32 -0600 Subject: [PATCH 921/977] mdadm Make the linter happy :) --- apparmor.d/profiles-m-r/mdadm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 94a178ce7..a3fba9479 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -24,8 +24,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sh_path} rix, + @{sbin}/sendmail rPUx, /etc/mdadm.conf r, From 1540315d5caab3d5e6a87dd4c5ea4c31114d1058 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 07:38:44 -0600 Subject: [PATCH 922/977] mdadm: include all config file locations pulled from strings --- apparmor.d/profiles-m-r/mdadm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index a3fba9479..b0397eb8d 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -27,7 +27,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/sendmail rPUx, - /etc/mdadm.conf r, + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, @{run}/initctl r, @{run}/mdadm/* rwk, From 1d2b271dfcf96c739a79d7909161da2396cfc943 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 10:26:41 -0600 Subject: [PATCH 923/977] ssh-keygen: allow execution of ssh-sk-helper The ssh-sk-helper profile was added last year but never hooked into the ssh-keygen profile. This is needed for generating SSH keys that live on a yubikey. --- apparmor.d/groups/ssh/ssh-keygen | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 1b6dd5e98..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,6 +15,8 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, From c67773947ec9951c18fd511093be9bea78aa79de Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 08:09:04 -0600 Subject: [PATCH 924/977] ssh: allow ssh to authenticate to remote hosts using kerberos tickets --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bf71a8463..c2926a3a4 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,6 +12,7 @@ profile ssh @{exec_path} { include include include + include include network inet stream, From 53501d8bf4bcf462c643e0c4fd81f4fd82865b79 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 12:25:55 -0600 Subject: [PATCH 925/977] ssh: allow ssh to write to the kerberos CC when it picks up a ticket --- apparmor.d/groups/ssh/ssh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c2926a3a4..0d6826490 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -44,6 +44,8 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, From fda74f574f4c3ec693c20eaaf6a19a737ddee178 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:02:35 +0200 Subject: [PATCH 926/977] chore(abs): add some device description. --- apparmor.d/abstractions/dri | 3 +++ apparmor.d/abstractions/nvidia-strict | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55a..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a7529eb9a..8fd78a702 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -36,8 +36,14 @@ owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, From 56948a54eb1461ad4dd8e78a42185bb8e5de4819 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:03:20 +0200 Subject: [PATCH 927/977] feat(abs): reorganise the audio abstractions. --- apparmor.d/abstractions/audio-client | 6 ++++++ apparmor.d/abstractions/audio-server | 5 ----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 826191309..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,12 +57,18 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, From 122b004c2e6be12d64f0eb0a3e3835cd0e8fef35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:29:29 +0200 Subject: [PATCH 928/977] feat(abs): aff the uinput abs. --- apparmor.d/abstractions/uinput | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/uinput diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 000000000..b97d1eb8a --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor From 7cf4719728569dc207122236ff5a187ff2375a8f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:35:07 +0200 Subject: [PATCH 929/977] feat(abs): add the secrets-service abs. --- .../bus/session/org.freedesktop.Secret | 49 +++++++++++++++++++ apparmor.d/abstractions/secrets-service | 33 +++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Secret create mode 100644 apparmor.d/abstractions/secrets-service diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 000000000..8ded1b6d7 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 000000000..71b7c7d82 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor From db347d13de5610ddcd0338f23e082a9b0e544f74 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:37:35 +0200 Subject: [PATCH 930/977] feat(abs): revisit and restrict the devices-usb abs. --- apparmor.d/abstractions/devices-usb | 13 +++++++++++-- apparmor.d/abstractions/devices-usb-read | 23 +++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 85f8f6b92..3361f10ec 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,13 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , include - /dev/bus/usb/@{int}/@{int} wk, + @{PROC}/tty/drivers r, - @{sys}/devices/**/usb@{int}/{,**} w, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, + + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 836a5f3c7..ea3131d59 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow detection of usb devices. Leaks plugged in USB device info - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} r, + abi , @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, include if exists From 26f905bcc2d7e454b66ff0329e4476ede43a97db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:38:34 +0200 Subject: [PATCH 931/977] feat(abs): X-strict: use tunables. --- apparmor.d/abstractions/X-strict | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9330d2223..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From 170575fbff343a6c376bbebb9acac171ffbba3b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:40:54 +0200 Subject: [PATCH 932/977] feat(abs): ensure graphics devices are in nvidia-strict. --- apparmor.d/abstractions/graphics-full | 6 ------ apparmor.d/abstractions/nvidia-strict | 18 +++++++++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1e2c97224..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,13 +8,7 @@ include include - @{sys}/devices/@{pci}/numa_node r, - - @{PROC}/devices r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 8fd78a702..a14691a9c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, /usr/share/nvidia/nvidia-application-profiles-* r, @@ -24,13 +24,17 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, @@ -43,6 +47,10 @@ # Nvidia graphics devices /dev/nvidia@{int} rw, + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + # Nvidia's control device /dev/nvidiactl rw, From 34cc1ab131ef8400a104a2b93131663f3e2f21e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:42:10 +0200 Subject: [PATCH 933/977] feat(abs): graphics: limit access to cpu sys value. --- apparmor.d/abstractions/graphics | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 79872ceb4..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -13,14 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists From 51bcdd5e148cc6f44c4ba560c8aede87e437531c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:43:40 +0200 Subject: [PATCH 934/977] feat(abs): add the input abs. --- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/common/game | 5 +---- apparmor.d/abstractions/input | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/input diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index d0b36188b..70a50b8c1 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -26,6 +26,7 @@ include include include + include include include include @@ -72,8 +73,6 @@ @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -143,8 +142,6 @@ owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 6b97b014c..753d4cf0b 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -17,6 +17,7 @@ include include include + include include include @@ -108,11 +109,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor From 8c6b0ce33f12020f067d530e1927310eab721605 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:47:50 +0200 Subject: [PATCH 935/977] feat(profile): cleanup profiles using the new abs. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/common/app | 3 +++ apparmor.d/abstractions/common/game | 5 +---- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/steam/steam | 4 +--- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 725b57fca..efb108586 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -34,7 +34,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 70a50b8c1..043ed7125 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,8 +28,11 @@ include include include + include include include + include + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 753d4cf0b..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -20,6 +20,7 @@ include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -67,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -80,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124..12c8e2e80 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d7..e3fcb1931 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists From ad406da5de2a886b916001956ee0ebc0fb463974 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:49:08 +0200 Subject: [PATCH 936/977] feat(abs): add org.freedesktop.portal.Settings. --- .../session/org.freedesktop.portal.Settings | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 000000000..01cf21c46 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor From 608ff3db0ce9dece45f437253af461ce5d49e5ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:50:01 +0200 Subject: [PATCH 937/977] fix(abs): ColorManager peer name. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 13d186898..46201fc23 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={FindDeviceByProperty,FindDeviceById} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), include if exists From 4bbe0a1a32072f0224d58d694614664bec56b505 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:55:32 +0200 Subject: [PATCH 938/977] feat(abs): use the new secrets-service abstraction. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-g-l/gitg | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index efb108586..2b03d5011 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -40,6 +39,7 @@ include include include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 299d0738b..38122b7c0 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include include include include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8278ac648..a86ef9e37 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,7 +27,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -43,6 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 2f190dfab..3a643bad7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,11 +15,11 @@ profile seahorse @{exec_path} { include include include - include include include include include + include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index ff5e12444..d668fbfd2 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 0ac23267b..f5548f696 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -17,8 +17,8 @@ include profile protonmail @{exec_path} flags=(attach_disconnected) { include include - include include + include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 17ca1ec5a..23d13694e 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 56f5e91b8..8917fa3a2 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -23,7 +23,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,6 +32,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 3a3a77313..dc6e4825a 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -28,6 +27,7 @@ profile vlc @{exec_path} { include include include + include include include From ddfe75f23f4f661027a3e04c55f3f3911909aacc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:05:02 +0200 Subject: [PATCH 939/977] refractor(abs): move org.kde.StatusNotifierItem inside the session abs dir. --- .../bus/{ => session}/org.kde.StatusNotifierItem | 7 +------ apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/vlc | 1 + 3 files changed, 3 insertions(+), 7 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.StatusNotifierItem (79%) diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 87fd06727..d017d44e3 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -23,11 +23,6 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f7abf758b..ee8ee627b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -24,7 +24,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index dc6e4825a..7e9c31866 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -16,6 +16,7 @@ profile vlc @{exec_path} { include include include + include include include include From f199cfe84dbe28b50c3136c738a42f5939c57f3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:06:51 +0200 Subject: [PATCH 940/977] feat(abs): app: minor improvement to common app action. --- apparmor.d/abstractions/common/app | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 043ed7125..a05bc2364 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -40,7 +40,7 @@ dbus bus=session, dbus bus=system, - /usr/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, @@ -85,6 +85,7 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -96,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, From cd6bb7bd52c92085511aced5b6dcec89bf0278ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:09:31 +0200 Subject: [PATCH 941/977] feat(abs): add NEEDS-VARIABLE to abs using variable. Will be used by aa-logprof. --- apparmor.d/abstractions/app/chromium | 5 +++++ apparmor.d/abstractions/app/firefox | 4 ++++ apparmor.d/abstractions/common/app | 1 + apparmor.d/abstractions/common/bwrap | 1 + apparmor.d/abstractions/common/chromium | 1 + apparmor.d/abstractions/common/electron | 5 +++++ apparmor.d/abstractions/common/steam-game | 3 +++ 7 files changed, 20 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b03d5011..62a8432ba 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 238bf9e8b..e0321f62f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a05bc2364..5a93050d6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index da73b8217..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 78441fe08..340092f23 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,6 +2,7 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b581c9073..253eab72b 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a10..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , From 84f3f947cb343c81af50d2cc1868260c7c8ab846 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:11:18 +0200 Subject: [PATCH 942/977] feat(abs): improve chromium common. --- apparmor.d/abstractions/common/chromium | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 340092f23..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -17,9 +17,14 @@ userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,20 +38,22 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, From 31cbe5e2e9fdf0deaceb9bc2adee764809a68a6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:33:24 +0200 Subject: [PATCH 943/977] fix(profile): revert 06d476c fix #855 --- apparmor.d/groups/systemd/systemd-logind | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index c5e87b3e2..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -137,7 +137,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + /dev/dri/card@{int} rw, @{att}/dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From bd487d1b6653d0db9304873a9e52642b56b2f207 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:58:25 +0200 Subject: [PATCH 944/977] fear(profile): remove profile for spectre-meltdown-checker. --- .../profiles-s-z/spectre-meltdown-checker | 186 ------------------ 1 file changed, 186 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/spectre-meltdown-checker diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index 6e5af1288..000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null @@ -1,186 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{sbin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{sbin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - @{efi}/ r, - @{efi}/config r, - @{efi}/System.map-* r, - @{efi}/vmlinuz-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor From 4982ff104ddf57c7e92d4fcff5f33437bf71cbaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 12:03:00 +0200 Subject: [PATCH 945/977] feat(profile): remove rules not needed anymore Moved into the nvidia-strict abs. --- apparmor.d/profiles-m-r/nvidia-settings | 2 -- apparmor.d/profiles-m-r/nvidia-smi | 2 -- apparmor.d/profiles-m-r/nvtop | 3 +-- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 771bbb3b6..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,8 +33,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 1d6d62e2b..eb42bd59b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,8 +26,6 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d0553d186..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,7 +54,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From 34aa208ec98f3baafd7042543f79929f5658dc91 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 16:11:16 +0200 Subject: [PATCH 946/977] refractor(abs): reorganize dbus abstraction (1) --- .../abstractions/bus/org.freedesktop.resolve1 | 16 ---------------- .../bus/{ => system}/org.freedesktop.locale1 | 3 +-- .../bus/{ => system}/org.gnome.DisplayManager | 4 ++-- apparmor.d/groups/flatpak/flatpak | 2 +- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/kde/startplasma | 2 +- 9 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.resolve1 rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.locale1 (70%) rename apparmor.d/abstractions/bus/{ => system}/org.gnome.DisplayManager (73%) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index fe6d52dc6..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} - peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 1348c8a39..e2377a14b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -4,12 +4,11 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 741631f4b..4833b1512 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index bd749db40..4ef675aef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -13,7 +13,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 56fd3ce3f..adf2aa264 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,7 +11,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index c08d12a07..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal receive set=(hup term) peer=gdm-session-worker, signal receive set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a86ef9e37..1fb7efd7d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -23,7 +23,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index cbb8ccf71..80f19f93a 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -14,7 +14,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index a8c8cbd13..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include From 3c49755d189be4fa86c714b22ba5d175bf1901c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:52:37 +0200 Subject: [PATCH 947/977] refractor(abs): reorganize dbus abstraction (2) - new upower-observe abstraction --- apparmor.d/abstractions/app/chromium | 5 ++--- .../bus/{ => session}/org.gnome.ArchiveManager1 | 2 +- .../org.gnome.Nautilus.FileOperations2 | 2 +- .../bus/{ => system}/org.freedesktop.ColorManager | 4 ++-- .../bus/{ => system}/org.freedesktop.UPower | 2 +- apparmor.d/groups/cups/cupsd | 11 +---------- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 14 +++++++++++--- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/localsearch | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 4 ++-- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- 22 files changed, 37 insertions(+), 38 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.ArchiveManager1 (86%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Nautilus.FileOperations2 (76%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.ColorManager (90%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UPower (94%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 62a8432ba..9c5b16edd 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -27,13 +27,11 @@ include include include - include + include include include - include include include - include include include include @@ -48,6 +46,7 @@ include include include + include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 6bfa6114b..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 178139a8d..8a3e7d74e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager similarity index 90% rename from apparmor.d/abstractions/bus/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index 46201fc23..4b5dcc746 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager @@ -15,7 +15,7 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=CreateDevice + member={CreateProfile,CreateDevice,DeleteDevice} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager @@ -28,6 +28,6 @@ member={FindDeviceByProperty,FindDeviceById} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 64b400a3e..aa6a61371 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 642d7ef5c..0a23ce476 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=DeleteDevice - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=FindDeviceById - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0f6f9abeb..83652914f 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 84d6675de..fc9029ef3 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -15,11 +15,12 @@ profile wireplumber @{exec_path} { include include include - include + include include include include include + include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index be7edcd79..e41718803 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1fb7efd7d..d8853aa3b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include capability sys_nice, capability sys_ptrace, @@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting + # Talk with gnome-shell + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus @@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # Session bus dbus send bus=session path=/org/gnome/** diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7f02d8bf4..32869cdbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f77b023e..f3be82dfd 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index c041cdf99..66420cace 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7f7a3a8e4..e7cdc1a38 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 01706e649..f40c86e03 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include include + include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ddd14b5c2..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 45f0d43e9..cc9907266 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include include @@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 08835eaf0..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index c9aca546a..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index bcdcf108d..34284388e 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 178bf28c6..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b663865e8..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, From 94444077a8be642422836617398638ebc6cafccc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:53:05 +0200 Subject: [PATCH 948/977] feat(profile): update attachement for gnome-extension-ding --- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e41718803..400b28b6e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include From e4b6e7e92b80adbb548800663495a3e4e6c8117f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:10 +0200 Subject: [PATCH 949/977] feat(abs): add the devices-u2f abs. --- apparmor.d/abstractions/app/chromium | 4 +--- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/devices-u2f | 23 +++++++++++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/devices-u2f diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 9c5b16edd..1c504d2a8 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -36,6 +36,7 @@ include include include + include include include include @@ -154,9 +155,7 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -181,7 +180,6 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e0321f62f..21534208f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -31,6 +31,7 @@ include include include + include include include include @@ -164,7 +165,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5a93050d6..e83efdb89 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -21,6 +21,7 @@ include include include + include include include include @@ -148,7 +149,6 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, - /dev/hidraw@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 000000000..c707d66e0 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor From 939a2b7f4bd2068746b8be936fe5c66aa2140575 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:30 +0200 Subject: [PATCH 950/977] feat(abs): add upower-observe --- apparmor.d/abstractions/upower-observe | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 apparmor.d/abstractions/upower-observe diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 000000000..67478bb6d --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8e73353cc8c2335dfbc92c1e0fdc7628ade4b904 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:09:16 +0200 Subject: [PATCH 951/977] feat(abs): add pcscd --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/pcscd | 19 +++++++++++++++++++ apparmor.d/groups/gnome/gsd-smartcard | 6 +++--- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 3 +-- apparmor.d/profiles-m-r/rngd | 2 +- 7 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/pcscd diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1c504d2a8..6e447bf05 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -42,6 +42,7 @@ include include include + include include include include @@ -107,7 +108,6 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 21534208f..7630b8576 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -37,6 +37,7 @@ include include include + include include include include @@ -80,7 +81,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 000000000..33a981279 --- /dev/null +++ b/apparmor.d/abstractions/pcscd @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 98ce848ba..d42fb486b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,13 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +32,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 3a643bad7..1fac28dfa 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -19,6 +19,7 @@ profile seahorse @{exec_path} { include include include + include include include @@ -34,7 +35,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8b..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index ebbf0a5ab..2e548d40c 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, From 962b372390f837f7162f97fa78fbe4b24204af26 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 01:08:15 +0200 Subject: [PATCH 952/977] fix(profile): qemu-ga path on opensuse. --- apparmor.d/profiles-m-r/qemu-ga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5173c50d8..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include From 2ceaa16d9a53027a77092739738ec0491e76c39a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:06:06 +0200 Subject: [PATCH 953/977] feat(abs): rewrite the avahi abs, add avahi-observe --- apparmor.d/abstractions/app/chromium | 3 +- apparmor.d/abstractions/avahi-observe | 25 +++++++++++++++ .../org.freedesktop.Avahi.AddressResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.DomainBrowser | 25 +++++++++++++++ .../org.freedesktop.Avahi.HostNameResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.RecordBrowser | 25 +++++++++++++++ .../bus/system/org.freedesktop.Avahi.Server | 31 +++++++++++++++++++ .../org.freedesktop.Avahi.ServiceBrowser | 23 ++++++++++++++ .../org.freedesktop.Avahi.ServiceResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.ServiceTypeBrowser | 25 +++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/avahi/avahi-browse | 8 ++--- apparmor.d/groups/avahi/avahi-resolve | 14 ++------- apparmor.d/groups/avahi/avahi-set-host-name | 3 ++ apparmor.d/groups/cups/cups-backend-dnssd | 2 +- apparmor.d/groups/cups/cups-browsed | 4 ++- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/cups/ippfind | 2 +- apparmor.d/groups/freedesktop/colord | 3 +- apparmor.d/groups/freedesktop/geoclue | 3 +- apparmor.d/groups/freedesktop/pulseaudio | 21 +++---------- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../gnome/gnome-control-center-goa-helper | 2 +- .../groups/gnome/gsd-print-notifications | 25 +++------------ apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 3 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- 30 files changed, 267 insertions(+), 71 deletions(-) create mode 100644 apparmor.d/abstractions/avahi-observe create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6e447bf05..1635741ed 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,10 +25,9 @@ abi , include + include include include - include - include include include include diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver new file mode 100644 index 000000000..f6a1a251c --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Address resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=AddressResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser new file mode 100644 index 000000000..39f5e4496 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 000000000..403a4db0f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 000000000..bff079b13 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 000000000..bfc87b3cc --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 000000000..6a3b1510d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 000000000..d90e9ca14 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 000000000..93affdc51 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index e83efdb89..091cfbbb4 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -13,6 +13,7 @@ abi , include + include include include include @@ -73,7 +74,6 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3ac729baa..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 1a66b4726..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 1009a0ef2..877200660 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 7330d67c9..1e47287ac 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -10,8 +10,10 @@ include profile cups-browsed @{exec_path} { include include - include include + include + include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 0a23ce476..ec0bbfd67 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,7 +11,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index c2a944b11..fe4347237 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index b3cda6307..c069b7afd 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,8 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index fbc7a7582..04eeba521 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -11,9 +11,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include - include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index ce1dffd58..346ae7257 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,10 +14,12 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include include include include @@ -49,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label="@{p_avahi_daemon}"), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c1f255c75..fafdea3a5 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -14,7 +14,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8ef24e9ce..b4128b1af 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,11 +10,11 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d7050..21a326fe6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index c5be27f27..5d037961f 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include + include + include + include + include include include @@ -38,24 +41,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member={CacheExhausted,ItemNew} - peer=(name=@{busname}, label=avahi-daemon), - dbus receive bus=system path=/Client4/RecordBrowser3 - interface=org.freedesktop.Avahi.RecordBrowser - member=ItemNew - peer=(name=@{busname}, label=avahi-daemon), - @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 1fac28dfa..96b60ab72 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ab786106c..a4eb42821 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,9 +12,10 @@ profile gvfsd-dnssd @{exec_path} { include include include - include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index de1c4a856..63f348f9b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,11 +11,11 @@ include profile libreoffice @{exec_path} { include include + include include include include include - include include include include diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 2065dd814..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 23d13694e..90db69a13 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,11 +10,11 @@ include profile remmina @{exec_path} { include include + include include include include include - include include include include From 63c9c8cc2da2085d884e80ca42f9c624106367dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:11:23 +0200 Subject: [PATCH 954/977] refractor(abs): move org.kde.kwalletd --- apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd | 4 ++-- apparmor.d/abstractions/secrets-service | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd (50%) diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace..0afce1cdf 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service index 71b7c7d82..083672cc9 100644 --- a/apparmor.d/abstractions/secrets-service +++ b/apparmor.d/abstractions/secrets-service @@ -22,6 +22,7 @@ abi , include + include dbus send bus=session path=/org/gnome/keyring/daemon interface=org.gnome.keyring.Daemon From b471f8359a29e79d14f7e66648a136a85eaad3d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:14:18 +0200 Subject: [PATCH 955/977] feat(profile): update cups-browsed --- apparmor.d/groups/cups/cups-browsed | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 1e47287ac..ca1dc9630 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} { +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include @@ -18,9 +18,8 @@ profile cups-browsed @{exec_path} { include include -# capability net_admin, + capability net_admin, capability net_bind_service, -# capability sys_nice, network inet dgram, network inet6 dgram, @@ -28,20 +27,12 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label="@{p_avahi_daemon}"), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={PrinterDeleted,PrinterStopped} - peer=(name=@{busname}, label=cups-notifier-dbus), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -59,7 +50,7 @@ profile cups-browsed @{exec_path} { owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From d9ff4aecd757f41b5b8e401e20611ab3e18862dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:24:49 +0200 Subject: [PATCH 956/977] build: add test build target. --- Justfile | 8 ++++++++ pkg/prebuild/cli/cli.go | 6 ++++++ pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 4 files changed, 21 insertions(+) diff --git a/Justfile b/Justfile index 2c4c0e8d4..64e333079 100644 --- a/Justfile +++ b/Justfile @@ -65,11 +65,19 @@ build: enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + # Prebuild the profiles in complain mode [group('build')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + # Prebuild the profiles in FSP mode [group('build')] fsp: build diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index bf768c050..afed5aedf 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -37,6 +37,7 @@ Options: -s, --server Set AppArmor for server. -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. + --test Enable test mode. --debug Enable debug mode. ` ) @@ -48,6 +49,7 @@ var ( full bool server bool debug bool + test bool abi int version float64 file string @@ -74,6 +76,7 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { @@ -118,6 +121,9 @@ func Configure() { if debug { builder.Register("debug") } + if test { + prebuild.Test = true + } } else if enforce { builder.Register("enforce") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b6ec56816..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -43,6 +43,10 @@ func filterRuleForUs(opt *Option) bool { return true } + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 201d8c841..486a45d14 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -19,6 +19,9 @@ var ( // Either or not RBAC is enabled RBAC = false + // Either or not we are in test mode + Test = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From 4609595c26bcf1e129f885186784922762f73f5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:04 +0200 Subject: [PATCH 957/977] refractor(abs): common/apt -> apt. --- apparmor.d/abstractions/{common => }/apt | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-cache | 2 +- apparmor.d/groups/apt/apt-cdrom | 2 +- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-file | 2 +- apparmor.d/groups/apt/apt-forktracer | 2 +- apparmor.d/groups/apt/apt-helper | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 2 +- apparmor.d/groups/apt/dpkg-db-backup | 2 +- apparmor.d/groups/apt/dpkg-maintscript-helper | 2 +- apparmor.d/groups/apt/querybts | 6 +++--- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/grub/grub-sort-version | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/package-data-downloader | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pycompile | 4 ++-- 43 files changed, 46 insertions(+), 46 deletions(-) rename apparmor.d/abstractions/{common => }/apt (95%) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 95% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index bec8d9a20..2802ac2a8 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index ade8bee61..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe449..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c7..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b037..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index beb563f31..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc140acd1..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95b..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index f16e98d2f..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c30..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 16dc584b3..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 9254be27d..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index b42649d7c..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 3e3fd2ab9..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 712a74e8c..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include - include @{exec_path} r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index d83bdbb45..8e99e70c5 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index dfb881e32..aa9232c73 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 2a2063d8e..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a814eaaa9..a6584a23d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 36e299a0c..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ebdc88d08..d2da77bc3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include include - include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 1fb667fae..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index f829ab3ff..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 5e65fe835..6ece8a60b 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 93c70329e..2ebc6a5fa 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include include include @@ -18,7 +19,6 @@ profile kded @{exec_path} { include include include - include #aa:only apt include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2fa7bb92a..255dc551a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,7 +9,7 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index d7480a212..b6815adea 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include include include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2edc09970..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 9734803e4..91c8b29cc 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 65a19e0e0..d0e5c8f1e 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 2d3eebbc2..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index d5ad6e06c..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 91bc4876f..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 37f7f72a5..1703d27cd 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index cc7387709..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index cd858737b..5111a0278 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index ea9742d4c..4ede61bc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 34284388e..d242ae0d6 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,7 +19,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 88967baf8..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4c60b4aaf..70d980713 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include include include @@ -16,7 +17,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 19f6a515e..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index c308dcd91..105264ec2 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include + include include - include capability dac_read_search, From ff21c9157c4608f49f6aa7b12665fd02d0a3922b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:32 +0200 Subject: [PATCH 958/977] tests(profile): add common autopkgtest paths. --- apparmor.d/abstractions/apt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 2802ac2a8..25106ad6e 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,9 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor From bf3b8345fccd475b09da20ded1a9be6e32bd731a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:26:28 +0200 Subject: [PATCH 959/977] refractor(abs): move gtk bus interfaces. --- .../bus/session/org.gtk.MountOperationHandler | 14 ++++++++++++++ .../org.gtk.Private.RemoteVolumeMonitor | 2 +- .../bus/{ => session}/org.gtk.vfs.Daemon | 6 ++++-- .../bus/{ => session}/org.gtk.vfs.Metadata | 6 +++--- .../bus/session/org.gtk.vfs.MountOperation | 2 +- .../bus/{ => session}/org.gtk.vfs.MountTracker | 14 ++++++++------ .../abstractions/bus/session/org.gtk.vfs.Spawner | 14 ++++++++++++++ 7 files changed, 45 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Private.RemoteVolumeMonitor (91%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Daemon (72%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Metadata (80%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.MountTracker (89%) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler new file mode 100644 index 000000000..3fce0d719 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index 93ad35fe5..edf954ac5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -1,7 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Each daemon (main and for mounts) implement this. + abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -14,6 +16,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index ce6e60082..9f1a77daf 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata @@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation index ff8c928f8..54dfc837f 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -6,7 +6,7 @@ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} + member={AskPassword,AskQuestion} peer=(name=@{busname}, label=gvfsd-*), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index c455d4f18..107c3dc13 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,12 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# The mount tracking interface. - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker @@ -19,11 +16,16 @@ member=ListMounts2 peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner new file mode 100644 index 000000000..71c0dd157 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor From 5cae18e064f6f3a7eb47b9553af322c781fbb068 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:45:54 +0200 Subject: [PATCH 960/977] feat(abs): add the gtk-strict abstraction. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/lxqt | 2 +- apparmor.d/abstractions/xfce | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/kde/gmenudbusmenuproxy | 1 - apparmor.d/groups/kde/kcminit | 1 - apparmor.d/groups/kde/kconf_update | 1 - apparmor.d/groups/kde/kded | 1 - apparmor.d/groups/kde/kwalletd | 1 - apparmor.d/profiles-m-r/obconf | 2 +- 13 files changed, 8 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 3bfbcc887..316e7374e 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,7 +12,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 4d2d390ee..a3afccb76 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3dece8578..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index b448c542d..f00594038 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..ba7347d8c 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 3046c8f6d..eaf50f6d0 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 6e80839fe..0a7706fe1 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index b30e39cdc..f63a83295 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -13,7 +13,6 @@ profile gmenudbusmenuproxy @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4f8b10a32..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,7 +11,6 @@ profile kcminit @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ee42fef98..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ebc6a5fa..ec5a1ee36 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -23,7 +23,6 @@ profile kded @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index de175635a..baaad7dcb 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -17,7 +17,6 @@ profile kwalletd @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include From 784ced0da32c3b380b01336f72a20c36de431c6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:08:44 +0200 Subject: [PATCH 961/977] feat(abs): reorganise the gtk/gvfs abs. --- .../abstractions/bus/session/org.gtk.vfs.Mountable | 14 ++++++++++++++ .../abstractions/bus/session/org.gtk.vfs.Spawner | 2 +- apparmor.d/abstractions/common/gnome | 1 - apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 1 - apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/flatpak/flatpak | 1 - .../groups/freedesktop/xdg-desktop-portal-gtk | 1 - .../xdg-desktop-portal-rewrite-launchers | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/deja-dup-monitor | 6 +++--- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 3 +-- apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - .../groups/gnome/gnome-control-center-goa-helper | 1 - .../gnome/gnome-control-center-search-provider | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 7 +++---- apparmor.d/groups/gnome/gnome-extension-gsconnect | 8 ++++---- apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 5 ++--- apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-housekeeping | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 3 +-- apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - apparmor.d/groups/gnome/localsearch | 5 ++--- apparmor.d/groups/gnome/mutter-x11-frames | 1 - apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gnome/seahorse | 1 - apparmor.d/groups/gnome/tracker-extract | 5 ++--- apparmor.d/groups/gnome/tracker-miner | 5 ++--- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/groups/ubuntu/check-new-release-gtk | 1 - apparmor.d/groups/ubuntu/livepatch-notification | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - .../groups/ubuntu/ubuntu-advantage-notification | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/engrampa | 3 +-- apparmor.d/profiles-a-f/file-roller | 2 -- apparmor.d/profiles-g-l/gimp | 1 + apparmor.d/profiles-g-l/libreoffice | 5 ++--- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/terminator | 1 - apparmor.d/profiles-s-z/virt-manager | 2 ++ 68 files changed, 57 insertions(+), 88 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner index 71c0dd157..7090afe24 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index f0dd20f47..b9f36cf6c 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -10,7 +10,6 @@ include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 3fdab031b..b326138d6 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 817d63175..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e900fc3f5..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a..0973fce49 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -12,7 +12,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 5233f8603..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 698eeedb6..cf7b40190 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -13,7 +13,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4ef675aef..3fee701a8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -14,7 +14,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 9688df798..35199d859 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -18,7 +18,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343b..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index cf488af63..1b818267f 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -11,7 +11,6 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index a0fb366ab..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,9 +13,9 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index adf2aa264..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -13,7 +13,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 174cb323f..9f8c51a75 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,7 +12,6 @@ profile evolution-alarm-notify @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2ee416bd9..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 38122b7c0..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index eb76f1207..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,8 +19,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 872fc6858..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,7 +14,6 @@ profile gnome-calendar @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ce936e52..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -12,7 +12,6 @@ profile gnome-characters @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index bdffedb72..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b4128b1af..c27f32fec 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,7 +16,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 21a326fe6..aeb59295f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -14,7 +14,6 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 51c8f5107..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,7 +11,6 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 519a248d8..55d49e250 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -13,7 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 400b28b6e..f56af9f67 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -21,10 +21,9 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7af7b8b2f..8ac7830cc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,10 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 40b8bc9b5..7f4b818e3 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -15,7 +15,6 @@ profile gnome-initial-setup @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8853aa3b..55e95d006 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -29,7 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 247436318..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,7 +13,6 @@ profile gnome-software @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8bcb629a9..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,9 +10,8 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cda4568c1..7a9bad4da 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -14,7 +14,6 @@ profile gnome-terminal-server @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c2..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1b12a68cd..a0b3fac6b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -16,7 +16,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35714fa0b..8d8b9fc1b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -12,7 +12,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 80f19f93a..f4f2830b8 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -16,7 +16,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 32869cdbc..9f6f70fbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -18,8 +18,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f3be82dfd..a6165ddcf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -22,7 +22,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 484dda29d..50da29b5f 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -14,7 +14,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 66420cace..ea1566757 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,9 +11,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 92e619e5c..f50bdbd9b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -13,7 +13,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index a91a154a7..07abe1c08 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -18,7 +18,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index ac47b5460..3195d7f03 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 2735e0c5d..6418193a6 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,7 +10,7 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 96b60ab72..090a9cbe7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,7 +15,6 @@ profile seahorse @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 3f9f49281..e200ecb42 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,8 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e7cdc1a38..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,9 +11,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index b6815adea..0cd509473 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -14,7 +14,6 @@ profile apport-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index d0e5c8f1e..5df19d897 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -13,7 +13,6 @@ profile check-new-release-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a..e003054a5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,7 +12,6 @@ profile livepatch-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 5111a0278..2f6398f1e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -16,7 +16,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c0..093fdbed7 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,7 +12,6 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d242ae0d6..a874ca346 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -18,7 +18,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 70d980713..f66345b67 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -15,7 +15,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c35911..c95f6be55 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -13,7 +13,6 @@ profile atril @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bba3dfedb..60843b0a6 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -16,7 +16,6 @@ profile calibre @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff400..8137edd8d 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -13,8 +13,7 @@ profile engrampa @{exec_path} { include include include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 5ec394807..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 67b625d62..ad324e153 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,6 +11,7 @@ profile gimp @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63f348f9b..bc6516fc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,9 +18,8 @@ profile libreoffice @{exec_path} { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 90db69a13..b8b361e12 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 158ea6a7f..18e3fc248 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,7 +18,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8917fa3a2..f3c4acf4f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,7 +24,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index ee8ee627b..a7adf91fa 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -23,7 +23,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 59c78396d..e9baf97e1 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,7 +13,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index f820d2953..9802ecd5a 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,6 +16,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include From 1fba94a197d93e9032a4f99dbe46eca3afaba671 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:14:30 +0200 Subject: [PATCH 962/977] feat(profile): update gvfs services to the abs changes. --- .../groups/gvfs/gvfs-afc-volume-monitor | 2 +- .../groups/gvfs/gvfs-goa-volume-monitor | 4 +-- .../groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 +-- apparmor.d/groups/gvfs/gvfsd | 8 +++-- apparmor.d/groups/gvfs/gvfsd-admin | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afc | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-archive | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-burn | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-cdda | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-computer | 9 ++++++ apparmor.d/groups/gvfs/gvfsd-dav | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-dnssd | 26 +++-------------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-fuse | 16 ++++------ apparmor.d/groups/gvfs/gvfsd-google | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-http | 24 +++++---------- apparmor.d/groups/gvfs/gvfsd-localtest | 3 ++ apparmor.d/groups/gvfs/gvfsd-metadata | 6 +++- apparmor.d/groups/gvfs/gvfsd-mtp | 16 ++++++++-- apparmor.d/groups/gvfs/gvfsd-network | 26 +++-------------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-recent | 19 +++--------- apparmor.d/groups/gvfs/gvfsd-sftp | 29 ++++++------------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-smb-browse | 18 +++++------- apparmor.d/groups/gvfs/gvfsd-trash | 22 ++++---------- apparmor.d/groups/gvfs/gvfsd-wsdd | 24 +++------------ 32 files changed, 237 insertions(+), 166 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 7f50d8b45..32136d710 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 3f2fb0138..017a66e84 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index dd03254b1..ece97e688 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 6fbbc6092..fd3b38012 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 4ed214b71..80f7f86a9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c124c5855..e3e3edfae 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,20 +18,22 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 44248cbe3..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 68d4b689e..da231f469 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index eeaaec059..db6fe5a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa7110..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc0..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6eebca738..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,9 +11,18 @@ include profile gvfsd-computer @{exec_path} { include include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a4eb42821..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,32 +12,14 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 4741b0f31..f67068f49 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, @@ -20,21 +22,13 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=@{busname}, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-sftp), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27..0544000c0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index f51ef2afe..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,9 +11,11 @@ include profile gvfsd-http @{exec_path} { include include - include + include + include + include include - include + # include include include include @@ -25,25 +27,15 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40..d1af3c60c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 46f543fa4..7874686bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,38 +11,20 @@ include profile gvfsd-network @{exec_path} { include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1219c8cbd..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,16 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 1019a1525..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,32 +11,21 @@ include profile gvfsd-sftp @{exec_path} { include include - include + include + include + include include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} - peer=(name=@{busname}), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c3..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index a90cddc50..66099563e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,9 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include include include @@ -23,16 +25,12 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index e13f870c7..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,7 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include - include + include + include + include include include include @@ -21,26 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 7f4c20718..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,32 +11,16 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include + include + include + include include network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-network), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From 14ec69cd150a8926d52c5e9495edb46e37923c5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:38:02 +0200 Subject: [PATCH 963/977] profile(abs): rewrite the way we manage accessibility - Add some missing dbus access - Split bus access in abstractions - Use trough the new accessibility abs. --- apparmor.d/abstractions/accessibility | 15 +++++ .../abstractions/bus/accessibility/org.a11y | 65 +++++++++++++++++++ apparmor.d/abstractions/bus/org.a11y | 63 ------------------ apparmor.d/abstractions/bus/session/org.a11y | 29 +++++++++ 4 files changed, 109 insertions(+), 63 deletions(-) create mode 100644 apparmor.d/abstractions/accessibility create mode 100644 apparmor.d/abstractions/bus/accessibility/org.a11y delete mode 100644 apparmor.d/abstractions/bus/org.a11y create mode 100644 apparmor.d/abstractions/bus/session/org.a11y diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 000000000..5bd8c98e7 --- /dev/null +++ b/apparmor.d/abstractions/accessibility @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y new file mode 100644 index 000000000..0145fc494 --- /dev/null +++ b/apparmor.d/abstractions/bus/accessibility/org.a11y @@ -0,0 +1,65 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow the accessibility services in the user session to send us any events + + dbus receive bus=accessibility + peer=(label="@{p_at_spi2_registryd}"), + + # Allow querying for capabilities and registering + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member=NotifyListenersSync + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + # org.a11y.atspi is not designed for application isolation and these rules + # can be used to send change events for other processes. + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Event.Object + member=ChildrenChanged + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Accessible + member=Get* + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.a11y.atspi.Event.Object + member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/cache + interface=org.a11y.atspi.Cache + member={AddAccessible,RemoveAccessible} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index c99f5f8bd..000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Accessibility bus - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - # Session bus - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 000000000..8f517fe99 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor From af6fbd2bfdf5a7d158a08f159c534867f5ccc1d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:15:43 +0200 Subject: [PATCH 964/977] feat(profile): set accessibility use. --- apparmor.d/abstractions/accessibility | 2 +- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/app/open | 4 +--- apparmor.d/abstractions/common/app | 2 -- apparmor.d/abstractions/common/gnome | 2 -- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 3 ++- apparmor.d/abstractions/xfce | 1 + apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 -- apparmor.d/groups/bus/ibus-x11 | 2 -- apparmor.d/groups/flatpak/flatpak | 2 -- .../groups/freedesktop/polkit-gnome-authentication-agent | 1 - .../groups/freedesktop/polkit-kde-authentication-agent | 2 -- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 -- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 -- apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/evolution-alarm-notify | 2 -- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 -- .../groups/gnome/gnome-control-center-print-renderer | 2 -- apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 2 -- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 -- apparmor.d/groups/gnome/gnome-initial-setup | 2 -- apparmor.d/groups/gnome/gnome-session-binary | 2 -- apparmor.d/groups/gnome/gnome-shell | 3 --- apparmor.d/groups/gnome/gnome-terminal-server | 2 -- apparmor.d/groups/gnome/gsd-color | 2 -- apparmor.d/groups/gnome/gsd-keyboard | 2 -- apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/gnome/gsd-power | 2 -- apparmor.d/groups/gnome/gsd-wacom | 2 -- apparmor.d/groups/gnome/gsd-xsettings | 2 -- apparmor.d/groups/gnome/loupe | 2 -- apparmor.d/groups/gnome/mutter-x11-frames | 2 -- apparmor.d/groups/gnome/nautilus | 2 -- apparmor.d/groups/gnome/seahorse | 2 -- apparmor.d/groups/kde/DiscoverNotifier | 2 -- apparmor.d/groups/kde/baloorunner | 2 -- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/kde-powerdevil | 2 -- apparmor.d/groups/kde/kded | 4 +--- apparmor.d/groups/kde/kglobalacceld | 2 -- apparmor.d/groups/kde/konsole | 2 -- apparmor.d/groups/kde/kscreen_backend_launcher | 2 -- apparmor.d/groups/kde/ksmserver | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/ksplashqml | 2 -- apparmor.d/groups/kde/kstart | 1 - apparmor.d/groups/kde/kwalletd | 2 -- apparmor.d/groups/kde/kwin_wayland | 2 -- apparmor.d/groups/kde/kwin_x11 | 1 - apparmor.d/groups/kde/plasmashell | 2 -- apparmor.d/groups/kde/systemsettings | 2 -- apparmor.d/groups/kde/xembedsniproxy | 2 -- apparmor.d/groups/lxqt/lxqt-globalkeysd | 1 - apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/network/mullvad-gui | 2 -- apparmor.d/groups/systemd/busctl | 2 -- apparmor.d/groups/ubuntu/apport-gtk | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/groups/ubuntu/livepatch-notification | 2 -- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 2 -- apparmor.d/groups/ubuntu/update-manager | 2 -- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/xfce/thunar | 1 - apparmor.d/groups/xfce/thunar-volman | 1 - apparmor.d/groups/xfce/xfce-clipman-settings | 1 - apparmor.d/groups/xfce/xfce-notifyd | 1 - apparmor.d/groups/xfce/xfce-panel | 1 - apparmor.d/groups/xfce/xfce-power-manager | 1 - apparmor.d/groups/xfce/xfce-screensaver | 1 - apparmor.d/groups/xfce/xfce-session | 1 - apparmor.d/groups/xfce/xfce-terminal | 1 - apparmor.d/groups/xfce/xfdesktop | 1 - apparmor.d/groups/xfce/xfsettingsd | 1 - apparmor.d/groups/xfce/xfwm | 1 - apparmor.d/profiles-a-f/alacarte | 2 -- apparmor.d/profiles-a-f/atril | 7 +------ apparmor.d/profiles-a-f/calibre | 2 -- apparmor.d/profiles-a-f/engrampa | 2 -- apparmor.d/profiles-a-f/evince | 2 -- apparmor.d/profiles-a-f/evince-previewer | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 2 -- apparmor.d/profiles-g-l/libreoffice | 2 -- apparmor.d/profiles-m-r/qbittorrent | 2 -- apparmor.d/profiles-m-r/remmina | 2 -- apparmor.d/profiles-m-r/rustdesk | 2 -- apparmor.d/profiles-s-z/YACReaderLibrary | 1 - apparmor.d/profiles-s-z/simple-scan | 2 -- apparmor.d/profiles-s-z/spice-vdagent | 2 -- apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/transmission | 2 -- apparmor.d/profiles-s-z/virt-manager | 2 -- apparmor.d/profiles-s-z/vlc | 3 --- apparmor.d/profiles-s-z/wireshark | 1 - 106 files changed, 14 insertions(+), 185 deletions(-) diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility index 5bd8c98e7..894ee467e 100644 --- a/apparmor.d/abstractions/accessibility +++ b/apparmor.d/abstractions/accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7630b8576..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -22,7 +22,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 3d91de235..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,8 +7,8 @@ abi , + include include - include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -31,8 +31,6 @@ # if @{DE} == kde include - include - include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 091cfbbb4..28badc6db 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -14,10 +14,8 @@ include include - include include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index b9f36cf6c..6dcb26860 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,7 @@ abi , - include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 316e7374e..66742f02a 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,6 +9,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index a3afccb76..47efde306 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f00594038..17952414c 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index ba7347d8c..8d83aefdc 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,8 +4,9 @@ abi , - include + include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eaf50f6d0..c7e464236 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 469fb24a0..08a553c1d 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c254fcd2d..910ae0008 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -11,7 +11,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 0973fce49..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index cf7b40190..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,9 +10,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 3fee701a8..341db555e 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1ca0fd31..bb48d0c5b 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,7 +13,6 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5e7a75a8d..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index fafdea3a5..031f03ac4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index b6c77f336..95daf2935 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 35199d859..d1ae86e15 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 1b818267f..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 9f8c51a75..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c27f32fec..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,10 +11,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index aeb59295f..8b813d260 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,10 +10,8 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 55d49e250..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f56af9f67..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,11 +13,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8ac7830cc..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,10 +13,8 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7f4b818e3..7439e0fb6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f4c61c5c6..5359a70df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 55e95d006..a82278a6c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,15 +10,12 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include include include include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7a9bad4da..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,9 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a0b3fac6b..0acdbaf38 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,10 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index f4f2830b8..b700a7df9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,10 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9f6f70fbc..3ca105656 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,10 +10,8 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a6165ddcf..d20ad65d0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,11 +10,9 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 50da29b5f..0bb1d50d1 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,9 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 7618dc3b6..84abb82e0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index cabcca062..ea55ee902 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index f50bdbd9b..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,9 +10,7 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 07abe1c08..d3906051c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 090a9cbe7..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -10,10 +10,8 @@ include profile seahorse @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 0965396ab..b5e1b4ae8 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,10 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 64372f497..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index f63a83295..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 8258d1bde..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,9 +10,7 @@ include profile kaccess @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index ead285e5f..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,7 +11,6 @@ include profile kactivitymanagerd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f40c86e03..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,10 +11,8 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ec5a1ee36..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -11,14 +11,12 @@ profile kded @{exec_path} { include include #aa:only apt include - include include include - include - include include include include + include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index b9c09d0c6..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index fa55e177d..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,9 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 00b4c9630..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f4d54c295..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,7 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e46237c2a..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index ea80e28cd..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f75..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index baaad7dcb..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,9 +11,7 @@ include profile kwalletd @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e2e3ecfe0..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,10 +10,8 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index ac80b3b18..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index cc9907266..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,10 +11,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index a78225b67..9558a6528 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,9 +10,7 @@ include profile systemsettings @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 93259822e..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8729b1abb..a9a75aa90 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include - include include include diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 085b444b1..910ea7c5f 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,7 +11,6 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 639d3ce4b..132e25e6d 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,9 +15,7 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include - include include network inet stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 04ed76e72..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0cd509473..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -11,9 +11,7 @@ profile apport-gtk @{exec_path} { include include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 5df19d897..2b7b2b4ee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,9 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index e003054a5..fb8eb259e 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 2f6398f1e..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,10 +11,8 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 093fdbed7..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a874ca346..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,10 +11,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index f66345b67..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,10 +11,8 @@ profile update-notifier @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 2fcd83048..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index fc73a14c9..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 9e74d8046..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index c594b8ed3..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,7 +10,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index b04ed2eb9..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 91be9eede..11ccca455 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,7 +10,6 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 2c0f13bc1..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index beddcce1f..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,7 +11,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 8d2f06a75..0f8836326 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ff36e8459..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,7 +10,6 @@ include profile xfdesktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 22db3f80d..d3f88c196 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 7ecd2c8fe..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index b4cfb56e6..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index c95f6be55..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 60843b0a6..281d15718 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,9 +12,7 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 8137edd8d..3e650962f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,9 +10,7 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index e07c91f3d..d6969807f 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af..dcd28ddc9 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 758ead716..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include - include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index bc6516fc2..cc2ee8c2a 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,10 +12,8 @@ profile libreoffice @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 5d9cba087..e0d430443 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b8b361e12..80e58fd7c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,10 +11,8 @@ profile remmina @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index acdad5640..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc7..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index f79b284fb..a005708db 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 18e3fc248..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,10 +11,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f3c4acf4f..a3c4b822a 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,11 +17,9 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include - include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index a7adf91fa..b84322ae0 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,10 +16,8 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e9baf97e1..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,9 +10,7 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 78d67787d..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9802ecd5a..92dc977d9 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,10 +12,8 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 7e9c31866..bda3010fa 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,7 @@ include profile vlc @{exec_path} { include include - include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include From efa28446f930af3032645b0b9e3197f2d439e6e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:23:43 +0200 Subject: [PATCH 965/977] feat(abs): add bus-session to electron As it is a layer 2 abstraction, we can safelly add it. --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/network/mullvad-gui | 1 - apparmor.d/profiles-a-f/cider | 8 ++------ apparmor.d/profiles-a-f/discord | 1 - apparmor.d/profiles-a-f/element-desktop | 1 - apparmor.d/profiles-a-f/freetube | 1 - apparmor.d/profiles-m-r/protonmail | 1 - apparmor.d/profiles-s-z/session-desktop | 1 - apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- 11 files changed, 5 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 253eab72b..dd4976f5e 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -20,6 +20,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 132e25e6d..133e4bc00 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,7 +15,6 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include network inet stream, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 2b203e989..be59811a1 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -15,15 +15,11 @@ include @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include - include - include + include + include include - include include include - include - include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index e12c25b9d..0991a243e 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,7 +17,6 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index f87486af3..59cfa3577 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,7 +16,6 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 958f9b5ee..be75567cd 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,6 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index f5548f696..8a6a2982e 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -16,7 +16,6 @@ include @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(attach_disconnected) { include - include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index cafccd791..4fd9dff69 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,7 +16,6 @@ include profile session-desktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 4abe053f6..53f3d20b1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -17,7 +17,7 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3c4b822a..f70d4e7c9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,7 +17,6 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index b84322ae0..838944aa8 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,7 +16,7 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From 59bdb157cf260eb2dd46651e063c2e226bbe401f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:00:12 +0200 Subject: [PATCH 966/977] feat(abs): add the mediakeys abs. --- .../bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys | 0 apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-s-z/spotify | 4 +--- 3 files changed, 2 insertions(+), 4 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys (100%) diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys rename to apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index d6969807f..89087df4b 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -16,6 +16,7 @@ profile evince @{exec_path} { include include include + include include include include @@ -28,7 +29,6 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f70d4e7c9..052757da2 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -18,14 +18,12 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include - include include - include include include include + include include include include From 4526e96318610985fd66ff7cd5626a63410666da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:03:22 +0200 Subject: [PATCH 967/977] feat(abs): add the gtk-strict abs. --- apparmor.d/abstractions/gtk-strict | 74 ++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 apparmor.d/abstractions/gtk-strict diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 000000000..0bf0ab41c --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict @@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + + include if exists + +# vim:syntax=apparmor From f3a4372966569d58fd20addc9c2d00a493af85f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:08:51 +0200 Subject: [PATCH 968/977] refractor(profile): bus/org.bluez -> bus/system/org.bluez. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/bus/{ => system}/org.bluez | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 3 +-- apparmor.d/profiles-s-z/spotify | 1 + 10 files changed, 10 insertions(+), 9 deletions(-) rename apparmor.d/abstractions/bus/{ => system}/org.bluez (96%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1635741ed..313f51687 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -31,6 +31,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez similarity index 96% rename from apparmor.d/abstractions/bus/org.bluez rename to apparmor.d/abstractions/bus/system/org.bluez index 461ad9f94..acaa7bb36 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -36,6 +36,6 @@ member=RegisterApplication peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 346ae7257..206958062 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -16,7 +16,7 @@ profile pulseaudio @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d58385831..201e49f3c 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -11,7 +11,7 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index fc9029ef3..90eb46dc4 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -12,10 +12,9 @@ profile wireplumber @{exec_path} { include include include - include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a82278a6c..f46a8461d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2959441c4..fca80465d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 8447bff3e..65793364d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,7 +11,7 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 2f31aea79..3a5dfffb6 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -11,8 +11,7 @@ profile mpris-proxy @{exec_path} { include include include - include - include + include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 052757da2..d1a60a8c7 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,6 +21,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 48aeefa0a306efd28dfa5c83fa73e2e14639ea13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:13:37 +0200 Subject: [PATCH 969/977] fix: linting issue. --- .../abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys index 3a461a85a..93d830828 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys +++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys @@ -18,6 +18,6 @@ interface=org.gnome.SettingsDaemon.MediaKeys peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - include if exists + include if exists # vim:syntax=apparmor From 5559670a37d611bcb053f26a6d0588498442b97f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:37:47 +0200 Subject: [PATCH 970/977] feat(abs): add mediakeys --- apparmor.d/abstractions/mediakeys | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/mediakeys diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys new file mode 100644 index 000000000..ecf839cda --- /dev/null +++ b/apparmor.d/abstractions/mediakeys @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8c66d39a1e64c721ebb6f6c1421922d70abc0e3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:39:38 +0200 Subject: [PATCH 971/977] feat(profile): merge dpkg-script-* profile into dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 74 --------------------- apparmor.d/groups/apt/dpkg-script-kmod | 18 ----- apparmor.d/groups/apt/dpkg-script-linux | 56 ---------------- apparmor.d/groups/apt/dpkg-script-systemd | 77 ---------------------- apparmor.d/groups/apt/dpkg-scripts | 5 +- 5 files changed, 4 insertions(+), 226 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor delete mode 100644 apparmor.d/groups/apt/dpkg-script-kmod delete mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-systemd diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor deleted file mode 100644 index 73a4f6c46..000000000 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ /dev/null @@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: merge with dpkg-scripts - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/apparmor* -profile dpkg-script-apparmor @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/{,e}grep ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/mkdir ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-divert ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/apparmor_parser Px, - - /usr/share/apparmor.d/** rw, - - /etc/apparmor.d/** rw, - - /var/lib/dpkg/diversions rw, - /var/lib/dpkg/diversions-new rw, - /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/format r, - /var/lib/dpkg/status r, - /var/lib/dpkg/triggers/File r, - /var/lib/dpkg/triggers/Unincorp r, - /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - capability dac_override, - capability dac_read_search, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent rix, - - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, - - owner @{run}/systemd/ask-password/ rw, - owner @{run}/systemd/ask-password-block/{,*} rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod deleted file mode 100644 index f900bba17..000000000 --- a/apparmor.d/groups/apt/dpkg-script-kmod +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/kmod* -profile dpkg-script-kmod @{exec_path} { - include - - @{exec_path} mrix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux deleted file mode 100644 index af578be50..000000000 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/linux* -profile dpkg-script-linux @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/stty ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/systemctl Cx -> systemctl, - - /usr/share/{update,reboot}-notifier/notify-reboot-required Px, - /etc/kernel/{,header_}postinst.d/* Px, - /etc/kernel/postrm.d/* Px, - /etc/kernel/preinst.d/* Px, - /etc/kernel/prerm.d/* Px, - - /etc/kernel/*.d/ r, - - @{lib}/linux/triggers/* w, - @{lib}/modules/*/.fresh-install w, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd deleted file mode 100644 index 6c76e6f70..000000000 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/systemd* -profile dpkg-script-systemd @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{coreutils_path} rix, - @{bin}/bootctl Px, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Cx -> dpkg, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/journalctl Px, - @{bin}/kernel-install mrPx, - @{bin}/systemctl Cx -> systemctl, - @{bin}/systemd-machine-id-setup Px, - @{bin}/systemd-sysusers Px, - @{bin}/systemd-tmpfiles Px, - @{lib}/systemd/systemd-sysctl Px, - @{sbin}/pam-auth-update Px, - - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - - /etc/pam.d/sed@{rand6} rw, - /etc/pam.d/common-password rw, - - @{efi}/ r, - - /var/lib/systemd/{,*} rw, - /var/log/journal/ rw, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index acde577de..2434c9db9 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, @{lib}/ r, - @{lib}/** w, + @{lib}/** wl -> @{lib}/**, /opt/*/** rw, #aa:lint ignore=too-wide @@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} { /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, From d2e941163fb0221c0ddc1e99a492e65e490dc364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:43:39 +0200 Subject: [PATCH 972/977] feat(abs): add mpris --- .../{ => session}/org.mpris.MediaPlayer2.Player | 4 ++-- apparmor.d/abstractions/mpris | 17 +++++++++++++++++ apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/vlc | 4 +--- 4 files changed, 21 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.mpris.MediaPlayer2.Player (89%) create mode 100644 apparmor.d/abstractions/mpris diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index d71b7ac1e..b2b934074 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index d1a60a8c7..b04432e39 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,8 +36,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -46,7 +45,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index bda3010fa..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -22,6 +22,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -35,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, From 5492ab1c4ecef1c09b007bbe05c29eee1c4faa7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:48:25 +0200 Subject: [PATCH 973/977] feat(profile): rewrite the gjs profile. --- apparmor.d/groups/gnome/gjs | 133 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gjs-console | 108 ------------------- apparmor.d/groups/gnome/gnome-extension | 29 ++++++ apparmor.d/groups/gnome/gnome-shell | 2 +- 4 files changed, 163 insertions(+), 109 deletions(-) create mode 100644 apparmor.d/groups/gnome/gjs delete mode 100644 apparmor.d/groups/gnome/gjs-console create mode 100644 apparmor.d/groups/gnome/gnome-extension diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..f726ab66b --- /dev/null +++ b/apparmor.d/groups/gnome/gjs @@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. +# +# Therefore, by default, some extension are confined under this profile. To fix +# this, the various programs using gjs must never run gjs as module, they need +# to run it as executable with a specific script. +# +# This currently concerns: +# - gnome-extension-ding (used to not be started as a module) +# - org.gnome.ScreenSaver (simple dbus service) +# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) +# - org.gnome.Shell.Notifications (simple dbus service) +# - org.gnome.Shell.Screencast (simple dbus service) + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + # Only needed by org.gnome.Shell.Extensions + include + include + + # Only needed by gnome-extension-ding + include + include + include + include + include + include + include + include + + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm, + + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 6d6d6ea85..000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null @@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/thumbnailers/{,**} r, - - /tmp/ r, - /var/tmp/ r, - - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{HOME}/ r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 000000000..e13eca832 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f46a8461d..24c069e72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -162,7 +162,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, From b76fe7c3429e4323834953d2e2d08e1b65e8a244 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:57:37 +0200 Subject: [PATCH 974/977] refractor(profile): move org.gnome.SessionManager This is the stage 1 of rewriting access to the session manager. --- apparmor.d/abstractions/app/chromium | 2 +- .../{ => session}/org.gnome.SessionManager | 22 +++++++++---------- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- .../groups/gnome/gsd-print-notifications | 1 - apparmor.d/groups/gnome/gsd-printer | 5 +++-- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 3 +++ apparmor.d/groups/gnome/gsd-wacom | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 5 ++--- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/totem | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SessionManager (61%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 313f51687..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,7 +30,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/session/org.gnome.SessionManager index a532b67f2..4c641776b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -1,48 +1,46 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# FIXME: Too large, restrict it. - abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 26311b575..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 910ae0008..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,7 +12,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d1ae86e15..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 595b3fd48..e39ef0dc0 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -15,7 +15,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 34ce2884d..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0acdbaf38..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -13,7 +13,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index af1784e68..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 8d8b9fc1b..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index b700a7df9..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -13,7 +13,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3ca105656..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,7 +15,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d20ad65d0..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 5d037961f..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,7 +11,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index b85a40f04..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 5f1c13d9d..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 546a252d7..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b6d90d5e3..9d432ae13 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index d42fb486b..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 2b64ddf06..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,8 +12,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 59e67d9bf..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,6 +10,9 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 0bb1d50d1..3d4f2cb05 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -11,7 +11,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 84abb82e0..20151eec0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -13,10 +13,9 @@ profile gsd-xsettings @{exec_path} { include include include - include + include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d3906051c..c405a3bf8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -15,7 +15,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 255dc551a..211dda9cc 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -11,7 +11,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 89087df4b..10b5ad4af 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -12,7 +12,7 @@ profile evince @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 78781ba28..16bafb886 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,7 +11,7 @@ include profile filezilla @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index be75567cd..b820f249c 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,7 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index cc2ee8c2a..7e4feed45 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -15,7 +15,7 @@ profile libreoffice @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 838944aa8..f812fc570 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,7 +20,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d8b464956..d1e429d45 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,7 +10,7 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From e6e0cc07102a54a8557c155ffb817b0608339a48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:59:12 +0200 Subject: [PATCH 975/977] fix(profile): missing updated bus abstraction paths. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- apparmor.d/groups/virt/libvirtd | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 95daf2935..30b415204 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -14,8 +14,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 23e8e20d1..378449352 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,7 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include From 6a77b7ed8b9683ebcaf92470b64cc33deca9b9d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 21:07:43 +0200 Subject: [PATCH 976/977] fix(profile): missing updated bus abstraction paths. --- apparmor.d/abstractions/mediakeys | 2 +- apparmor.d/groups/gnome/gjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys index ecf839cda..d9aafa764 100644 --- a/apparmor.d/abstractions/mediakeys +++ b/apparmor.d/abstractions/mediakeys @@ -8,7 +8,7 @@ abi , - include + include include if exists diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index f726ab66b..de9d25a14 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -115,7 +115,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include - include + include include network (bind create getattr setopt getopt) netlink raw, From 9db6bf4a3583a94d4109e0b0eb9d95e121fc8119 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Sep 2025 20:42:35 +0200 Subject: [PATCH 977/977] feat(abs): add the themes abs. fix #860 --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 1 + apparmor.d/abstractions/themes | 14 ++++++++++++++ apparmor.d/abstractions/xfce | 1 + 6 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/themes diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 66742f02a..c4abbd574 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -18,6 +18,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 47efde306..227377f3a 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 17952414c..79e97b23f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 8d83aefdc..913ab3eb3 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -10,6 +10,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes new file mode 100644 index 000000000..13fe70bc6 --- /dev/null +++ b/apparmor.d/abstractions/themes @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/themes/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{user_share_dirs}/themes/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index c7e464236..df13363fc 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include