diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b07fc8990..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,16 +3,31 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: + check: + runs-on: ubuntu-24.04 + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Install linter dependencies + run: | + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Run basic profile linter check + run: | + just check + build: runs-on: ${{ matrix.os }} + needs: check strategy: matrix: - os: - - ubuntu-24.04 - - ubuntu-22.04 - mode: - - default - - full-system-policy + include: + - os: ubuntu-24.04 + mode: default + - os: ubuntu-24.04 + mode: full-system-policy steps: - name: Check out repository code uses: actions/checkout@v4 @@ -23,12 +38,14 @@ jobs: sudo apt-get install -y \ devscripts debhelper config-package-dev \ auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi bash dists/build.sh dpkg @@ -37,13 +54,10 @@ jobs: - name: Reload AppArmor run: | - sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service - - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | 
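Review bot: `pipx install rust-just` in the new `check` job installs whatever version PyPI serves at run time, so the linter result depends on an unpinned build tool that is fetched on every run; pin it, e.g. `pipx install rust-just==<version>` (placeholder — use the release the Justfile was written against). The same unpinned install is repeated in the `build` and `tests` jobs of this file. Quoting the target in `echo "$HOME/.local/bin" >> "$GITHUB_PATH"` would also keep these steps consistent with the shellcheck rules the repo applies to its other shell code.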
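Review bot: `sed -e "s/just complain/just fsp-complain/" -i debian/rules` exits 0 even when the pattern is absent, so a later edit to debian/rules would silently turn the full-system-policy matrix entry back into a default build while the job stays green. Guard it before the sed, e.g. `grep -q "just complain" debian/rules || exit 1`, since this `run:` block has no `set -e`. The whonix `before_script` in .gitlab-ci.yml carries the same unchecked replacement.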
@@ -64,6 +78,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 @@ -83,17 +98,52 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service + sudo systemctl daemon-reload + systemctl --user daemon-reload - - name: Run the bats integration tests + - name: Restart some services to ensure they are confined run: | - make bats + services=( + containerd cron + dbus docker + ModemManager multipathd + networkd-dispatcher + packagekit polkit + snapd + systemd-journald systemd-hostnamed systemd-logind systemd-networkd + systemd-resolved systemd-udevd + udisks2 + ) + sudo systemctl daemon-reload + for service in "${services[@]}"; do + sudo systemctl restart "$service" || systemctl status "$service.service" || true + done + systemctl restart --user dbus || systemctl status --user "dbus.service" || true + sudo ps auxZ | grep -v '\[.*\]' + sudo aa-log -s --raw + + - name: Install integration dependencies + run: | + just init + find /usr/sbin/ -type f + + - name: Run the integration tests + run: | + just integration - name: Show final AppArmor logs if: always() run: | sudo aa-log -s --raw + + - name: Show final processes security context + if: always() + run: | + sudo ps auxZ | grep -v '\[.*\]' diff --git a/.gitignore b/.gitignore index d888d6d5c..077d62cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 960dd2884..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
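Review bot: The new `if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'` on the `tests` job means the integration suite never runs for `pull_request` events (the ref name there is the PR merge ref, not the source branch), so contributions are no longer exercised by bats before merge. If that is intended to keep PR runs cheap or because the service restarts are too invasive, a comment on the line such as `# Integration tests only on dev and manual runs: they restart system services` would stop the next reader from treating it as a bug. The `build` job still runs for PRs, so only the integration stage is affected.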
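Review bot: In the new "Restart some services" step, `sudo systemctl restart "$service" || systemctl status "$service.service" || true` swallows every failure, so a daemon that no longer starts under its freshly installed profile only appears in the log and the job stays green. If that is deliberate because some listed units (ModemManager, multipathd, packagekit) may not exist on the runner, add a comment such as `# Best effort: units missing on the runner are expected to fail here`, and consider collecting failures other than "unit not found" so the step can fail on a genuine confinement regression. The `find /usr/sbin/ -type f` in "Install integration dependencies" is also unexplained; a one-line comment on why that listing is wanted would help.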
@@ -24,13 +24,13 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run --exclude-dirs pkg/paths + - golangci-lint run packer: stage: lint @@ -54,7 +54,6 @@ tests: image: golang coverage: '/Coverage: \d+.\d+/' script: - - apt update && apt install -y rsync - cp tests/journalctl /usr/bin/journalctl - chmod 755 /usr/bin/journalctl - mkdir -p /var/log/audit/ @@ -67,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -85,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day 
@@ -100,12 +98,13 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu + image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 + variables: + GOFLAGS: "-buildvcs=false" script: - - sudo chown -R ubuntu:ubuntu /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,14 +116,14 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + - sudo zypper install -y distribution-release golang-packaging apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day @@ -147,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: @@ -167,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix diff --git a/.golangci.yaml b/.golangci.yaml index 7718ccda2..6861d253d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,5 +1,15 @@ --- -linters-settings: - staticcheck: - checks: ["all", "-SA1019" ] +version: "2" +linters: + settings: + staticcheck: + checks: + - all + - -SA1019 + - -ST1000 + exclusions: + paths: + - pkg/paths + - tests/cmd/ + diff --git a/Justfile b/Justfile new file mode 100644 index 000000000..64e333079 --- /dev/null +++ b/Justfile 
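Review bot: Renaming `preprocess-whonix` to `.preprocess-whonix` disables the job (a dot-prefixed GitLab job is a hidden template) without any trace of why, so the next reader has to guess whether the whonix preprocess check is broken or just temporarily off. Add a comment above it, e.g. `# Disabled: <reason> — re-enable by dropping the leading dot`, ideally with an issue reference. The `whonix` build job itself still runs, so only the `apparmor_parser --preprocess` check for that package is lost.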
@@ -0,0 +1,399 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. + +# Build settings +destdir := "/" +build := ".build" +pkgdest := `pwd` / ".pkg" +pkgname := "apparmor.d" + +# Admin username +username := "user" + +# Default admin password +password := "user" + +# Disk size of the VM to build +disk_size := "40G" + +# Virtual machine CPU +vcpus := "6" + +# Virtual machine RAM +ram := "4096" + +# Path to the ssh key +ssh_keyname := "id_ed25519" +ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname +ssh_publickey := ssh_privatekey + ".pub" + +# Where the VM are stored +vm := home_dir() / ".vm" + +# Where the VM images are stored +base_dir := home_dir() / ".libvirt/base" + +# Where the packer temporary output is stored +output_dir := base_dir / "packer" + +# SSH options +sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +# Libvirt connection address +c := "--connect=qemu:///system" + +# VM prefix +prefix := "aa-" + +# Show this help message +help: + @just --list --unsorted + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." 
+ +# Build the go programs +[group('build')] +build: + @go build -o {{build}}/ ./cmd/aa-log + @go build -o {{build}}/ ./cmd/prebuild + +# Prebuild the profiles in enforced mode +[group('build')] +enforce: build + @./{{build}}/prebuild --buildir {{build}} + +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + +# Prebuild the profiles in complain mode +[group('build')] +complain: build + ./{{build}}/prebuild --buildir {{build}} --complain + +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + +# Prebuild the profiles in FSP mode +[group('build')] +fsp: build + @./{{build}}/prebuild --buildir {{build}} --full + +# Prebuild the profiles in FSP mode (complain) +[group('build')] +fsp-complain: build + @./{{build}}/prebuild --buildir {{build}} --complain --full + +# Prebuild the profiles in FSP mode (debug) +[group('build')] +fsp-debug: build + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug + +# Install prebuild profiles +[group('install')] +install: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do + install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" + done + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do + mkdir -p "{{destdir}}/etc/apparmor.d/disable" + cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done + for file in "{{build}}/systemd/system/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" 
"{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" + done + for file in "{{build}}/systemd/user/"*; do + service="$(basename "$file")" + install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" + done + +# Locally install prebuild profiles +[group('install')] +local +names: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{names}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +# Prebuild, install, and load a dev profile +[group('install')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +# Build & install apparmor.d on Arch based systems +[group('packages')] +pkg: + @makepkg --syncdeps --install --cleanbuild --force --noconfirm + +# Build & install apparmor.d on Debian based systems +[group('packages')] +dpkg: + @bash dists/build.sh dpkg + @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb + +# Build & install apparmor.d on OpenSUSE based systems +[group('packages')] +rpm: + @bash dists/build.sh rpm + @sudo rpm -ivh --force 
{{pkgdest}}/{{pkgname}}-*.rpm + +# Run the unit tests +[group('tests')] +tests: + @go test ./cmd/... -v -cover -coverprofile=coverage.out + @go test ./pkg/... -v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out + +# Run the linters +[group('linter')] +lint: + golangci-lint run + packer fmt tests/packer/ + packer validate --syntax-only tests/packer/ + shellcheck --shell=bash \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ + tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ + debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm + +# Run style checks on the profiles +[group('linter')] +check: + @bash tests/check.sh + +# Generate the man pages +[group('docs')] +man: + @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md + +# Build the documentation +[group('docs')] +docs: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +# Serve the documentation +[group('docs')] +serve: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + +# Remove all build artifacts +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out + +# Build the package in a clean OCI container +[group('packages')] +package dist: + #!/usr/bin/env bash + set -eu -o pipefail + dist="{{dist}}" + version="" + if [[ $dist =~ ubuntu([0-9]+) ]]; then + version="${BASH_REMATCH[1]}.04" + dist="ubuntu" + elif [[ $dist == debian* ]]; then + version="trixie" + dist="debian" + fi + bash dists/docker.sh $dist $version + +# Build the VM image +[group('vm')] +img dist flavor: (package dist) + @mkdir -p {{base_dir}} + packer build -force \ + -var dist={{dist}} \ + -var flavor={{flavor}} \ + -var prefix={{prefix}} \ + -var username={{username}} \ + -var password={{password}} \ + -var ssh_publickey={{ssh_publickey}} \ + -var disk_size={{disk_size}} \ + -var cpus={{vcpus}} \ + -var ram={{ram}} \ + -var 
base_dir={{base_dir}} \ + -var output_dir={{output_dir}} \ + tests/packer/ + +# Create the machine +[group('vm')] +create dist flavor: + @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + @virt-install {{c}} \ + --import \ + --name {{prefix}}{{dist}}-{{flavor}} \ + --vcpus {{vcpus}} \ + --ram {{ram}} \ + --machine q35 \ + {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ + --memorybacking source.type=memfd,access.mode=shared \ + --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ + --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ + --os-variant "`just _get_osinfo {{dist}}`" \ + --graphics spice \ + --audio id=1,type=spice \ + --sound model=ich9 \ + --noautoconsole + +# Start a machine +[group('vm')] +up dist flavor: + @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} + +# Stops the machine +[group('vm')] +halt dist flavor: + @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} + +# Reboot the machine +[group('vm')] +reboot dist flavor: + @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} + +# Destroy the machine +[group('vm')] +destroy dist flavor: + @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true + @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram + @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 + +# Connect to the machine +[group('vm')] +ssh dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` + +# Mount the shared directory on the machine +[group('vm')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +# Unmout the shared directory on the machine +[group('vm')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + +# List the 
machines +[group('vm')] +list: + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" + @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' + +# List the VM images +[group('vm')] +images: + #!/usr/bin/env bash + set -eu -o pipefail + mkdir -p {{base_dir}} + ls -lh {{base_dir}} | awk ' + BEGIN { + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") + } + { + if ($9 ~ /^{{prefix}}.*\.qcow2$/) { + split($9, arr, "-|\\.") + printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) + } + } + ' + +# List the VM images that can be created +[group('vm')] +available: + #!/usr/bin/env bash + set -eu -o pipefail + ls -lh tests/cloud-init | awk ' + BEGIN { + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") + } + { + if ($9 ~ /^.*\.user-data.yml$/) { + split($9, arr, "-|\\.") + printf("%-18s %s\n", arr[1], arr[2]) + } + } + ' + +# Install dependencies for the integration tests +[group('tests')] +init: + @bash tests/requirements.sh + +# Run the integration tests +[group('tests')] +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} + +# Install dependencies for the integration tests (machine) +[group('tests')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +# Synchronize the integration tests (machine) +[group('tests')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +# Re-synchronize the integration tests (machine) +[group('tests')] +tests-resync dist flavor: (mount dist flavor) \ + (tests-sync dist flavor) \ + (umount dist flavor) + +# Run the integration tests (machine) +[group('tests')] +tests-run dist flavor name="": (tests-resync dist flavor) + ssh 
{{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +_get_ip dist flavor: + @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ + head -1 | \ + grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' + +_get_osinfo dist: + #!/usr/bin/env python3 + osinfo = { + "archlinux": "archlinux", + "debian12": "debian12", + "debian13": "debian13", + "ubuntu22": "ubuntu22.04", + "ubuntu24": "ubuntu24.04", + "ubuntu25": "ubuntu25.04", + "opensuse": "opensusetumbleweed", + } + print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/Makefile b/Makefile deleted file mode 100644 index 846c33629..000000000 --- a/Makefile +++ /dev/null 
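Review bot: In the `local` recipe, `grep -Ei 'rPx|rpx'` reports both `rPx` and `rpx` transitions (and, with `-i`, every other case variant), but the following `sed -i -e "s/rPx/rPUx/g"` rewrites only `rPx`, so a lowercase `rpx` is printed as a warning yet left pointing at a profile that may not be installed, and those execs are likely still denied at run time. If the lowercase form is meant to fall back too, use `sed -i -e "s/rPx/rPUx/g" -e "s/rpx/rpux/g"`; otherwise drop `-i` and the `|rpx` alternative so the warning matches what is rewritten. The virtiofs tag `0a31bc478ef8e2461a4b1cc10a24cc4` is spelled out three times across `create` and `mount`; a `mount_tag := "0a31bc478ef8e2461a4b1cc10a24cc4"` setting next to `prefix` would keep them in sync. `sshopt` disables host-key verification and `password := "user"` is a fixed credential; a comment stating these apply only to the disposable local test VMs would make that intent explicit.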
@@ -1,156 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILE = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -PROFILES = profiles-apparmor.d profiles-other $(patsubst dists/packages/%,profiles-%,$(basename $(wildcard dists/packages/*.conf))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: full -full: build - @./${BUILD}/prebuild --complain --full - -.PHONY: packages -packages: clean build - @./${BUILD}/prebuild --complain --packages - -# Install apparmor.d -.PHONY: install -install: install-bin install-share install-systemd profiles-apparmor.d - -# Install apparmor.d.base -.PHONY: install-base -install-base: install-bin install-share install-systemd profiles-base - -.PHONY: install-bin -install-bin: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - -.PHONY: install-share -install-share: - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - -.PHONY: install-systemd -install-systemd: - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$${file}")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$${file}")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - -# Install all profiles for a given (sub)package -.PHONY: $(PROFILES) -$(PROFILES): - @for file in $(shell find "${BUILD}/$(patsubst profiles-%,%,$@)" -type f -printf "%P\n"); do \ - 
install -Dm0644 "${BUILD}/$(patsubst profiles-%,%,$@)/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/$(patsubst profiles-%,%,$@)" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/$(patsubst profiles-%,%,$@)/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - -# Partial install (not recommended) -.PHONY: $(PROFILE) -$(PROFILE): install-bin - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: package -dist ?= archlinux -package: - @bash dists/docker.sh ${dist} - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: tests -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... 
-v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - -.PHONY: lint -lint: - @golangci-lint run - @make --directory=tests lint - @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ - tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ - debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: bats -bats: - @bats --print-output-on-failure tests/bats/ - -.PHONY: manual -manual: - @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md - -.PHONY: docs -docs: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict - -.PHONY: serve -serve: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve - -.PHONY: clean -clean: - @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ - .pkg/${PKGNAME}* ${BUILD} coverage.out diff --git a/PKGBUILD b/PKGBUILD index fe4c6a2cb..a68ba817d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -5,18 +5,20 @@ pkgbase=apparmor.d pkgname=( - apparmor.d apparmor.d.base - apparmor.d.other + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced ) pkgver=0.0001 pkgrel=1 -pkgdesc="Full set of apparmor profiles (base)" -arch=("any") +pkgdesc="Full set of apparmor profiles" +arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/apparmor.d" -license=('GPL2') -depends=('apparmor') -makedepends=('go' 'git' 'rsync') -conflicts=("$pkgbase-git" "$pkgbase") +license=('GPL-2.0-only') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') +makedepends=('go' 'git' 'rsync' 'just') pkgver() { cd "$srcdir/$pkgbase" 
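Review bot: `makedepends=('go' 'git' 'rsync' 'just')` keeps `rsync` although the .gitlab-ci.yml hunks in this commit drop it from the tests, debian, ubuntu and opensuse build environments; I cannot see `dists/build.sh` here, but if nothing in the build still invokes rsync it should go from `makedepends` too, and if something does, those CI jobs are now missing it. The commented-out entries in `pkgname` are only meaningful together with the matching commented lines in `build()`'s `modes` map; a short comment on the array, e.g. `# Keep in sync with the modes map in build()`, would document the coupling.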
@@ -33,28 +35,99 @@ build() { export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - make BUILD=.buid.all DISTRIBUTION=arch - make packages DISTRIBUTION=arch + export DISTRIBUTION=arch + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done +} + +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install } package_apparmor.d() { - pkgdesc="Full set of apparmor profiles" - arch=("$CARCH") - conflicts=("${pkgname[@]:1}") - cd "$srcdir/$pkgbase" - make install BUILD=.buid.all DESTDIR="$pkgdir" + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } -package_apparmor.d.base() { - arch=("$CARCH") - cd "$srcdir/$pkgbase" - make install-base DESTDIR="$pkgdir" +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } -package_apparmor.d.other() { - pkgdesc="Full set of apparmor profiles (other)" - depends=(apparmor.d.base) - cd "$srcdir/$pkgbase" - make profiles-other DESTDIR="$pkgdir" +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + 
+package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } diff --git a/README.md b/README.md index 7aed183da..c1c7726c5 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] **Full set of AppArmor profiles** @@ -35,8 +35,11 @@ * Gnome (GDM) * KDE (SDDM) * XFCE (Lightdm) *(work in progress)* -- Fully tested *(work in progress)* +- [Fully tested](https://apparmor.pujol.io/development/tests/) +**Demo** + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. 
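Review bot: `build()` only builds the modes listed in `modes` (currently just `[default]=complain`), while `_install` unconditionally runs `just build=".build/$mode" destdir="$pkgdir" install`, so uncommenting a `package_apparmor.d.*` entry in `pkgname` without also uncommenting its `modes` line installs from a `.build/<mode>` directory that was never built. A comment on the map such as `# Keep in sync with the commented entries in pkgname` would document the coupling, and `_install` could check `[[ -d "$srcdir/$pkgbase/.build/$mode" ]]` and fail early with a clear message. The `mode=...` assignments in the package functions are global; `local mode=default` keeps them scoped like `_conflicts` and `_install` already do.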
@@ -59,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) @@ -93,6 +100,8 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org +[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square +[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4c506da69..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
@@ -4,25 +4,25 @@ abi , - # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 000000000..894ee467e --- /dev/null +++ b/apparmor.d/abstractions/accessibility @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 000000000..181d86864 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu 
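Review bot: The four rewritten `unix` rules lost the `# The unix socket to use to connect to the display` comment that the removed lines carried, and the `owner @{HOME}/.ICEauthority r,` downgrade from `rw` has no explanation either. Restore the comment above the `unix` block and add a note on the `.ICEauthority` line saying why read-only suffices (presumably only the session manager writes it — worth confirming against the profiles that include this abstraction).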
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible new file mode 100644 index 000000000..579783096 --- /dev/null +++ b/apparmor.d/abstractions/ansible @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 5d2f74363..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
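Review bot: The first two rules of the new abstraction, `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,` and `@{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,`, are repeated verbatim inside the sorted block further down, so the file opens with two dead duplicates. Dropping the leading pair keeps the sorted list intact and avoids a future `just check` complaint if duplicate detection is ever added to the linter. A one-line header comment noting that `/dev/kfd rw,` is the GPU compute (ROCm) entry point, so only profiles that genuinely run compute workloads should include this, would also help readers decide when to pull it in.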
@@ -5,13 +5,11 @@ abi , - @{bin}/** PUx, - /usr/local/{s,}bin/** PUx, + include - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, + @{bin}/** PUx, + @{sbin}/** PUx, + /usr/local/{s,}bin/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index d257797eb..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -25,6 +26,7 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, # Others @@ -33,17 +35,19 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp* PUx, - @{bin}/gnome-calculator PUx, + @{bin}/gimp{,-3.0} Px, + @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, 
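Review bot: `@{bin}/ebook-edit PUx,` is the only new entry in this hunk that keeps the unconfined fallback, while gimp and gnome-calculator are tightened from `PUx` to `Px` in the same hunk (and vlc in the next one). If no `ebook-edit` profile ships yet, every profile that includes app-open can launch it unconfined; if one does, `Px` is the consistent choice. A trailing comment such as `# Calibre, no profile yet` would record why it differs from its neighbours; I cannot tell from the diff which case applies.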
@@ -51,15 +55,12 @@ @{bin}/telegram-desktop Px, @{bin}/transmission-gtk Px, @{bin}/viewnior PUx, - @{bin}/vlc PUx, + @{bin}/vlc Px, @{bin}/xbrlapi Px, #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0bae4e0d2..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -20,39 +25,32 @@ abi , include + include include include - include - include include - include - include - include - include include - include - include - include + include + include + include + include include include - include + include + include include - include + include include + include + include + include + include include include include + include include include - include - - userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -78,7 +76,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, 
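Review bot: With `userns,` and the setuid/setgid/sys_admin/sys_chroot/sys_ptrace capabilities removed from the shared abstraction, a chromium-based browser can no longer set up its namespace sandbox in-process and depends entirely on the `@{lib_dirs}/chrome-sandbox rPx,` transition shown in the following hunk. That is the right direction for least privilege, but on builds that ship no setuid helper and rely on unprivileged user namespaces, the clone(CLONE_NEWUSER) denial presumably leaves the browser either refusing to start or running with a degraded sandbox rather than failing loudly. I would add a comment next to the chrome-sandbox line stating that user namespaces are intentionally denied for the browser itself, and have the integration run confirm that chrome://sandbox still reports a fully working sandbox on the CI image.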
@@ -86,16 +84,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 @@ -115,23 +108,14 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - - owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_config_dirs}/gtk-3.0/servers r, + + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +125,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -155,10 +139,8 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, 
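Review bot: `@{sh_path} rix,` newly lets the browser process execute a shell under its own confinement, where previously only a fixed list of coreutils could be run, and `@{coreutils_path} ix,` widens that list to every coreutil. The xdg helpers this comment refers to (`xdg-desktop-menu`, `xdg-icon-resource`, `xdg-settings`) already transition with `rPx` in the preceding hunk, so it is not obvious from the diff which code path still spawns `sh` inside the browser profile; if it is only the extension installer, a comment naming it would justify the rule. Minor: the four lines mix `rix` and `ix`; I would write `@{bin}/{,e}grep rix,` and `@{bin}/{m,g,}awk rix,` to match `@{sh_path} rix,`.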
@@ -166,9 +148,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -176,16 +155,12 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @@ -194,21 +169,17 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 1d501eb9f..b33dbc7f4 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
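Review bot: `@{PROC}/@{pid}/statm r,` is added without `owner`, while the following hunk removes `owner @{PROC}/@{pid}/statm r,`, so the net effect is that the browser may now read the memory statistics of every process on the host instead of only processes it owns. Renderer and GPU children run under the same uid, so the `owner` form already covered them; if the unowned read came from a denial involving another user's process, a comment on the line saying which one would make the widening reviewable. Otherwise I would keep `owner @{PROC}/@{pid}/statm r,`, which also matches the neighbouring `owner @{PROC}/@{pid}/smaps_rollup r,` added in the next hunk.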
@@ -10,11 +10,12 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mix, - @{bin}/which{,.debianutils} ix, + @{bin}/vim* mrix, + @{bin}/which{,.debianutils} rix, + /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -24,6 +25,8 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, + owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 2a2f612b7..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -18,17 +22,21 @@ include include include - include include include + include + include + include include include include + include include include - include + include include include + include include include include @@ -64,7 +72,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, @@ -72,7 +80,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, 
@@ -92,16 +99,22 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwk, - /tmp/ r, + /tmp/ rw, /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, - owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, owner /dev/shm/org.chromium.@{rand6} rw, @@ -124,8 +137,10 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, @@ -149,7 +164,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount new file mode 100644 index 000000000..a394e2528 --- /dev/null +++ b/apparmor.d/abstractions/app/fusermount 
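Review bot: `/tmp/ rw,` replaces `/tmp/ r,`, and `w` on the directory path itself is not what creating files under it needs; it is needed for operations on the directory object, such as `O_TMPFILE` opens or attribute changes. If the change was made for unnamed temporary files, a trailing comment `/tmp/ rw, # O_TMPFILE` would explain why read access was not enough; if it came from a denial for something else, I would rather add the specific path than widen the directory rule. The `owner @{tmp}/mozilla* rw,` and `owner @{tmp}/mozilla*/ rw,` pair below is broad but at least owner-scoped.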
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should +# be defined in the calling profile. + + abi , + + include + include + + capability dac_override, + capability dac_read_search, + capability sys_admin, # To mount anything + + @{bin}/fusermount{,3} mr, + + @{bin}/mount rix, + @{bin}/umount rix, + + @{etc_ro}/fuse{,3}.conf r, + + @{run}/mount/utab r, + @{run}/mount/utab.* rwk, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 25a0c0c38..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,13 +7,7 @@ include - @{bin}/depmod mr, - @{bin}/insmod mr, - @{bin}/kmod mr, - @{bin}/lsmod mr, - @{bin}/modinfo mr, - @{bin}/modprobe mr, - @{bin}/rmmod mr, + @{bin}/kmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 256eb5a6d..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open 
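Review bot: The header says mount targets are left to the calling profile, but the abstraction itself grants `capability sys_admin,` and runs `@{bin}/mount rix,` and `@{bin}/umount rix,` inherited, so the safety of every caller hinges on how tightly it writes its mount rules and nothing here reminds it of that. I would extend the header with a sentence along the lines of `# Callers must add their own mount/umount rules, restricted to fstype=fuse{,3}.* and the expected mountpoint; a bare 'mount,' rule combined with sys_admin is unrestricted mounting.` A short note on why `dac_override` and `dac_read_search` are required (presumably fusermount being setuid and resolving mountpoints inside other users' directories) would also help; I cannot confirm that from the diff.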
@@ -3,19 +3,44 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for child-open-* profiles. +# Full set of rules for desktop generic open-* used in child-open-* profiles. abi , + include + include include - @{open_path} mrix, + # We cannot use `@{open_path} mrix,` here because it includes: + # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop + # And `@{multiarch}` has a wildcard that cannot be merged and that will generate + # "has merged rule with conflicting x modifiers" error when used with other + # wilcard over PUx transition. + @{bin}/exo-open mrix, + @{bin}/xdg-open mrix, + @{bin}/gio mrix, + @{bin}/kde-open mrix, + @{bin}/gio-launch-desktop mrix, + @{lib}/gio-launch-desktop mrix, - @{sh_path} r, @{bin}/env rix, + @{sh_path} r, /dev/tty rw, + # if @{DE} == kde + + include + include + include + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + @{PROC}/sys/kernel/random/boot_id r, + + # fi + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..30acc5612 --- /dev/null +++ b/apparmor.d/abstractions/app/pager 
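Review bot: The new explanatory comment has a typo, `wilcard` should read `wildcard`, and the last sentence would read better as `that generates a "has merged rule with conflicting x modifiers" error when combined with other wildcard PUx transitions.` The `# if @{DE} == kde` and `# fi` markers look like plain comments rather than anything the build evaluates, so the kio socket and dbus rules inside them apply on every desktop; if that is intended, a comment saying the rules are harmless outside KDE would stop the next reader from assuming conditional compilation.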
@@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal receive set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{etc_ro}/lesskey.bin r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 211c2710d..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,10 +19,13 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 65d34ec6a..87b3ea842 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -30,6 +30,8 @@ /etc/shells r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/loginuid r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 385ded540..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo 
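Review bot: An abstraction described as `Minimal set of rules for pagers` grants `capability dac_override,` and `capability dac_read_search,`, and because `@{pager_path} mrix,` inherits the caller's profile, every profile that includes it acquires both capabilities whenever it runs as root. If the motivation is `sudo less` on files owned by other users, that is a property of the few privileged callers and belongs in their profiles with a comment, not in a shared abstraction. `/usr/share/nvim/{,**} r,` also looks out of place unless `@{pager_path}` covers nvim, which I cannot see from here; a one-line comment would settle it.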
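Review bot: `@{PROC}/@{pids}/environ r,` lets any profile including this abstraction read the environment of every process, and environments routinely carry tokens and passwords; the kernel still gates the read behind a ptrace access check, which AppArmor mediates as `ptrace read`, but the file rule should not be broader than the feature needs. If it was added for pgrep's environment-matching option, a comment naming that option on the line would justify it, and `owner` would still cover the common single-user case. Style: the new `@{PROC}/@{pid}/status r,` uses `@{pid}` while its neighbours use `@{pids}`; keep one form.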
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,10 +24,10 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix type=stream addr=@@{udbus}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 7857f9921..b707add4d 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -10,10 +10,13 @@ ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, + @{att}/@{run}/systemd/private rw, + owner @{run}/systemd/private rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d026..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 72% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index 5dd8b26bc..25106ad6e 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt 
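Review bot: `#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"` and its `home1` twin replace a rule that was pinned to a single `CreateSession` call; if `talk` expands, as the verb suggests, to bidirectional access on every interface and member of those names, sudo's PAM stack ends up with far more of logind and homed than it uses. If the generator supports an interface or member filter I would narrow it to the session calls PAM makes; if it does not, a comment listing which members are actually exercised would let someone tighten it later. The `unix type=stream addr=@@{udbus}/bus/sudo/system,` line is fine, it only covers sudo's own sd-bus socket.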
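Review bot: `@{att}/@{run}/systemd/private rw,` and `owner @{run}/systemd/private rw,` describe the same socket in two views, but only the second is `owner`-scoped, which looks like an oversight rather than a deliberate difference; I would write `owner @{att}/@{run}/systemd/private rw,` for symmetry. A comment that this is systemd's private manager endpoint, used when the D-Bus broker is unavailable and bypassing polkit, would also help readers who only know `system_bus_socket`.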
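Review bot: Narrowing `@{run}/udev/data/* r,` to `+*:*` and `c@{int}:@{int}` drops the block-device (`b@{int}:@{int}`) and network-interface (`n@{int}`) entries of the udev database, so `udevadm info` on a disk or a NIC will start failing for every profile that uses this abstraction. If that is deliberate, the two comments should say why character devices are the only ones needed; otherwise add `@{run}/udev/data/b@{int}:@{int} r, # Identifies all block devices` and `@{run}/udev/data/n@{int} r, # Identifies all network interfaces` alongside.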
@@ -6,7 +6,9 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, @@ -18,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -25,11 +30,14 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 33c422bb0..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,11 +3,21 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , - deny @{att}/apparmor/.null rw, + include + + @{att}/@{run}/systemd/journal/dev-log w, + @{att}/@{run}/systemd/journal/socket w, + @{att}/@{run}/systemd/journal/stdout rw, + + @{att}/dev/null rw, + + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index bf76e4a43..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles 
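Review bot: The flip from `deny @{att}/apparmor/.null rw,` to allowing `/apparmor/.null rw,` and `@{att}/apparmor/.null rw,` is unexplained on the new side. As far as I know `/apparmor/.null` is the kernel-internal null inode substituted at exec for inherited descriptors the new profile may not use, so allowing it only silences spurious denials rather than granting anything, but the next reader will not know that; a comment such as `# Null inode the kernel substitutes for revoked inherited fds at exec; allow to avoid audit noise` on the lines would capture it. The same change appears in abstractions/base.d/complete and deserves the same comment there.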
@@ -3,10 +3,26 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. + abi , - @{att}/dev/tty@{int} rw, - owner @{att}/dev/pts/@{int} rw, + # There are the common ways to refer to consoles + /dev/console rw, + /dev/tty rw, + /dev/tty@{u8} rw, + @{att}/dev/tty rw, + @{att}/dev/tty@{u8} rw, + + # These entries are a bit unfortunate; /dev/tty will always be + # associated with the controlling terminal by the kernel, but if a + # program uses the /dev/pts/ interface, it actually has access to + # -all- xterm, sshd, etc, terminals on the system. + /dev/pts/ r, + owner /dev/pts/@{u16} rw, + @{att}/pts/ r, + owner @{att}/dev/pts/@{u16} rw, include if exists diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index d847c732c..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -11,6 +11,7 @@ /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, + /usr/share/pipewire/jack.conf r, /usr/share/sounds/{,**} r, /etc/alsa/conf.d/{,**} r, @@ -20,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, @@ -55,11 +57,19 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, + /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, + include if exists # vim:syntax=apparmor 
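Review bot: `@{att}/pts/ r,` looks like it is missing the `dev/` component; the neighbouring lines are `/dev/pts/ r,` and `owner @{att}/dev/pts/@{u16} rw,`, so the intended rule is presumably `@{att}/dev/pts/ r,`. As written it matches nothing useful and listing the pts directory through a disconnected path stays denied. The rest of the hunk mirrors the upstream consoles abstraction, including its warning comment, which is fine.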
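Review bot: The new `/dev/snd/pcmC@{int}D@{int}[cp] r,` rule gives every audio client read access to the capture (`c`) PCM nodes, and since capture streams are, as far as I recall, opened read-only by alsa-lib, that is enough for a client to record from the microphone directly, outside whatever PipeWire or PulseAudio policy applies. If these lines were moved from audio-server only so that clients can enumerate cards, `/dev/snd/controlC@{int} r,` plus the udev data entries may already cover that and the PCM and timer nodes could stay server-side. At minimum a comment stating which client needs raw PCM access would make the widening deliberate.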
diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index ef54e6e78..a4ed65e8c 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -3,9 +3,10 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, + @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 000000000..22ca5ec5e --- /dev/null +++ b/apparmor.d/abstractions/base-strict 
@@ -0,0 +1,132 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). 
Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children and stacked profiles + signal peer=@{profile_name}//*, + signal peer=@{profile_name}//&*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. 
+ @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3e10a94f5..d89688b70 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
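Review bot: `@{lib}/@{multiarch}/** r,` and `@{lib}/@{multiarch}/**.so* m,` are already matched by `@{lib}/** r,` and `@{lib}/**.so* m,` two lines above, so the pair can go. Two comment nits inherited from upstream while you are there: `unprivilged` should be `unprivileged` in the uuidd note, and `Allow unconfined processes to us via unix sockets` is missing its verb (`to talk to us`). Note also that `#aa:exclude RBAC` guards only the `signal receive peer=unconfined,` rule while `unix receive peer=(label=unconfined),` further down is not excluded; if RBAC builds have no unconfined label the second rule is dead there, so either exclude both or say why only one is.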
@@ -3,36 +3,33 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, - ptrace (readby) peer=systemd-coredump, + # Allow to receive some signals from new well-known profiles + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, + + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, - # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. - # They are not closed and get inherited by child programs. Denying it can cause - # crash, so we are allowing it globally while the issue is beeing fixed in mesa. 
- owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, - @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, - deny /apparmor/.null rw, + /apparmor/.null rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c2..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index ee0a16b99..70850b2ba 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -7,12 +7,7 @@ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), - - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 811787bad..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session 
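Review bot: The signal policy here now diverges from the base-strict abstraction introduced in the same commit, which is documented as automatically replacing base: this file keeps `signal receive set=(term,kill) peer=su,`, `signal receive set=(hup term) peer=login,` and `signal receive set=(hup) peer=xinit,` and adds `peer=pkill`, while base-strict grants `peer=su` every signal, uses `set=(cont,term,kill,stop)` for login and xinit, and has no pkill rule. A profile therefore gets a different signal surface depending on which base it is compiled against, which will make denials hard to reproduce between the two modes. I would pick one set, ideally the narrower one, and keep the two files in sync, or comment on each deliberate difference. The hunk begins on the previous line.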
@@ -4,19 +4,12 @@ abi , - unix (bind, listen) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", - unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0bfe96818..d05c018c7 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -4,17 +4,15 @@ abi , + unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), - - @{run}/dbus/system_bus_socket rw, + @{run}/dbus/system_bus_socket rw, + @{att}/@{run}/dbus/system_bus_socket rw, include if exists diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y new file mode 100644 index 000000000..0145fc494 --- /dev/null +++ b/apparmor.d/abstractions/bus/accessibility/org.a11y 
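Review bot: `path=/org/freedesktop/{dbus,DBus}` in bus-session admits a lowercase `dbus` object path that neither bus-system nor bus-accessibility in this same diff allow and that no visible rule or comment justifies; if a specific client was seen sending to that path, say so in a comment, otherwise keep `path=/org/freedesktop/DBus` so the three bus abstractions stay parallel. The unix rules are tightened from the wildcard `@/tmp/dbus-*` to the per-profile `@@{udbus}/bus/@{profile_name}/session` abstract socket, which is the right direction, but the former `connect, send, receive, accept` rules are removed without a replacement in this hunk — confirm the session bus socket is reachable through rules outside the hunk (the `/etc/machine-id` context suggests the file continues) or the abstraction will break every includer.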
@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # Allow the accessibility services in the user session to send us any events
+
+ dbus receive bus=accessibility
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ # Allow querying for capabilities and registering
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member=NotifyListenersSync
+ peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+ # org.a11y.atspi is not designed for application isolation and these rules
+ # can be used to send change events for other processes.
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Event.Object
+ member=ChildrenChanged
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Accessible
+ member=Get*
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.a11y.atspi.Event.Object
+ member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(label="@{p_at_spi2_registryd}"),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/cache
+ interface=org.a11y.atspi.Cache
+ member={AddAccessible,RemoveAccessible}
+ peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own
new file mode 100644
index 000000000..d1eab1ce7
--- /dev/null
+++ b/apparmor.d/abstractions/bus/accessibility/own
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+ abi ,
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=accessibility path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
new file mode 100644
index 000000000..9bad3655d
--- /dev/null
+++ b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/ca/desrt/dconf/Writer/user
+ interface=ca.desrt.dconf.Writer
+ member=Change
+ peer=(name=ca.desrt.dconf), # no peer's labels
+
+ dbus receive bus=session path=/ca/desrt/dconf/Writer/user
+ interface=ca.desrt.dconf.Writer
+ member=Notify
+ peer=(name=@{busname}, label=dconf-service),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
index c5f74a6de..61ce81111 100644
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
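Review bot: The second rule grants `GetConnectionUnixProcessID`, `GetConnectionUnixUser` and `GetConnectionCredentials` on the bus driver, which is caller identification rather than name ownership, yet the header only says `# Allow owning a name on DBus public bus`; a line above that rule such as `# Allow resolving the credentials of peer connections, used by name owners to authorize callers` would document the extra capability. Both rules correctly pin the peer with `label="@{p_dbus_accessibility}"`. No `dbus bind` rule for the owned name appears here, so it is presumably emitted by the `aa:dbus own` directive itself; stating that in the header comment would stop someone from adding a bind rule to this file by hand.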
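Review bot: The receive rule hard-codes `label=dconf-service` while the rest of this diff moves peer labels to `@{p_*}` variables (e.g. `@{p_dbus_accessibility}` in the file just above); if a `@{p_dconf_service}` variable exists, use it here so a renamed or stacked dconf profile does not silently stop matching. The trailing `# no peer's labels` on the `Change` rule is too terse for a deliberate widening — spell out why the label is omitted, e.g. `# dconf-service may run unconfined, so the peer label cannot be matched`, if that is the reason. Since `Change` lets any includer rewrite the user's dconf database, a one-line header comment naming that capability would also help reviewers of the profiles that include this file.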
@@ -4,6 +4,10 @@ abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/** + interface=com.canonical.dbusmenu + member={GetGroupProperties,GetLayout} + peer=(name=@{busname}, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 4b7d6c89d..7989ea4c5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -4,14 +4,11 @@ abi , - dbus send bus=system path=/fi/w1/wpa_supplicant1 - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), + #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member={GetAll,Set} + member=Set peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 @@ -39,16 +36,6 @@ member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), - - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 4da873247..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles 
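Review bot: The `dbus receive` rules for `org.freedesktop.DBus.Properties` on `/fi/w1/wpa_supplicant1/Interfaces/@{int}` and on `.../BSSs/@{int}` are removed in favour of the single `#aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant` directive; unless that directive expands to sub-object paths (`{,/**}`), the `PropertiesChanged` signals emitted by interface and BSS objects will start to be denied. Confirm the generated rules cover those paths, or keep the two receive rules. The retained send rule is narrowed to `member=Set` on interface properties, which is a write capability on wpa_supplicant's interface objects rather than a read, so a comment naming the property the includers actually set would make the grant reviewable.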
@@ -4,10 +4,7 @@ abi , - dbus send bus=system path=/net/hadess/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=power-profiles-daemon), + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 7f68d2d06..df65417da 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -4,10 +4,7 @@ abi , - dbus send bus=system path=/net/hadess/SwitcherooControl - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=switcheroo-control), + #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 41735f1be..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,10 +4,12 @@ abi , + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -17,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index 357c06473..000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null @@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Accessibility bus - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label=at-spi2-registryd), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), - - # Session bus - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index f2048c80e..e77f17b88 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts 
@@ -4,30 +4,27 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), - - dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=accounts-daemon), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index ccf5b30a9..4ddf95af3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi 
@@ -4,25 +4,42 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} + peer=(name="@{busname}", label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager deleted file mode 100644 index 205557ad5..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ /dev/null 
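Review bot: The `Ping` rule loses its peer label — it becomes `peer=(name=org.freedesktop.Avahi)` with no `label=` — while every other rule in the hunk gains `label="@{p_avahi_daemon}"`; a peer matched by well-known name alone is satisfied by whatever process currently holds that name, so either restore the label or add a comment explaining why it must be omitted here. The new receive rules also write `name=@{busname}` unquoted whereas the existing ones use `name="@{busname}"`; pick one form for the file.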
@@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=GetDevices - peer=(name="@{busname}", label=colord), - - dbus send bus=system path=/org/freedesktop/ColorManager{,/**} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=colord), - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=CreateDevice - peer=(name="@{busname}", label=colord), - - dbus receive bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 101e493ab..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -4,15 +4,12 @@ abi , - dbus send bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=nautilus), + #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus - dbus receive bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=nautilus), + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 17ea4e45a..9957c7b67 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -4,35 +4,26 @@ abi , - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=geoclue), - + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), - - dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 5c514d54c..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 
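Review bot: With `#aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"` added, the retained `dbus send ... path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll` rule is presumably redundant — the hostname1 and UDisks2 hunks of this diff remove exactly that kind of rule when introducing the directive; if the directive covers it, drop it here too so the expansion stays the single source of truth. The directive is also inserted without a blank line before the following `dbus send` rule, unlike the other files where it is set off by an empty line.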
@@ -4,20 +4,17 @@ abi , - dbus send bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=ModemManager), + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index af2b6d2b9..a22a235fb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -4,14 +4,11 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} + member={GetManagedObjects,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager 
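Review bot: The two `GetManagedObjects` send rules differ only in the peer name (`org.freedesktop.ModemManager1` versus `@{busname}`) and can be one rule, `peer=(name="{@{busname},org.freedesktop.ModemManager1}", label="@{p_ModemManager}")`, which is the form the NetworkManager and UDisks2 abstractions in this same diff already use. Keeping a single rule per method also makes it obvious that nothing beyond `GetManagedObjects` is granted here.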
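Review bot: `member={GetManagedObjects,InterfacesRemoved}` on a `dbus send` rule looks wrong: `InterfacesRemoved` is a signal emitted by the ObjectManager (NetworkManager here), and clients only receive it — which the `dbus receive ... member={InterfacesAdded,InterfacesRemoved}` rule in the next hunk already permits. Unless an audit log showed a confined client actually emitting that signal, this rule should stay `member=GetManagedObjects`; granting a client the ability to emit an ObjectManager signal onto the system bus is not something an abstraction shared by many profiles should do silently.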
@@ -29,19 +26,9 @@ member=GetSettings peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager @@ -64,6 +51,11 @@ member=Updated peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index eee09ffad..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null 
@@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gjs-console), - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetAll,NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index b65bc1ef5..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit 
@@ -2,17 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=packagekitd), + #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.PackageKit, label=packagekitd), dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -21,7 +17,15 @@ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.PackageKit member=StateHasChanged - peer=(name=org.freedesktop.PackageKit, label=packagekitd), + peer=(name=org.freedesktop.PackageKit), + + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index ab9e373ab..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 
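Review bot: The new `dbus send bus=system path=/@{int}_@{hex8} interface=org.freedesktop.PackageKit.Transaction peer=(label=packagekitd)` has no `member=`, so every profile including this abstraction may call any transaction method, including the install/remove/update ones, with enforcement left entirely to packagekitd's polkit checks; if that is intended, say so in the new header comment, e.g. `# Transaction methods are not restricted here; privileged actions are gated by polkit inside packagekitd`, otherwise enumerate the read-only members the includers need. The `StateHasChanged` rule also drops its `label=packagekitd`, leaving a well-known-name-only peer unlike the rest of the file. The retained `Introspect` send rule may now be redundant with the `#aa:dbus common` directive, as in the other files of this diff.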
@@ -2,36 +2,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="@{busname}", label=polkitd), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index ff2906932..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 
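Review bot: Adding `RegisterAuthenticationAgentWithOptions` to an abstraction whose new header reads `# Can talk to polkitd's CheckAuthorization API` lets every includer register itself as a polkit authentication agent for its session, which is the role of the desktop's agent (gnome-shell, polkit-gnome, lxpolkit), not of an ordinary client; a compromised includer could plausibly use it to receive or interpose on authentication requests meant for the real agent. Move that member (and `UnregisterAuthenticationAgent`, if needed) to a dedicated agent abstraction or a directive-generated block, and keep this file to `CheckAuthorization` and `CancelCheckAuthorization` so the header stays accurate. The `Changed` receive rule and the `@{p_polkitd}` relabelling are fine.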
@@ -2,32 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow setting realtime priorities. + abi , + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1), dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="@{busname}", label=rtkit-daemon), + interface=org.freedesktop.RealtimeKit1 + member={MakeThreadHighPriority,MakeThreadRealtime} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name="@{busname}", label=rtkit-daemon), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1), - - dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member=MakeThread* - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver deleted file mode 100644 index 43ed93af6..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ /dev/null 
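Review bot: `MakeThreadHighPriorityWithPID` and `MakeThreadRealtimeWithPID` act on a thread of another process identified by PID, so they are broader than the new header `# Allow setting realtime priorities.` suggests; add a comment on that rule, e.g. `# *WithPID variants target threads of other processes; verify rtkit's own checks cover the includers`, and consider a separate abstraction if only a few profiles need them. The `org.freedesktop.DBus.Properties` `Get` rule above still has no peer label (`peer=(name=org.freedesktop.RealtimeKit1)`), which the new `@{p_rtkit_daemon}` variable could now fix. The `#aa:dbus common` directive is also not separated from the next rule by a blank line, unlike the other files in this diff.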
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 48fa7e394..c55736c1e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -7,12 +7,12 @@ dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 30abb2199..c97e83d71 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
@@ -4,16 +4,13 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - dbus send bus=system path=/org/freedesktop/UDisks2/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -29,16 +26,6 @@ member=Introspect peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - - dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded @@ -49,11 +36,6 @@ member=Completed peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower deleted file mode 100644 index 369448079..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ /dev/null 
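Review bot: The three hunks remove the `org.freedesktop.DBus.Properties` and `Introspectable` rules for sub-object paths (`/org/freedesktop/UDisks2/**`, `.../drives{,/*}`, `.../block_devices/*`) in favour of `#aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd`; the `PropertiesChanged` signals a client receives come from the drive and block-device objects, so this only holds if the directive expands to `{,/**}` paths. Confirm that expansion, or keep the `block_devices/*` receive rule. The file also keeps a hard-coded `label=udisksd` while neighbouring abstractions moved to `@{p_*}` variables; a `@{p_udisksd}` variable would be consistent if one exists.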
@@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - dbus send bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=org.freedesktop.UPower, label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower/devices/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - - dbus send bus=system path=/org/freedesktop/UPower{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - - dbus receive bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - - dbus receive bus=system path=/org/freedesktop/UPower/devices/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles new file mode 100644 index 000000000..45e88b103 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles 
@@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index f6019eedb..0f371f79b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -4,15 +4,7 @@ abi , - dbus send bus=session path=/org/freedesktop/background/monitor - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/background/monitor - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8957c4cdd..165e3ae6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,14 +4,11 @@ abi , - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member={Get,GetAll} + member=Get peer=(name=org.freedesktop.hostname1), include if exists 
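Review bot: The `#aa:dbus common` directive in the new UPower.PowerProfiles abstraction writes its label unquoted, `label=@{p_power_profiles_daemon}`, while the hostname1 hunk on the same page writes `label="@{p_systemd_hostnamed}"` and login1 does the same. The directive parser presumably accepts both, but since these lines feed a generator rather than the AppArmor parser, one spelling across the repository makes a future grep or lint rule far simpler. Suggest `label="@{p_power_profiles_daemon}"` here to match the majority form on this page.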
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index c4e4a5fbf..22886c8a5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -4,16 +4,18 @@ abi , - dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=xdg-permission-store), + #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore member=Lookup peer=(name="@{busname}", label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 77271fe23..ad368ed98 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
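Review bot: The new `Lookup` rule at the end of the PermissionStore hunk repeats the existing one line for line except for the peer name, so the two can collapse into a single rule using the alternation this page already uses in login1 and others: `peer=(name="{@{busname},org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store),`. One rule keeps the member set from drifting between the two copies when it is extended later.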
@@ -4,35 +4,22 @@ abi , - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), - - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 4affc3d22..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,40 +4,22 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), - - dbus send bus=system path=/org/freedesktop/login1/seat/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), - - dbus receive bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 56460a52b..7583a3e9d 100644 
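Review bot: The `#aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"` directive added at the top of login1.Session is byte-identical to the one added in the login1 abstraction in the previous hunk, so a profile that includes both abstractions presumably receives the generated Properties/Introspectable rules twice. If the generator does not de-duplicate, either drop the directive from login1.Session and have it include login1, or add a comment above it saying the duplication is intentional so nobody "fixes" it later. The bus name in this directive is also `org.freedesktop.login1` rather than something Session-specific, which is worth a word in that comment.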
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,10 +4,7 @@ abi , - dbus send bus=system path=/org/freedesktop/network1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.network1, label=systemd-networkd), + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 1561491cc..4778dd6dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop 
@@ -4,30 +4,57 @@ abi , + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Read} + member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop + 
interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index 7714a871b..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 0b169a04e..e30e7b1c2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets 
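Review bot: The directive `name=org.freedesktop.portal.{d,D}esktop` extends the generated rules to a lower-case bus name that none of the explicit rules in this file use; every explicit peer here is `org.freedesktop.portal.Desktop`. Unless a lower-case owner really exists on some distribution, `name=org.freedesktop.portal.Desktop` is the tighter form, and if it does exist a comment above the directive should name the case. The hunk also switches the new and edited rules to unquoted `peer=(name=@{busname}, ...)` while the `Read` rule keeps `name="{@{busname},org.freedesktop.portal.Desktop}"`; either style works, but one per file reads better.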
@@ -4,15 +4,12 @@ abi , - dbus send bus=session path=/org/freedesktop/secrets{,/**} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-keyring-daemon), + #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name="@{busname}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection @@ -24,11 +21,6 @@ member=ItemCreated peer=(name="@{busname}", label=gnome-keyring-daemon), - dbus receive bus=session path=/org/freedesktop/secrets/collection/login - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-keyring-daemon), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 115aefd78..167e66d65 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 
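Review bot: `Unlock` now sits in the `org.freedesktop.Secret.Service` member set of an abstraction that every keyring-using profile includes, so each of those confined programs can ask gnome-keyring-daemon to unlock a collection rather than only read what is already unlocked. If only a few callers need it, keep the abstraction at `member={OpenSession,GetSecrets,SearchItems,ReadAlias}` and grant `Unlock` in those profiles; if the widening is deliberate, a one-line comment above the rule stating that would save the next reviewer the same question. The peer name was widened at the same time to `"{@{busname},org.freedesktop.secrets}"`, which is consistent with the rest of the page and looks fine.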
@@ -4,14 +4,16 @@ abi , + #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} + interface=org.freedesktop.systemd1.Manager + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member=ListUnitsByPatterns peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=session path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 443d35eed..8f6118355 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,21 +4,7 @@ abi , - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1, label=systemd-timedated), - - # FIXME: should be under the systemd-timedated label - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), - - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=systemd-timedated), + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index 605e90311..f275850cd 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig 
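Review bot: The two `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager` rules in the systemd1 hunk now differ only in `member=` and share the same peer, so they can be a single rule: `member={GetUnit,GetUnitByPIDFD,ListUnitsByPatterns,StartUnit,StartTransientUnit}`. The correction of the second rule from `bus=session` to `bus=system` changes which bus it matched and deserves a mention in the commit message, since the remaining session-bus rule below the hunk is what now carries the user-manager case.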
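Review bot: The removed `FIXME` rule with `peer=(name=org.freedesktop.timedate1, label=unconfined)` recorded that systemd-timedated may run unconfined, and the directive that replaces the three rules presumably generates peers labelled `@{p_systemd_timedated}` only. If that variable does not also cover the unconfined case, `Get` on timedate1 will be denied on systems where no timedated profile is loaded, which is a silent regression for every includer. Confirm the variable's definition, or keep a short comment in the abstraction noting that the unconfined fallback was dropped on purpose.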
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -4,6 +4,8 @@ abi , + #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} @@ -14,16 +16,6 @@ member=GetCurrentState peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name="@{busname}", label=gnome-shell), - - dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-shell), - dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=MonitorsChanged diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 68769f2c9..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -4,6 +4,8 @@ abi , + #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -11,8 +13,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name="@{busname}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor 
diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 deleted file mode 100644 index 185937e70..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=nautilus), - - dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="@{busname}", label=nautilus), - - dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=nautilus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index ba13aa7d2..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gjs-console), - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager deleted file mode 100644 index c683eddac..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ /dev/null 
@@ -1,66 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# FIXME: Too large, restrict it. - - abi , - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", 
label=gnome-session-binary), - - dbus receive bus=session path=/org/gnome/SessionManager/Presence - interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index efe53af62..b53acf610 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -4,15 +4,7 @@ abi , - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gnome-shell), - - dbus send bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), + #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect @@ -24,11 +16,6 @@ member={RunningApplicationsChanged,WindowsChanged} peer=(name="@{busname}", label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell/Introspect - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="@{busname}", label=gnome-shell), - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..ae8b68448 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 
@@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor + diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..0816b046f --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter 
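Review bot: Both receive rules in the new SearchProvider2 abstraction pin `path=/org/gnome/Characters/SearchProvider`, which only matches the gnome-characters provider although the file is named after the generic `org.gnome.Shell.SearchProvider2` interface. Any other search provider that includes it gets no matching rule and will be denied; either widen the path to cover providers' own object paths or add a header comment stating the abstraction is Characters-specific. The file also ends with an extra blank line after `# vim:syntax=apparmor`, which none of the sibling abstractions on this page have.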
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + unix type=stream peer=(label=gnome-keyring-daemon), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon deleted file mode 100644 index e813f5c4f..000000000 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata deleted file mode 100644 index 80daa4927..000000000 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ /dev/null 
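Review bot: The peer label on the two Prompter rules looks inverted: the header comment describes the includer as a libgcr client such as pinentry-gnome3 talking to the keyring prompter, and the `unix type=stream` rule names `gnome-keyring-daemon` as the peer, yet the `dbus send ... member={BeginPrompting,PerformPrompt,StopPrompting}` and the matching `dbus receive` use `peer=(name=@{busname}, label=pinentry-*)`, which is the client's own label. If the prompter runs under the gnome-keyring-daemon profile, `label=gnome-keyring-daemon` is the peer that should be named, matching the unix rule above. The peer label is what prevents an unrelated process from standing in as the prompt channel, so if `pinentry-*` is really intended here a comment should say why.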
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=gvfsd-metadata), - - dbus receive bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 5217a50f5..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher 
@@ -2,22 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - dbus send bus=session path=/StatusNotifierWatcher - interface=org.kde.StatusNotifierWatcher - member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + 
member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null 
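Review bot: The directive in the StatusNotifierWatcher hunk is spelled `#aa-dbus common ...` while every other abstraction on this page uses `#aa:dbus common ...`; with the hyphen it is presumably treated as a plain comment, so the Properties/Introspectable rules it was meant to generate are never emitted and only the explicit `Get` and `Introspect` rules below remain. Fix: `#aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell`. Separately, the new header comment describes the KDE Plasma systray and the explicit rules use `label="@{pp_app_indicator}"`, yet the directive still says `label=gnome-shell`; aligning it with `@{pp_app_indicator}` looks like the intent. There is also a double blank line before the `com.canonical.dbusmenu` send rule.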
+++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 000000000..8f517fe99 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal 
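Review bot: In the new org.a11y abstraction the `GetAddress` rule uses `peer=(name=org.a11y.Bus)` with no label while the three rules above constrain the peer to `label="@{p_dbus_accessibility}"`. If the omission is deliberate, for example because the name may be owned by an unconfined launcher on some systems, a comment above the rule should say so; otherwise `peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),` keeps the file consistent with its siblings. The header of this new file also says `Copyright (C) 2023-2024` while other files created in this commit say 2025.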
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow access to the IBus portal
+
+ abi ,
+
+ dbus send bus=session path=/org/freedesktop/IBus
+ interface=org.freedesktop.IBus.Portal
+ member=CreateInputContext
+ peer=(name=org.freedesktop.portal.IBus),
+
+ dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+ interface=org.freedesktop.IBus.InputContext
+ peer=(label=ibus-daemon),
+
+ dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+ interface=org.freedesktop.IBus.InputContext
+ peer=(label=ibus-daemon),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
new file mode 100644
index 000000000..b51c4bdcb
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
+
+ dbus send bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.Notifications
+ member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
+ peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.Notifications
+ member={ActionInvoked,NotificationClosed,NotificationReplied}
+ peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
new file mode 100644
index 000000000..ee837b886
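Review bot: In org.freedesktop.IBus.Portal the CreateInputContext rule restricts the peer by name only (`peer=(name=org.freedesktop.portal.IBus)`), while the two InputContext rules restrict by label only (`peer=(label=ibus-daemon)`), so neither side of the handshake is pinned both ways. If the project has a profile for the portal process, adding its label to the first rule, and a `name=` to the InputContext rules where the daemon's name is known, would make the three rules consistent with the other session abstractions in this commit. The `dbus send` rule on `org.freedesktop.IBus.InputContext` also carries no `member=`; that is presumably intended for the key-event methods, and a short comment saying so would save the next reader from tightening it.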
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+ abi ,
+
+ dbus send bus=session path=/ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={Inhibit,UnInhibit}
+ peer=(name=org.freedesktop.ScreenSaver),
+
+ dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={GetActive,GetActiveTime,Lock,SetActive}
+ peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+ dbus receive bus=session path=/org/freedesktop/ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={ActiveChanged,WakeUpScreen}
+ peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
new file mode 100644
index 000000000..8ded1b6d7
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
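Review bot: The `Inhibit,UnInhibit` rule in org.freedesktop.ScreenSaver uses `peer=(name=org.freedesktop.ScreenSaver)` with no label, while the `GetActive,...` and signal rules below pin `label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"`. Since the same processes own that name, the inhibit rule should carry the same label list, `peer=(name=org.freedesktop.ScreenSaver, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),`; if it was left open on purpose because some desktop proxies the name under another label, a comment naming that case would stop the next reader from tightening it.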
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
+
+ dbus send bus=session path=/org/freedesktop/secrets{,/**}
+ interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+ peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+ dbus receive bus=session path=/org/freedesktop/secrets{,/**}
+ interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+ peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+ dbus send bus=session path=/org/freedesktop/secrets
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gnome-keyring-daemon),
+ dbus send bus=session path=/org/freedesktop/secrets
+ interface=org.freedesktop.Secret.Service
+ member=ReadAlias
+ peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
+ dbus send
bus=session path=/org/freedesktop/secrets
+ interface=org.freedesktop.Secret.Service
+ member=SearchItems
+ peer=(name=@{busname}, label=gnome-keyring-daemon),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
new file mode 100644
index 000000000..01cf21c46
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/freedesktop/portal/desktop
+ interface=org.freedesktop.portal.Settings
+ member=Read
+ peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
+ dbus send bus=session path=/org/freedesktop/portal/desktop
+ interface=org.freedesktop.portal.Settings
+ member=ReadAll
+ peer=(name=@{busname}, label=xdg-desktop-portal),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
similarity index 51%
rename from apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
rename to apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
index 97db8023f..0c8185be6 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
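Review bot: The `#aa:dbus common` directive in org.freedesktop.Secret names `org.freedesktop.{S,s}ecret`, but every explicit rule in the file targets `org.freedesktop.secrets` (trailing s), the name the Secret Service specification defines; if the directive expands the name literally rather than as a prefix, its generated rules will be keyed to a name nothing owns and only the explicit rules will ever match. Worth checking the directive's expansion and, if needed, changing it to `name=org.freedesktop.secrets`. The header comment already explains why member-level isolation is not possible here; the stray `)` in `# - https://standards.freedesktop.org/secret-service/)` could be dropped in the same pass. This hunk starts on the preceding line.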
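Review bot: In org.freedesktop.portal.Settings the `Read` rule accepts the well-known destination `org.freedesktop.portal.Desktop` while the `ReadAll` rule accepts only `@{busname}`, so a client that addresses ReadAll to the well-known name (the usual way to reach the portal) would not match the second rule if `@{busname}` covers only unique names. The org.freedesktop.Notifications abstraction in this same commit handles that with `name="{@{busname},org.freedesktop.Notifications}"`; the same form, `peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),`, on both rules would remove the asymmetry.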
@@ -4,21 +4,23 @@ abi , - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=org.freedesktop.systemd1), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - include if exists + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 52% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 120330ac1..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 
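Review bot: The new `StartTransientUnit` rule lets every profile that includes this abstraction ask the user's systemd instance to run an arbitrary command as a transient unit, which then executes under the user manager's confinement rather than the caller's; that is a far broader grant than `GetUnit` and the `app_*` property reads it sits beside, and the hunk gives no indication of which profiles need it. Either move it into a dedicated abstraction that only launcher-type profiles include, or at minimum add `# StartTransientUnit runs the requested command outside the caller's profile` above the rule so the capability is visible wherever this file is included. The peer is correctly pinned to `label="@{p_systemd_user}"`, which at least limits the grant to the user manager.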
@@ -4,16 +4,13 @@ abi , - dbus send bus=session path=/org/gnome/ArchiveManager1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=file-roller), + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 52% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 43947d52a..8a3e7d74e 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -4,6 +4,8 @@ abi , - include if exists + #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver new file mode 100644 index 000000000..27c456637 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver 
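Review bot: The new `#aa:dbus common ... label=nautilus` directive in org.gnome.Nautilus.FileOperations2 uses a literal profile name, whereas the ArchiveManager1 hunk just before it moves the same position to a variable (`label="@{p_file_roller}"`); if a corresponding variable for the nautilus profile exists in the project's tunables, using it here keeps the label in step with the other session abstractions in this commit and with future profile renames. The file is also left without a description comment; a line such as `# Allow calling the Nautilus file-operations service` above the directive would match the other new abstractions.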
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver (GNOME version)
+
+ abi ,
+
+ dbus send bus=session path=/{,org/gnome/}ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member={GetActive,GetActiveTime,Lock,SetActive}
+ peer=(name=@{busname}, label=gjs-console),
+
+ dbus receive bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member={ActiveChanged,WakeUpScreen}
+ peer=(name=@{busname}, label=gjs-console),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager
new file mode 100644
index 000000000..4c641776b
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager
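Review bot: org.gnome.ScreenSaver pins both rules to `label=gjs-console`, while the other GNOME Shell session interfaces added in this commit (org.gtk.Notifications, org.gtk.MountOperationHandler) use `label=gnome-shell`. If `/org/gnome/ScreenSaver` is exported by the shell process itself these rules never match and the abstraction is dead; if it really is served by a gjs helper, a comment naming that process would explain the difference from its siblings. Confirm against `aa-log` output from a live session and align the label with the owning profile.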
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={RegisterClient,IsSessionRunning}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={Inhibit,Uninhibit}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={Setenv,IsSessionRunning}
+ peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member=EndSessionResponse
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member={CancelEndSession,QueryEndSession,EndSession,Stop}
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Presence
+ interface=org.gnome.SessionManager.Presence
+ member=StatusChanged
+ peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
+
+ include if exists
+
+# vim:syntax=apparmor
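Review bot: The third rule in org.gnome.SessionManager grants `Setenv`, which lets any profile including this abstraction inject environment variables into gnome-session and thereby into every application it launches afterwards; that is a write into other processes' environment that the usual clients (which register, inhibit and answer end-session queries) do not need. Consider moving `Setenv` into its own rule with a comment such as `# Setenv alters the environment of every application gnome-session starts later`, or out of the common abstraction altogether. On style, the `"{gnome-session-binary,gnome-session-service}"` alternation is repeated seven times; a variable would make the label set easier to maintain.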
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
new file mode 100644
index 000000000..93d830828
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+ abi ,
+
+ # DBus.Properties: read all properties from the interface
+ dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+ dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+ interface=org.gnome.SettingsDaemon.MediaKeys
+ peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions
new file mode 100644
index 000000000..899f244a8
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gnome-shell),
+
+ dbus receive bus=session
+ interface=org.gtk.Actions
+ member={Activate,DescribeAll,SetState},
+
+ dbus send bus=session
+ interface=org.gtk.Actions
+ member=Changed,
+
+ include if exists
+
+# vim:syntax=apparmor
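Review bot: The `dbus (receive, send)` rule on `interface=org.gnome.SettingsDaemon.MediaKeys` in this file has no `member=`, so it grants the whole interface in both directions, while the header comment describes only registering interest and receiving key events. Naming the members the rule is meant to cover (presumably the grab/release calls and the key-pressed signal) in the rule itself, or failing that in a comment such as `# whole interface: grab/release of media keys and the key-pressed signal`, would document the grant at the same level as the Properties rule above it.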
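Review bot: In org.gtk.Actions the receive rule `member={Activate,DescribeAll,SetState}` and the `Changed` send rule carry no `peer=` at all, so any process on the session bus, confined or not, may invoke the application's exported actions and change their state; the `GetAll` rule in the same file shows the intended peer (`label=gnome-shell`). The same pattern appears in org.gtk.Menus in the following hunk (`Start,End` pinned by name only, `Changed` unrestricted). If these actions are meant to be reachable only from the shell and the application's own launcher, add `peer=(label=gnome-shell)` or the appropriate label list to those rules; if they are intentionally open because any client may drive GApplication actions, say so in a comment above the rule.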
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus
new file mode 100644
index 000000000..b21c08067
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session
+ interface=org.gtk.Menus
+ member={Start,End}
+ peer=(name=@{busname}),
+
+ dbus send bus=session
+ interface=org.gtk.Menus
+ member=Changed,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
new file mode 100644
index 000000000..3fce0d719
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/MountOperationHandler
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gnome-shell),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
new file mode 100644
index 000000000..151c642a8
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell
+
+ dbus send bus=session path=/org/gtk/Notifications
+ interface=org.gtk.Notifications
+ member={AddNotification,RemoveNotification}
+ peer=(name=org.gtk.Notifications, label=gnome-shell),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon new file mode 100644 index 000000000..edf954ac5 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon 
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Each daemon (main and for mounts) implement this.
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member={GetConnection,ListMonitorImplementations,ListMountableInfo}
+ peer=(name=@{busname}, label=gvfsd),
+
+ dbus receive bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member=GetConnection
+ peer=(name=@{busname}),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
new file mode 100644
index 000000000..9f1a77daf
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member={Set,Move,GetTreeFromDevice,Remove}
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ dbus receive bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member=AttributeChanged
+ peer=(name=@{busname}, label=gvfsd-metadata),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
new file mode 100644
index 000000000..54dfc837f
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
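Review bot: The directive in org.gtk.vfs.Metadata says `#aa:dbus common bus=system name=org.gtk.vfs.Metadata ...`, but every explicit rule in the same file, and the per-user gvfsd-metadata daemon it describes, is on `bus=session`; the generated common rules would therefore be emitted for the wrong bus and never match. Change it to `#aa:dbus common bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata`, and add the blank line between the directive and the first rule that the other abstractions in this commit use.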
@@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskPassword,AskQuestion} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 68% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index 1c80ca6ea..107c3dc13 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,11 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# The mount tracking interface. + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMountableInfo + member=LookupMount peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker @@ -14,11 +16,16 @@ member=ListMounts2 peer=(name="@{busname}", label=gvfsd), - dbus receive bus=session path=/org/gtk/vfs/mounttracker + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted + member=ListMountableInfo peer=(name="@{busname}", label=gvfsd), - include if exists + dbus receive bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={Mounted,Unmounted} + peer=(name="@{busname}", label=gvfsd), + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable 
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus receive bus=session path=/org/gtk/vfs/mountable
+ interface=org.gtk.vfs.Mountable
+ member=Mount
+ peer=(name=@{busname}, label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
new file mode 100644
index 000000000..7090afe24
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+ interface=org.gtk.vfs.Spawner
+ member=Spawned
+ peer=(name=@{busname}, label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
new file mode 100644
index 000000000..d017d44e3
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace..0afce1cdf 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player new file mode 100644 index 000000000..b2b934074 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player 
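Review bot: In org.kde.StatusNotifierItem the two signal rules (`PropertiesChanged` and the `New*` members) use `peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}")`, combining the bus daemon's own name with an indicator's label, while the `Seeked` signal rule in org.mpris.MediaPlayer2.Player later in this commit uses `peer=(name=org.freedesktop.DBus)` alone for the same broadcast case. If the label is checked against the bus daemon for a broadcast signal, these two rules will never match and the indicator will not see icon or status updates; if it is checked against the receiving watcher, the MPRIS rule is the one that is too loose. Pick one convention for broadcast signals, apply it to both files, and record in a short comment which peer the label refers to.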
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # DBus.Properties: read all properties from the interface
+ dbus send bus=system path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=@{busname}),
+
+ # DBus.Properties: receive property changed events
+ dbus receive bus=session path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=@{busname}),
+
+ # DBus.Introspectable: allow clients to introspect the service
+ dbus send bus=system path=/org/mpris/MediaPlayer2
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}),
+
+ dbus receive bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.Player
+ member={Seeked,Next,PlayPause}
+ peer=(name=@{busname}),
+
+ # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
+ dbus send bus=session path=/org/mpris/MediaPlayer2
+ interface=org.mpris.MediaPlayer2.Player
+ member=Seeked
+ peer=(name=org.freedesktop.DBus),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own
new file mode 100644
index 000000000..d975ebb48
--- /dev/null
+++ b/apparmor.d/abstractions/bus/session/own
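Review bot: In org.mpris.MediaPlayer2.Player the `Get,GetAll` and `Introspect` send rules are on `bus=system`, while every other rule in the file, and MPRIS itself, which is a session-bus specification, uses `bus=session`; as written, clients calling those methods on the session bus are not covered and the two system-bus rules match nothing. Change both to `dbus send bus=session path=/org/mpris/MediaPlayer2`. The receive rules are also pinned by unique name only (`peer=(name=@{busname})`), so any session peer can drive `Next`/`PlayPause`; that is likely intended for a player, but a comment saying so would help.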
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+ abi ,
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez
similarity index 54%
rename from apparmor.d/abstractions/bus/org.bluez
rename to apparmor.d/abstractions/bus/system/org.bluez
index 7b709ab9b..acaa7bb36 100644
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/system/org.bluez
@@ -4,46 +4,38 @@ abi , + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), - - dbus receive bus=system path=/org/bluez/hci@{int}{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), - - dbus send bus=system path=/org/bluez/hci@{int} - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor 
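Review bot: The rewrite of org.bluez drops the explicit `Properties.Set` send rule on `/org/bluez/hci@{int}` and the `PropertiesChanged` receive rule on `/org/bluez/hci@{int}{,/**}` in favour of the new `#aa:dbus common` directive; if that directive does not emit a `Set` rule (the other directive-based files in this commit, such as org.freedesktop.Secret and org.gtk.vfs.Metadata, still add their `GetAll` rules explicitly), profiles that toggle adapter properties such as Powered or Discoverable will start being denied after this change. Worth confirming the directive's expansion, and if `Set` is not part of it, re-adding `dbus send bus=system path=/org/bluez/hci@{int} interface=org.freedesktop.DBus.Properties member=Set peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),` explicitly.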
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver
new file mode 100644
index 000000000..f6a1a251c
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Address resolving
+
+ abi ,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member=AddressResolverNew
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus send bus=system path=/Client@{int}/AddressResolver@{int}
+ interface=org.freedesktop.Avahi.AddressResolver
+ member=Free
+ peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+ dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
+ interface=org.freedesktop.Avahi.AddressResolver
+ peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser
new file mode 100644
index 000000000..39f5e4496
--- /dev/null
+++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 000000000..403a4db0f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 000000000..bff079b13 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 000000000..bfc87b3cc --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 000000000..6a3b1510d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor 
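Review bot: The Introspect send in the new Avahi.Server abstraction is restricted to `peer=(name=@{busname}, ...)` while every other send in the file targets `name=org.freedesktop.Avahi`, so a client that introspects the well-known name is denied by this rule while one that addresses the unique name is allowed. The asymmetry looks accidental rather than a deliberate restriction, since Introspect is the least sensitive call in the file. The ColorManager abstraction added in the same change uses the braced form for exactly this situation, so I would mirror it here: `peer=(name="{@{busname},org.freedesktop.Avahi}", label="@{p_avahi_daemon}"),`.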
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 000000000..d90e9ca14 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 000000000..93affdc51 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager new file mode 100644 index 000000000..4b5dcc746 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager 
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow for color managed applications to communicate with colord + + abi , + + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=GetDevices + peer=(name="@{busname}", label="@{p_colord}"), + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={CreateProfile,CreateDevice,DeleteDevice} + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + + dbus receive bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={DeviceAdded,DeviceRemoved} + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={FindDeviceByProperty,FindDeviceById} + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower new file mode 100644 index 000000000..aa6a61371 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower 
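Review bot: `GetDevices` is limited to `peer=(name="@{busname}", ...)` whereas the neighbouring `CreateProfile,CreateDevice,DeleteDevice` and `FindDevice*` rules accept `{@{busname},org.freedesktop.ColorManager}`, so the one read-only query in the file is the only one denied when a client addresses the well-known name. Unless a log showed the unique-name form only, I would use the same braced peer: `peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),`. Separately, `DeleteDevice` and `CreateDevice` are state-changing calls that every profile including this "color managed applications" abstraction now gets; a short comment on which consumers need to delete devices, or moving those two members to a drop-in for the few profiles that do, would make the scope deliberate. The `dbus (receive, send)` form on `FindDeviceByProperty,FindDeviceById` also grants receipt of a method call the client never serves; if the receive half is only there for the reply, it is presumably unnecessary and worth confirming against the log.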
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + + # Find all devices monitored by UPower + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member=EnumerateDevices + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.DBus.Properties + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus receive bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member={DeviceAdded,DeviceRemoved} + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 59% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 50218ced3..e2377a14b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 
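Review bot: The second send rule pairs `interface=org.freedesktop.DBus.Properties` with `member={GetDisplayDevice,GetCriticalAction}`, but those are methods of the `org.freedesktop.UPower` interface (the Properties interface only carries Get, GetAll and Set), so this rule can never match and calls to them will be denied unless something else allows them. It should read `interface=org.freedesktop.UPower member={GetDisplayDevice,GetCriticalAction}`, at which point it can be merged with the `EnumerateDevices` rule above it. If the generated `#aa:dbus common` rules are what actually covers these calls in practice, the dead rule should be removed rather than left to mislead the next reader.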
@@ -4,15 +4,11 @@ abi , - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label=systemd-localed), dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 60% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 107868836..4833b1512 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,14 +1,16 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , + #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm + dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own new file mode 100644 index 000000000..2b1130b32 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/own 
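Review bot: After this hunk the only rule left in the locale1 abstraction is the `peer=(name=org.freedesktop.locale1)` send with no `label=`, while the rule being deleted was the one that pinned the peer to `label=systemd-localed`. Dropping the label means any process that the bus policy lets own `org.freedesktop.locale1` receives the call, which is the opposite direction from the rest of this change, where peers are tightened to `@{p_*}` labels. I would keep a label on the surviving rule, e.g. `peer=(name=org.freedesktop.locale1, label="@{p_systemd_localed}"),` if the project defines such a variable, or `label=systemd-localed` as the removed rule used.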
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. + +# Allow owning a name on DBus public bus + + abi , + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 000000000..0f5cff363 --- /dev/null +++ b/apparmor.d/abstractions/camera 
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 4cb47c9d2..28badc6db 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. 
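Review bot: `/dev/vchiq rw` hands the whole VideoCore firmware interface to every profile that includes the camera abstraction; as the comment itself notes the device is shared with EGL/GPU use, so it is considerably wider than camera capture and the profile cannot narrow what the firmware side exposes. I would either move that line to a dedicated drop-in for the boards that need it, or at least expand the comment so the reader knows what is being granted, e.g. `# VideoCore firmware interface: also exposes GPU/EGL and codec services, not just the camera`. In the sysfs block, `@{sys}/devices/**/video4linux/** r` already covers the two more specific `video4linux/video@{int}/` lines beneath it, which could be dropped.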
@@ -12,40 +13,41 @@ abi , include - include + include include include - include + include include include include + include include include include include include include + include include + include include + include + include + include + include include - include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/cache/** r, - /usr/local/{,**} r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, @@ -58,32 +60,32 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, - owner @{user_games_dirs}/** rm, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide + owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, 
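Review bot: `owner @{HOME}/** rwlk` becomes `owner @{HOME}/** rwmlk`, so every file the user owns under their home may now be both written and mapped executable by a sandboxed app; the previous rule kept write and map apart, and `owner @{user_games_dirs}/** rmix` in the same hunk already covers the directory where execution is genuinely needed. If the `m` was added for a single application (JIT caches, downloaded plugins), scoping it to that app's profile or to a named subdirectory keeps the generic abstraction narrower. At minimum the line deserves the `#aa:lint ignore=too-wide` marker its neighbours carry plus a comment naming the consumer that needs `m`.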
@@ -95,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, @@ -115,6 +119,7 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -125,19 +130,23 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index b5b119d0f..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: 
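Review bot: The `@{PROC}/@{pid}/maps r` line in the first hunk is not `owner`-qualified, so the sandboxed app may read the address-space layout of any process the kernel's ptrace access check lets it see, which weakens ASLR for those targets; the `@{PROC}/@{pid}/status r` added beside it is less sensitive but is also unowned, while the file's `owner @{PROC}/@{pid}/smaps_rollup r` and `owner @{PROC}/@{pid}/pagemap r` take the owner form. Unless the denial came from a foreign pid, I would write `owner @{PROC}/@{pid}/maps r,` and likewise for `status`. The `renderD128` and `renderD129` lines in the last hunk hard-code two node numbers; `@{att}/dev/dri/renderD@{int} rw,` would cover multi-GPU machines without widening beyond render nodes.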
@@ -38,14 +39,20 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, - @{PROC}/sys/kernel/overflowgid r, - @{PROC}/sys/kernel/overflowuid r, + @{att}/ r, + @{att}/@{run}/.userns r, + + @{PROC}/sys/kernel/overflowgid r, + @{PROC}/sys/kernel/overflowuid r, + @{PROC}/sys/user/max_user_namespaces r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + owner @{PROC}/@{pid}/fd/ r, + @{att}/@{PROC}/sys/user/max_user_namespaces rw, owner @{att}/@{PROC}/@{pid}/cgroup r, owner @{att}/@{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 9fba7b8bb..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,17 +2,29 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. + +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# abi , userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, 
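Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw` grants write on the sysctl that caps how many user namespaces may be created, while the non-attached line just above it (`@{PROC}/sys/user/max_user_namespaces r`) is read-only; inside a user namespace that file is per-namespace and a sufficiently capable owner can presumably raise its own limit, so the `w` is a real grant for a sandboxed program rather than a no-op. Unless a log shows bwrap writing it, I would make it `@{att}/@{PROC}/sys/user/max_user_namespaces r,` so the two lines agree. A one-line comment on why the attached path needs a different mode from the plain one would also help the next reader.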
@@ -22,19 +34,26 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..1d9a6d145 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf 
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..dd4976f5e 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,33 +1,34 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , + include + include include include + include include include include - userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, 
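Review bot: `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk` gives every profile that includes this abstraction write access to `passwords.dat`, where debconf stores password-type answers, and the `owner` qualifier is no barrier because maintainer scripts run as root and the file is root-owned. That is inherent in how the debconf frontend works, so the rule is probably unavoidable, but it should be stated so nobody adds this abstraction to a low-privilege helper casually: `# passwords.dat holds debconf-stored secrets; include only from profiles that run maintainer scripts as root`. Also, `@{sh_path} rix` keeps the shell under the caller's label, so anything the shell does (including reading those files) inherits this access; that is consistent with the `frontend rix` line but worth noting in the header comment.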
@@ -47,49 +48,29 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone 
= 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , @@ -17,8 +17,10 @@ include include include + include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -66,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -79,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, @@ -108,11 +106,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3..6dcb26860 100644 
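Review bot: The electron hunk turns `owner @{PROC}/@{pid}/task/@{tid}/status r` into an unowned `@{PROC}/@{pid}/task/@{tid}/status r` (the `+` line is in the earlier part of the hunk, the `-` near its end), which lets an Electron app read the status of every thread on the system rather than only its own; the sibling `owner @{PROC}/@{pid}/cgroup`, `cmdline` and `stat` lines in the same hunk stay owner-qualified. DAC already makes that file world-readable, so the widening is modest, but it runs opposite to the rest of this diff and is not explained. Unless a denial from a foreign pid motivated it, keep the qualifier: `owner @{PROC}/@{pid}/task/@{tid}/status r,`.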
--- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,8 @@ abi , - include include - include + include include include include @@ -32,6 +31,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a10..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index df138bf6c..f4a10076e 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -8,6 +8,7 @@ ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..b8b7ad90f --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete 
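Review bot: `/dev/tty@{u8} rw` in the new `consoles.d/complete` drop-in gives read/write on every numbered virtual console (presumably `/dev/tty0` through `/dev/tty255`) to any profile that includes the stock `consoles` abstraction, not just its own controlling terminal, which is enough to read from or write into another session's console. Since this is a drop-in on an upstream abstraction, check whether upstream `consoles` already grants the numbered VTs before adding it here; if it does the line is redundant, and if it does not, a comment naming which profiles need foreign VT access would help reviewers, e.g. `# Needed by profiles that switch or draw on VTs directly`. A narrower alternative is a drop-in on only those profiles rather than on the base abstraction.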
+++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete new file mode 100644 index 000000000..f71f7d869 --- /dev/null +++ b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete new file mode 100644 index 000000000..8d82bd277 --- /dev/null +++ b/apparmor.d/abstractions/dbus-session-strict.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + include + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete new file mode 100644 index 000000000..d35c7822a --- /dev/null +++ b/apparmor.d/abstractions/dbus-strict.d/complete @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{run}/dbus/system_bus_socket rw, + +# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index e84ffcb2e..72a943527 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -8,8 +8,9 @@ abi , include + include - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user w, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index ed8fa33e6..1796c7ca0 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -2,19 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Change - peer=(name=ca.desrt.dconf), # no peer's labels - - dbus receive bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Notify - peer=(name=:*, label=dconf-service), - /usr/share/dconf/profile/gdm r, - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ r, diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 4291762a4..68c013a51 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -34,7 +34,7 @@ deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_password_store_dirs}/{,**} mrwkl, + deny @{user_passwordstore_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, # Privacy violations diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 743dfaf2d..c4abbd574 100644 
--- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,10 +9,17 @@ abi , + include + include include - include - include + include + include + include + include include + include + include + include include include include @@ -22,18 +29,13 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{version}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/gnome-mimeapps.list r, - - / r, # deny? + / r, owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -52,7 +54,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -63,6 +65,9 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce @@ -75,7 +80,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 000000000..9c0a8b941 --- /dev/null +++ b/apparmor.d/abstractions/desktop-files 
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/applications/{,**} r, + @{system_share_dirs}/*ubuntu/applications/{,**} r, + @{system_share_dirs}/gnome/applications/{,**} r, + @{system_share_dirs}/xfce4/applications/{,**} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/{,**} r, + + /var/lib/snapd/desktop/applications/{,**} r, + + owner @{user_share_dirs}/applications/{,**} r, + + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 000000000..c707d66e0 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 1a85a0100..3361f10ec 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb 
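Review bot: `/dev/hidraw@{int} rw,` in the new devices-u2f abstraction grants read/write on every hidraw node, not only on security keys, so a profile including it can also talk to raw keyboards, mice and any other HID device; the header should say so, e.g. `# Allows access to Universal 2nd Factor (U2F) devices. hidraw nodes are not U2F-specific, so this also exposes every other raw HID device.` The comment above that rule has two typos: `# Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed` should read `# Allow raw access to HID (Human Interface Devices), which is how U2F devices are exposed`. The comment on `@{run}/udev/data/+power_supply:* r,` describes the rule but not why a U2F abstraction needs power-supply udev data; a one-line reason would make it possible to trim later.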
@@ -3,26 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} rwk, + include - @{sys}/class/ r, - @{sys}/class/usbmisc/ r, + @{PROC}/tty/drivers r, - @{sys}/bus/ r, - @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, - @{sys}/devices/**/usb@{int}/{,**} rw, + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, - # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read new file mode 100644 index 000000000..ea3131d59 --- /dev/null +++ b/apparmor.d/abstractions/devices-usb-read 
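Review bot: `/dev/ttyACM@{int} wk,` and `/dev/ttyUSB@{int} wk,` grant write and lock but no read, and the companion devices-usb-read abstraction added in this change has no tty rules either, so a profile that includes devices-usb still cannot read from a USB serial port without a rule of its own. If that split is deliberate, the comment `# Allow access to all ttyUSB devices too` should say that read is left to the including profile; otherwise the rules presumably want `rwk`. The `/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,` rule likewise relies on the new include for `r`; a short note beside the include line naming that read/write split would make the intent obvious to the next reader.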
@@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow detection of usb devices. Leaks plugged in USB device info + + abi , + + @{sys}/class/ r, + @{sys}/class/usbmisc/ r, + + @{sys}/bus/ r, + @{sys}/bus/usb/ r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, + + # Udev data about usb devices (~equal to content of lsusb -v) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70d..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, @@ -75,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules 
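Review bot: `@{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems` uses `@{d}` for the minor number while every neighbouring udev rule uses `@{int}`; since `@{d}` is used as `@{d}@{d}@{d}` elsewhere in this file it appears to match a single digit, which would exclude ACM devices with a minor of 10 or more. Unless the narrowing is intentional it should be `@{run}/udev/data/c16{6,7}:@{int} r, # ACM USB modems`. The header `# Allow detection of usb devices. Leaks plugged in USB device info` is a useful warning; it could add that `/dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r,` lets the program read the descriptors of every attached device, which is what the leak consists of.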
@@ -85,17 +96,18 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd5..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55a..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..df445cef5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,11 +16,16 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..8536470bd --- /dev/null +++ b/apparmor.d/abstractions/glibc 
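Review bot: The rewritten header `# This abstraction is only required when zshrc is loaded (e.g. interactive shell).` refers to zshrc inside the fish abstraction, which looks like the zsh wording copied over; it should name fish's own startup configuration, e.g. `# This abstraction is only required when config.fish is loaded (e.g. interactive shell).` The following line `# Classic shell scripts do not need it.` still reads correctly for fish.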
@@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 9862ca5e7..227377f3a 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,9 +4,17 @@ abi , + include + include include - include - include + include + include + include + include + include + include + include + include include include include 
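Review bot: The comment `# @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,` should read `# @{PROC}/@{pid}/map_files/ contains the same info as @{PROC}/@{pid}/maps,`. The rest of the new glibc abstraction documents every rule with a reason, which is the standard the other new abstractions in this change should follow.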
@@ -14,20 +22,15 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 90f705ac7..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + member=Introspect + peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 37f6be70e..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics 
@@ -13,13 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1f2b0ffd2..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,11 +4,11 @@ abi , + include include + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gschemas b/apparmor.d/abstractions/gschemas new file mode 100644 index 000000000..21a4d860c --- /dev/null +++ b/apparmor.d/abstractions/gschemas 
@@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 1cf8869c4..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -32,11 +32,11 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - #owner /tmp/orcexec.* mrw, + owner @{tmp}/orcexec.@{rand6} mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters @@ -52,14 +52,19 @@ @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/descriptors r, @{sys}/devices/@{pci}/devnum r, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/@{pci}/speed r, @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/devices r, + /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, + /dev/nvidia-uvm rw, include if exists diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 000000000..0bf0ab41c --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict 
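Review bot: `/dev/nvidia-uvm rw,` in the `@@ -52,14 +52,19 @@` hunk is added unconditionally to the generic gstreamer abstraction, and the same rule (with `/dev/nvidia-uvm-tools rw,`) is added to nvidia-strict in this change, so every gstreamer user now gets unified-memory device access even when it never includes the nvidia abstraction; if a gstreamer component needs it on its own, a comment naming that component would justify keeping the rule here instead of relying on the nvidia include. In the `@@ -32,11 +32,11 @@` hunk the newly enabled `owner @{tmp}/orcexec.@{rand6} mrw,` lets the confined program map and execute a file it writes under @{tmp}; that is the documented ORC behaviour, but the explanation above still only mentions the /home fallback, so a short line such as `# @{tmp} is tried before the home directory fallback` would keep the comment in step with the rule order.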
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + 
+ include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index ac702a70f..0b69d8ee1 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,32 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(name=:*), - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(label=gnome-shell), - - dbus receive bus=session - interface=org.gtk.Actions - member=Changed - peer=(name=:*), - dbus receive bus=session - interface=org.gtk.Actions - member=Changed - peer=(label=gnome-shell), - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + include + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 33d034b5a..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) 
@@ -16,11 +17,15 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????"), - unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????", + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 000000000..6a721b837 --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_share_dirs}/icons/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 000000000..91472d21e --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index 37038b129..adeb9a4bb 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 282ae1974..79e97b23f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
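Review bot: `/dev/input/event@{int} rw,` grants read on every evdev node, keyboards included, so any profile that includes this abstraction can observe keystrokes; the header `# Allow reading and writing to raw input devices` should make that explicit so the include is not added casually, e.g. `# Allow reading and writing to raw input devices (all of them, keyboards included).` The commented-out `# network netlink raw,` is left with no explanation; either drop it or say why it is kept disabled, e.g. `# network netlink raw, # disabled: reason here`.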
@@ -4,9 +4,17 @@ abi , + include + include include - include + include + include + include + include include + include + include + include include include include @@ -19,6 +27,7 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -27,7 +36,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -38,8 +47,13 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 000000000..21ac745e2 --- /dev/null +++ b/apparmor.d/abstractions/ld @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 000000000..873c303f5 
--- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..913ab3eb3 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,11 +4,13 @@ abi , - include + include include + include include - include + include include + include include include include diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login new file mode 100644 index 000000000..7ccc2d678 --- /dev/null +++ b/apparmor.d/abstractions/mapping/login 
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for login based hat mapping. + + abi , + + include + include + include + include + + capability audit_write, + capability chown, + capability fowner, + capability setgid, + capability setuid, + capability fsetid, + + deny capability net_admin, + + network netlink raw, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=ReleaseSession + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, + @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, + + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/capability.conf r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow new file mode 100644 index 000000000..5bf542c17 --- /dev/null +++ b/apparmor.d/abstractions/mapping/shadow @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for shadow based hat mapping. + + abi , + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd new file mode 100644 index 000000000..0f7512710 --- /dev/null +++ b/apparmor.d/abstractions/mapping/sshd 
@@ -0,0 +1,58 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for sshd based hat mapping. Similar to sshd-session + + abi , + + include + include + include + include + include + + capability audit_write, + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet stream, + network inet6 stream, + network netlink raw, + + signal receive set=exists peer=@{p_systemd_journald}, + signal receive set=hup peer=@{p_systemd}, + + unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, + unix bind type=stream addr=@@{udbus}/bus/sshd/system, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + /etc/motd r, + /etc/locale.conf r, + + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + + /dev/ptmx rw, + /dev/pts/@{int} k, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo new file mode 100644 index 000000000..3347a91af --- /dev/null +++ b/apparmor.d/abstractions/mapping/sudo 
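Review bot: `capability dac_read_search,`, `capability kill,` and `capability sys_resource,` come with no rationale, whereas the denied `net_admin` gets a three-line explanation; because this abstraction is the base for every sshd-derived hat mapping, each capability listed here is inherited by all of them, and a one-line reason per capability (what sshd does that needs it) is what makes later trimming possible. `/etc/motd r,` and `/etc/locale.conf r,` use a literal `/etc` while the login and sudo mapping abstractions in this change, and the new locale abstraction, use `@{etc_ro}`; `@{etc_ro}/motd r,` and `@{etc_ro}/locale.conf r,` would keep the files consistent. `/dev/pts/@{int} k,` grants lock only; if read/write on the pty comes from another include, a comment saying so avoids the obvious question.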
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for su/sudo based hat mapping. + + abi , + + capability audit_write, + capability setgid, + capability setuid, + + network netlink raw, + + @{etc_ro}/login.defs r, + /etc/passwd r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 000000000..1cdcf66f2 --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys new file mode 100644 index 000000000..d9aafa764 --- /dev/null +++ b/apparmor.d/abstractions/mediakeys @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 8ac3ad7f3..02a48114c 100644 
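Review bot: `/etc/passwd r,` uses a literal `/etc` on the line right after `@{etc_ro}/login.defs r,`; for consistency with the other mapping abstractions it should be `@{etc_ro}/passwd r,`, unless the tunable is deliberately avoided for this file, in which case a comment should say why. The three capabilities `audit_write`, `setgid` and `setuid` carry no why-comment; since this abstraction is inherited by every su/sudo based hat mapping, a short reason next to each documents what the mapping needs them for.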
--- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,6 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, @@ -26,4 +40,8 @@ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + @{PROC}/sys/dev/xe/observation_paranoid r, + + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 000000000..9a70edaf8 --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, + + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor 
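Review bot: The fallback rules under `/var/cache/mesa_shader_cache_db/` and `/var/cache/mesa_shader_cache/` carry no `owner` qualifier, unlike every `@{user_cache_dirs}` and `@{desktop_cache_dirs}` rule in the same file, so a confined program may read and rewrite cache entries created by another user. If the fallback directory is shared across uids by design, the comment `# Fallback location when @{user_cache_dirs} is not available` should state that and why `owner` cannot be used; otherwise `owner` should be added to these rules. `/dev/udmabuf rw, # In upstream, but not released yet` will go stale silently; naming the upstream change it tracks makes the rule removable later.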
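Review bot: `/var/cache/gio-@{version}/{,*-}-mimeapps.list r,` in the new mime abstraction has a doubled hyphen: the alternation already ends in `-`, so the pattern only matches `-mimeapps.list` or `*--mimeapps.list` and never the `gnome-mimeapps.list` file that the gnome abstractions elsewhere in this diff read. It should be `/var/cache/gio-@{version}/{,*-}mimeapps.list r,`, mirroring the `/etc/xdg/{,*-}mimeapps.list r,` rule two lines above it.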
diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..81d5cc94c --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6069ddd9a..a14691a9c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
@@ -6,31 +6,52 @@
 @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,
+ /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr,
+ /usr/share/nvidia/nvidia-application-profiles-* r,
 /etc/nvidia/nvidia-application-profiles-* r,
 /etc/vdpau_wrapper.cfg r,
- owner @{HOME}/.cache/nvidia/ w,
- owner @{HOME}/.cache/nvidia/GLCache/ rw,
- owner @{HOME}/.cache/nvidia/GLCache/** rwk,
+ owner @{HOME}/.nv/ w,
 owner @{HOME}/.nv/ComputeCache/ w,
 owner @{HOME}/.nv/ComputeCache/** rw,
 owner @{HOME}/.nv/ComputeCache/index rwk,
 owner @{HOME}/.nv/nvidia-application-profiles-* r,
+ @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,
+ owner @{user_cache_dirs}/nvidia/ w,
+ owner @{user_cache_dirs}/nvidia/GLCache/ rw,
+ owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
+
+ @{sys}/devices/@{pci}/numa_node r,
 @{sys}/devices/system/memory/block_size_bytes r,
 @{sys}/module/nvidia/version r,
- @{PROC}/driver/nvidia/params r,
- @{PROC}/sys/vm/max_map_count r,
- @{PROC}/sys/vm/mmap_min_addr r,
- @{PROC}/modules r,
- owner @{PROC}/@{pid}/comm r,
+ @{PROC}/driver/nvidia/capabilities/mig/monitor r,
+ @{PROC}/driver/nvidia/gpus/@{pci_id}/information r,
+ @{PROC}/driver/nvidia/params r,
+ @{PROC}/modules r,
+ @{PROC}/sys/vm/max_map_count r,
+ @{PROC}/sys/vm/mmap_min_addr r,
- /dev/char/195:@{int} w, # Nvidia graphics devices
+ @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm r,
+
+ /dev/char/195:@{u8} w, # Nvidia graphics devices
+
+ # Nvidia proprietary modset driver
 /dev/nvidia-modeset rw,
+
+ # Nvidia graphics devices
 /dev/nvidia@{int} rw,
+
+ # Nvidia's Unified Memory driver
+ /dev/nvidia-uvm rw,
+ /dev/nvidia-uvm-tools rw,
+
+ # Nvidia's control device
 /dev/nvidiactl rw,
 deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r,
diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete
index ef9d0c40d..e00385efd 100644
--- a/apparmor.d/abstractions/nvidia.d/complete
+++ b/apparmor.d/abstractions/nvidia.d/complete
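Review bot: `@{PROC}/@{pid}/cmdline r,` is added without `owner`, while the two `comm` rules right next to it keep it; command lines of other users' processes can carry credentials, so unless the driver is known to inspect foreign processes this should read `owner @{PROC}/@{pid}/cmdline r,`. The same inconsistency appears at `@{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw,`, the only GLCache rule in the block without `owner`. If either omission is deliberate, a short comment on the line saying which consumer needs cross-user access would stop the next reader from reverting it.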
@@ -8,6 +8,6 @@
 /etc/nvidia/nvidia-application-profiles* r,
- /dev/char/195:@{int} rw, # Nvidia graphics devices
+ /dev/char/195:@{u8} rw, # Nvidia graphics devices
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi
new file mode 100644
index 000000000..17225ef03
--- /dev/null
+++ b/apparmor.d/abstractions/oneapi
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Intel oneAPI compiler libraries
+
+ abi ,
+
+ /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
+ /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/openssl.d/complete b/apparmor.d/abstractions/openssl.d/complete
new file mode 100644
index 000000000..600a030e5
--- /dev/null
+++ b/apparmor.d/abstractions/openssl.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ /usr/share/ssl/ r,
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path
new file mode 100644
index 000000000..dee241b29
--- /dev/null
+++ b/apparmor.d/abstractions/path
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Common directories in $PATH, used by launchers and interactive shells.
+
+ abi ,
+
+ @{bin}/ r,
+ @{bin}/*/ r,
+ @{sbin}/ r,
+ @{sbin}/*/ r,
+
+ / r,
+ /usr/ r,
+ /usr/local/bin/ r,
+ /usr/local/sbin/ r,
+
+ @{user_bin_dirs}/ r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd
new file mode 100644
index 000000000..33a981279
--- /dev/null
+++ b/apparmor.d/abstractions/pcscd
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows interacting with PC/SC Smart Card Daemon
+
+ abi ,
+
+ # Configuration file for OPENSC
+ /etc/opensc.conf r,
+ /etc/opensc/opensc.conf r,
+
+ # Socket for communication between PCSCD and PS/SC API library
+ @{run}/pcscd/pcscd.comm rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/perl.d/complete b/apparmor.d/abstractions/perl.d/complete
new file mode 100644
index 000000000..0031356a1
--- /dev/null
+++ b/apparmor.d/abstractions/perl.d/complete
@@ -0,0 +1,7 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ @{bin}/perl rix,
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete
index 9f8d13eb5..e372c312c 100644
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 @{bin}/ r,
- @{python_path} r,
+ @{python_path} rm,
 owner @{user_lib_dirs}/@{python_name}/ r,
 owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r,
diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used
new file mode 100644
index 000000000..66a80867b
--- /dev/null
+++ b/apparmor.d/abstractions/recently-used
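Review bot: The comment above the socket rule spells the API name wrong; the header line already has it right, so it should read `# Socket for communication between PCSCD and PC/SC API library`. Minor, but the header `# Allows interacting with PC/SC Smart Card Daemon` also uses the third person where the sibling abstractions in this commit use the imperative (`# Allow operating as …`, `# Allow checking status …`); aligning it keeps the set consistent.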
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ owner @{HOME}/.recently-used.xbel rw,
+ owner @{HOME}/.recently-used.xbel.@{rand6} rwl,
+ owner @{HOME}/.recently-used.xbel.lock rwk,
+
+ owner @{user_share_dirs}/#@{int} rw,
+ owner @{user_share_dirs}/recently-used.xbel rw,
+ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
+ owner @{user_share_dirs}/recently-used.xbel.lock rwk,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver
new file mode 100644
index 000000000..1a9369091
--- /dev/null
+++ b/apparmor.d/abstractions/screensaver
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+ abi ,
+
+ include if exists
+ include if exists
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service
new file mode 100644
index 000000000..083672cc9
--- /dev/null
+++ b/apparmor.d/abstractions/secrets-service
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+ abi ,
+
+ include
+ include
+
+ dbus send bus=session path=/org/gnome/keyring/daemon
+ interface=org.gnome.keyring.Daemon
+ member=GetEnvironment
+ peer=(name=org.gnome.keyring, label=gnome-keyring-daemon),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite
new file mode 100644
index 000000000..690417f87
--- /dev/null
+++ b/apparmor.d/abstractions/sqlite
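Review bot: The header comment is carried over from the snapd interface and still talks about a `snap-specific collection`, which has no meaning in this project; `application-specific collection` keeps the sense. The first reference line `# - https://standards.freedesktop.org/secret-service/)` has a stray closing parenthesis, and `are meant to instead to treat` has a doubled `to`. The comment also promises full access to the API while the only explicit rule in the hunk is the `GetEnvironment` call to `gnome-keyring-daemon`; the rest presumably comes from the two `include` lines, whose targets are not visible here, so it is worth confirming the description still matches what is actually granted.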
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# SQlite temporary files (hexadecimal from 12 to 16 characters)
+
+ abi ,
+
+ owner /var/tmp/etilqs_@{hex12} rw,
+ owner /var/tmp/etilqs_@{hex12}@{h} rw,
+ owner /var/tmp/etilqs_@{hex12}@{hex2} rw,
+ owner /var/tmp/etilqs_@{hex15} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
+
+ owner @{tmp}/etilqs_@{hex12} rw,
+ owner @{tmp}/etilqs_@{hex12}@{h} rw,
+ owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
+ owner @{tmp}/etilqs_@{hex15} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes
new file mode 100644
index 000000000..13fe70bc6
--- /dev/null
+++ b/apparmor.d/abstractions/themes
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ /usr/share/themes/{,**} r,
+
+ owner @{HOME}/.themes/{,**} r,
+ owner @{user_share_dirs}/themes/{,**} r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index 5e64fc66f..e3b559418 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -10,7 +10,7 @@
 owner @{user_cache_dirs}/thumbnails/ w,
 owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w,
 owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl,
- owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} w,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl,
 owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w,
 owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w,
 owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w,
diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm
new file mode 100644
index 000000000..ef7b30a2b
--- /dev/null
+++ b/apparmor.d/abstractions/tpm
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2016-2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM
+# resource manager /dev/tpmrm@{int}
+
+ abi ,
+
+ /dev/tpm@{int} rw,
+ /dev/tpmrm@{int} rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput
new file mode 100644
index 000000000..b97d1eb8a
--- /dev/null
+++ b/apparmor.d/abstractions/uinput
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow write access to the uinput device for emulating input devices from
+# userspace for sending input events.
+
+ abi ,
+
+ /dev/uinput rw,
+ /dev/input/uinput rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe
new file mode 100644
index 000000000..67478bb6d
--- /dev/null
+++ b/apparmor.d/abstractions/upower-observe
@@ -0,0 +1,13 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Can query UPower for power devices, history and statistics.
+
+ abi ,
+
+ include
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs
new file mode 100644
index 000000000..189f8eb38
--- /dev/null
+++ b/apparmor.d/abstractions/user-dirs
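Review bot: Granting `/dev/tpm@{int} rw,` alongside `/dev/tpmrm@{int} rw,` gives every includer direct access to the raw TPM character device, bypassing the kernel resource manager the header comment mentions; the raw device is exclusive-open, so a confined program holding it can block other TPM users rather than just use its own sessions. Unless a known includer needs the raw device, consider keeping only the `tpmrm` rule in the shared abstraction and putting `/dev/tpm@{int} rw,` in the specific profile or a `tpm.d` drop-in that needs it. If both are kept, a one-line comment above `/dev/tpm@{int} rw,` naming the consumer would document the choice.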
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ /etc/xdg/user-dirs.conf r,
+ /etc/xdg/user-dirs.defaults r,
+
+ owner @{user_config_dirs}/user-dirs.dirs r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict
index f7eb186b5..9626bb0bc 100644
--- a/apparmor.d/abstractions/user-read-strict
+++ b/apparmor.d/abstractions/user-read-strict
@@ -8,6 +8,7 @@
 abi ,
 owner @{HOME}/ r,
+ owner @{HOME}/[^.]* rk,
 owner @{MOUNTS}/ r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk,
diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict
index 026825b27..88d52203e 100644
--- a/apparmor.d/abstractions/user-write-strict
+++ b/apparmor.d/abstractions/user-write-strict
@@ -8,6 +8,7 @@
 abi ,
 owner @{HOME}/ r,
+ owner @{HOME}/[^.]* wl,
 owner @{MOUNTS}/ r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl,
diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict
index edb258288..d4dd2fae6 100644
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@@ -19,6 +19,7 @@
 owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
 owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
 owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
+ owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w,
 owner @{user_share_dirs}/vulkan/ rw,
 owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete
index 8e5b68c08..67f83516e 100644
--- a/apparmor.d/abstractions/vulkan.d/complete
+++ b/apparmor.d/abstractions/vulkan.d/complete
@@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 /etc/glvnd/egl_vendor.d/{,*.json} r,
diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit
new file mode 100644
index 000000000..c9a275250
--- /dev/null
+++ b/apparmor.d/abstractions/webkit
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for webkit GTK UI.
+
+ abi ,
+
+ mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
+
+ @{bin}/xdg-dbus-proxy rix, # TODO: stack me
+
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+ @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
+
+ owner /bindfile@{rand6} rw,
+ owner @{att}/.flatpak-info r,
+
+ owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+
+ owner @{run}/user/@{uid}/.flatpak/ w,
+ owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
+
+ owner @{run}/user/@{uid}/webkitgtk/ w,
+ owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+ owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
+
+ @{sys}/firmware/acpi/pm_profile r,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine
new file mode 100644
index 000000000..145cd763a
--- /dev/null
+++ b/apparmor.d/abstractions/wine
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Basic set of resources for wine regardless of the installation method (system or through a game launcher).
+
+ abi ,
+
+ owner @{user_share_dirs}/applications/wine/ rw,
+ owner @{user_share_dirs}/applications/wine/**/ rw,
+
+ owner @{att}/@{tmp}/.wine-@{uid}/ rw,
+ owner @{att}/@{tmp}/.wine-@{uid}/** rwk,
+ owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m,
+
+ owner /dev/shm/wine-@{hex6}-fsync rw,
+ owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index 3046c8f6d..df13363fc 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -4,9 +4,11 @@
 abi ,
+ include
 include
 include
- include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh
index a22895c91..7c734a45b 100644
--- a/apparmor.d/abstractions/zsh
+++ b/apparmor.d/abstractions/zsh
@@ -3,31 +3,48 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# This abstraction is only required when an interactive shell is started.
+# This abstraction is only required when zshrc is loaded (e.g. interactive shell).
 # Classic shell scripts do not need it.
 abi ,
 @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr,
- /usr/share/zsh/{,**} r,
 /usr/local/share/zsh/{,**} r,
+ /usr/share/oh-my-zsh/{,**} r,
+ /usr/share/zsh-theme-*/{,**} r,
+ /usr/share/zsh/{,**} r,
 /etc/zsh/* r,
- owner @{HOME}/.zshrc r,
- owner @{HOME}/.zshenv r,
+ owner @{HOME}/.zcompdump-* rw,
 owner @{HOME}/.zsh_history rw,
 owner @{HOME}/.zsh_history.LOCK rwk,
+ owner @{HOME}/.zsh_history.new rw,
+ owner @{HOME}/.zshenv r,
+ owner @{HOME}/.zshrc r,
 owner @{HOME}/.oh-my-zsh/{,**} r,
 owner @{HOME}/.oh-my-zsh/log/update.lock/ w,
- owner @{HOME}/.zcompdump-* rw,
+ owner @{user_cache_dirs}/oh-my-zsh/{,**} r,
+ owner @{user_cache_dirs}/p10k-@{user}/{,**} rw,
+ owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw,
+ owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw,
 owner @{user_config_dirs}/zsh/.zcompdump-* rw,
 owner @{user_config_dirs}/zsh/{,**} r,
+ owner @{user_share_dirs}/zsh/history rw,
+ owner @{user_share_dirs}/zsh/history.LOCK rwk,
+ owner @{user_share_dirs}/zsh/history.new rw,
+
+ owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw,
+ owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk,
+
+ @{PROC}/version r,
+ owner @{PROC}/@{pid}/loginuid r,
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
deleted file mode 100644
index 0a4b9efdf..000000000
--- a/apparmor.d/groups/_full/bwrap
+++ /dev/null
@@ -1,56 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for bwrap.
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/bwrap
-profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
- include
- include
- include
- include
- include
-
- capability dac_override,
- capability dac_read_search,
- capability sys_resource,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
-
- ptrace peer=bwrap//&bwrap-app,
-
- signal peer=bwrap//&bwrap-app,
- signal (receive) set=(kill),
-
- @{bin}/** rm,
- @{lib}/** rm,
- /opt/*/** rm,
- /usr/share/*/* rm,
-
- @{bin}/** Px -> bwrap//&bwrap-app,
- @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy,
- # @{lib}/** Px -> bwrap//&bwrap-app,
- /opt/*/** Px -> bwrap//&bwrap-app,
- /usr/share/*/* Px -> bwrap//&bwrap-app,
-
- /usr/.ref rk,
-
- /bindfile@{rand6} rw,
-
- owner /var/cache/ w,
-
- owner @{run}/ld-so-cache-dir/* rw,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app
deleted file mode 100644
index b6d45478a..000000000
--- a/apparmor.d/groups/_full/bwrap-app
+++ /dev/null
@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for user sandboxed application
-
-abi ,
-
-include
-
-profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
- include
- include
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- ptrace peer=bwrap//&bwrap-app,
-
- signal peer=bwrap//&bwrap-app,
-
- @{bin}/** rmix,
- @{lib}/** rmix,
- /opt/*/** rmix,
- /usr/share/*/* rmix,
-
- owner /var/cache/ w,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
deleted file mode 100644
index acdfc0bff..000000000
--- a/apparmor.d/groups/_full/default
+++ /dev/null
@@ -1,122 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for unconfined programs
-
-abi ,
-
-include
-
-@{exec_path} = /**
-profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- capability dac_override,
- capability dac_read_search,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink dgram,
- network netlink raw,
-
- signal receive set=hup,
-
- @{bin}/bwrap rPx -> bwrap,
- @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse,
- @{bin}/pulseaudio rPx -> systemd//&pulseaudio,
- @{bin}/su rPx -> default-sudo,
- @{bin}/sudo rPx -> default-sudo,
- @{bin}/systemctl rix,
- @{coreutils_path} rix,
- @{shells_path} rix,
-
- @{pager_path} rPx -> child-pager,
-
-# @{open_path} rPx -> child-open,
-
- audit @{bin}/** Pix,
- audit @{lib}/** Pix,
- audit /opt/*/** Pix,
- audit /usr/share/*/* Pix,
-
- @{bin}/{,**} r,
- @{lib}/{,**} r,
- /usr/share/** r,
-
- /etc/xdg/** r,
-
- # Full access to user's data
- / r,
- /*/ r,
- @{MOUNTDIRS}/ r,
- @{MOUNTS}/ r,
- @{MOUNTS}/** rwl,
- owner @{HOME}/{,**} rwlk,
- owner @{run}/user/@{uid}/{,**} rw,
- owner @{tmp}/{,**} rwk,
- owner @{run}/user/@{uid}/{,**} rwlk,
-
- @{run}/motd.dynamic.new rw,
-
- @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
-
- @{run}/udev/data/c13:@{int} r, # for /dev/input/*
-
- @{sys}/ r,
- @{sys}/bus/ r,
- @{sys}/bus/pci/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/drm/ r,
- @{sys}/class/hidraw/ r,
- @{sys}/class/input/ r,
- @{sys}/class/power_supply/ r,
- @{sys}/devices/**/input@{int}/ r,
- @{sys}/devices/**/input@{int}/capabilities/* r,
- @{sys}/devices/**/input/input@{int}/ r,
- @{sys}/devices/**/uevent r,
- @{sys}/devices/virtual/dmi/id/chassis_type r,
- @{sys}/firmware/acpi/pm_profile r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
-
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/seccomp/actions_avail r,
- @{PROC}/zoneinfo r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/limits r,
- owner @{PROC}/@{pid}/loginuid r,
- owner @{PROC}/@{pid}/mem r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/oom_{,score_}adj rw,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- owner @{PROC}/@{pids}/cmdline r,
- owner @{PROC}/@{pids}/environ r,
- owner @{PROC}/@{pids}/task/ r,
-
- /dev/ r,
- /dev/ptmx rwk,
- /dev/tty rwk,
- owner /dev/tty@{int} rw,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
deleted file mode 100644
index 609191970..000000000
--- a/apparmor.d/groups/_full/default-sudo
+++ /dev/null
@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-profile default-sudo {
- include
- include
-
- capability chown,
- capability mknod,
- capability sys_ptrace,
-
- network inet dgram,
- network inet6 dgram,
-
- ptrace (read),
-
- @{bin}/su mr,
-
- @{bin}/** Px,
- @{lib}/** Px,
- /opt/*/** Px,
-
- /var/db/sudo/lectured/ r,
- /var/lib/extrausers/shadow r,
- /var/lib/sudo/lectured/ r,
- owner /var/db/sudo/lectured/@{uid} rw,
- owner /var/lib/sudo/lectured/* rw,
-
- owner @{HOME}/.sudo_as_admin_successful rw,
-
- @{run}/ r,
- @{run}/systemd/sessions/* r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
new file mode 100644
index 000000000..ccdbf338b
--- /dev/null
+++ b/apparmor.d/groups/_full/sd
@@ -0,0 +1,256 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd is a profile for SystemD-executor run as root, it is used to run all services
+# files and to encapsulate stacked services profiles (hence the short name).
+# It aims at reducing the size of the systemd profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/systemd-executor
+profile sd flags=(attach_disconnected,mediate_deleted,complain) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ userns,
+
+ capability audit_control,
+ capability audit_write,
+ capability bpf,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability linux_immutable,
+ capability mknod,
+ capability net_admin,
+ capability net_bind_service,
+ capability net_raw,
+ capability perfmon,
+ capability setfcap,
+ capability setgid,
+ capability setpcap,
+ capability setuid,
+ capability sys_admin,
+ capability sys_nice,
+ capability sys_ptrace,
+ capability sys_rawio,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_tty_config,
+ capability syslog,
+
+ network alg seqpacket,
+ network bluetooth,
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 raw,
+ network inet6 stream,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+ network qipcrtr dgram,
+
+ mount -> @{run}/systemd/mount-rootfs/{,**},
+ mount -> @{run}/systemd/namespace-@{rand6}/{,**},
+ mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/,
+ mount options=(rw rshared) -> /,
+ mount options=(rw rslave) -> /,
+ mount options=(rw rslave) -> /dev/,
+ mount options=(rw slave) -> @{run}/systemd/incoming/,
+ mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/,
+ mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/,
+
+ remount /dev/shm/,
+ remount @{run}/systemd/mount-rootfs/{,**},
+
+ umount /,
+ umount /dev/shm/,
+ umount @{run}/systemd/mount-rootfs/{,**},
+ umount @{run}/systemd/namespace-@{rand6}/{,**},
+
+ pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
+
+ change_profile,
+
+ mqueue (read getattr) type=posix /,
+
+ signal peer=sd//&*,
+ signal receive peer=@{p_systemd},
+ signal send,
+
+ ptrace read,
+
+ unix type=dgram peer=(label=@{p_systemd}),
+ unix type=dgram peer=(label=systemd-timesyncd),
+ unix type=stream,
+
+ dbus bus=system,
+
+ @{exec_path} mr,
+
+ @{bin}/** mPx,
+ @{sbin}/** mPx,
+ @{lib}/** Px,
+ /etc/cron.*/* Px,
+ /etc/init.d/* Px,
+ /etc/update-motd.d/* Px,
+ /usr/share/*/** Px,
+
+ # Systemd user: systemd --user
+ @{lib}/systemd/systemd px -> systemd-user,
+
+ # Mount operations from services and systemd
+ @{bin}/mount Px -> sd-mount,
+ @{bin}/umount Px -> sd-umount,
+
+ # Unit services using systemctl
+ @{bin}/systemctl Cx -> systemctl,
+
+ # Unit services
+ @{bin}/kill Cx -> kill,
+
+ # Used by very basic services, ideally should be replaced by a unit profiles
+ @{sh_path} ix,
+ @{bin}/false ix,
+ @{bin}/true ix,
+
+ # Required due to stacked profiles
+ @{bin}/find ix,
+ @{bin}/gzip ix,
+ @{bin}/install ix,
+ @{bin}/readlink ix,
+ @{lib}/colord-sane ix,
+ @{lib}/systemd/systemd-nsresourcework ix,
+ @{lib}/systemd/systemd-userwork ix,
+ @{sbin}/grpck ix,
+ @{sbin}/pwck ix,
+
+ / r,
+ @{att}/ r,
+ @{bin}/{,**} r,
+ @{lib}/{,**} r,
+ @{sbin}/{,*} r,
+ /usr/local/{,**} r,
+ /usr/share/** r,
+ /etc/*/ w,
+ /etc/** rk,
+ /home/ r,
+
+ @{efi}/ r,
+ @{efi}/** rw,
+
+ @{att}/var/lib/systemd/*/ r,
+
+ /var/cache/*/ rw,
+ /var/cache/*/** rwk,
+ /var/lib/*/ rw,
+ /var/lib/*/** rwk,
+ /var/lib/systemd/*/ r,
+ /var/log/ r,
+ /var/log/** rw,
+ /var/log/journal/** rwl -> /var/log/journal/**,
+
+ @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+ @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
+
+ @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
+ @{att}/@{run}/systemd/notify rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+ @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
+
+ @{run}/ rw,
+ @{run}/* rw,
+ @{run}/*/ rw,
+ @{run}/*/* rw,
+ @{run}/systemd/{,**} rw,
+ owner @{run}/*/** rw,
+
+ @{run}/udev/**/ r,
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
+
+ @{sys}/** r,
+ @{sys}/fs/bpf/systemd/{,**} w,
+ @{sys}/firmware/efi/efivars/** w,
+ @{sys}/fs/cgroup/{,**} w,
+
+ @{PROC}/@{pids}/attr/apparmor/exec w,
+ @{PROC}/@{pids}/attr/current r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/comm r,
+ @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/fdinfo/@{int} r,
+ @{PROC}/@{pids}/gid_map w,
+ @{PROC}/@{pids}/limits r,
+ @{PROC}/@{pids}/loginuid rw,
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/@{pids}/oom_score_adj rw,
+ @{PROC}/@{pids}/sessionid r,
+ @{PROC}/@{pids}/setgroups r,
+ @{PROC}/@{pids}/setgroups w,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/status r,
+ @{PROC}/@{pids}/uid_map r,
+ @{PROC}/@{pids}/uid_map w,
+ @{PROC}/cmdline r,
+ @{PROC}/interrupts r,
+ @{PROC}/irq/@{int}/node r,
+ @{PROC}/irq/@{int}/smp_affinity r,
+ @{PROC}/kmsg r,
+ @{PROC}/modules r,
+ @{PROC}/pressure/* r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/** r,
+ @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/sysvipc/* r,
+ @{PROC}/version_signature r,
+
+ /dev/** rwk,
+
+ profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
+ include
+ include
+
+ include if exists
+ include if exists
+ }
+
+ profile kill flags=(attach_disconnected,mediate_deleted,complain) {
+ include
+
+ signal send,
+
+ @{bin}/kill mr,
+
+ include if exists
+ }
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount
new file mode 100644
index 000000000..1572a8f6d
--- /dev/null
+++ b/apparmor.d/groups/_full/sd-mount
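Review bot: `change_profile,` with no target lets the executor transition into any loaded profile, and combined with `@{PROC}/@{pids}/attr/apparmor/exec w,` it makes the confinement of `sd` effectively self-selected rather than imposed by policy; if the stacked-profile design allows it, give the rule an explicit `->` target naming the profiles it actually transitions to, or leave a comment on the line explaining why any destination must be reachable. The same breadth appears in `signal send,`, `ptrace read,` and `/dev/** rwk,`, none of which carries a peer or path constraint, and `/etc/*/ w,` plus `/etc/** rk,` together cover most of the system configuration. The profile ships with `complain` in its flags, so none of this is enforced yet, which would be worth stating in the header next to the full-system-policy warning so that readers do not assume the rule set is final. Minor: the header reads `SystemD-executor` and `run all services files`; `systemd-executor` and `run all service files` match the binary name and the grammar.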
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd-mount is a subprofile of sd responsible to handle mounting operation.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd-mount.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/mount
+profile sd-mount flags=(complain) {
+ include
+ include
+
+ capability dac_read_search,
+ capability sys_admin,
+
+ mount -> @{efi}/,
+ mount -> @{HOME}/{,**},
+ mount -> @{HOMEDIRS}/,
+ mount -> @{MOUNTDIRS}/,
+ mount -> @{MOUNTS}/{,**},
+ mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
+ mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
+ mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
+ mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
+ mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
+ mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/,
+ mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/,
+ mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/,
+ mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/,
+ mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
+
+ mount options=(rw move) -> @{efi},
+ mount options=(rw move) -> @{HOME}/{,**},
+ mount options=(rw move) -> @{HOMEDIRS}/,
+ mount options=(rw move) -> @{MOUNTDIRS}/,
+ mount options=(rw move) -> @{MOUNTS}/{,**},
+ mount options=(rw move) -> @{sys}/fs/fuse/connections/,
+ mount options=(rw move) -> @{sys}/kernel/config/,
+ mount options=(rw move) -> @{sys}/kernel/debug/,
+ mount options=(rw move) -> @{sys}/kernel/tracing/,
+ mount options=(rw move) -> /dev/hugepages/,
+ mount options=(rw move) -> /dev/mqueue/,
+ mount options=(rw move) -> /tmp/,
+
+ @{exec_path} mr,
+
+ /var/lib/snapd/snaps/*.snap r,
+
+ @{run}/ r,
+ owner @{run}/mount/ rw,
+ owner @{run}/mount/utab{,.*} rwk,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ /dev/loop-control rw,
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount
new file mode 100644
index 000000000..e5d67f0a9
--- /dev/null
+++ b/apparmor.d/groups/_full/sd-umount
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd-umount is a subprofile of sd responsible to handle unmounting operation.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd-umount.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/umount
+profile sd-umount flags=(complain) {
+ include
+
+ capability sys_admin,
+
+ umount @{efi},
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
new file mode 100644
index 000000000..f9c50b65f
--- /dev/null
+++ b/apparmor.d/groups/_full/sdu
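Review bot: The five generic rules `mount -> @{efi}/,`, `mount -> @{HOME}/{,**},`, `mount -> @{HOMEDIRS}/,`, `mount -> @{MOUNTDIRS}/,` and `mount -> @{MOUNTS}/{,**},` carry no `fstype=`, `options=` or source constraint, so any filesystem type, including a bind mount from an arbitrary source, can be placed over a user's home, whereas every other mount rule in this profile pins both type and options. If these exist for fstab/automount units, the filesystem types actually used are presumably known and the rules could be narrowed with `fstype=` and `options=` (or `options=(rw bind)` for the bind case) to keep the profile's tightness consistent. The profile is `flags=(complain)`, so none of it is enforced yet; a one-line header comment stating that the flag is transitional would help reviewers. Also `@{PROC}/@{pid}/mountinfo r,` is unowned while the neighbouring `@{run}/mount/` rules use `owner`; `owner @{PROC}/@{pid}/mountinfo r,` suffices if only the process's own mount namespace is read.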
@@ -0,0 +1,141 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd-user profile.
+
+# sdu is a profile for SystemD-executor run as User, it is used to run all services
+files and to encapsulate stacked services profiles (hence the short name).
+# It aims at reducing the size of the systemd-user profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sdu.d directory
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/systemd-executor
+profile sdu flags=(attach_disconnected,mediate_deleted) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ change_profile,
+
+ ptrace read,
+
+ unix type=dgram peer=(label=@{p_systemd_user}),
+
+ dbus bus=session,
+
+ @{exec_path} mr,
+
+ @{bin}/** mPx,
+ @{sbin}/** mPx,
+ @{lib}/** Px,
+ /etc/cron.*/* Px,
+ /opt/*/** Px,
+ /usr/share/*/** Px,
+
+ # Unit services using systemctl
+ @{bin}/systemctl Cx -> systemctl,
+
+ # Shell based user unit services
+ @{sh_path} Cx -> shell,
+
+ # Dbus needs to be started without environment scrubbing
+ @{bin}/dbus-broker px -> dbus-session,
+ @{bin}/dbus-broker-launch px -> dbus-session,
+ @{bin}/dbus-daemon px -> dbus-session,
+ @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
+
+ / r,
+ @{bin}/* r,
+ @{sbin}/* r,
+ /usr/share/** r,
+
+ owner @{desktop_local_dirs}/ w,
+ owner @{desktop_local_dirs}/state/ w,
+ owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
+
+ owner @{run}/user/@{uid}/pipewire-@{int} rw,
+ owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
+ owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
+ owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
+ owner @{run}/user/@{uid}/pulse/pid rw,
+
+ owner @{user_state_dirs}/wireplumber/ rw,
+ owner @{user_state_dirs}/wireplumber/stream-properties rw,
+ owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
+
+ @{run}/systemd/users/@{uid} r,
+ @{run}/systemd/users/@{int} r,
+
+ @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
+ @{run}/udev/data/c81:@{int} r, # For video4linux
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{sys}/bus/ r,
+ @{sys}/bus/media/devices/ r,
+ @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
+ @{sys}/devices/**/device:*/{,**/}path r,
+ @{sys}/devices/**/sound/**/pcm_class r,
+ @{sys}/devices/**/sound/**/uevent r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node@{int}/meminfo r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/devices/virtual/sound/seq/uevent r,
+ @{sys}/devices/virtual/sound/timer/uevent r,
+
+ @{sys}/module/apparmor/parameters/enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
+
+ @{PROC}/pressure/* r,
+ @{PROC}/sys/fs/nr_open r,
+ owner @{PROC}/@{pid}/attr/apparmor/exec w,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/oom_score_adj rw,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/kmsg w,
+
+ deny capability net_admin,
+
+ profile shell flags=(attach_disconnected,mediate_deleted,complain) {
+ include
+
+ @{sh_path} mr,
+ @{bin}/systemctl Px -> sdu//systemctl,
+
+ include if exists
+ }
+
+ profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
+ include
+ include
+
+ owner @{run}/user/@{uid}/systemd/private rw,
+
+ deny capability net_admin,
+
+ include if exists
+ include if exists
+ }
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 9e1737a2a..d1ee8fd1f 100644
--- a/apparmor.d/groups/_full/systemd
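Review bot: `change_profile,` with no target lets any process confined by `sdu` switch to any loaded profile, which undercuts the explicit `Px`/`Cx` transitions listed right below it; if it exists only so the executor can honour `AppArmorProfile=` from unit files, narrowing it to the profiles user units may run under, or at least a comment saying why it must stay open, is warranted. `ptrace read,` is likewise unscoped, mirroring the `ptrace read,` this commit also introduces in `systemd-user` in place of `ptrace read peer=@{p_systemd},`. Separately, `sdu` itself carries no `complain` flag while `systemd-user`, `sdu//shell` and `sdu//systemctl` all do, and `@{bin}/** mPx` denies the exec when no target profile is loaded, so a user unit without a profile will fail to start in enforce mode; if that is intended, say so in the header, otherwise add `complain` for parity during the rework.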
+++ b/apparmor.d/groups/_full/systemd 
@@ -11,24 +11,47 @@
 # Distributions and other programs can add rules in the usr/systemd.d directory
-# TODO: rework this to get a controlled environment: (cf security model)
+# Overall architecture of the systemd profiles:
+# systemd # PID 1, entrypoint, requires "Early policy"
+# ├── systemd # To restart itself
+# ├── systemd-generators-* # Systemd system and environment generators
+# └── sd # Internal service starter and config handler, handles all services
+# ├── Px or px, # Any service with profile
+# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd)
+# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd)
+# ├── sd-mount # Handles all mounts from services
+# ├── sd//systemctl # Internal system systemctl
+# └── systemd-user # Profile for 'systemd --user'
+# ├── systemd-user # To restart itself
+# ├── systemd-user-generators-* # Systemd user and environment generators
+# └── sdu # Handles all user services
+# ├── Px or px, # Any user service with profile
+# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd)
+# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd)
+# └── sdu//systemctl # Internal user systemctl
+
+# Advantages:
+# - Differentiate systemd (PID 1) and `system --user`
+# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles.
+# - Allow the executor profiles to handled stacked profiles.
+# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`.
+# - Dedicated `sd-mount` profile for most mount from the unit services.
+
+
+# TODO: rework this to get a controlled environment:
 # - No global allow anymore: in high security environments, we must manage the list
 # of program/service that can be started by systemd and ensure that they are all
 # listed and confined. Programs not listed will not be able to start.
 # - Outside common systemd service, the list may have to be automatically
 # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
-# - Stop disabling nnp flags in systemd dropin files.
-# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo)
-# need they own profile, profile name configured as a dropin unit file.
-# - When this is done: the fallback profile as root will not be needed.
 abi ,
 include
-profile systemd flags=(attach_disconnected,mediate_deleted) {
+@{exec_path} = @{lib}/systemd/systemd
+profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
 include
- include
 include
 include
 include
@@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
- capability mknod,
+ capability kill,
 capability net_admin,
+ capability net_bind_service,
 capability perfmon,
- capability setfcap,
- capability setgid,
 capability setpcap,
- capability setuid,
 capability sys_admin,
- capability sys_chroot,
- capability sys_nice,
+ capability sys_boot,
 capability sys_ptrace,
 capability sys_resource,
 capability sys_tty_config,
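Review bot: The same hunk that documents the new architecture also switches PID 1 to `flags=(attach_disconnected,mediate_deleted,complain)`, and nothing in the header says that this is transitional, so a reader of the "Advantages" list will assume the tightened `systemd` profile is enforced when it is not. A comment next to the flag, `# complain: transitional while the sd/sdu split is validated, remove before enforcing`, and a matching TODO entry would make the state explicit. In the prose, "`system --user`" should read "`systemd --user`", "mininal" should be "minimal", "to handled stacked profiles" should be "to handle stacked profiles", and "most mount from the unit services" should be "most mounts from the unit services".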
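Review bot: Removing `mknod`, `setfcap`, `setgid`, `setuid`, `sys_chroot` and `sys_nice` from PID 1 is only safe if every use of them now happens under the `sd` executor profile, whose hunk starts before this view, and because the previous hunk puts `systemd` into complain mode a remaining need here will show up only as a log line rather than a failure. A short comment above the capability list naming where those capabilities moved, e.g. `# setuid/setgid/sys_chroot/... are granted in sd, which execs all services`, would record the intent and give the later switch to enforce mode something to check against. The new `capability kill,` and `capability sys_boot,` are unexplained; one-word trailers such as `# reboot/poweroff` would help.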
@@ -62,194 +82,124 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 network inet6 dgram,
 network inet6 stream,
 network netlink raw,
+ network vsock stream,
 mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
- mount fstype=autofs systemd-1 -> /efi/,
- mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
- mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
- mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
- mount fstype=tmpfs tmpfs -> /dev/shm/,
+ mount fstype=autofs systemd-1 -> @{efi}/,
 mount fstype=tmpfs tmpfs -> /tmp/,
- mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
- mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
- mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
- mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
- mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
- mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
- mount options=(rw move) -> @{sys}/fs/fuse/connections/,
- mount options=(rw move) -> @{sys}/kernel/config/,
- mount options=(rw move) -> @{sys}/kernel/debug/,
- mount options=(rw move) -> @{sys}/kernel/tracing/,
- mount options=(rw move) -> /dev/hugepages/,
- mount options=(rw move) -> /dev/mqueue/,
- mount options=(rw move) -> /efi/,
- mount options=(rw move) -> /tmp/,
- mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
- mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
- mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**},
- mount options=(rw rshared) -> /,
 mount options=(rw rslave) -> /,
- mount options=(rw rslave) -> /dev/,
- mount options=(rw slave) -> @{run}/systemd/incoming/,
 remount @{HOME}/{,**},
 remount @{HOMEDIRS}/,
 remount @{MOUNTDIRS}/,
 remount @{MOUNTS}/{,**},
- remount @{run}/systemd/mount-rootfs/{,**},
- remount @{run}/systemd/unit-root/{,**},
- remount /,
 remount /snap/{,**},
- remount options=(ro noexec noatime bind) /var/snap/{,**},
- remount options=(ro nosuid bind) /dev/,
- remount options=(ro nosuid nodev bind) /dev/hugepages/,
- remount options=(ro nosuid nodev bind) /var/,
- remount options=(ro nosuid nodev noexec bind) /boot/,
- remount options=(ro nosuid nodev noexec bind) /dev/mqueue/,
- remount options=(ro nosuid nodev noexec bind) /efi/,
- remount options=(ro nosuid noexec bind) /dev/pts/,
+ remount options=(ro bind nodev noexec nosuid) /dev/mqueue/,
+ remount options=(ro bind nodev nosuid) /dev/hugepages/,
+ remount options=(ro bind noexec nosuid) /dev/pts/,
+ remount options=(ro bind nosuid) /dev/,
+ remount options=(ro bind) @{efi}/,
+ remount options=(ro bind) /,
- umount /,
- umount /dev/shm/,
 umount @{PROC}/sys/fs/binfmt_misc/,
- umount @{run}/systemd/mount-rootfs/{,**},
- umount @{run}/systemd/namespace-@{rand6}/{,**},
- umount @{run}/systemd/unit-root/{,**},
+ umount @{run}/credentials/*/,
- pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
- pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,
+ mqueue (read getattr) type=posix /,
- change_profile,
-
- signal (receive) set=(rtmin+23) peer=plymouthd,
- signal (receive) set=(term, hup, cont),
- signal (send),
+ signal send,
 ptrace (read, readby),
- unix (send) type=dgram,
-
- unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none),
- unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
+ unix type=dgram,
+ unix type=stream,
 #aa:dbus own bus=system name=org.freedesktop.systemd1
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetConnectionUnixUser
- peer=(name=org.freedesktop.DBus, label=dbus-system),
+ @{exec_path} mrix,
+ @{sh_path} mr,
- @{bin}/** Px,
- @{lib}/** Px,
- /etc/cron.*/* Px,
- /etc/init.d/* Px,
- /usr/share/*/** Px,
+ # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
+ @{lib}/systemd/systemd-executor mPx -> sd,
- # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
- @{lib}/systemd/systemd-executor ix,
-
- # Systemd user: systemd --user
- @{lib}/systemd/systemd px -> systemd-user,
-
- # Unit services using systemctl
- @{bin}/systemctl Cx -> systemctl,
-
- # Unit services
- @{bin}/mount ix,
-
- # Shell based systemd unit services
- @{bin}/ldconfig Px -> systemd-service,
- @{bin}/mandb Px -> systemd-service,
- @{bin}/savelog Px -> systemd-service,
- @{coreutils_path} Px -> systemd-service,
- @{sh_path} Px -> systemd-service,
-
- # Systemd profiles that need be stacked
- #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
- @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd,
- @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd,
- @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved,
- @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd,
-
- @{lib}/ r,
- / r,
- /*/ r,
- /boot/efi/ r,
- /snap/*/@{int}/ r,
- /var/cache/*/ r,
- /var/lib/*/ r,
- /var/tmp/ r,
+ # Systemd system generators. Profiles must exist
+ @{lib}/netplan/generate mPx,
+ @{lib}/systemd/system-environment-generators/* mPx,
+ @{lib}/systemd/system-generators/* mPx,
+ @{etc_ro}/environment r,
+ @{etc_ro}/environment.d/{,**} r,
+ /etc/acpi/events/{,**} r,
 /etc/binfmt.d/{,**} r,
 /etc/conf.d/{,**} r,
- /etc/credstore.encrypted/{,**} r,
- /etc/credstore/{,**} r,
- /etc/environment r,
- /etc/environment.d/{,**} r,
+ /etc/default/{,**} r,
 /etc/machine-id r,
 /etc/modules-load.d/{,**} r,
+ /etc/networkd-dispatcher/{,**} r,
 /etc/systemd/{,**} r,
+ /etc/systemd/system/** w,
 /etc/udev/hwdb.d/{,**} r,
- /var/lib/systemd/{,**} rw,
+ #aa:only pacman
+ # It is unclear why this is needed here and not in sd
+ /etc/pacman.d/gnupg/S.dirmngr w,
+ /etc/pacman.d/gnupg/S.gpg-agent w,
+ /etc/pacman.d/gnupg/S.gpg-agent.browser w,
+ /etc/pacman.d/gnupg/S.gpg-agent.extra w,
+ /etc/pacman.d/gnupg/S.gpg-agent.ssh w,
+ /etc/pacman.d/gnupg/S.keyboxd w,
+
+ @{efi}/ r,
+ /snap/*/@{int}/ r,
+
+ /tmp/ r,
+ /var/tmp/ r,
+ owner /tmp/systemd-private-*/{,**} rw,
 owner /var/tmp/systemd-private-*/{,**} rw,
- /tmp/namespace-dev-@{rand6}/{,**} rw,
- /tmp/systemd-private-*/{,**} rw,
+ @{att}/@{run}/systemd/journal/dev-log r,
+ @{att}/@{run}/systemd/journal/socket r,
+ @{att}/@{run}/systemd/notify r,
 @{run}/ rw,
+ @{run}/* rw,
 @{run}/*/ rw,
 @{run}/*/* rw,
- @{run}/auditd.pid r,
 @{run}/credentials/{,**} rw,
- @{run}/initctl rw,
 @{run}/systemd/{,**} rw,
- @{run}/udev/data/+bluetooth:* r,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+leds:*backlight* r,
-
- @{run}/udev/data/+module:configfs r,
- @{run}/udev/data/+module:fuse r,
+ @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
 @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c116:@{int} r, # For ALSA
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{run}/udev/tags/systemd/ r,
+ @{sys}/**/uevent r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
 @{sys}/class/power_supply/ r,
- @{sys}/class/sound/ r,
- @{sys}/devices/@{pci}/** r,
- @{sys}/devices/**/net/** r,
- @{sys}/devices/**/uevent r,
- @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/tty/console/active r,
+ @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
 @{sys}/fs/cgroup/{,**} rw,
 @{sys}/fs/fuse/connections/ r,
 @{sys}/fs/pstore/ r,
 @{sys}/kernel/**/ r,
- @{sys}/module/**/uevent r,
 @{sys}/module/apparmor/parameters/enabled r,
+ @{sys}/module/vt/parameters/default_utf8 r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/coredump_filter r,
- @{PROC}/@{pid}/environ r,
 @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pid}/gid_map rw,
- @{PROC}/@{pid}/loginuid rw,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/setgroups rw,
 @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/uid_map rw,
 @{PROC}/cmdline r,
 @{PROC}/devices r,
 @{PROC}/pressure/* r,
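Review bot: `unix type=dgram,` and `unix type=stream,` replace rules that named their peers (`peer=(label=systemd-timesyncd, addr=none)`, `peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd)`), and `signal send,` replaces `signal (send),` plus the targeted receive rules, so the profile no longer records which peers PID 1 is expected to talk to; keep the peer labels where they are known, or add a comment explaining why the widening is needed. `@{sh_path} mr,` grants the shell map/read with no exec mode at all: if PID 1 is expected to run a shell this should be an explicit `Px`/`Cx` transition, and if shell-based units are now the executor's job via `sd` then `r` (or nothing) is enough. `/etc/systemd/system/** w,` is new write access from PID 1 to unit definitions, presumably for `EnableUnitFiles`/`systemctl enable` over D-Bus; a trailing comment naming that use would stop it reading as an accidental grant.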
@@ -257,30 +207,33 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/sys/fs/binfmt_misc/ r,
 @{PROC}/sys/fs/nr_open r,
 @{PROC}/sys/kernel/* r,
- @{PROC}/sysvipc/{shm,sem,msg} r,
- owner @{PROC}/@{pid}/limits r,
- owner @{PROC}/@{pid}/oom_score_adj rw,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sysvipc/msg r,
+ @{PROC}/sysvipc/sem r,
+ @{PROC}/sysvipc/shm r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/1/coredump_filter r,
+ owner @{PROC}/1/fdinfo/@{int} r,
+ owner @{PROC}/1/gid_map r,
+ owner @{PROC}/1/oom_score_adj rw,
+ owner @{PROC}/1/setgroups r,
+ owner @{PROC}/1/uid_map r,
 /dev/autofs r,
+ /dev/dri/card@{int} rw,
+ /dev/initctl w,
+ /dev/input/ r,
 /dev/kmsg w,
+ /dev/tty rw,
+ /dev/tty@{int} rw,
 owner /dev/console rwk,
- owner /dev/dri/card@{int} rw,
 owner /dev/hugepages/ rw,
- owner /dev/initctl rw,
 owner /dev/input/event@{int} rw,
 owner /dev/mqueue/ rw,
 owner /dev/rfkill rw,
- owner /dev/shm/ rw,
+ owner /dev/shm/ r,
 owner /dev/ttyS@{int} rwk,
- profile systemctl {
- include
- include
-
- include if exists
- include if exists
- }
-
 include if exists
 include if exists
 }
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
deleted file mode 100644
index e6c4a4b7b..000000000
--- a/apparmor.d/groups/_full/systemd-service
+++ /dev/null
@@ -1,72 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-via "Px -> systemd-service" exec transitions from the systemd profile.
-
-abi ,
-
-include
-
-profile systemd-service flags=(attach_disconnected) {
- include
- include
- include
-
- capability chown,
- capability fsetid,
-
- @{bin}/ldconfig rix,
- @{bin}/savelog rix,
- @{bin}/systemctl rix,
- @{bin}/gzip rix,
- @{coreutils_path} rix,
- @{sh_path} rmix,
-
- # ifup@.service
- @{bin}/ifup rPx,
-
- # shadow.service
- @{bin}/pwck rPx,
- @{bin}/grpck rPx,
-
- @{bin}/grub-editenv rPx,
- @{bin}/ibus-daemon rPx,
-
- @{bin}/* r,
- @{lib}/ r,
-
- /var/cache/ldconfig/{,**} rw,
-
- /boot/grub/grubenv rw,
- /boot/grub/ w,
-
- /var/log/ r,
- /var/log/dmesg rw,
- /var/log/dmesg.* rwl -> /var/log/dmesg,
-
- # man-db.service
- /usr/{,local/}share/man/{,**} r,
- /etc/manpath.config r,
- /var/cache/man/{,**} rwk,
-
- # snapd.system-shutdown.service
- @{run}/initramfs/shutdown rw,
- @{run}/initramfs/ rw,
-
- # cockpit.socket
- @{run}/cockpit/@{rand8} rw,
- @{run}/cockpit/motd w,
-
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 32228f21b..b3d751be1 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -11,14 +11,12 @@
 # Distributions and other programs can add rules in the usr/systemd-user.d directory
-# TODO: rework this to get a controlled environment. cf comments in systemd profile.
- abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd
-profile systemd-user flags=(attach_disconnected,mediate_deleted) {
+profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
 include
 include
 include
@@ -27,91 +25,61 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
- signal send set=(term, cont, kill),
- signal receive set=hup peer=@{p_systemd},
+ signal send,
- ptrace read peer=@{p_systemd},
+ ptrace read,
- unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
- unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+ unix type=dgram peer=(label=@{p_sdu}),
+
+ unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
+ unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
 #aa:dbus own bus=session name=org.freedesktop.systemd1
- @{exec_path} mr,
+ @{exec_path} mrix,
- @{bin}/** Px,
- @{lib}/** Px,
- /etc/cron.*/* Px,
- /opt/*/** Px,
- /usr/share/*/** Px,
+ # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
+ @{lib}/systemd/systemd-executor mPx -> sdu,
- # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
- @{lib}/systemd/systemd-executor ix,
-
- # Unit services using systemctl
- @{bin}/systemctl Cx -> systemctl,
-
- # Shell based ystemd unit services
- @{coreutils_path} Px -> systemd-user-service,
- @{sh_path} Px -> systemd-user-service,
-
- # Dbus needs to be started without environment scrubbing
- @{bin}/dbus-broker px -> dbus-session,
- @{bin}/dbus-broker-launch px -> dbus-session,
- @{bin}/dbus-daemon px -> dbus-session,
- @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
-
- # Audio profiles need to be stacked
- #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
- @{bin}/pipewire Px -> systemd-user//&pipewire,
- @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session,
- @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse,
- @{bin}/pulseaudio Px -> systemd-user//&pulseaudio,
- @{bin}/wireplumber Px -> systemd-user//&wireplumber,
-
- /usr/ r,
- /usr/share/defaults/**.conf r,
+ # Systemd user generators. Profiles must exist
+ @{lib}/systemd/user-environment-generators/* Px,
+ @{lib}/systemd/user-generators/* Px,
+ @{etc_ro}/environment r,
 /etc/systemd/user.conf r,
 /etc/systemd/user.conf.d/{,**} r,
 /etc/systemd/user/{,**} r,
- / r,
-
- owner @{HOME}/.local/ w,
- owner @{user_config_dirs}/systemd/user/{,**} rw,
- @{run}/systemd/users/@{uid} r,
 owner @{run}/user/@{uid}/ rw,
 owner @{run}/user/@{uid}/** rwkl,
 @{run}/mount/utab r,
 @{run}/systemd/notify w,
+ @{run}/systemd/oom/io.systemd.ManagedOOM rw,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+leds:*backlight* r,
- @{run}/udev/data/+module:configfs r,
- @{run}/udev/data/+module:fuse r,
- @{run}/udev/data/b254:@{int} r, # for /dev/zram*
+ @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev
 @{run}/udev/data/c4:@{int} r, # For TTY devices
 @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c116:@{int} r, # for ALSA
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
+ @{run}/udev/data/n@{int} r, # For network interfaces
 @{run}/udev/tags/systemd/ r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/**/uevent r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
- @{sys}/module/apparmor/parameters/enabled r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/comm r,
- @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/stat r,
 @{PROC}/cmdline r,
 @{PROC}/pressure/* r,
 @{PROC}/swaps r,
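Review bot: `signal send,` replaces `signal send set=(term, cont, kill),` and `signal receive set=hup peer=@{p_systemd},`, and `ptrace read,` replaces `ptrace read peer=@{p_systemd},`, so the only peer and signal-set scoping this profile had is gone in the same commit that puts it into complain mode. If the widening is driven by the new `sdu` executor, `signal send set=(term, cont, kill) peer=@{p_sdu},` alongside the old `@{p_systemd}` rules would preserve the intent; otherwise a comment saying why any signal to any peer is now required is warranted. The new `unix type=dgram peer=(label=@{p_sdu}),` shows the scoped form is still in use, which makes the unscoped signal and ptrace rules stand out.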
@@ -120,27 +88,25 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/sys/kernel/overflowgid r,
 @{PROC}/sys/kernel/overflowuid r,
 @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/random/boot_id r,
 @{PROC}/sys/kernel/threads-max r,
- owner @{PROC}/@{pid}/coredump_filter r,
+ owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/gid_map r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/uid_map r,
 owner @{PROC}/@{pids}/fd/ r,
- owner @{PROC}/@{pids}/oom_score_adj rw,
- /dev/tty rw,
-
- profile systemctl {
- include
- include
-
- include if exists
- include if exists
- }
+ deny capability bpf,
+ deny capability dac_override,
+ deny capability dac_read_search,
+ deny capability mknod,
+ deny capability net_admin,
+ deny capability perfmon,
+ deny capability sys_admin,
+ deny capability sys_boot,
+ deny capability sys_resource,
 include if exists
 include if exists
diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service
deleted file mode 100644
index d65846f82..000000000
--- a/apparmor.d/groups/_full/systemd-user-service
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
-
-abi ,
-
-include
-
-profile systemd-user-service flags=(complain) {
- include
- include
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
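Review bot: The nine `deny capability ...` rules deserve a comment explaining their role, because AppArmor still enforces explicit `deny` rules when a profile is in complain mode, and this commit switches `systemd-user` to `complain`; they are therefore the only lines in the profile that actually block anything right now. By default a `deny` match is also not audited, so if `systemd --user` does turn out to need one of these (for instance `sys_resource` when raising limits for a user unit) the failure will be silent while everything else is logged. `audit deny capability sys_resource,` (and likewise for the others) during the rework, together with a comment such as `# Enforced even in complain mode: systemd --user must never need these`, would make the denials both documented and visible.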
diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
index f0145d670..0471cd8f4 100644
--- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
@@ -15,7 +15,7 @@ profile akonadi_akonotes_resource @{exec_path} {
 @{exec_path} mr,
- owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r,
+ owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource
index c3e5dc716..58c7443fc 100644
--- a/apparmor.d/groups/akonadi/akonadi_contacts_resource
+++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource
@@ -17,7 +17,7 @@ profile akonadi_contacts_resource @{exec_path} {
 /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
- owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r,
+ owner @{user_config_dirs}/akonadi_contacts_resource_@{int}rc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index 5f37f797c..2a5c95729 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -15,9 +15,9 @@ profile akonadi_ical_resource @{exec_path} {
 @{exec_path} mr,
- owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl,
+ owner @{user_cache_dirs}/akonadi_ical_resource_@{int}/{,*} rwl,
- owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl,
+ owner @{user_config_dirs}/akonadi_ical_resource_@{int}rc rwl,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index fc518e4f7..be9621437 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource @@ -19,11 +19,11 @@ profile akonadi_maildir_resource @{exec_path} { owner @{user_mail_dirs}/{,**} rw, - owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, + owner @{user_config_dirs}/akonadi_maildir_resource_@{int}rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_share_dirs}/akonadi_maildir_resource_[0-9]/{,**} rw, + owner @{user_share_dirs}/akonadi_maildir_resource_@{int}/{,**} rw, owner @{user_share_dirs}/akonadi/{,**} rwk, owner @{user_share_dirs}/local-mail*/{,**} rw, diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/groups/apparmor/aa-enabled similarity index 100% rename from apparmor.d/profiles-a-f/aa-enabled rename to apparmor.d/groups/apparmor/aa-enabled diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce similarity index 79% rename from apparmor.d/profiles-a-f/aa-enforce rename to apparmor.d/groups/apparmor/aa-enforce index da4d63460..1f8368045 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable +@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -16,8 +16,8 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, - @{bin}/apparmor_parser rPx, + @{sbin}/ r, + @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, 
@@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/groups/apparmor/aa-log similarity index 56% rename from apparmor.d/profiles-a-f/aa-log rename to apparmor.d/groups/apparmor/aa-log index 39c42d435..1a3e0aeff 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -16,21 +16,32 @@ profile aa-log @{exec_path} { @{exec_path} mr, - @{bin}/journalctl rix, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, + @{bin}/journalctl rCx -> journalctl, /var/log/audit/* r, /var/log/syslog* r, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/tty@{int} rw, + profile journalctl { + include + include + + capability sys_resource, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{PROC}/sys/kernel/random/boot_id r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify new file mode 100644 index 000000000..07706d052 --- /dev/null +++ b/apparmor.d/groups/apparmor/aa-notify 
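Review bot: The new `journalctl` child profile in aa-log grants `capability sys_resource` with nothing recording why a log reader needs it, while the rest of this commit annotates non-obvious rules (e.g. `# To handle the _apt user` above the setgid/setuid pair in apt-methods-sqv, `# file_inherit` on the netlink deny in apparmor_parser). A one-line comment such as `capability sys_resource, # presumably journalctl raising its own rlimits — confirm` would let the next reviewer verify the grant instead of accepting it. If it turns out to be unneeded, dropping it reduces the child to read-only access on the journal and machine-id paths it lists.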
@@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/aa-notify +profile aa-notify @{exec_path} { + include + include + include + include + include + include + include + + capability setgid, + capability setuid, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/gtk-launch ix, + @{bin}/pkexec Cx -> pkexec, + @{bin}/xdg-mime Px, + @{open_path} Cx -> open, + + @{bin}/ r, + + /usr/share/apparmor/** r, + /usr/share/terminfo/** r, + + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + /etc/apparmor.d/{,**} r, + /etc/apparmor/*.conf r, + + /var/log/audit/audit.log r, + + owner @{HOME}/.inputrc r, + owner @{HOME}/.terminfo/@{int}/dumb r, + + owner @{tmp}/@{word8} rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + + profile open { + include + include + + @{editor_ui_path} rPx -> aa-notify//editor, + + include if exists + } + + profile editor { + include + include + include + include + include + + @{editor_ui_path} rix, + @{open_path} rPx -> child-open-help, + + /etc/apparmor.d/{,**} r, + + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, + + owner @{PROC}/@{pid}/mountinfo r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + + profile pkexec { + include + include + include + + ptrace read peer=aa-notify, + + @{sbin}/apparmor_parser Px, + @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, + + /usr/share/apparmor/** r, + /usr/share/terminfo/** r, + + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + + /etc/apparmor.d/ r, + /etc/apparmor.d/** rw, + /etc/apparmor/* r, + + @{PROC}/@{pid}/mounts r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
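Review bot: The top-level `ptrace read,` in the new aa-notify profile is unscoped, and together with `capability sys_ptrace,` it lets the tool inspect every process on the host; by contrast the `pkexec` child profile further down limits itself to `ptrace read peer=aa-notify,`. The `@{PROC}/@{pid}/stat r` and `@{PROC}/@{pid}/cmdline r` rules suggest the unscoped read is deliberate (presumably to resolve pids taken from `/var/log/audit/audit.log`), but that intent is not written down. A comment on the rule, e.g. `ptrace read, # read /proc/<pid>/{stat,cmdline} of processes named in the audit log — confirm`, or a narrower peer set if one exists, would make the grant reviewable.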
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/groups/apparmor/aa-status similarity index 81% rename from apparmor.d/profiles-a-f/aa-status rename to apparmor.d/groups/apparmor/aa-status index a48dc693c..9badb78c1 100644 --- a/apparmor.d/profiles-a-f/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status +@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status profile aa-status @{exec_path} { include include @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown similarity index 93% rename from apparmor.d/profiles-a-f/aa-teardown rename to apparmor.d/groups/apparmor/aa-teardown index b625ad8c6..059766181 100644 --- a/apparmor.d/profiles-a-f/aa-teardown +++ b/apparmor.d/groups/apparmor/aa-teardown @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-teardown +@{exec_path} = @{sbin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined similarity index 88% rename from apparmor.d/profiles-a-f/aa-unconfined rename to apparmor.d/groups/apparmor/aa-unconfined index 08c401270..7308a5ef0 100644 --- a/apparmor.d/profiles-a-f/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-unconfined +@{exec_path} = @{sbin}/aa-unconfined profile aa-unconfined @{exec_path} flags=(attach_disconnected) { include include @@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/netstat Px, - @{bin}/ss Px, + @{sbin}/ss Px, /usr/share/terminfo/** r, 
@@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd similarity index 76% rename from apparmor.d/profiles-a-f/apparmor.systemd rename to apparmor.d/groups/apparmor/apparmor.systemd index 75394f5de..f58512a02 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} flags=(complain) { +profile apparmor.systemd @{exec_path} { include include include @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/aa-status rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/aa-status rPx, + @{sbin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser similarity index 83% rename from apparmor.d/profiles-a-f/apparmor_parser rename to apparmor.d/groups/apparmor/apparmor_parser index b2c181042..a5769931c 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser 
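Review bot: Dropping `flags=(complain)` from apparmor.systemd turns every rule gap into a hard denial inside the unit that loads policy at boot, and the new `sysctl` child profile permits exactly one read, `@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r`. If the script ever queries another key through `sysctl`, that call is now denied rather than logged, so the narrowing is worth checking against the current apparmor.systemd script before enforcing. A short comment on the child, e.g. `# only the userns restriction is queried at boot`, would record the assumption the child profile relies on.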
@@ -6,9 +6,9 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} -@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include @@ -17,6 +17,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, @@ -45,6 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 19f187cc3..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,13 +7,12 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include - include include include include 
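Review bot: `@{lib_dirs}/@{multiarch}/** mr,` in apparmor_parser grants map-executable on every file under the multiarch library directory of the host and of the `/snap/{snapd,core}/…` trees, not only on shared objects; `@{lib_dirs}/@{multiarch}/{,**/}*.so* mr,` would cover the libraries the snap-shipped parser links against while excluding anything else placed in that tree, assuming no non-`.so` file needs mapping. Separately, the `# FIXME: WTF you thing you are doing mullvad?` comment on the new `/opt/Mullvad*/resources/apparmor_mullvad r,` rule does not tell a reader what the problem is; a wording such as `# FIXME: Mullvad has the parser read a profile from /opt instead of /etc/apparmor.d` states the actual concern.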
@@ -34,16 +33,24 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex16}/bus/apt/system, + unix bind type=stream addr=@@{udbus}/bus/apt-get/system, + unix bind type=stream addr=@@{udbus}/bus/apt/system, + + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), #aa:dbus own bus=system name=org.debian.apt - dbus send bus=system path=/org/freedesktop/DBus/Bus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.PackageKit + member=StateHasChanged + peer=(name=org.freedesktop.PackageKit), dbus send bus=system interface=org.freedesktop.DBus.Introspectable @@ -51,15 +58,16 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, + @{python_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
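Review bot: `unix type=stream peer=(label=@{p_snap}),` in the apt profile lists no access set, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive, …) toward the snap label, while the neighbouring rules are limited to `(send, receive)`; unless apt genuinely creates or accepts sockets on snap's behalf, `unix (send, receive) type=stream peer=(label=@{p_snap}),` is the matching grant. The two explicit `dbus send … peer=(name=org.freedesktop.PackageKit)` rules carry no `label=`, although the `#aa:dbus talk … label=packagekitd` directive right above them names one; adding `label=@{p_packagekitd}` to those peers (the variable this commit uses for the same label in the apt-methods-* profiles) ensures the rule only matches when the name is held by the confined PackageKit daemon.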
@@ -72,14 +80,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, @@ -128,6 +137,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, + + @{efi}/ r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @@ -135,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -161,18 +174,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, @@ -186,10 +188,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { include @{bin}/dpkg-source mr, - @{bin}/perl r, @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, 
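Review bot: The new `/tmp/apt-tmp-index.@{rand6} rw,` in apt is written with a literal `/tmp/` and without `owner`, whereas the `owner @{tmp}/apt-changelog-*/…` and `owner @{tmp}/apt-dpkg-install-*/…` rules immediately below use `owner @{tmp}/…`. If the index file is created and consumed by the same uid, `owner @{tmp}/apt-tmp-index.@{rand6} rw,` keeps apt from opening a same-named file belonging to another user; if it is handed between root and `_apt`, a comment saying so would justify the wider form.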
@@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe449..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c7..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b037..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 2e41b10bf..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,11 +7,11 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 7ee51cfed..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file 
@@ -10,11 +10,10 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, - @{bin}/perl r, @{bin}/fgrep rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95b..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 403573a9d..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{sh_path} rix, @{bin}/logname rix, @@ -34,7 +34,7 @@ profile apt-listbugs @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, + /usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, 
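Review bot: `/usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r,` in apt-listbugs relies on a `@{d}` tunable that appears nowhere else in this commit, whereas the equivalent `[0-9]` replacements in the same file (`@{bin}/ruby@{int}.@{int}`) and in the akonadi and aptitude hunks use `@{int}`; confirm `@{d}` is defined in the project's tunables, since an undefined variable makes the parser reject the profile. If a single digit per component was intended, that deserves a comment because the rest of the commit widened such patterns; otherwise `@{int}.@{int}.@{int}` follows the convention used elsewhere.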
diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index 6a261aab9..d7089b76a 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -14,7 +14,7 @@ profile apt-listbugs-migratepins @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 4e0fea86f..7dc4ea09e 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -14,7 +14,7 @@ profile apt-listbugs-prefclean @{exec_path} { include @{exec_path} r, - @{bin}/ruby[0-9].@{int} rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/date rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 89cf63067..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,10 +14,10 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, 
@@ -50,51 +50,17 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which{,.debianutils} rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c30..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom 
@@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf80..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 6d3e9d408..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,18 +20,19 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, @{lib}/apt/apt-helper rix, - /etc/apt/apt.conf.d/{,*} r, + /etc/apt/apt-mirrors.txt r, /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea1..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp 
+++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 4b2a15773..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,11 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, @@ -84,6 +85,7 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, + owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0638120ba..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include 
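Review bot: `flags=(attach_disconnected)` is added to apt-methods-http without a note on which disconnected path triggers it; the flag makes files reached through paths not attached to the namespace root match rules as if they were rooted at `/`, which is a relaxation the commit otherwise carries only on profiles that already had it (apparmor_parser, apt). A comment on the profile line, e.g. `# attach_disconnected: needed for … — confirm`, naming the denial it silences, would document the trade-off. The rest of the profile's rules lie outside this hunk.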
@@ -23,14 +23,16 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), @@ -69,7 +71,10 @@ profile apt-methods-http @{exec_path} { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + + @{run}/systemd/resolve/io.systemd.Resolve rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 5acecd67a..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,14 +20,15 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, + /etc/apt/apt-mirrors.txt r, /etc/apt/mirrors/* r, # For shell pwd 
diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efc..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..0dcd7da0d --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv 
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 4c414f07c..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,11 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } 
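Review bot: The new apt-methods-sqv profile names its PackageKit peer literally, `signal receive set=int peer=packagekitd,`, while every sibling method updated in this commit (apt-methods-file, gpgv, http, mirror, rred, store) switched to `peer=@{p_packagekitd}`; the literal form stops matching as soon as that variable resolves to a different label. Likewise the four `owner /tmp/apt.*.@{rand6} rw,` rules hard-code `/tmp/` where apt-methods-gpgv writes `owner @{tmp}/apt.@{rand6}.gpg rw,`. The sibling methods also accept signals from `apt-get`, `aptitude`, `synaptic` and `role_*`; if those front-ends can spawn the sqv method too, the same list applies here, otherwise a comment explaining why only `apt` and PackageKit are listed would help.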
diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 7885afca4..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,12 +10,11 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include + include include include - include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876e..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 972123a06..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, 
@@ -112,8 +112,8 @@ profile aptitude @{exec_path} flags=(complain) { owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, @@ -169,20 +169,10 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - - @{bin}/which{,.debianutils} rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 91a47110a..cde501bd5 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -13,7 +13,6 @@ profile aptitude-changelog-parser @{exec_path} { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325f..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index e6c0fdee6..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found 
@@ -12,20 +12,21 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include + capability dac_read_search, + @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/snap rPUx, - - @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{bin}/lsb_release rPx, + @{bin}/snap rPx, @{lib}/ r, + @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w, /usr/share/command-not-found/{,**} r, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper new file mode 100644 index 000000000..d6e89f9a0 --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-helper +profile deb-systemd-helper @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, + + /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, + /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, + + profile systemctl { + include + include + + capability net_admin, + + /etc/ r, + /etc/systemd/ r, + /etc/systemd/system/ r, + /etc/systemd/system/* rw, + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + /etc/systemd/user/ r, + /etc/systemd/user/*.wants/ rw, + /etc/systemd/user/*.wants/* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke new file mode 100644 index 000000000..824d3b4dd --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-invoke 
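Review bot: The new `capability dac_read_search,` in command-not-found carries no comment saying which read triggered it, and it lifts DAC read/search checks on every path the profile's file rules already allow, so a later reviewer cannot tell whether it is still needed. A one-line note such as `# dac_read_search: TODO record the denied read that required this` keeps it auditable; debsums in this same commit drops the equivalent comment rather than adding one. The tightening of `@{bin}/snap` from `rPUx` to `rPx` is the right direction, since `PUx` would have run snap unconfined whenever its profile is absent.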
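Review bot: The new deb-systemd-helper profile grants `/etc/systemd/system/{,**} rw,` and `/etc/systemd/user/{,**} rw,`, i.e. write access to every unit file on the system, while its own `systemctl` child is limited to the unit files and `*.wants/` directories it enumerates. Write access to arbitrary unit files amounts to deciding what runs as root at boot, so if deb-systemd-helper only touches unit symlinks, `*.wants/` entries and its `/var/lib/systemd/deb-systemd-helper-*` state, the parent rules could be narrowed to the same shape as the child's (`/etc/systemd/system/* rw,`, `/etc/systemd/system/*.wants/{,*} rw,` and the `user/` equivalents). If the recursive form is deliberate, it should carry a `#aa:lint ignore=too-wide` line as dpkg-divert's `/etc/** rw,` does in this commit, plus a comment naming the operation that needs it.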
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-invoke +profile deb-systemd-invoke @{exec_path} { + include + include + include + + capability net_admin, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/systemctl rix, #aa:lint ignore=transition + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 4ddcca5ca..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,45 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape 
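Review bot: `@{bin}/systemctl rix, #aa:lint ignore=transition` runs systemctl inside deb-systemd-invoke's own profile, so `capability net_admin,`, `capability sys_resource,`, `ptrace read peer=@{p_systemd},` and the signal rule are granted to the wrapper script itself rather than only to systemctl. deb-systemd-helper in the same commit confines systemctl in a `systemctl` child entered with `rCx -> systemctl`, and dpkg-scripts does the same with `Cx -> systemctl`; doing likewise here keeps the privileged rules out of the shell-script scope and removes the need for the lint suppression. The sketch below moves the systemctl-specific rules into such a child; its abstraction includes should mirror those of deb-systemd-helper's systemctl child.
```apparmor
  @{exec_path} mr,

  @{sh_path} rix,
  @{bin}/systemctl Cx -> systemctl,

  profile systemctl {
    # … same abstraction includes as deb-systemd-helper's systemctl child …

    capability net_admin,
    capability sys_resource,

    ptrace read peer=@{p_systemd},

    signal send set=(cont term) peer=systemd-tty-ask-password-agent,

    @{bin}/systemctl mr,
    @{bin}/systemd-tty-ask-password-agent Px,

    # … local include, as in the other child profiles of this commit …
  }
```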
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..0a7706fe1 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend 
@@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{bin}/hostname ix, + @{bin}/lsb_release Px, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # Debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /etc/libpaper.d/texlive-base rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index b00cecd1b..ed9cf9094 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -14,7 +14,6 @@ profile debconf-show @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{bin}/locale rix, 
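Review bot: `/etc/shadow r,` and `capability dac_read_search,` are carried into the new debconf-frontend profile without a comment explaining why a debconf frontend needs to read the shadow file; the child profile removed from debconf-apt-progress did not document it either, so this is the moment to record it (e.g. `# /etc/shadow: TODO record which debconf module or maintainer script reads it`). The two maintainer-script transitions are also written differently: `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px,` relies on path attachment while `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts,` names the target; since both are meant to land in dpkg-scripts, `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px -> dpkg-scripts,` makes that explicit. Minor: `# DKMS scipts` should read `# DKMS scripts`.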
diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ee29b4923..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 68d0d4184..635076069 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include + include @{exec_path} r, @@ -27,7 +28,6 @@ profile debsign @{exec_path} { @{bin}/md5sum rix, @{bin}/mktemp rix, @{bin}/mv rix, - @{bin}/perl rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/sha{1,256,512}sum rix, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac152..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, 
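Review bot: The debsums hunk deletes the why-comment `# Needed to read files owned by other users than root.` but keeps the `capability dac_read_search,` it explained, leaving the capability undocumented. The comment should be restored directly above the capability line, as it is the only record of why a checksum tool needs to bypass DAC read checks. The profile body begins before and continues after this hunk.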
@@ -45,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 8bda4efff..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index dd87414bf..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg 
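Review bot: `/boot/{,**} r,` becomes `@{efi}/{,**} r,`, which only preserves coverage if `@{efi}` expands to `/boot/` itself and not just the EFI system partition mount points; the variable's definition is not in this diff, so please confirm. If it covers only the ESP, debsums loses read access to the `/boot/vmlinuz-*`, `/boot/initrd.img-*` and `/boot/config-*` files that kernel packages ship, and the dpkg hunk further down (`@{efi}/** rwl -> @{efi}/**,` replacing `/boot/** rwl -> /boot/**,`) would leave dpkg unable to unpack kernel packages into `/boot`. A comment on the `@{efi}` definition stating that it includes `/boot/` would settle this for both profiles.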
@@ -18,46 +18,39 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/rm rix, + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rPx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - # Move it to a child profile once more transitions will be available - /var/lib/dpkg/info/*.{config,templates} rPUx, - /var/lib/dpkg/info/*.{preinst,postinst} rPUx, - /var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/{config,templates} rPUx, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, 
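Review bot: `@{bin}/dpkg-split rPx,` becomes `@{bin}/dpkg-split px,`, which besides dropping `r` switches from environment-scrubbing `P` to non-scrubbing `p`, so LD_PRELOAD and similar variables now survive the transition; dpkg-deb and dpkg-query were already `p`, but this line is a behavior change that the hunk's other `rPx`→`Px` edits do not imply. If the intent is the fakeroot/LD_PRELOAD case that debsums documents for dpkg-query, add the same comment above the three `px` lines; otherwise keep `Px`. The new `capability sys_ptrace,` and `ptrace read peer=apt,` also deserve a one-line comment naming what dpkg reads from apt's process (presumably a `/proc/@{pid}/` entry of the frontend holding the lock — to be confirmed). The profile body begins before and continues after this hunk.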
diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a58257271..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index e7558acdf..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -13,12 +13,14 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index e7542aadd..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps 
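Review bot: `audit owner @{tmp}/* rw,` in the second dpkg-architecture hunk adds the `audit` qualifier to a rule that previously carried only the `# file_inherit` comment, so every temp-file access by dpkg-architecture will now be written to the audit log on every build. If this is a diagnostic to identify which file is inherited, it should not ship in the profile, or it needs a comment saying so and when it is to be removed; the `# file_inherit` explanation should be restored either way. Suggested: `# file_inherit` followed by `owner @{tmp}/* rw,`. The profile body begins before and continues after this hunk.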
@@ -10,18 +10,22 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include @{exec_path} r, - @{bin}/perl r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..8e99e70c5 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c..e2d386804 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 4e22ecf19..b9853ca32 100644 
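Review bot: `@{bin}/@{multiarch}gcc-@{int} mrix,` in dpkg-checkbuilddeps uses a different compiler pattern from the one dpkg-architecture adopts in this same commit, `@{bin}/{,@{multiarch}-}gcc-[0-9]* ix,`; the new one has no optional-empty alternative, so the plain `gcc-13` name only matches if `@{multiarch}` itself can expand to something empty (its definition is not in the diff, so please confirm). Aligning on `@{bin}/{,@{multiarch}-}gcc-@{int} ix,` in both profiles keeps them in step and drops the `m` flag, which dpkg-architecture does not grant. The profile body begins before and continues after this hunk.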
--- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -17,7 +17,6 @@ profile dpkg-genbuildinfo @{exec_path} { @{exec_path} r, - @{bin}/perl r, /usr/local/bin/ r, /usr/local/etc/ r, /usr/local/include/ r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 73be1b913..7c7ad1681 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -14,7 +14,6 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper new file mode 100644 index 000000000..aa9232c73 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-maintscript-helper +profile dpkg-maintscript-helper @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, + + /usr/share/dpkg/sh/* r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index cf957ab4f..2e32af979 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
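Review bot: The new dpkg-maintscript-helper profile defines its own `dpkg` child (`@{bin}/dpkg rCx -> dpkg,`) with `capability dac_read_search,` and a dpkg-query transition, whereas the other profiles touched in this commit send dpkg to the shared profile with `Px -> child-dpkg` (dpkg-scripts, debsums, dpkg-architecture). Unless child-dpkg lacks something this helper needs, `@{bin}/dpkg Px -> child-dpkg,` would drop the duplicated rules and keep dpkg's confinement defined in one place; if a bespoke child is required, a comment above it stating why would stop the next reviewer from folding it back.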
@@ -7,43 +7,60 @@ abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include - include include + include + include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, + @{bin}/which{,.debianutils} rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, + /usr/share/dictionaries-common/{,*} r, + /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, + /etc/default/mdadm r, /etc/inputrc r, + /etc/locale.gen r, + /etc/mdadm/mdadm.conf r, /etc/shadow r, + /etc/ssh/sshd_config r, + /etc/X11/Xwrapper.config r, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, + /var/lib/locales/supported.d/{,*} r, + + /var/cache/debconf/tmp.ci/ w, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, 
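Review bot: The new `/var/cache/debconf/tmp.ci/ w,` is the only debconf-cache rule in dpkg-preconfigure without the `owner` qualifier: the neighbouring `owner /var/cache/debconf/ rw,` and the `owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,` family in the next hunk all carry it. `owner /var/cache/debconf/tmp.ci/ w,` keeps the directory rule consistent with the files created inside it. The move of `@{exec_path}` to `@{sbin}/dpkg-preconfigure` matches the aptitude, synaptic and unattended-upgrade callers updated in this commit, so attachment stays consistent. The profile body continues after this hunk.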
@@ -53,24 +70,17 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, + owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 000000000..2434c9db9 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts 
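Review bot: `owner @{tmp}/*.config.* rwPUx,` (moved here from earlier in the profile) grants write and exec-with-unconfined-fallback on the same temporary path, so dpkg-preconfigure writes a config script and then runs it unconfined unless a profile is attached to `@{tmp}/*.config.*`, and nothing in this diff attaches one. Now that a `dpkg-scripts` profile exists for maintainer code, `owner @{tmp}/*.config.* rwPx -> dpkg-scripts,` together with a matching read/exec rule for that path inside dpkg-scripts would keep these config scripts confined; if the unconfined fallback is intentional, a comment saying so would keep it from being read as an oversight. The profile body begins before this hunk.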
@@ -0,0 +1,188 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{python_path} rix, + @{bin}/run-parts rix, + + @{bin}/envsubst ix, + @{bin}/file ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/setpriv ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + #aa:lint ignore=too-wide + # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. 
+ @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + #aa:lint ignore=too-wide + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, + @{lib}/ r, + @{lib}/** wl -> @{lib}/**, + /opt/*/** rw, + + #aa:lint ignore=too-wide + /etc/ r, + /etc/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/fmtutil.@{rand8} rw, + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + + profile bus { + include + include + include + + capability dac_read_search, + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + include + include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + 
@{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 000000000..804e1675b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + include + include + + @{exec_path} mr, + + /var/lib/dpkg/statoverride r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index aee717257..70d2199f2 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 5c46246a2..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, 
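Review bot: The `/tmp/fmtutil.@{rand8} rw,` … `/tmp/updateppds.@{rand6} rw,` group in dpkg-scripts uses the literal `/tmp/` prefix and no `owner` qualifier, while the rest of the commit writes the same files as `owner @{tmp}/tmp.@{rand10} rw,` and `owner @{tmp}/updateppds.@{rand6} rw,` (debconf-frontend); switching to `owner @{tmp}/…` keeps the profiles in step and prevents a root maintainer script from being steered into a file another user pre-created under /tmp. Separately, the `#aa:lint ignore=too-wide` exec group (`/etc/** PUx,`, `/usr/share/** PUx,`, `@{lib}/** PUx,`) sits next to `/etc/** rw,`, `/usr/share/*/{,**} rw,` and `@{lib}/** wl -> @{lib}/**,`, so the profile can write a file and then execute it unconfined wherever no profile is attached; the comment says PU is only a fallback, but a header comment stating that this profile is a containment boundary for arbitrary package maintainer code rather than a least-privilege policy would set expectations for readers and for any later tightening. The hunk is the entire new file.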
@@ -26,12 +26,12 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{open_path} rPx -> child-open-browsers, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 8681e46d8..a6584a23d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include @@ -28,9 +28,9 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, @@ -40,14 +40,14 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open @@ -57,12 +57,12 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/python3/dist-packages/pylocales/locales.db rk, + @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 4189c7170..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
@@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include @@ -45,9 +45,9 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, @@ -77,8 +77,8 @@ profile synaptic @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/cache/apt-xapian-index/index.[0-9]/*.glass r, - /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/cache/apt-xapian-index/index.@{int}/*.glass r, + /var/cache/apt-xapian-index/index.@{int}/iamglass r, /var/lib/apt-xapian-index/index r, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index e4f6b61ea..d2da77bc3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include include + include include capability chown, 
@@ -29,43 +30,57 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, - unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, - @{bin}/python3.@{int} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, + @{python_path} rix, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, - @{bin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, + @{bin}/dpkg Px, + @{bin}/dpkg-deb px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, + @{etc_ro}/login.defs r, + @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, 
/etc/grub.d/* r, @@ -79,14 +94,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, + /etc/ssh/moduli r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, @@ -97,8 +118,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, @@ -107,6 +127,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-dpkg-install-*/{,*} rw, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include 
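Review bot: `/etc/ssh/moduli r,`, `@{etc_ro}/ssh/sshd_config r,` and `@{etc_ro}/ssh/sshd_config.d/{,*} r,` in the second unattended-upgrade hunk give an update daemon read access to the SSH server configuration with no comment on which code path needs it; if these accesses come from maintainer scripts or other children inherited under `ix` rather than from unattended-upgrade itself, they belong in the new dpkg-scripts profile rather than here. A one-line comment above the group naming the trigger (e.g. `# read by <caller> — TODO confirm`) would let the rules be re-evaluated later. The same question applies to `/var/lib/dpkg/info/{,*} r,` added just below. The profile body begins before and continues after this hunk.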
@@ -17,10 +18,13 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 15af33d88..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,17 +10,21 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include - include + include + include include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse 
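Review bot: `@{lib}/@{python_name}/**/__pycache__/**.pyc w,` (with its directory and `.pyc.@{u64}` companions) lets this root process write bytecode caches for every module under the system Python tree, not just its own; write access to a module's `__pycache__` is the ability to plant code that any later Python process importing that module will run, so the rule should be scoped to the packages the script actually imports, the way command-not-found in this commit limits it to `dist-packages/CommandNotFound/{,**/}__pycache__/`. Something like `@{lib}/@{python_name}/dist-packages/<MODULE>/{,**/}__pycache__/*.pyc{,.@{u64}} w,` per imported package (MODULE to be filled in from the denial logs) would do. The two profiles also disagree on the temp-suffix variable (`@{u64}` here, `@{int}@{int}` in command-not-found); one spelling should be picked. The profile body begins before and continues after this hunk.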
@@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label=avahi-daemon), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/groups/bluetooth/blueman similarity index 100% rename from apparmor.d/profiles-a-f/blueman rename to apparmor.d/groups/bluetooth/blueman 
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism similarity index 87% rename from apparmor.d/profiles-a-f/blueman-mechanism rename to apparmor.d/groups/bluetooth/blueman-mechanism index aae5d53cd..9b4800210 100644 --- a/apparmor.d/profiles-a-f/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -10,6 +10,8 @@ include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include + include + include include include @@ -35,9 +37,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher similarity index 86% rename from apparmor.d/profiles-a-f/blueman-rfcomm-watcher rename to apparmor.d/groups/bluetooth/blueman-rfcomm-watcher index 516f14bdd..2d52a6e01 100644 --- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher +++ b/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/groups/bluetooth/bluemoon similarity index 100% rename from apparmor.d/profiles-a-f/bluemoon rename to apparmor.d/groups/bluetooth/bluemoon 
diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl similarity index 75% rename from apparmor.d/profiles-a-f/bluetoothctl rename to apparmor.d/groups/bluetooth/bluetoothctl index 01565b4ff..0b075581b 100644 --- a/apparmor.d/profiles-a-f/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -10,9 +10,17 @@ include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include + include + include + + network bluetooth raw, + + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, + /usr/share/terminfo/** r, + /etc/inputrc r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd similarity index 75% rename from apparmor.d/profiles-a-f/bluetoothd rename to apparmor.d/groups/bluetooth/bluetoothd index ee7efdcfd..12c8e2e80 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -25,20 +26,15 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus receive bus=system path=/ + dbus send bus=system path=/{,MediaEndpoint} interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), - - dbus send bus=system path=/MediaEndpoint - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=pulseaudio), + peer=(name=@{busname}), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), + member={InterfacesRemoved,InterfacesAdded} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, 
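Review bot: The rewritten `GetManagedObjects` rule drops the explicit label list (`brave`, `NetworkManager`, `pulseaudio`, `upowerd`) and the `InterfacesRemoved`/`InterfacesAdded` rule drops its label as well, so any bus peer now matches. For a daemon that owns `org.bluez` this is a defensible choice, but it is a widening rather than a refactor, and the direction also flipped from `receive` to `send`; a one-line comment such as `# Any client may enumerate bluez objects; the receive side is covered by the own rule above` would record the intent. Please confirm the old receive-side rule really is subsumed by the `#aa:dbus own` directive rather than silently lost.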
@@ -50,7 +46,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, @@ -61,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/groups/bluetooth/obex-folder-listing similarity index 100% rename from apparmor.d/profiles-m-r/obex-folder-listing rename to apparmor.d/groups/bluetooth/obex-folder-listing diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/groups/bluetooth/obexautofs similarity index 87% rename from apparmor.d/profiles-m-r/obexautofs rename to apparmor.d/groups/bluetooth/obexautofs index e50fadddf..980349086 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/groups/bluetooth/obexautofs @@ -36,20 +36,13 @@ profile obexautofs @{exec_path} { profile fusermount { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/groups/bluetooth/obexctl similarity index 100% rename from apparmor.d/profiles-m-r/obexctl rename to apparmor.d/groups/bluetooth/obexctl diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/groups/bluetooth/obexd similarity index 74% rename from apparmor.d/profiles-m-r/obexd rename to apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..3ea17a4e5 100644 --- a/apparmor.d/profiles-m-r/obexd 
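Review bot: The `fusermount` child profile loses `capability sys_admin`, `@{bin}/fusermount{,3} mr`, `/etc/fuse.conf r` and `/dev/fuse rw` while keeping its `mount` rules and gaining `umount` rules; mount(2) is still gated on CAP_SYS_ADMIN, so these must now come from the new include whose name this dump does not show. If that include is a shared fusermount abstraction, fine; if not, the mounts will be denied on the capability check before the mount rule is ever consulted. The same applies to the `obexfs` `fusermount` child in the next file. The new `umount @{HOME}/*/` rules are a genuine addition and would deserve a short comment on why unmounting is now needed from this child.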
+++ b/apparmor.d/groups/bluetooth/obexd @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, @@ -22,7 +23,12 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @@ -31,6 +37,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/groups/bluetooth/obexfs similarity index 82% rename from apparmor.d/profiles-m-r/obexfs rename to apparmor.d/groups/bluetooth/obexfs index 5a9d0dfbf..e486349d3 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/groups/bluetooth/obexfs @@ -27,26 +27,17 @@ profile obexfs @{exec_path} { /dev/fuse rw, - profile fusermount { include - include - - # To mount anything: - capability sys_admin, + include network bluetooth stream, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - /dev/fuse rw, - mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, include if exists } diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/groups/bluetooth/obexpush-atd similarity index 100% rename from apparmor.d/profiles-m-r/obexpush-atd rename to apparmor.d/groups/bluetooth/obexpush-atd diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/groups/bluetooth/obexpushd similarity index 100% rename from apparmor.d/profiles-m-r/obexpushd rename to apparmor.d/groups/bluetooth/obexpushd 
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58..4c38e0ce5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index 98ebf5b62..f32af44ca 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/chromium/chrome-sandbox -profile chromium-sandbox @{exec_path} { +profile chromium-sandbox @{exec_path} flags=(attach_disconnected) { include capability dac_override, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index dea35ae1a..d29dcc630 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 98f21f472..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
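Review bot: The `unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler)` rule is commented out rather than removed, with no note on why, while the `signal receive` rule for the same stacked peer is kept. Commented-out rules in a profile tend to rot and leave the next reader unsure whether the crash-handler socket is still expected; either delete the line or annotate it, e.g. `# unix … — crashpad socket not observed with the stacked label; re-enable if aa-log reports it`. The added `flags=(attach_disconnected)` on the main browser profile would also benefit from a word on which disconnected path triggered it.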
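Review bot: `flags=(attach_disconnected)` is added to `chromium-sandbox`, the setuid sandbox helper that also holds `capability dac_override`, and the hunk gives no hint of which disconnected path needed it. Since the flag makes paths from a detached mount namespace match as if rooted at `/`, I'd add `# attach_disconnected: <path observed in aa-log> — confirm` above the profile line, or drop the flag if it was added for consistency with the browser profiles only.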
@@ -19,6 +20,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -28,39 +30,28 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{exec_path} mr, @{open_path} rPx -> child-open, @{bin}/bwrap rix, - @{bin}/xdg-dbus-proxy rix, - @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, /usr/share/enchant*/{,**} r, - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, + owner @{HOME}/.ephy-download-@{rand6} rw, + owner @{HOME}/.ephy-web-app-icon-@{rand6} rw, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, @@ -71,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 27eb0d54d..f9ba190a3 100644 --- a/apparmor.d/groups/browsers/firefox 
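Review bot: `@{bin}/bwrap rix` keeps bwrap inside this profile while the rules its sandbox setup used — the `mount options=(rw rbind)` rule, `/bindfile@{rand6}`, `@{att}/.flatpak-info`, `@{bin}/xdg-dbus-proxy rix` and the `.dbus-proxy`/`webkitgtk` proxy sockets under `@{run}/user/@{uid}` — are all removed. If WebKit's bubblewrap sandbox is still active on the target systems these denials will simply return; if the intent is that bwrap now transitions to its own profile or that the sandbox is disabled, a comment next to the remaining `bwrap` line would make that explicit. Dropping `/dev/video@{int} rw` is a welcome reduction; worth confirming no camera use case regressed.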
+++ b/apparmor.d/groups/browsers/firefox @@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ @@ -21,13 +21,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), + #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @@ -38,15 +42,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-software rPx, @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, + @{bin}/speech-dispatcher rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, 
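Review bot: The new `unix type=seqpacket peer=(label=firefox-crashhelper)` rule names the plain profile, but the helper is launched a few lines below with `rPx -> firefox//&firefox-crashhelper`, so the peer will carry the stacked label. Elsewhere in this same hunk the stacked form is used for stacked peers (`signal send … peer=firefox//&keepassxc-proxy`), so unless AppArmor's peer-label matching accepts a single component of a stack here (confirm against aa-log), this should read `unix type=seqpacket peer=(label=firefox//&firefox-crashhelper),`. The widened `@{lib_dirs}` (beta/devedition/nightly) is reasonable, but see the new crashhelper profile later in this diff, which still carries the old definition.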
@@ -59,13 +65,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..8ffdccb67 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { + include + + unix type=seqpacket peer=(label=firefox), + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4..8feccaa93 100644 
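Review bot: The new `firefox-crashhelper` profile defines `@{name} = firefox{,.sh,-esr,-bin}` and `@{lib_dirs} = @{lib}/@{name} /opt/@{name}`, i.e. exactly the definitions the `firefox` profile drops in this same commit in favour of `@{lib}/firefox{,-esr,-beta,-devedition,-nightly}`. The parent's `@{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper` therefore covers beta/devedition/nightly installs, but inside the stacked child `@{exec_path} mr` does not cover those directories, so the helper's own binary would be outside the child's rules there. I'd copy the parent's two variable lines verbatim so the pair cannot drift again. A one-line header comment stating that this profile is only reached stacked from `firefox` would also help the next reader.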
--- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 97e5645b9..f9470a59b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,11 +16,13 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, 
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..ade169f25 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, @@ -44,7 +39,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 4939edfbf..2d8697259 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest 
@@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107..4969a14c3 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac8..ce6a3678c 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 8ead7a4e0..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd 
@@ -10,16 +10,17 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include + include include include - include + include include - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 1a4b83e2e..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include - include - include + include + include + include include + include include network inet dgram, 
@@ -23,16 +24,23 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, + + unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us + dbus receive bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=@{busname}), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -46,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -65,11 +72,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index ecec3cb49..27e228e2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session 
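Review bot: `unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0)` hardcodes display `:0`, so a session on `:1` or a second X display gets a denial with no rule to point at. If the socket name is what aa-log showed and variables expand inside `addr=` as they do in paths (confirm), `addr=@/tmp/.X11-unix/X@{int}` keeps the rule just as specific on the label without tying it to one display. The new `Hello` receive rule with `peer=(name=@{busname})` is what any bus owner must accept, so that one is fine as written.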
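Review bot: `@{PROC}/@{pid}/cmdline r` is moved out of the `owner`-scoped group — the removed line was `owner @{PROC}/@{pid}/cmdline r` — so unless `@{pid}` already means the caller's own pid, the launcher may now read the command line of any process rather than only its own. Command lines can carry passwords and tokens passed as arguments, so a widening like this deserves a comment naming the foreign process that was observed; the adjacent `@{PROC}/1/cgroup r` suggests it may be pid 1 — confirm. If it is only pid 1, `@{PROC}/1/cmdline r,` alongside the original owner rule would be tighter.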
@@ -30,7 +30,11 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} + dbus receive bus=session + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, @@ -70,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj r, /dev/ptmx rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 6ef4e44ea..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -16,7 +16,7 @@ include profile dbus-system flags=(attach_disconnected) { include include - include + include include include 
@@ -31,13 +31,23 @@ profile dbus-system flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Activator + member=ActivationFailure + peer=(name=@{busname}, label="@{p_systemd}"), @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, @@ -59,6 +69,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @@ -66,19 +77,22 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index dca91e5f2..b326138d6 100644 
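Review bot: The renamed block keeps `@{PROC}/@{pids}/environ r` with no `owner`, so the system bus broker can read the environment of every process on the host; the surrounding `cmdline`, `attr/apparmor/current` and `oom_score_adj` reads are what a bus daemon plausibly needs for peer credentials, but `environ` is where tokens and passwords tend to live. This was already true before the `@{pid}` → `@{pids}` rename, so it is not a regression, but since the lines are being touched it is worth checking aa-log for whether `environ` was ever actually requested and dropping the rule if not. The new `@{PROC}/@{pids}/status r` and `@{sbin}/** PUx` are harmless by comparison given the existing `@{bin}/** PUx`.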
--- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include @@ -55,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 8746e3795..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,13 +11,12 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include + include include include - signal (receive) set=term peer=ibus-daemon, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), + signal receive set=kill peer=@{p_systemd_user}, + signal receive set=term peer=ibus-daemon, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index ab3b2b2fd..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,8 +9,9 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include - include + include include signal (receive) set=term peer=ibus-daemon, @@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } 
diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index 5182b0dca..abe0d22c0 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 803f28a4a..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,8 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 5d96f359e..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal 
@@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @@ -27,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 1096594aa..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include + include include - include - include include include include @@ -42,8 +40,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/groups/cap/filecap similarity index 100% rename from apparmor.d/profiles-a-f/filecap rename to apparmor.d/groups/cap/filecap diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/groups/cap/netcap similarity index 100% rename from apparmor.d/profiles-m-r/netcap rename to apparmor.d/groups/cap/netcap diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/groups/cap/pscap similarity index 100% rename from apparmor.d/profiles-m-r/pscap rename to apparmor.d/groups/cap/pscap diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 24df581f9..0a97bacd2 100644 
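Review bot: The added `#aa:dbus own bus=session name=org.freedesktop.IBus` grants ibus-portal ownership of the `org.freedesktop.IBus` well-known name on the session bus in addition to the `org.freedesktop.portal.IBus` name it already owned; that is presumably the name clients use to reach the input method service itself, so a comment stating which ibus version claims it on the session bus would justify the wider grant. If only the portal name is actually requested, the extra own rule gives the process more than it needs. The `peer=(name=@{busname}, label=gnome-shell)` change is fine.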
--- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -14,7 +14,7 @@ abi , include @{exec_path} = @{bin}/dpkg -profile child-dpkg { +profile child-dpkg flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index 6ea41a9e8..ddfff5fc2 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -22,6 +22,7 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8681e91f4..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,7 +19,6 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include - include include capability chown, @@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @@ -44,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 6804326aa..84b1d1ea1 100644 --- a/apparmor.d/groups/children/child-open 
+++ b/apparmor.d/groups/children/child-open @@ -19,7 +19,7 @@ abi , include -profile child-open flags=(attach_disconnected) { +profile child-open flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index ea21f8487..446627e85 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -11,13 +11,10 @@ abi , include -profile child-open-any flags=(attach_disconnected) { +profile child-open-any flags=(attach_disconnected,mediate_deleted) { include - include - - @{open_path} mr, - - @{sh_path} r, + include + include @{bin}/** PUx, @{lib}/** PUx, @@ -26,14 +23,6 @@ profile child-open-any flags=(attach_disconnected) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - /dev/tty rw, - include if exists include if exists } diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 6873ea2fc..473276bff 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -15,7 +15,7 @@ abi , include -profile child-open-browsers flags=(attach_disconnected) { +profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor new file mode 100644 index 000000000..16d3dc868 --- /dev/null +++ b/apparmor.d/groups/children/child-open-editor 
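Review bot: The `@{open_path} mr,` and `@{sh_path} r,` rules are dropped from child-open-any (and `/dev/tty rw,` plus the directory-listing rules in the second hunk), with only two includes added in their place; the include targets are not readable here, so it is not visible that the helper binary is still mappable under this profile, and without `@{open_path} mr` the `Px -> child-open-any` transition would presumably fail at exec time. A comment on the new includes naming what they replace would help. The unchanged `@{bin}/** PUx` and `@{lib}/** PUx` rules remain the permissive core of this profile, which this change does not alter.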
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open only allow to open text editor. + +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> child-open-browsers" exec transitions +# from other profiles. + +abi , + +include + +profile child-open-editor flags=(attach_disconnected,mediate_deleted) { + include + include + + @{editor_ui_path} PUx, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index d70cd920a..1150d16d3 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -6,7 +6,7 @@ abi , include -profile child-open-help { +profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 98bbdcdb9..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -11,13 +11,15 @@ abi , include -profile child-open-strict { +profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager 
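Review bot: The header comment in the new child-open-editor profile says it is entered via `"Px -> child-open-browsers"` transitions, which is copied from the browsers variant; it should read `# intended to be used only via "Px -> child-open-editor" exec transitions`. The sentence `# This version of child-open only allow to open text editor.` also reads better as `# This version of child-open only allows opening a text editor.`. Since this profile has no attachment path, the comment is the only place a reader learns how it is reached, so it should name the right profile.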
@@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined deleted file mode 100644 index c4d3c9fed..000000000 --- a/apparmor.d/groups/children/user_confined +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow confined users to read, write, lock and link to their own files -# anywhere, and execute from some places. - -abi , - -include - -profile user_confined flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rwkl, - owner @{HOMEDIRS}/bin/** ixmr, - owner @{user_bin_dirs}/** ixmr, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default deleted file mode 100644 index 2853a8deb..000000000 --- a/apparmor.d/groups/children/user_default +++ /dev/null 
@@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# By default, allow users to read, lock and link to their own files anywhere, -# but only write to files in their home directory. Only allow limited execution -# of files. - -abi , - -include - -profile user_default flags=(complain) { - include - include - include - include - - deny capability sys_ptrace, - - @{bin}/** Pixmr, - - owner /** rkl, - owner @{HOMEDIRS}/ w, - owner @{HOMEDIRS}/** w, - - @{PROC}/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined deleted file mode 100644 index db410d6a2..000000000 --- a/apparmor.d/groups/children/user_unconfined +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, - network, - mount, - remount, - umount, - pivot_root, - ptrace, - signal, - dbus, - unix, - file, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/groups/cron/anacron similarity index 79% rename from apparmor.d/profiles-a-f/anacron rename to apparmor.d/groups/cron/anacron index 3e7c9d092..3acfc14fd 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/groups/cron/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, 
@@ -26,7 +26,9 @@ profile anacron @{exec_path} { @{HOME}/ r, - /tmp/file* rw, + @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,6 +41,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, + include if exists } diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 4ce618ef7..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include @@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{sh_path} rix, + @{sbin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 15d1b9737..91c531618 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 61aeaf881..1579115a7 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport 
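Review bot: The new `@{tmp}/file@{rand6} rw,` rule in the main anacron profile is not `owner`-qualified, while the same path in the run-parts subprofile of the second hunk is `owner @{tmp}/file@{rand6} rw,`; the two should agree, and `owner` is the tighter form if anacron creates these files itself. The `/tmp/anacron-@{rand6}` rules also hardcode `/tmp/` where the line above uses `@{tmp}`, so whatever extra locations `@{tmp}` covers would not be matched; `@{tmp}/anacron-@{rand6} rw,` keeps the two consistent. The enclosing anacron profile continues outside the hunk.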
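Review bot: The cron hunk removes the `@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,` and `/usr/share/rsync/scripts/rrsync rPUx,` exec rules with no replacement visible, so those cron jobs would now be denied unless another rule or include covers them; a note on why they were dropped would help. The `@{lib}/sysstat/debian-sa1` transition is also tightened from `rPUx` to `rPx`, which makes the exec fail when no `debian-sa1` profile is loaded, so that profile must ship alongside this change. Dropping `ptrace (read) peer=unconfined,` is a welcome reduction. cron's profile body continues outside the hunk.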
@@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/*.crash w, + /var/crash/* w, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 29294fa53..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 2aaa6b142..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 2c3f90a9a..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,15 +14,14 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 76657dc94..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, 
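Review bot: `/var/crash/*.crash w,` is widened to `/var/crash/* w,` in cron-apport, which lets the job write or truncate any file directly under /var/crash rather than only crash reports; if the intent is to cover additional apport artifacts, a brace list naming those suffixes would keep the rule auditable, and in any case a comment on why the suffix was dropped is warranted. The write access stays non-recursive, which is good.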
diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index ede030682..9399b6ed4 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 42f2f0823..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,13 +34,13 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 601368446..8b5891eed 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index abe3542f6..36044b2f3 100644 --- a/apparmor.d/groups/cron/cron-logrotate 
+++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 8629f7be2..709f843e8 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 852e85141..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f745..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7080658c3..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, 
@@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index dd50a7494..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, @@ -141,7 +141,6 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/perl r, @{bin}/gzip rix, /usr/share/popularity-contest/popcon-upload r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ccc948b01..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab 
@@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, - /etc/environment r, /etc/pam.d/* r, - /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-beh rename to apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/profiles-a-f/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-bluetooth rename to apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/profiles-a-f/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-brf rename to apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
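Review bot: The same `/etc/paperspecs r,` line is added next to `/etc/papersize r,` in cups-backend-beh here and again in every cups-backend-* hunk that follows through cups-backend-usb and cups-backend-pdf; with the pair now repeated in well over a dozen profiles, it is a candidate for a shared include so the next libpaper path is changed in one place. This is a style point only; each individual rule is fine.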
diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd similarity index 82% rename from apparmor.d/profiles-a-f/cups-backend-dnssd rename to apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..877200660 100644 --- a/apparmor.d/profiles-a-f/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,11 +9,12 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-hp rename to apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-implicitclass rename to apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/profiles-a-f/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-ipp rename to apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/profiles-a-f/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp 
@@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-lpd rename to apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/profiles-a-f/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-mdns rename to apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/profiles-a-f/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-parallel rename to apparmor.d/groups/cups/cups-backend-parallel index a985e5042..b4340b2ed 100644 --- a/apparmor.d/profiles-a-f/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf similarity index 92% rename from apparmor.d/profiles-a-f/cups-backend-pdf rename to apparmor.d/groups/cups/cups-backend-pdf index 7782ecb11..21da6bf93 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf 
@@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -24,16 +25,17 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-serial rename to apparmor.d/groups/cups/cups-backend-serial index 3959a091d..26811ab59 100644 --- a/apparmor.d/profiles-a-f/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp similarity index 96% rename from apparmor.d/profiles-a-f/cups-backend-snmp rename to apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket similarity index 95% rename from apparmor.d/profiles-a-f/cups-backend-socket rename to apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/profiles-a-f/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket 
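Review bot: `capability dac_read_search,` is newly granted to cups-backend-pdf next to the existing `dac_override` without a comment saying which access needs it; since it lets the backend bypass read and directory-search permission checks system-wide, the triggering path (presumably something under the per-user output tree in `/var/spool/cups-pdf/`) should be named so the grant can be re-evaluated later. `@{bin}/gs{,.bin} rix` and the reordering of the paper rules are fine. The profile continues outside the hunk.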
@@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb similarity index 96% rename from apparmor.d/profiles-a-f/cups-backend-usb rename to apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/profiles-a-f/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/groups/cups/cups-browsed similarity index 62% rename from apparmor.d/profiles-a-f/cups-browsed rename to apparmor.d/groups/cups/cups-browsed index 41d22ed9b..ca1dc9630 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -6,19 +6,20 @@ abi , include -@{exec_path} = @{bin}/cups-browsed -profile cups-browsed @{exec_path} { +@{exec_path} = @{sbin}/cups-browsed +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include - include include + include + include + include include include include capability net_admin, capability net_bind_service, - capability sys_nice, network inet dgram, network inet6 dgram, 
@@ -26,26 +27,30 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label=avahi-daemon), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus similarity index 92% rename from apparmor.d/profiles-a-f/cups-notifier-dbus rename to apparmor.d/groups/cups/cups-notifier-dbus index 6e3b38490..fa31b726d 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/groups/cups/cups-notifier-mailto similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-mailto rename to apparmor.d/groups/cups/cups-notifier-mailto diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/groups/cups/cups-notifier-rss similarity index 100% rename from apparmor.d/profiles-a-f/cups-notifier-rss rename to apparmor.d/groups/cups/cups-notifier-rss 
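Review bot: The `dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged peer=(label=avahi-daemon)` rule is removed from cups-browsed, while the newly added `@{run}/avahi-daemon/socket rw,` suggests the process still talks to Avahi; if it also still receives that signal, the removal will show up as a dbus denial, so this is worth confirming against aa-log before merging. The new `#aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus` directive does not cover Avahi. The `owner @{tmp}/@{hex} rw,` rule is reasonably tight.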
diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism similarity index 96% rename from apparmor.d/profiles-a-f/cups-pk-helper-mechanism rename to apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d55c2f1..89d517631 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/groups/cups/cupsd similarity index 87% rename from apparmor.d/profiles-a-f/cupsd rename to apparmor.d/groups/cups/cupsd index f65fc8349..ec0bbfd67 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -6,13 +6,13 @@ abi , include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -50,14 +52,14 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, - @{bin}/gs rix, + @{bin}/{,e}grep rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, @@ -90,6 +92,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, 
diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 000000000..fe4347237 --- /dev/null +++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 000000000..6ab6007cb --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf0..e0e0bd794 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -36,15 +37,21 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, + #aa:dbus own bus=system name=org.freedesktop.DisplayManager + @{exec_path} mrix, - @{bin}/rm rix, + @{sh_path} rix, + @{bin}/{,e,f}grep rix, + @{bin}/df rix, + @{bin}/rm rix, @{bin}/lightdm-*-greeter rPUx, @{bin}/startx rPx, @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @@ -56,11 +63,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, @@ -81,6 +88,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session new file mode 100644 index 000000000..ea7d62be2 --- /dev/null +++ b/apparmor.d/groups/display-manager/lightdm-session @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lightdm-session +profile lightdm-session @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/im-launch rPx, + + @{sh_path} rix, + @{bin}/mktemp rix, + @{bin}/expr rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 445531691..361a30b26 100644 
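Review bot: The new `lightdm-session` profile is enforced from the start (no `flags=(complain)`) and only permits `@{bin}/im-launch rPx`, `@{sh_path}`, `mktemp` and `expr`, but lightdm-session is the wrapper that ultimately executes the selected session command (presumably via an `exec "$@"`-style call — confirm on the target distribution); no visible rule covers that exec, so in enforce mode the transition would be denied and graphical login would fail for every session type. Because the lightdm hunk above now transitions to it with `@{bin}/lightdm-session rPx,`, a miss here locks users out rather than merely logging a denial; either add the expected transition with a comment naming what it is for, or ship the profile as `flags=(complain)` until the exec targets have been observed. The body of lightdm-session is fully in view, so this is not a question of a cut-off hunk.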
--- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index cfdaeed3f..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -20,12 +21,12 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/groups/filesystem/btrfs similarity index 98% rename from apparmor.d/profiles-a-f/btrfs rename to apparmor.d/groups/filesystem/btrfs index 82742fd4a..40149588d 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert similarity index 92% rename from apparmor.d/profiles-a-f/btrfs-convert rename to apparmor.d/groups/filesystem/btrfs-convert index 2dccbf1fd..22715c857 100644 
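Review bot: In the btrfs profile, replacing `/boot/ r,` and `/boot/**/ r,` with `@{efi}/ r,` and `@{efi}/**/ r,` is only equivalent if the `@{efi}` tunable expands to `/boot` as well as the ESP mount point; its definition is not in this diff, and if it expands only to `/boot/efi` the tool loses directory-listing access to `/boot` itself, which matters wherever `/boot` is a btrfs subvolume and snapshot or subvolume-list operations touch it. Keep the `/boot/` lines alongside the `@{efi}` ones unless the tunable is confirmed to cover both, and add a comment such as `# @{efi} is expected to cover /boot and the ESP` above them so the dependency is explicit.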
--- a/apparmor.d/profiles-a-f/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root similarity index 92% rename from apparmor.d/profiles-a-f/btrfs-find-root rename to apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/profiles-a-f/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image similarity index 93% rename from apparmor.d/profiles-a-f/btrfs-image rename to apparmor.d/groups/filesystem/btrfs-image index 6f18ac095..48be7c381 100644 --- a/apparmor.d/profiles-a-f/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/groups/filesystem/btrfs-map-logical similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-map-logical rename to apparmor.d/groups/filesystem/btrfs-map-logical diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/groups/filesystem/btrfs-select-super similarity index 100% rename from apparmor.d/profiles-a-f/btrfs-select-super rename to apparmor.d/groups/filesystem/btrfs-select-super diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/groups/filesystem/btrfstune similarity index 94% rename from apparmor.d/profiles-a-f/btrfstune rename to apparmor.d/groups/filesystem/btrfstune index f8fa4a047..24a8ef46e 100644 
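Review bot: `@{exec_path} = @{sbin}/btrfs-convert` (and the identical edits for btrfs-find-root and btrfs-image on this line) narrows the attachment to whatever `@{sbin}` expands to, so on distributions that have merged `/usr/sbin` into `/usr/bin` the binary resolves to `/usr/bin/btrfs-convert` and would run unconfined unless the `@{sbin}` tunable also lists `/usr/bin`. The tunable definition is outside this diff, so this is a point to confirm rather than a defect; a comment on the tunable stating that `@{sbin}` must cover the merged layout would make the assumption explicit. Alternatively attach at both locations, `@{exec_path} = @{bin}/btrfs-convert @{sbin}/btrfs-convert`, which preserves the old behaviour on every layout.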
--- a/apparmor.d/profiles-a-f/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs similarity index 92% rename from apparmor.d/profiles-a-f/fsck.btrfs rename to apparmor.d/groups/filesystem/fsck.btrfs index f8ac9419d..512265788 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat similarity index 87% rename from apparmor.d/profiles-a-f/fsck.fat rename to apparmor.d/groups/filesystem/fsck.fat index fd944532f..0e7df947d 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/groups/filesystem/lvm similarity index 91% rename from apparmor.d/profiles-g-l/lvm rename to apparmor.d/groups/filesystem/lvm index cff4ce186..ad4645bff 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include @@ -23,12 +23,14 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), + mqueue getattr type=posix /, mqueue r type=posix /, @{exec_path} rm, @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, + /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, 
@@ -47,6 +49,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control rw, + /dev/root r, include if exists } diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig similarity index 91% rename from apparmor.d/profiles-g-l/lvmconfig rename to apparmor.d/groups/filesystem/lvmconfig index 5e5a0d1dd..39224c22f 100644 --- a/apparmor.d/profiles-g-l/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/groups/filesystem/lvmdump similarity index 92% rename from apparmor.d/profiles-g-l/lvmdump rename to apparmor.d/groups/filesystem/lvmdump index 6a443fc57..5e90ffeee 100644 --- a/apparmor.d/profiles-g-l/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld similarity index 88% rename from apparmor.d/profiles-g-l/lvmpolld rename to apparmor.d/groups/filesystem/lvmpolld index fdc3bad3f..cce01b0d0 100644 --- a/apparmor.d/profiles-g-l/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -6,14 +6,14 @@ abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/groups/filesystem/mke2fs similarity index 81% rename from apparmor.d/profiles-m-r/mke2fs rename to apparmor.d/groups/filesystem/mke2fs index acf88197f..90df8ecb1 100644 --- a/apparmor.d/profiles-m-r/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs 
@@ -7,9 +7,10 @@ abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include @@ -19,7 +20,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, @@ -34,6 +35,8 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs similarity index 94% rename from apparmor.d/profiles-m-r/mkfs-btrfs rename to apparmor.d/groups/filesystem/mkfs-btrfs index 1e6c95838..54c83e559 100644 --- a/apparmor.d/profiles-m-r/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/groups/filesystem/mkfs-fat similarity index 100% rename from apparmor.d/profiles-m-r/mkfs-fat rename to apparmor.d/groups/filesystem/mkfs-fat diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/groups/filesystem/mkntfs similarity index 100% rename from apparmor.d/profiles-m-r/mkntfs rename to apparmor.d/groups/filesystem/mkntfs diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/groups/filesystem/mkswap similarity index 94% rename from apparmor.d/profiles-m-r/mkswap rename to apparmor.d/groups/filesystem/mkswap index 4a818cd58..fa30030f3 100644 --- a/apparmor.d/profiles-m-r/mkswap +++ b/apparmor.d/groups/filesystem/mkswap 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkswap +@{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/groups/filesystem/mount similarity index 100% rename from apparmor.d/profiles-m-r/mount rename to apparmor.d/groups/filesystem/mount diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs similarity index 69% rename from apparmor.d/profiles-m-r/mount-cifs rename to apparmor.d/groups/filesystem/mount-cifs index 78651ba23..a6c8d01e3 100644 --- a/apparmor.d/profiles-m-r/mount-cifs +++ b/apparmor.d/groups/filesystem/mount-cifs @@ -7,42 +7,52 @@ abi , include -@{exec_path} = @{bin}/mount.cifs +@{exec_path} = @{sbin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include + include include - # To mount anything. capability sys_admin, - - # (#FIXME#) capability setpcap, + capability dac_read_search, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, + mount fstype=cifs -> @{HOME}/*/, + mount fstype=cifs -> @{HOME}/*/*/, + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + mount fstype=cifs -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, + @{exec_path} mr, @{bin}/systemd-ask-password rPUx, /etc/fstab r, + /etc/sync-credentials r, owner @{HOME}/.smbcredentials r, # Mount points + @{HOME}/*/ r, + @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - - # Allow to mount smb/cifs disks only under the /media/ dirs - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, + @{MOUNTS}/*/*/ r, include if exists } 
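Review bot: In mount-cifs, the new targets `mount fstype=cifs -> @{HOME}/*/` and `-> @{HOME}/*/*/` (with matching `umount` rules) allow a CIFS share to be mounted over any directory directly under a user's home, including dot-directories such as `@{HOME}/.ssh/` or `@{HOME}/.config/`, since AppArmor's `*` matches everything except `/` and does not exclude a leading dot; this is a deliberate widening from the removed comment's stated intent of keeping mounts under the media directories. If the use case is user-visible mount points, `@{HOME}/[^.]*/` and `@{HOME}/[^.]*/*/` exclude hidden directories at no cost, and a comment stating why home-directory targets are needed would document the decision. Note the profile is still `flags=(complain)`, so nothing here is enforced yet; the added `/etc/sync-credentials r,` also hardcodes a site-specific credentials file that probably belongs in the `local/mount-cifs` override rather than the shared profile.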
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs similarity index 96% rename from apparmor.d/profiles-m-r/mount-nfs rename to apparmor.d/groups/filesystem/mount-nfs index 26f3e2d57..f670b62d7 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/groups/filesystem/mount-zfs similarity index 100% rename from apparmor.d/profiles-m-r/mount-zfs rename to apparmor.d/groups/filesystem/mount-zfs diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/groups/filesystem/mtools similarity index 100% rename from apparmor.d/profiles-m-r/mtools rename to apparmor.d/groups/filesystem/mtools diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld similarity index 94% rename from apparmor.d/profiles-m-r/nfsdcld rename to apparmor.d/groups/filesystem/nfsdcld index be122a3cb..23ecc576e 100644 --- a/apparmor.d/profiles-m-r/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g similarity index 95% rename from apparmor.d/profiles-m-r/ntfs-3g rename to apparmor.d/groups/filesystem/ntfs-3g index d94d7a0f2..e4749177c 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g 
@@ -34,6 +34,8 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/groups/filesystem/ntfs-3g-probe similarity index 100% rename from apparmor.d/profiles-m-r/ntfs-3g-probe rename to apparmor.d/groups/filesystem/ntfs-3g-probe diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/groups/filesystem/ntfscat similarity index 100% rename from apparmor.d/profiles-m-r/ntfscat rename to apparmor.d/groups/filesystem/ntfscat diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone similarity index 95% rename from apparmor.d/profiles-m-r/ntfsclone rename to apparmor.d/groups/filesystem/ntfsclone index c239e81af..c6443bf7a 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/groups/filesystem/ntfscluster similarity index 100% rename from apparmor.d/profiles-m-r/ntfscluster rename to apparmor.d/groups/filesystem/ntfscluster diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/groups/filesystem/ntfscmp similarity index 100% rename from apparmor.d/profiles-m-r/ntfscmp rename to apparmor.d/groups/filesystem/ntfscmp diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/groups/filesystem/ntfscp similarity index 96% rename from apparmor.d/profiles-m-r/ntfscp rename to apparmor.d/groups/filesystem/ntfscp index 2e36046ba..f3bc38b6a 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp 
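Review bot: `mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver` adds a mount target under the world-writable `/tmp`, which means any local user can pre-create `/tmp/fsa/<name>/` and have a root-run ntfs-3g mount a filesystem onto a directory they own; whether that is exploitable depends on how fsarchiver creates and checks its mount point, but every other target in this profile is under `@{MOUNTS}`/`@{MOUNTDIRS}`, so the exception deserves a fuller comment, e.g. `# fsarchiver mounts under /tmp/fsa/<dir>/; parent is world-writable, safety relies on fsarchiver's own checks`. The source pattern `[0-9]*` also matches names like `sda1foo`, because `*` follows the digit; `/dev/{s,v}d[a-z]*@{int}` matches the project's other rules (`@{tmp}/@{int}` in cups-pk-helper) and is tighter. If `@{tmp}` is valid in mount rules here, `@{tmp}/fsa/*/` would be consistent with the rest of the file set.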
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/groups/filesystem/ntfsdecrypt similarity index 100% rename from apparmor.d/profiles-m-r/ntfsdecrypt rename to apparmor.d/groups/filesystem/ntfsdecrypt diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/groups/filesystem/ntfsfallocate similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfallocate rename to apparmor.d/groups/filesystem/ntfsfallocate diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/groups/filesystem/ntfsfix similarity index 100% rename from apparmor.d/profiles-m-r/ntfsfix rename to apparmor.d/groups/filesystem/ntfsfix diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/groups/filesystem/ntfsinfo similarity index 100% rename from apparmor.d/profiles-m-r/ntfsinfo rename to apparmor.d/groups/filesystem/ntfsinfo diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel similarity index 93% rename from apparmor.d/profiles-m-r/ntfslabel rename to apparmor.d/groups/filesystem/ntfslabel index 471aefaa1..5d4089a44 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/groups/filesystem/ntfsls similarity index 100% rename from apparmor.d/profiles-m-r/ntfsls rename to apparmor.d/groups/filesystem/ntfsls diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/groups/filesystem/ntfsmove similarity index 100% rename from apparmor.d/profiles-m-r/ntfsmove rename to apparmor.d/groups/filesystem/ntfsmove 
diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/groups/filesystem/ntfsrecover similarity index 100% rename from apparmor.d/profiles-m-r/ntfsrecover rename to apparmor.d/groups/filesystem/ntfsrecover diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize similarity index 93% rename from apparmor.d/profiles-m-r/ntfsresize rename to apparmor.d/groups/filesystem/ntfsresize index 5c7d5c835..3eac37d70 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/groups/filesystem/ntfssecaudit similarity index 100% rename from apparmor.d/profiles-m-r/ntfssecaudit rename to apparmor.d/groups/filesystem/ntfssecaudit diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/groups/filesystem/ntfstruncate similarity index 100% rename from apparmor.d/profiles-m-r/ntfstruncate rename to apparmor.d/groups/filesystem/ntfstruncate diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete similarity index 94% rename from apparmor.d/profiles-m-r/ntfsundelete rename to apparmor.d/groups/filesystem/ntfsundelete index 4d96d1dbd..9f68cba7a 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/groups/filesystem/ntfsundelete @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsundelete +@{exec_path} = @{sbin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/groups/filesystem/ntfsusermap similarity index 100% rename from apparmor.d/profiles-m-r/ntfsusermap rename to apparmor.d/groups/filesystem/ntfsusermap 
diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/groups/filesystem/ntfswipe similarity index 100% rename from apparmor.d/profiles-m-r/ntfswipe rename to apparmor.d/groups/filesystem/ntfswipe diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/groups/filesystem/udiskie similarity index 80% rename from apparmor.d/profiles-s-z/udiskie rename to apparmor.d/groups/filesystem/udiskie index 014955032..53b726c23 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -11,19 +11,15 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info similarity index 92% rename from apparmor.d/profiles-s-z/udiskie-info rename to apparmor.d/groups/filesystem/udiskie-info index 855c5b54c..b59b91472 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -13,9 +13,10 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount similarity index 92% rename from apparmor.d/profiles-s-z/udiskie-mount rename to apparmor.d/groups/filesystem/udiskie-mount index a57a6091f..3ec9e422a 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount 
@@ -13,9 +13,10 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount similarity index 92% rename from apparmor.d/profiles-s-z/udiskie-umount rename to apparmor.d/groups/filesystem/udiskie-umount index 8fe075f94..01271bdc6 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -13,9 +13,10 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/groups/filesystem/udisksctl similarity index 100% rename from apparmor.d/profiles-s-z/udisksctl rename to apparmor.d/groups/filesystem/udisksctl diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/groups/filesystem/udisksd similarity index 77% rename from apparmor.d/profiles-s-z/udisksd rename to apparmor.d/groups/filesystem/udisksd index b89d9c72f..91d4a8569 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -19,6 +19,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, + capability ipc_lock, capability net_admin, capability setgid, capability setuid, @@ -48,6 +49,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> @{efi}/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, 
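Review bot: In udisksd, `mount fstype=vfat -> @{efi}/` has no source constraint, so it lets udisksd mount any vfat filesystem — a freshly inserted USB stick included — over the EFI system partition mount point (presumably `/boot/efi`; the tunable is not in view), and shadowing the real ESP with attacker-controlled content is not something a D-Bus-driven, polkit-authorized service should rely on polkit alone to prevent. AppArmor cannot express "only the device currently backing the ESP", so at minimum state the scenario above the rule, e.g. `# Remount the ESP for bootloader/firmware updates; source is unconstrained, callers are gated by polkit`, and pair it visibly with the `umount @{efi}/,` added further down. `capability ipc_lock,` is plausible for pinning key material during LUKS operations but also deserves a one-line why-comment, since none of the neighbouring capabilities explain themselves.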
@@ -56,36 +59,32 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, @{sh_path} rix, @{bin}/umount rix, - @{bin}/dmidecode rPx, - @{bin}/dumpe2fs rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dumpe2fs rPx, @{bin}/eject rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, + @{sbin}/fsck.fat rPx, + @{sbin}/lvm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{bin}/sfdisk rPx, - @{bin}/sgdisk rPx, + @{sbin}/sfdisk rPx, + @{sbin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, 
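Review bot: `@{sbin}/lvm rPUx,` falls back to running lvm unconfined when no profile is attached, but this same commit ships a dedicated `lvm` profile attached at `@{sbin}/lvm` (groups/filesystem/lvm), so the `U` fallback now only serves to hide a missing profile by silently running lvm with udisksd's root privileges; `@{sbin}/lvm rPx,` is the consistent choice, as already used for `mke2fs`, `sfdisk` and `sgdisk` in the same list. The same question applies to `@{bin}/xfs_* rPUx,` and `@{bin}/mount.exfat-fuse rPUx,` if profiles exist for them. Separately, this hunk drops the explicit `dbus send ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule; udisksd relies on those calls to identify callers for polkit checks, so please confirm they are now covered by one of the bus abstractions the profile includes rather than simply removed.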
@@ -113,21 +112,26 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, - @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, - @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w, + @{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw, + @{sys}/devices/@{pci}/uevent rw, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw, diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 similarity index 91% rename from apparmor.d/profiles-s-z/umount.udisks2 rename to apparmor.d/groups/filesystem/umount.udisks2 index 4e842c7fb..752a1d5d3 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/groups/filesystem/umount.udisks2 
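Review bot: `@{sys}/devices/@{pci}/uevent rw,` widens the previous `r` to write access on the uevent attribute of every PCI device; writing to `uevent` makes the kernel re-emit a synthetic udev event for that device, and the existing narrower rule `@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w,` suggests the write is only needed for storage controllers and their children. If the top-level write is genuinely required, a why-comment in the style of the udev-data lines just above (e.g. `# Re-trigger uevent on the parent controller after a device rescan`) would record which operation needs it; otherwise keep `r` here. The added `@{sys}/devices/**/uevent r,` is harmless on its own but makes the more specific read rules in this block redundant, which is worth tidying when the write question is settled.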
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/umount.udisks2 +@{exec_path} = @{sbin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/groups/firewall/firewall-applet similarity index 85% rename from apparmor.d/profiles-a-f/firewall-applet rename to apparmor.d/groups/firewall/firewall-applet index 17fca1462..bd144b7e2 100644 --- a/apparmor.d/profiles-a-f/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -17,10 +17,13 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/groups/firewall/firewall-config similarity index 100% rename from apparmor.d/profiles-a-f/firewall-config rename to apparmor.d/groups/firewall/firewall-config diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/groups/firewall/firewalld similarity index 64% rename from apparmor.d/profiles-a-f/firewalld rename to apparmor.d/groups/firewall/firewalld index 142b25cde..57a0baa20 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -6,10 +6,9 @@ abi , include -@{exec_path} = @{bin}/firewalld +@{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability setpcap, - capability sys_module, network inet raw, network inet6 raw, 
@@ -30,19 +28,20 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 @{exec_path} mr, + @{python_path} r, @{bin}/ r, - @{bin}/alts rix, - @{bin}/ebtables-legacy rix, - @{bin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{bin}/ipset rix, - @{bin}/kmod rix, - @{bin}/modprobe rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/ r, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, - /usr/local/lib/python3.@{int}/dist-packages/ r, + /usr/local/lib/@{python_name}/dist-packages/ r, /usr/share/iproute2/{,**} r, /usr/share/libalternatives/{,**} r, @@ -56,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/groups/firewall/nft similarity index 96% rename from apparmor.d/profiles-m-r/nft rename to apparmor.d/groups/firewall/nft index 292b22043..2392829c8 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/groups/firewall/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/nft +@{exec_path} = @{sbin}/nft profile nft @{exec_path} { include include 
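Review bot: The firewalld exec list mixes permission styles — `@{bin}/alts ix,`, `@{sbin}/ipset ix,`, `@{sbin}/xtables-nft-multi mix,` — while the rules this hunk removes and the rest of the changeset consistently use `rix`; an exec rule without `r` fails for any target that is a `#!` script, because the interpreter has to open it for reading, and I am not certain that `ebtables-legacy-restore` is an ELF binary on every supported distribution — if it is a wrapper script anywhere, the `ix`-only rule is denied. Using `rix` throughout (`mrix` where `m` is needed) is both safer and matches house style. Moving `capability sys_module` into the `kmod` child with `@{sys}/module/nf_*/initstate r` is a good least-privilege split; a comment above `@{bin}/kmod Cx -> kmod,` such as `# Module loading is isolated so sys_module never reaches the main profile` would explain why this one target is not `ix` like its neighbours.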
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/groups/firewall/ufw similarity index 55% rename from apparmor.d/profiles-s-z/ufw rename to apparmor.d/groups/firewall/ufw index b7e5f0c79..39517ee6c 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -7,10 +7,10 @@ abi , include -@{exec_path} = @{bin}/ufw +@{exec_path} = @{sbin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { include - include + include include include @@ -29,14 +29,15 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ r, - @{bin}/cat ix, - @{bin}/env r, - @{bin}/python3.@{int} ix, - @{bin}/sysctl ix, - @{bin}/xtables-legacy-multi ix, - @{bin}/xtables-nft-multi ix, - @{lib}/ufw/ufw-init ix, + @{python_path} rix, + @{sbin}/ r, + @{bin}/cat rix, + @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -56,6 +57,33 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init new file mode 100644 index 000000000..fcb9d8b6c --- /dev/null +++ b/apparmor.d/groups/firewall/ufw-init 
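Review bot: In ufw, `@{bin}/kmod rCx -> kmod,` transitions into a child profile that, unlike its sibling `sysctl` child (which explicitly carries `@{sbin}/sysctl mr,`), has no visible rule allowing the kmod binary itself to be mapped and executed; if that is not supplied by one of the stripped `include` lines, the transition ends in an exec denial and ufw's module loading silently breaks. Adding `@{bin}/kmod mr,` to the child, or confirming the include and noting it in a comment, closes the asymmetry. The `kmod` and `sysctl` children are also duplicated verbatim in the new `ufw-init` profile; factoring them into a shared abstraction would keep the two copies from drifting apart.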
@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/ufw/ufw-init
+profile ufw-init @{exec_path} {
+ include
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+ capability net_admin,
+ capability net_raw,
+
+ network inet dgram,
+ network inet raw,
+ network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/echo rix,
+ @{sbin}/sysctl rCx -> sysctl,
+ @{sbin}/xtables-legacy-multi rix,
+ @{sbin}/xtables-nft-multi rix,
+ @{bin}/kmod rCx -> kmod,
+
+ /etc/default/ufw r,
+ /etc/ufw/* r,
+
+ @{run}/xtables.lock rwk,
+
+ @{PROC}/@{pid}/net/ip_tables_names r,
+ @{PROC}/sys/kernel/modprobe r,
+
+ profile kmod {
+ include
+ include
+
+ capability sys_module,
+
+ @{run}/xtables.lock r,
+
+ @{sys}/module/compression r,
+ @{sys}/module/x_tables/initstate r,
+
+ include if exists
+ }
+
+ profile sysctl {
+ include
+ include
+
+ capability net_admin,
+
+ @{sbin}/sysctl mr,
+
+ /etc/ufw/sysctl.conf r,
+
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/groups/flatpak/flatpak
similarity index 58%
rename from apparmor.d/profiles-a-f/flatpak
rename to apparmor.d/groups/flatpak/flatpak
index 7368d7c3b..341db555e 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -11,7 +11,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 include
 include
 include
- include
+ include
 include
 include
 include
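Review bot: In the new ufw-init `kmod` child, `@{run}/xtables.lock r,` looks like a descriptor inherited from the parent, which holds the lock with `@{run}/xtables.lock rwk,` and execs kmod with `rCx`, rather than something kmod opens itself; the `# file_inherit` marker this repository already uses (see the pulseaudio hunk later in this diff) placed above the rule would make that explicit. The child is declared `profile kmod {` without `flags=(attach_disconnected)` while the ufw profile's near-identical child carries the flag; if the difference is deliberate it deserves a comment, otherwise align it. The parent grants `capability dac_override` and `dac_read_search` alongside `@{sh_path} rix,`, so the inline shell inherits both; a short comment on what needs them (presumably root-only files under `/etc/ufw/`) would document that trade-off.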
@@ -37,6 +37,26 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 signal send peer=flatpak-app,
+ unix type=seqpacket peer=(label=flatpak-system-helper),
+ unix type=stream peer=(label=flatpak//fusermount),
+
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
+ #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper
+ #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
+
+ #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
+ #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
+
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=ReloadConfig
+ peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined),
+
+ dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper
+ interface=org.freedesktop.Flatpak.SystemHelper
+ member=GetRevokefsFd
+ peer=(name=org.freedesktop.Flatpak.SystemHelper),
+
 @{exec_path} mr,
 @{bin}/bwrap rPx -> flatpak-app,
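Review bot: The `GetRevokefsFd` rule at the end of the hunk pins its peer only by `name=org.freedesktop.Flatpak.SystemHelper`, while the `#aa:dbus talk` line for the same service a few lines up also pins `label=flatpak-system-helper`; adding `label=flatpak-system-helper` to that `peer=(...)` keeps the two consistent and stops a differently-confined process that acquires the name from satisfying the rule. The `ReloadConfig` send to the session bus daemon carries no comment on why flatpak needs it; something like `# Ask the session bus to re-read its service directories` (if that is the reason) would make it auditable.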
@@ -46,37 +66,54 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 @{bin}/gpgsm rCx -> gpg,
 @{lib}/revokefs-fuse rix,
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ @{lib}/polkit-agent-helper-[0-9] rPx,
+
 /usr/share/flatpak/{,**} r,
 /etc/flatpak/{,**} r,
 /etc/pulse/client.conf r,
- / r,
+ @{att}/ r,
 /var/lib/flatpak/{,**} rwlk,
 /var/tmp/#@{int} rw,
 /var/tmp/flatpak-cache-@{rand6}/{,**/} r,
- owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,
+ owner /var/tmp/flatpak-cache-@{rand6}/ rw,
+ owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**,
 owner @{HOME}/.var/ w,
 owner @{HOME}/.var/app/{,**} rw,
+ owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw,
+ owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
- owner @{user_documents_dirs}/ rw,
+ # Can create dotfile directories for any app
+ owner @{user_cache_dirs}/*/ w,
+ owner @{user_config_dirs}/*/ w,
+ owner @{user_share_dirs}/*/ w,
+ owner @{user_games_dirs}/{,**/} w,
+ owner @{user_documents_dirs}/ w,
+
 @{user_config_dirs}/dconf/user r,
 owner @{user_cache_dirs}/flatpak/{,**} rw,
 owner @{user_config_dirs}/pulse/client.conf r,
 owner @{user_config_dirs}/user-dirs.dirs r,
 @{user_share_dirs}/flatpak/{,**} r,
 owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/flatpak/{,**} rwl,
+ owner @{user_share_dirs}/flatpak/ rw,
+ owner @{user_share_dirs}/flatpak/** rwlk,
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
+ owner @{tmp}/remote-summary-sig.@{rand6} rw,
+ owner @{tmp}/remote-summary.@{rand6} rw,
 owner /dev/shm/flatpak*/{,**} rw,
- @{run}/.userns r,
+ @{run}/.userns r,
+ @{att}/@{run}/.userns r,
+ @{run}/user/@{uid}/.dbus-proxy/ w,
 @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/.dbus-proxy/* rw,
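Review bot: `@{run}/user/@{uid}/.dbus-proxy/ w,` is added without the `owner` qualifier, while the existing rule right below it, `owner @{run}/user/@{uid}/.dbus-proxy/* rw,`, is owner-scoped; the directory lives under the user's own runtime dir, so `owner @{run}/user/@{uid}/.dbus-proxy/ w,` keeps the pair consistent. The same hunk keeps `@{run}/.userns r,` and adds `@{att}/@{run}/.userns r,` with no note on why both forms are needed; a one-line comment would help. The new `owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**,` pinning link targets to the same tree is the right tightening over the unrestricted `l` it replaces.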
@@ -105,36 +142,34 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 capability dac_read_search,
- @{bin}/gpg{,2} mr,
- @{bin}/gpgconf mr,
- @{bin}/gpgsm mr,
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+ @{bin}/gpg-agent rix,
+ @{lib}/gnupg/scdaemon rix,
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
 owner @{tmp}/ostree-gpg-@{rand6}/ rw,
 owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
+ owner @{PROC}/@{pid}/fd/ r,
+
 include if exists
 }
 profile fusermount {
 include
- include
- include
+ include
- capability sys_admin,
+ capability setuid,
+
+ unix type=seqpacket peer=(label=flatpak-system-helper),
+ unix type=stream peer=(label=flatpak),
 mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
 umount /var/tmp/flatpak-cache-*/*/,
- @{bin}/fusermount{,3} mr,
-
- /etc/fuse.conf r,
-
- @{PROC}/@{pids}/mounts r,
-
- /dev/fuse rw,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app
similarity index 90%
rename from apparmor.d/profiles-a-f/flatpak-app
rename to apparmor.d/groups/flatpak/flatpak-app
index e332f50ca..e6be7ef4f 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
@@ -41,12 +41,16 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
 network unix stream,
- ptrace (read),
+ ptrace read,
 ptrace trace peer=flatpak-app,
 signal receive peer=flatpak,
 signal receive set=(int term) peer=flatpak-portal,
- signal receive set=(int) peer=flatpak-session-helper,
+ signal receive set=(int term) peer=flatpak-session-helper,
+
+ unix type=seqpacket peer=(label=dbus-session),
+ # unix type=seqpacket peer=(label=unconfined),
+ unix type=seqpacket peer=(label=xdg-dbus-proxy),
 @{bin}/** rmix,
 @{lib}/** rmix,
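Review bot: The `fusermount` child in the first hunk keeps `mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,` and the matching `umount`, but the hunk replaces `capability sys_admin,` with `capability setuid,`; AppArmor mediates CAP_SYS_ADMIN for mount even when the binary is setuid-root, so unless the child's new include (its target is not visible here) grants it, the mount will be denied. A comment on the child saying where the capability now comes from would settle that. In the gpg child, the new `@{bin}/gpg-agent rix,` and `@{lib}/gnupg/scdaemon rix,` run the agent and smartcard daemon under the child's `capability dac_read_search`; if a standalone gpg-agent profile exists in this repository, `rPx` would keep them out of flatpak's label.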
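Review bot: The commented-out `# unix type=seqpacket peer=(label=unconfined),` in the flatpak-app hunk is dead policy with no explanation; either drop it or turn it into a `# TODO:` that states under which condition it would be enabled. The two active rules around it, `peer=(label=dbus-session)` and `peer=(label=xdg-dbus-proxy)`, are label-scoped, which is the right shape, so the parked line stands out as the one open question. `signal receive set=(int term) peer=flatpak-session-helper,` now matches the flatpak-portal line above it.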
@@ -57,6 +61,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
 /var/lib/flatpak/app/*/**/@{lib}/** rmix,
+ @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm,
 @{run}/flatpak/app/*/**so* rm,
 @{run}/parent/@{bin}/** rmix,
 @{run}/parent/@{lib}/** rmix,
@@ -81,9 +86,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/{,**} r,
 /var/lib/flatpak/exports/** rw,
- /var/tmp/etilqs_@{hex16} rw,
- @{run}/.userns r,
+ owner @{att}/@{HOME}/.var/app/** rwlkmix,
+
 @{run}/parent/** r,
 @{run}/parent/app/.ref rk,
 @{run}/parent/usr/.ref rk,
@@ -93,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 owner @{run}/ld-so-cache-dir/* rw,
 owner @{run}/user/ r,
+ /dev/ntsync r,
+
 include if exists
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/groups/flatpak/flatpak-oci-authenticator
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-oci-authenticator
rename to apparmor.d/groups/flatpak/flatpak-oci-authenticator
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal
similarity index 67%
rename from apparmor.d/profiles-a-f/flatpak-portal
rename to apparmor.d/groups/flatpak/flatpak-portal
index 8a8d2b901..97f9f4911 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/groups/flatpak/flatpak-portal
@@ -10,6 +10,9 @@ include
 profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
+ include
 include
 capability sys_ptrace,
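Review bot: `owner @{att}/@{HOME}/.var/app/** rwlkmix,` in the second flatpak-app hunk grants write, mmap and inherit-exec on the same tree, so any file an app writes into its own data directory can then be executed and mapped under this profile; the existing `@{bin}/** rmix` and `@{lib}/** rmix` cover trees the app cannot write, which is what makes this rule different. If executing helpers from the data directory is required, say so with a comment such as `# Apps may exec helpers from their own data dir`; otherwise `rwlkm` closes the write-then-exec path. `/dev/ntsync r,` in the third hunk would likewise benefit from a short comment naming what needs it.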
@@ -22,23 +25,24 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+
 @{exec_path} mr,
 @{bin}/flatpak rPx,
- /usr/share/mime/mime.cache r,
 /usr/share/xdg-desktop-portal/portals/{,*.portal} r,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
-
- owner @{att}/ r,
+ owner /att/**/ r,
 owner @{att}/.flatpak-info r,
- owner @{HOME}/.var/app/*/**/.ref rw,
- owner @{HOME}/.var/app/*/**/logs/* rw,
+ owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw,
+ owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,
 owner @{user_config_dirs}/user-dirs.dirs r,
- owner @{user_share_dirs}/mime/mime.cache r,
 owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
 owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper
similarity index 92%
rename from apparmor.d/profiles-a-f/flatpak-session-helper
rename to apparmor.d/groups/flatpak/flatpak-session-helper
index 162e3b448..8a8f5afb7 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/groups/flatpak/flatpak-session-helper
@@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=session name=org.freedesktop.Flatpak
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+
 @{exec_path} mr,
 @{shells_path} rUx -> user_unconfined,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper
similarity index 74%
rename from apparmor.d/profiles-a-f/flatpak-system-helper
rename to apparmor.d/groups/flatpak/flatpak-system-helper
index 2268de064..0bd74bdcb 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
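Review bot: `owner /att/**/ r,` replaces `owner @{att}/ r,` with a hard-coded attachment root and a recursive glob while the next line still uses `@{att}/.flatpak-info`; the pipewire profile later in this diff makes the same `/att/**/ r,` change. If `@{att}` expands to a narrower prefix than `/att/`, this widens the rule to every attached root and that intent deserves a comment (e.g. `# Directory listing under every attached root`); if it does not, `owner @{att}/**/ r,` keeps the variable with the same reach. The new `dbus receive ... member=Introspect peer=(name=@{busname}, label=gnome-shell)` is label-scoped, matching the repository's existing Introspect rules.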
+++ b/apparmor.d/groups/flatpak/flatpak-system-helper
@@ -9,12 +9,16 @@ include
 @{exec_path} = @{lib}/flatpak-system-helper
 profile flatpak-system-helper @{exec_path} {
 include
+ include
+ include
+ include
 include
 include
 include
 capability chown,
 capability dac_override,
+ capability dac_read_search,
 capability fowner,
 capability net_admin,
 capability setgid,
@@ -22,9 +26,15 @@ profile flatpak-system-helper @{exec_path} {
 capability sys_nice,
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
+
+ unix type=seqpacket peer=(label=dbus-system),
+ unix type=seqpacket peer=(label=flatpak),
+ unix type=seqpacket peer=(label=flatpak//fusermount),
+ unix type=seqpacket peer=(label=unconfined),
 #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
 @{exec_path} mr,
@@ -37,7 +47,7 @@ profile flatpak-system-helper @{exec_path} {
 /etc/flatpak/{,**} r,
 /etc/machine-id r,
- /usr/share/mime/mime.cache r,
+ /usr/share/flatpak/remotes.d/{,**} r,
 /usr/share/flatpak/triggers/ r,
 /var/lib/flatpak/{,**} rwkl,
@@ -47,7 +57,11 @@ profile flatpak-system-helper @{exec_path} {
 owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw,
 owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
- @{PROC}/@{pid}/stat r,
+ @{tmp}/remote-summary-sig.@{rand6} r,
+ @{tmp}/remote-summary.@{rand6} r,
+
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/status r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/groups/flatpak/flatpak-validate-icon
similarity index 100%
rename from apparmor.d/profiles-a-f/flatpak-validate-icon
rename to apparmor.d/groups/flatpak/flatpak-validate-icon
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 539a2a57d..85e277198 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
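Review bot: `unix type=seqpacket peer=(label=unconfined),` in the second flatpak-system-helper hunk opens the socket to any unconfined process while its three siblings are pinned to specific labels; a comment naming the unconfined peer this is for would make the exception reviewable, and if it only covers a bootstrap case it may be droppable later. In the fourth hunk `@{PROC}/@{pids}/stat r,` widens the previous `@{pid}` to every process and `@{PROC}/@{pids}/status r,` is added without `owner`; this pairs with the existing `capability sys_ptrace` and `ptrace read`, presumably for client credential lookup, and saying so in a comment would explain why the `owner`-scoped `fd/` rules below stay narrower.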
@@ -25,20 +25,15 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.Accounts
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label=dbus-system),
-
 @{exec_path} mr,
- @{bin}/adduser rPx,
+ @{sbin}/adduser rPx,
 @{bin}/cat rix,
 @{bin}/chage rPx,
 @{bin}/passwd rPx,
- @{bin}/chpasswd rPx,
- @{bin}/userdel rPx,
- @{bin}/usermod rPx,
+ @{sbin}/chpasswd rPx,
+ @{sbin}/userdel rPx,
+ @{sbin}/usermod rPx,
 @{bin}/locale rPUx,
 /usr/share/language-tools/language-validate rPx,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/groups/freedesktop/boltd
similarity index 91%
rename from apparmor.d/profiles-a-f/boltd
rename to apparmor.d/groups/freedesktop/boltd
index b70b72088..5b72f8427 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/groups/freedesktop/boltd
@@ -25,8 +25,9 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/boltd/{,**} rw,
- @{run}/systemd/notify rw,
- @{run}/udev/data/+thunderbolt:* r,
+ @{att}/@{run}/systemd/notify w,
+
+ @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
 @{sys}/bus/ r,
 @{sys}/bus/thunderbolt/devices/ r,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index ffdfe08a0..c069b7afd 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -11,9 +11,11 @@ include
 profile colord @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
+ include
+ include
 include
+ include
 include
 network inet dgram,
@@ -22,12 +24,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.ColorManager
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label=dbus-system),
-
 @{exec_path} mrix,
+ @{lib}/colord-sane ix,
 /etc/machine-id r,
 /etc/sane.d/{,**} r,
@@ -35,11 +33,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 /etc/udev/hwdb.bin r,
 /usr/share/color/icc/{,**} r,
- /usr/share/mime/mime.cache r,
 /usr/share/snmp/mibs/{,*} r,
- @{system_share_dirs}/mime/mime.cache r,
-
 owner /var/lib/colord/.cache/ rw,
 owner /var/lib/colord/.cache/** rw,
 owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
@@ -49,8 +44,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 owner /var/lib/snmp/mibs/{iana,ietf}/ r,
 owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
- @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
- @{att}/@{user_share_dirs}/icc/edid-*.icc r,
+ @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+ @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
 @{run}/systemd/sessions/* r,
@@ -63,7 +58,9 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/@{pci}/{vendor,model,type} r,
 @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,
 @{sys}/devices/@{pci}/uevent r,
- @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{PROC}/sys/dev/parport/ r,
 @{PROC}/sys/dev/parport/parport@{int}/base-addr r,
diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower
index b9811b1a6..2d58faffe 100644
--- a/apparmor.d/groups/freedesktop/cpupower
+++ b/apparmor.d/groups/freedesktop/cpupower
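Review bot: `@{lib}/colord-sane ix,` in the second colord hunk runs the SANE probe helper inside the colord profile with its full rule set, including the `network inet dgram` the profile already holds; a separate binary like this is a natural candidate for a child profile or `rPx`, and if `ix` is deliberate a comment saying why would help. The explicit `dbus send ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule removed in the same hunk has no visible replacement beyond the new includes added in the first hunk, whose targets are stripped in this rendering; worth confirming one of them carries it.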
@@ -28,15 +28,10 @@ profile cpupower @{exec_path} {
 @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
 @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r,
 @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r,
-
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw,
 @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw,
-
- @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
- @{sys}/devices/system/cpu/cpu@{int}/online r,
+ @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,
 /dev/cpu/@{int}/msr r,
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf
index be4972f04..20b453df4 100644
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/dconf
 profile dconf @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 capability sys_nice,
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index ccebcad74..da950506a 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{lib}/{,dconf/}dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
@@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
 @{PROC}/cmdline r,
- /dev/tty@{int} rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index ffe996c52..6254b2456 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
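Review bot: `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,` replaces three explicit `scaling_*` rules with a wildcard that grants write on every attribute under each policy directory; if cpupower only writes the scaling knobs, `@{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_* rw,` keeps the write surface where it was while still covering new scaling files. The hunk also removes `@{sys}/devices/system/cpu/cpu@{int}/online r,` with no replacement in view, and the remaining `cpu@{int}/{cpufreq,cpuidle}/** r,` does not match `online`; confirm that read is covered elsewhere or keep the line.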
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/fc-list
+@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern
 profile fc-list @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index ec1633a9e..04eeba521 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -11,9 +11,12 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 include
+ include
+ include
+ include
+ include
 include
 include
 include
@@ -26,15 +29,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.freedesktop.GeoClue2
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label=dbus-system),
-
 @{exec_path} mr,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
 /etc/geoclue/{,**} r,
 /etc/sysconfig/proxy r,
diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy
index d7122bdbb..1201e1277 100644
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} {
 @{exec_path} mr,
- @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
 @{run}/udev/data/c13:@{int} r, # For /dev/input/*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat
new file mode 100644
index 000000000..8329b7924
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pacat
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Roman Beslik
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pacat
+profile pacat @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/machine-id r,
+
+ owner @{user_music_dirs}/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index f6f4c12aa..04b08ecc4 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -14,8 +14,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ include
 include
- include
 capability sys_ptrace,
@@ -25,11 +26,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=session name=org.pulseaudio.Server
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label=dbus-session),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
@@ -45,13 +41,14 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 /etc/pipewire/{,**} r,
 / r,
- @{att}/ r,
+ /att/**/ r,
 owner @{att}/.flatpak-info r,
 owner @{user_config_dirs}/pipewire/{,**} r,
 owner @{tmp}/librnnoise-@{int}.so rm,
+ @{run}/snapd.socket rw,
 owner @{run}/user/@{uid}/pipewire-@{int} rw,
 owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
 owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
@@ -67,10 +64,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
 @{sys}/module/apparmor/parameters/enabled r,
+ owner @{PROC}/@{pid}/attr/apparmor/current r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- /dev/media@{int} rw,
-
 include if exists
 }
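Review bot: `@{run}/snapd.socket rw,` in the third pipewire hunk has no comment; that is the snapd API socket, a notable reach for an audio daemon, and the reason (presumably looking up the snap confinement of connecting clients) belongs inline, e.g. `# Query the snap confinement of clients via snapd`. `/att/**/ r,` in the same hunk is the same hard-coded attachment root raised on the flatpak-portal hunk earlier in this diff. The last hunk drops `/dev/media@{int} rw,` without a visible replacement; if it moved into one of the new includes from the first hunk that is fine, otherwise confirm it is no longer needed.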
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index 212898a84..83ee32baa 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -14,20 +14,15 @@ profile pipewire-media-session @{exec_path} {
 include
 include
 include
+ include
 include
 include
- include
 network bluetooth raw,
 network bluetooth seqpacket,
 network bluetooth stream,
 network netlink raw,
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetConnectionUnixProcessID
- peer=(name=org.freedesktop.DBus, label=dbus-session),
-
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index 530fa97db..e6e6e59c5 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -11,15 +11,21 @@ include
 profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
+ include
 include
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
+
+ #aa:dbus own bus=session name=org.pulseaudio.Server
 @{exec_path} mr,
 @{bin}/pactl rix,
+ @{bin}/pipewire mr,
 /usr/share/pipewire/{,**} r,
@@ -38,6 +44,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/module/apparmor/parameters/enabled r,
+
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities
new file mode 100644
index 000000000..778dd131c
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-admin-identities
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-admin-identities
+profile pkla-admin-identities @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/polkit-1/localauthority.conf.d/{,**} r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization
new file mode 100644
index 000000000..ff5b72f71
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/pkla-check-authorization
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/pkla-check-authorization
+profile pkla-check-authorization @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index bd5a34dcd..da13572e5 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/plymouth-set-default-theme
+@{exec_path} = @{sbin}/plymouth-set-default-theme
 profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/{m,g,}awk rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/plymouth rPx,
 /usr/share/plymouth/{,**} r,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 8e5933073..0a2390661 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
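Review bot: The new pkla-check-authorization profile grants only `@{exec_path} mr,` beyond its single include, while its sibling pkla-admin-identities in the hunk above reads `/etc/polkit-1/localauthority.conf.d/{,**} r,`; if pkla-check-authorization evaluates the local-authority `.pkla` files (its name suggests so, but the hunk does not show it), it will need the corresponding read rules, so the profile should be exercised against a real query before it ships. A short comment on the profile recording what it was tested with would help either way.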
@@ -6,12 +6,13 @@ abi ,
 include
-@{exec_path} = @{bin}/plymouthd
+@{exec_path} = @{sbin}/plymouthd
 profile plymouthd @{exec_path} {
 include
 include
 include
 include
+ include
 capability checkpoint_restore,
 capability dac_override,
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 94bc7ece6..bb48d0c5b 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -12,11 +12,19 @@ include
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
 include
+ include
+ include
+ include
 include
 include
+ signal (send) set=(term) peer=polkit-agent-helper,
+
 @{exec_path} mr,
+ @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ @{lib}/polkit-agent-helper-[0-9] rPx,
+
 @{PROC}/@{pid}/cgroup r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index f53f4d164..8a08f02d0 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -11,6 +11,8 @@ include
 @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
 profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
+ include
+ include
 include
 include
 include
@@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
 signal (send) set=(term, kill) peer=polkit-agent-helper,
+ #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int}
+ #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+
 @{exec_path} mr,
 @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
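Review bot: The new `signal (send) set=(term) peer=polkit-agent-helper,` in the polkit-gnome-authentication-agent hunk uses the parenthesised form while this same commit normalises `ptrace (read)` to `ptrace read` in flatpak-app, flatpak-system-helper and pipewire-pulse; `signal send set=(term) peer=polkit-agent-helper,` follows the direction the rest of the diff takes. The `rPx` transitions to `polkit-agent-helper-[0-9]` are the right shape, keeping the privileged helper under its own profile rather than inheriting the agent's.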
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 804020b7b..206958062 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -14,17 +14,21 @@ profile pulseaudio @{exec_path} {
 include
 include
 include
- include
- include
 include
 include
+ include
+ include
+ include
+ include
+ include
 include
 include
+ include
 include
 include
- include
 include
 include
+ include
 include
 ptrace (trace) peer=@{profile_name},
@@ -47,26 +51,11 @@ profile pulseaudio @{exec_path} {
 member=Introspect
 peer=(name=:*, label=gnome-shell),
- dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
- interface=org.freedesktop.Avahi.ServiceResolver
- member=Found
- peer=(name=:*, label=avahi-daemon),
-
- dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
- interface=org.freedesktop.Avahi.ServiceBrowser
- member=ItemRemove
- peer=(name=:*, label=avahi-daemon),
-
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
 peer=(name=org.bluez),
- dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
- interface=org.freedesktop.Avahi.ServiceResolver
- member={Found,Free}
- peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
-
 @{exec_path} mrix,
 @{lib}/pulse/gsettings-helper rix,
@@ -82,9 +71,9 @@ profile pulseaudio @{exec_path} {
 owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
 owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
- owner @{desktop_config_dirs}/dconf/user r,
- owner @{desktop_config_dirs}/pulse/{,**} rw,
- owner @{desktop_config_dirs}/pulse/cookie k,
+ owner @{desktop_config_dirs}/dconf/user r,
+ owner @{desktop_config_dirs}/pulse/{,**} rw,
+ owner @{desktop_config_dirs}/pulse/cookie k,
 owner @{HOME}/.pulse/{,**} rw,
 owner @{user_config_dirs}/ w,
@@ -105,7 +94,6 @@ profile pulseaudio @{exec_path} {
 @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
 @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
- @{sys}/devices/virtual/video4linux/video@{int}/uevent r,
 deny @{sys}/module/apparmor/parameters/enabled r,
@@ -113,9 +101,6 @@ profile pulseaudio @{exec_path} {
 owner @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/cmdline r,
- /dev/media@{int} r,
- /dev/video@{int} rw,
-
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index ebf0ad6a3..90be74ecf 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@@ -10,7 +10,7 @@ include
 @{exec_path} = @{bin}/update-desktop-database
 profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
@@ -25,6 +25,8 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
 @{system_share_dirs}/applications/.mimeinfo.cache.* rw,
 @{system_share_dirs}/applications/mimeinfo.cache w,
+ /usr/share/byobu/desktop/* r,
+
 /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
 /var/lib/snapd/desktop/applications/mimeinfo.cache w,
diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower
index 1cb7c9583..83652914f 100644
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@@ -10,9 +10,10 @@ include
 @{exec_path} = @{bin}/upower
 profile upower @{exec_path} {
 include
+ include
+ include
- # Needed?
- audit capability sys_nice,
+ #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
 @{exec_path} mr,
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index f832d285e..201e49f3c 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -11,8 +11,9 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include + include include network netlink raw, @@ -27,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -56,6 +57,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, 
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/groups/freedesktop/wireplumber similarity index 68% rename from apparmor.d/profiles-s-z/wireplumber rename to apparmor.d/groups/freedesktop/wireplumber index 87b4e27ca..90eb46dc4 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,28 +9,36 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include include - include + include + include include + include include - include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, @@ -41,8 +49,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, 
@@ -50,29 +58,37 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + + /dev/shm/lttng-ust-wait-@{int} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, + /dev/udmabuf rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname new file mode 100644 index 000000000..1d2c7aa23 --- /dev/null +++ b/apparmor.d/groups/freedesktop/wmname @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wmname +profile wmname @{exec_path} { + include + include + + @{exec_path} mr, + owner @{HOME}/.Xauthority r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index e51f21e1e..031f03ac4 100644 
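Review bot: `/dev/shm/lttng-ust-wait-@{int} rw,` is the only one of the three new lttng-ust rules without `owner`, so wireplumber may open and write wait files created by other users, including those of a root-owned session daemon. If that is intentional, a comment such as `# lttng-ust wait file of the system-wide session daemon (not user-owned)` would record it; otherwise `owner` should be added as on the two lines below. Likewise `/dev/udmabuf rw,` replaces the media device rule with write access to the user DMA-buf allocator, and a one-line comment on which PipeWire feature needs it would help future tightening. The wireplumber profile starts before this hunk.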
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,18 +9,20 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include include - include - include + include include include include network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* @@ -28,8 +30,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/** r, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index ba699bdbd..a6200a2b2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -39,6 +39,7 @@ profile xdg-desktop-icon @{exec_path} { include include include + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 53218d821..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,7 +10,6 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include - include include include include 
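Review bot: `owner @{att}/@{HOME}/.var/app/** r,` grants read access to every Flatpak application's private data tree, which is broader than the two specific paths that follow it (`logs/*` and `usr/.ref`) and than what a D-Bus filtering proxy would be expected to need. If a particular file triggered the denial it should be named instead, or the rule should carry a comment with the reason so it is not widened further later. The xdg-dbus-proxy profile starts and ends outside this hunk.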
@@ -18,7 +17,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include + include include include include @@ -32,22 +34,29 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { ptrace read, signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
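Review bot: `signal receive set=hup peer=gdm-session-worker,` is added here and the same rule (with varying signal sets) reappears in xdg-desktop-portal-gtk, xdg-document-portal and xdg-permission-store later in this diff. If the project has an abstraction for signals that the display manager sends to session components, a single include would keep these in sync; otherwise a short comment such as `# gdm-session-worker sends SIGHUP to session components on logout` on this first occurrence would explain the rule. The profile extends beyond this hunk on both sides.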
@@ -60,10 +69,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, @@ -75,11 +85,14 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, + # The portal can receive any user file as it is a file chooser for UI app. + owner @{HOME}/** r, @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, + owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, - owner @{tmp}/icon* rw, + owner @{tmp}/icon@{rand6} rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, @@ -89,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 17d26e3b1..30b415204 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
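Review bot: `owner @{HOME}/** r,` replaces per-path access with read access to the entire home directory, which also matches credential material such as `.ssh` or `.gnupg`, and the comment above it only says the portal acts as a file chooser. Since this daemon services requests from sandboxed applications, consider explicit `deny` rules for the well-known sensitive dotfile directories, or at least extend the comment to state that the process deliberately proxies any user file and relies on its own access checks. In the following hunk, `@{PROC}/@{pids}/status r,` without `owner` reads the status of every process on the system; presumably this is used to identify D-Bus callers, and a comment naming that use would help. The profile continues outside these hunks.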
@@ -9,31 +9,47 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include - include + include + include include include include include include include + include include network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=RunningApplicationsChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
@@ -44,11 +60,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, @@ -58,12 +76,18 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d4fa3dc1d..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -9,59 +9,48 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include - include include include - include include include include - include - include + include include - include + include include include include include include + include + include include include signal receive set=term peer=gdm, - - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), + signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, - / r, + / r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, owner @{gdm_config_dirs}/dconf/user r, + owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 309248e18..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde 
@@ -10,10 +10,13 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include + include + include include include include include + include network inet dgram, network inet6 dgram, @@ -21,18 +24,43 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, + signal send set=term peer=kioworker, + @{exec_path} mr, #aa:exec kioworker + /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, + + owner @{HOME}/ r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343b..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon new file mode 100644 index 000000000..2c6c37538 --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon +profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_override, + + @{exec_path} mrix, + + @{bin}/bwrap ix, + + owner @{tmp}/icon@{rand6} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d47b830e0..84c0fce42 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include capability sys_admin, 
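Review bot: `capability dac_override,` in the new xdg-desktop-portal-validate-icon profile, combined with `@{bin}/bwrap ix,`, means the bubblewrap sandbox and the icon parser it launches keep DAC bypass under this same profile, which works against the purpose of a helper that exists to parse untrusted icon data in isolation. A comment stating which operation needs the capability (presumably bwrap setting up the sandbox mounts) would justify it, and if only bwrap needs it, a child profile (`@{bin}/bwrap rCx -> bwrap,`) would keep the capability out of the validator itself. The hunk is a complete new file.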
@@ -22,13 +23,15 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, - signal (receive) set=(term) peer=gdm, + signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, ptrace (read), unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -37,10 +40,12 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, - owner @{att}/ r, + / r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, @@ -61,10 +66,12 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include - include + include + include - capability sys_admin, capability dac_read_search, + capability dac_override, + capability setuid, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, @@ -74,17 +81,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - owner @{run}/user/@{uid}/doc/ rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - @{att}/dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d1..9e6dbc2e0 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
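Review bot: The fusermount child profile drops `capability sys_admin,` and adds `capability dac_override,` and `capability setuid,` without a comment, while in the last hunk `@{bin}/fusermount{,3} mr,`, `/dev/fuse rw,`, `/etc/fuse{,3}.conf r,` and `@{PROC}/@{pids}/mounts r,` are removed from the same subprofile. Presumably the two new includes supply those file rules; if they do not, the `rCx -> fusermount` transition in the earlier hunk lands in a profile that cannot map its own binary. A short comment such as `# fusermount is setuid root and drops back to the calling user` next to `capability setuid,` would document why the capability is granted. The subprofile spans the last two hunks of this file.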
@@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 298bc059d..3b15d9688 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,14 +9,15 @@ include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include - include + include include include capability sys_nice, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm, + signal receive set=(term hup kill) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore @@ -42,9 +43,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, + owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index c142d137d..dd7d17118 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
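Review bot: The new `deny` rules under `# file_inherit` take precedence over every allow rule in the profile, so `deny owner @{user_config_dirs}/*/** rw,` will also silently block any existing or future allow on a subdirectory of the user config directory, and `deny /opt/*/** r,` does the same for everything under /opt. If the intent is only to silence inherited-descriptor noise from browser-spawned instances, narrowing the patterns to the specific inherited files, or adding a comment like `# deny wins over allow: keep these patterns narrow`, would prevent later surprises. The xdg-mime profile starts before this hunk.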
@@ -12,6 +12,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include include include + include @{exec_path} r, @@ -27,7 +28,6 @@ profile xdg-screensaver @{exec_path} flags=(complain) { @{bin}/lockfile ix, @{bin}/mktemp ix, @{bin}/mv ix, - @{bin}/perl ix, @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,14 +8,14 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} r, - @{sh_path} rix, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 8892bd1ce..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include + include + include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update 
@@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index dde1fe8c1..a99e12b7a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include + include include include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 0f23d583c..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -45,6 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.login1.Session + member=ReleaseControl + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + @{exec_path} mrix, @{sh_path} rix, 
@@ -87,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @@ -116,6 +121,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @@ -127,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, 
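Review bot: `@{sys}/devices/@{pci}/resource@{int} rw,` in the second hunk grants write access to PCI BAR resource files, which lets the X server map the registers and memory of any PCI device, not only the GPU's. Presumably this is for legacy non-KMS drivers; a comment such as `# PCI BAR mapping for non-KMS/VESA drivers` and, if the project has a GPU-specific sysfs path variable, restricting the rule to that device would keep the grant explicit. `/dev/ r,` in the last hunk also lists every device node, and a comment on which driver probe needs it would help. The xorg profile continues outside these hunks.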
diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index fc1935c4b..ed9e7a030 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 05fb5a6fa..a8950dbc6 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -6,9 +6,10 @@ abi , include -@{exec_path} = @{bin}/Xwayland +@{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -19,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), @{exec_path} mrix, 
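Review bot: `capability dac_read_search,` in xrandr bypasses read permission checks on every file, which is a large grant for a display utility; from the adjacent `@{run}/sddm/xauth_@{rand6} r,` it is presumably needed to read the SDDM-owned Xauthority file during session setup. A comment tying the capability to that file, e.g. `# needed to read the root-owned SDDM xauth file`, would document the reason and make it easy to drop if SDDM changes its layout. The xrandr profile continues outside the hunk.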
@@ -29,6 +31,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, @@ -36,9 +43,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - @{att}/dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl new file mode 100644 index 000000000..4b1f7a138 --- /dev/null +++ b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}} +@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}} +profile batteryhealthchargingctl @{exec_path} { + include + include + + capability dac_read_search, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/env rix, + @{bin}/cmp rix, + @{bin}/cut rix, + @{bin}/pkaction rix, + @{bin}/sed rix, + @{bin}/sort rix, + + /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r, + + @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r, + + @{sys}/class/power_supply/ r, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, + @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 
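Review bot: The new batteryhealthchargingctl profile allows a helper that writes `charge_control_*_threshold` (and so presumably runs as root through the polkit rule it reads) to read `@{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r,`, a user-writable tree, while also running `@{sh_path}`, `env`, `sed` and `sort` inline. These rules match how the extension ships its helper, but the profile cannot stop a privileged script from acting on user-controlled content, so a comment recording why a privileged helper reads user-owned extension resources, and keeping `@{exec_path} mr,` and the `/etc/polkit-1/rules.d/...` rule read-only as they are, would make the trust boundary explicit. The hunk is a complete new file.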
--- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..2bb38dfd5 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index b7fc6a5b0..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
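Review bot: The new decibels profile, which appears to be for an audio player given `/usr/share/org.gnome.Decibels/`, reads `@{user_pictures_dirs}`, `@{user_torrents_dirs}` and `@{user_videos_dirs}` in full in addition to the music directory. If these are only for files opened from the command line or by drag-and-drop, a comment saying so would justify the scope; otherwise the file-chooser portal already covers arbitrary user files and the extra directories could be dropped. The hunk is a complete new file.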
@@ -13,27 +13,54 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include + include + include + include include + include + include + include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup + #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + + dbus send bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Activate + peer=(name=org.gnome.DejaDup), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{bin}/chrt rix, + @{bin}/ionice rix, + @{bin}/deja-dup Px, + + /usr/share/gvfs/remote-volume-monitors/{,**} r, /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 88ec63ea7..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
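Review bot: The new `dbus send bus=session path=/org/gnome/DejaDup interface=org.gtk.Actions member=Activate peer=(name=org.gnome.DejaDup),` has no `label=` on the peer, while the `#aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup` directive added just above it already covers org.gtk.Actions for that name. If the directive expands to the same send rule, the explicit rule is redundant and only loosens the peer constraint; if it is kept, add `label=deja-dup` to its peer. Minor style point in the same hunk: `@{bin}/deja-dup Px,` drops the `r` that the neighbouring `@{bin}/chrt rix,` / `@{bin}/ionice rix,` and the rest of this diff (`rPx`) use.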
@@ -29,10 +29,12 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, + owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, - owner @{tmp}/Serialized* rw, + owner @{tmp}/SerializedNFA-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 9f18395f2..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,10 +11,11 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include + include include include include @@ -26,10 +27,13 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* 
@@ -37,12 +41,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -52,12 +56,16 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index ce8f799bb..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include - include include include include @@ -37,6 +34,8 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } 
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index f856a06d2..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,10 @@ profile evolution-calendar-factory @{exec_path} { include include include - include + include + include include + include include include include @@ -57,11 +59,6 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Move - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -70,14 +67,12 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5bef..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,10 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include + include include include + include include network inet stream, 
@@ -46,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index a1e323c87..6bcbd1cc0 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index b0f5e81a5..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gdm{3,} +@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include include @@ -17,9 +17,11 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, @@ -34,13 +36,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, 
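Review bot: `capability sys_admin,` (and `capability fowner,`) are added to the gdm profile without a comment naming the operation that needs them. sys_admin is the broadest capability AppArmor can grant, and since the same file also gains `@{GDM_HOME}/** rw,` and `/etc/.pwd.lock rwk,` in later hunks, a reader cannot tell whether the denial behind it was a mount, a namespace operation or something else. Please add the originating log line or reason inline, e.g. `capability sys_admin, # <operation seen in aa-log>`, so the grant can be re-evaluated later.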
@@ -50,7 +47,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, @@ -58,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -70,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -92,7 +89,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index dc11e8169..c5e6d4cd5 100644 
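Review bot: `@{GDM_HOME}/ rw,` and `@{GDM_HOME}/** rw,` replace the single `owner @{GDM_HOME}/block-initial-setup rw,` rule, so the gdm daemon may now write any file under the greeter's home, including the `greeter-dconf-defaults` that the gjs and gdm-generate-config profiles in this same diff only read. If gdm (running as root) cannot satisfy `owner` on a directory owned by the gdm user, that is worth stating in a comment; otherwise list the files it actually writes, as the old rule did. The same applies to `@{run}/gdm{,3}/ rw,`, which lost its `owner` qualifier while the sibling `.pid` and `dbus/` rules in the hunk kept theirs.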
--- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,13 +18,15 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, + # ptrace read, + @{exec_path} mr, @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -32,8 +34,7 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ r, - owner @{GDM_HOME}/ rw, + @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -41,11 +42,22 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 189e166f2..eea0ee3b3 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -12,6 +12,9 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) { @{exec_path} mr, + @{sh_path} r, + @{bin}/prime-offload ix, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 4e3440656..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session 
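Review bot: `# ptrace read,` in gdm-generate-config is a commented-out rule with no explanation, so the next reader cannot tell whether it is a reminder that pgrep/pkill need it, a denial that was deliberately not granted, or leftover debugging. Either remove it or turn it into a statement, e.g. `# ptrace read is not granted on purpose: pgrep/pkill run in the pgrep child profile`, whichever is true. The pgrep/pkill rules that this hunk turns into `rCx -> &pgrep` transitions get their child profile in the last hunk of this file.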
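Review bot: The new `profile pgrep { ... }` child in gdm-generate-config grants `@{bin}/pkill mr,` but not `@{bin}/pgrep mr,`, although both `@{bin}/pgrep rCx -> &pgrep,` and `@{bin}/pkill rCx -> &pgrep,` transition into it. On a distribution where pgrep and pkill are separate files, or where pgrep is the real binary and pkill the symlink, the pgrep transition will be denied at exec time; `@{bin}/{pgrep,pkill} mr,` covers both layouts. It is also worth checking that the `@{PROC}/@{pids}/{cgroup,cmdline,stat,status} r,` rules added to the parent are mirrored by the child's include lines (whose targets are not visible here), since it is the child, not gdm-generate-config, that scans /proc now.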
@@ -11,14 +11,15 @@ profile gdm-session @{exec_path} { include include include - include - include + include + include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4ca2b21b6..3bab1b134 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
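Review bot: Style point in the rewritten signal block of gdm-session: the added `signal send set=term peer=gnome-session,` writes the set without parentheses while the five lines the hunk just normalised beside it use `set=(term)` / `set=(hup term)`. Both spellings parse, but since the hunk's purpose is to make the block uniform, `signal send set=(term) peer=gnome-session,` keeps it that way. gdm-session-worker in the next file uses the bare form for single signals throughout, so either convention is fine as long as one file is consistent.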
@@ -31,30 +31,31 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - signal (receive) set=term peer=gdm, - signal (send) set=(hup term) peer=gdm-session, - signal (send) set=hup peer=at-spi*, - signal (send) set=hup peer=dbus-accessibility, - signal (send) set=hup peer=dbus-session, - signal (send) set=hup peer=dconf-service, - signal (send) set=hup peer=gjs-console, - signal (send) set=hup peer=gnome-*, - signal (send) set=hup peer=gsd-*, - signal (send) set=hup peer=ibus-*, - signal (send) set=hup peer=mutter-x11-frames, - signal (send) set=hup peer=tracker-miner, - signal (send) set=hup peer=xdg-*, - signal (send) set=hup peer=xorg, - signal (send) set=hup peer=xwayland, + signal receive set=term peer=gdm, + signal send set=(hup term) peer=gdm-session, + signal send set=hup peer=at-spi*, + signal send set=hup peer=dbus-accessibility, + signal send set=hup peer=dbus-session, + signal send set=hup peer=dconf-service, + signal send set=hup peer=gjs-console, + signal send set=hup peer=gnome-*, + signal send set=hup peer=gsd-*, + signal send set=hup peer=ibus-*, + signal send set=hup peer=mutter-x11-frames, + signal send set=hup peer=tracker-miner, + signal send set=hup peer=xdg-*, + signal send set=hup peer=xorg, + signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, 
label="@{p_systemd_logind}"), @{exec_path} mrix, @@ -98,6 +99,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, /home/.fscrypt/policies/ r, owner /home/.fscrypt/policies/@{hex32} r, @@ -107,6 +109,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, + @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012e..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,8 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include @@ -30,6 +32,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..de9d25a14 --- /dev/null +++ b/apparmor.d/groups/gnome/gjs 
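Review bot: `@{lib}/*/** rPx,` and `@{lib}/* rPx,` in gio-launch-desktop overlap the existing `@{lib}/gio-launch-desktop rix,` two lines above with a different exec mode. If the parser does not give the exact-path rule precedence over the glob here, the profile will be rejected for conflicting x modifiers; if it does, a short comment saying that the glob is meant to reach every confined program under `@{lib}`, and that binaries without a profile are intentionally refused by `P` rather than `PU`, would make the intent reviewable. The enclosing profile continues outside the hunk.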
@@ -0,0 +1,133 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# GNOME JavaScript interpreter. It is used to run some gnome internal app
+# as well as third party extensions.
+#
+# Therefore, by default, some extension are confined under this profile. To fix
+# this, the various programs using gjs must never run gjs as module, they need
+# to run it as executable with a specific script.
+#
+# This currently concerns:
+# - gnome-extension-ding (used to not be started as a module)
+# - org.gnome.ScreenSaver (simple dbus service)
+# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...)
+# - org.gnome.Shell.Notifications (simple dbus service)
+# - org.gnome.Shell.Screencast (simple dbus service)
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gjs-console
+profile gjs @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ # Only needed by org.gnome.Shell.Extensions
+ include
+ include
+
+ # Only needed by gnome-extension-ding
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ unix type=stream peer=(label=gnome-shell),
+
+ signal receive set=(term hup) peer=gdm,
+
+ #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions
+ #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus*
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+ #aa:dbus own bus=session name=org.gnome.Shell.Screencast
+ 
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + 
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 20d5e48d5..000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null 
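Review bot: The main `profile gjs` grants no `network netlink raw,` (only the `gstreamer` child does) while the `gjs-console` profile it replaces had it at profile level, and `signal receive set=(term hup) peer=gdm,` narrows the old `peer=gdm*`; both are fine if confirmed against aa-log for org.gnome.Shell.Extensions and ding, but a comment saying so would stop them from being re-added blindly. `unix type=stream peer=(label=gnome-shell),` carries no access list, so it grants every unix-socket operation towards gnome-shell; if only connect/send/receive are used, spell them out. The header comment also needs a grammar pass: `some gnome internal app` → `some GNOME internal apps`, `some extension are confined` → `some extensions are confined`, `run gjs as module` → `run gjs as a module`, and `(used to not be started as a module)` leaves it unclear whether ding still runs that way.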
@@ -1,93 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - signal (receive) set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - - /tmp/ r, - /var/tmp/ r, - - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner 
@{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{HOME}/ r, - - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 0a5abe0a9..cd46dd069 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -32,9 +34,11 @@ profile gnome-boxes @{exec_path} { @{open_path} rPx -> child-open, - @{bin}/virtqemud rPUx, + @{bin}/qemu-img rix, @{bin}/virsh rCx -> virsh, + @{bin}/virtqemud rPUx, + /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, 
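Review bot: `@{bin}/qemu-img rix,` runs qemu-img inside the gnome-boxes profile, so a tool whose job is to parse disk-image formats fetched from the network inherits every rule gnome-boxes has (home directory, D-Bus, libvirt sockets). `@{bin}/virsh rCx -> virsh,` right below it shows the pattern this project uses for helpers: a child profile limited to what the tool needs, here reading the source image and writing the converted one. Suggest `@{bin}/qemu-img rCx -> qemu-img,` plus a child profile, or at least a comment explaining why inheriting the full profile is acceptable; the enclosing profile continues outside the hunk.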
@@ -54,14 +58,21 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, @{run}/mount/utab r, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @@ -69,6 +80,7 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index d31811152..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,15 +11,14 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @{bin}/env rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator 
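Review bot: `@{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw,` in gnome-browser-connector-host lets a per-user browser helper write byte-code into the system-wide site-packages tree and, unlike the `owner @{PROC}/@{pid}/mounts r,` line after it, carries no `owner` qualifier. DAC will normally refuse that write anyway, so either the rule is dead or the package is installed somewhere user-writable; a comment stating which, or narrowing to `r` if the cache is pre-compiled at install time, would keep the profile honest. The enclosing profile continues outside the hunk.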
@@ -7,9 +7,10 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include + include include # Needed to get currency exchange rates @@ -19,6 +20,8 @@ profile gnome-calculator @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2eaacdefb..8400f03c1 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,12 +17,14 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, @{bin}/* rPUx, + owner @{user_cache_dirs}/gnome-calculator/* r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 97309c1a7..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar 
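Review bot: `flags=(attach_disconnected)` is added to the gnome-calculator profile header without a note on which disconnected path triggered it. The flag changes how paths outside the profile's mount namespace are matched, so the cause (usually one specific denial) belongs next to it, e.g. a comment line above the header such as `# attach_disconnected: <denial seen in aa-log>`, so it can be dropped again if the need goes away.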
@@ -23,19 +23,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell @{exec_path} mr, @{open_path} rPx -> child-open-help, 
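Review bot: `#aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell` uses org.gnome.Shell.SearchProvider2 as a bus name, whereas the gnome-calculator-search-provider and gnome-clocks hunks in this same diff treat it as an interface (`interface+=org.gnome.Shell.SearchProvider2`) on a name the application itself owns. If gnome-shell does not own a bus name of that form, the rules generated from this directive will never match. The shape the sibling profiles use would be `#aa:dbus own bus=session name=org.gnome.Calendar interface+=org.gnome.Shell.SearchProvider2` on the line that already owns org.gnome.Calendar, assuming gnome-calendar exports the provider on its own name.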
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9ae8a7b8a..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,11 +11,12 @@ profile gnome-characters @{exec_path} { include include include + include include include include - #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters @{exec_path} mr, @@ -27,8 +28,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fd6ded04f..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,16 +10,16 @@ include profile gnome-clocks @{exec_path} { include include - include + include include - include include include include network netlink raw, - #aa:dbus own bus=session name=org.gnome.clocks + #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 00bc15f19..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,17 +10,17 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include - include include - include + include include include include include include + include include include include 
@@ -32,39 +32,59 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (send) set=(kill) peer=unconfined, - signal (send) set=(kill) peer=passwd, - - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), + signal send set=kill peer=unconfined, + signal send set=kill peer=passwd, #aa:dbus own bus=session name=org.gnome.Settings + #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd + #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system 
name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rix, + @{bin}/tecla rPx, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @@ -74,7 +94,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, @@ -90,10 +109,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, 
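Review bot: `#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"` hands gnome-control-center bidirectional access to the whole systemd manager name, a much larger surface than the single `GetManagedObjects` call the hunk spells out for NetworkManager a few lines below; if only a few members are needed, an explicit `dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={<members seen in aa-log>}` rule with a labelled peer, as done for NetworkManager, both documents and bounds that. In the same block `label=@{p_power_profiles_daemon}` is the only variable label left unquoted while every sibling writes `label="@{p_…}"`; `#aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"` matches the quoted form gnome-shell uses later in this commit. The profile continues outside the hunk.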
@@ -111,12 +130,14 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, + owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw, owner @{user_config_dirs}/background rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, @@ -143,7 +164,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, @@ -176,8 +197,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, @@ -193,6 +212,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile pkexec { include include + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d7050..8b813d260 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper 
@@ -9,12 +9,9 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include - include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 3dfd1bf03..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,11 +10,12 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include - #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d82443..8c637920b 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int} rw, + include if exists } 
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,15 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 000000000..e13eca832 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f74afdeac..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding 
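Review bot: The new `profile gnome-extension {` has no attachment path even though `@{exec_path} = @{bin}/gjs-console` is declared just above it, which a reader will take for a mistake; since gnome-shell reaches it only through `@{bin}/gjs-console rPx -> gnome-extension` later in this commit, a comment such as `# No attachment on purpose: entered only via "rPx -> gnome-extension" from gnome-shell` next to the profile line would make that deliberate. The new profile also adds `owner @{PROC}/@{pid}/stat r,` while the same commit removes that exact rule from gnome-characters, gnome-maps, gnome-extensions-app and gnome-extension-gsconnect, presumably because it moved into a shared include; if so the new profile should rely on that include too rather than reintroduce the rule.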
@@ -9,48 +9,40 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include - include include include include - include include - include - include - include - include - include - include - include + include + include + include + include + include include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Set - peer=(name=:*, label=gvfsd-metadata), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, 
@@ -63,8 +55,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 4c4b00c5d..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -9,18 +9,27 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{exec_path} = @{share_dirs}/service/daemon.js +@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences profile gnome-extension-gsconnect @{exec_path} { include include - include include include + include + include + include + include + include + include + include + include include include include + include include include + include network inet dgram, network inet6 dgram, @@ -28,6 +37,10 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} + + dbus eavesdrop bus=session, + @{exec_path} mr, @{sh_path} rix, @@ -36,8 +49,9 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/dconf rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, 
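Review bot: `dbus eavesdrop bus=session,` in the gsconnect hunk lets the extension observe every message on the user's session bus, including traffic between other confined apps, which is out of step with the rest of this commit pinning peers by `label=`; if a specific signal is what is needed, a `dbus receive bus=session interface=<iface> member=<member> peer=(label=<sender profile>)` rule expresses that without the eavesdrop grant, and if eavesdrop really is required a why-comment above it (`# eavesdrop needed for: <reason from aa-log>`) should say so. The widened `@{exec_path}` now also covers `@{share_dirs}/gsconnect-preferences`, so the preferences UI inherits the daemon's network and eavesdrop permissions; a note on whether that is intended would help. The profile body continues outside the hunk.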
@@ -53,15 +67,22 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{run}/user/@{uid}/gsconnect/ w, + owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + + owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b59..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index d27ccb8bb..7439e0fb6 100644 
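Review bot: `owner @{run}/user/@{uid}/keyring/ssh rw,` opens the user's ssh-agent socket to the gsconnect daemon; that pairs with the `@{bin}/ssh-add rix` already in the profile, but the reason is not stated, and a comment like `# ssh-agent socket, used by the inline ssh-add — confirm which plugin needs it` would document it. The new `deny @{user_share_dirs}/gvfs-metadata/* r,` lacks `owner` and `{,*}` unlike `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` visible in gnome-control-center earlier in this commit; one spelling for the same noise suppression keeps the profiles greppable. The profile continues outside the hunk.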
--- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,13 +9,10 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include - include include include include @@ -29,7 +26,12 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=com.canonical.UbuntuAdvantage), @{exec_path} mr, @@ -41,13 +43,14 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, + @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, @@ -73,6 +76,10 @@ profile gnome-initial-setup @{exec_path} { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index d0b84c1be..e39ef0dc0 100644 
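Review bot: `@{lib}/@{multiarch}/ld-linux-*.so* rix,` lets gnome-initial-setup run the dynamic loader inline, and because ld.so will load any ELF handed to it as an argument this sidesteps the `rPx`/`rix` transitions the rest of the profile relies on; if it is only needed for one helper, a comment naming that caller would bound the rule, otherwise it deserves a `# FIXME` like the one used for nvidia-smi in gnome-shell. The added `dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager … peer=(name=com.canonical.UbuntuAdvantage),` is also the only new peer in this commit without a `label=`; `peer=(name=com.canonical.UbuntuAdvantage, label=<ubuntu-advantage profile name>)` would match the convention. The enclosing profile continues outside these hunks.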
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,20 +10,24 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include - include + include include include include include - include + include capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -33,7 +37,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 82be211fc..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music 
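Review bot: `unix type=stream peer=(label=snap.*),` in gnome-keyring-daemon carries no access list and no `addr=`, so it grants every unix-socket permission in both directions to any snap-confined peer; the other unix rules in this commit (gnome-shell, gnome-extension-ding) spell out `(send,receive)` and a peer, and this one should at least list the accesses aa-log actually reports, e.g. `unix (send, receive) type=stream peer=(label=snap.*),`, with a comment naming which snap-side socket this serves. The profile continues outside the hunk.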
@@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -33,8 +34,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, - @{bin}/python3.@{int} rix, - @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 19e448b1b..c3631ddb7 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon 
@@ -15,11 +15,15 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, + network netlink raw, - #aa:dbus own bus=session name=org.gnome.RemoteDesktop + #aa:dbus own bus=system name=org.gnome.RemoteDesktop #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index cf17391bc..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,17 +9,29 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @{bin}/cat rix, + @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, @@ -27,11 +39,13 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rPx, + @{bin}/uname rix, + @{bin}/xargs rix, @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @@ -56,7 +70,12 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 42c1265ae..5359a70df 100644 
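Review bot: `@{bin}/run-parts rix,` together with the `@{shells_path} rix,` context at the top of the gnome-session hunk means every script run-parts finds in its directory executes under the gnome-session profile, and `@{bin}/xargs rix,` likewise runs whatever it is handed inline; since the hunk also flips `@{bin}/uname` from `rPx` to `rix`, a comment naming the directory these cover (presumably `/etc/X11/Xsession.d/`, which the profile already reads) would let a reviewer judge the scope, and run-parts may be better served by a child profile than a bare `ix`. In gnome-remote-desktop-daemon, moving `name=org.gnome.RemoteDesktop` from `bus=session` to `bus=system` is a behavioural change that deserves a one-line comment on why the name now lives on the system bus. Both profiles continue outside their hunks.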
--- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,18 +9,16 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include - include include - include + include include include include include + include network inet stream, network inet6 stream, @@ -28,16 +26,16 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager 
@@ -60,15 +58,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, @@ -102,7 +103,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include - include + include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check new file mode 100644 index 000000000..44755aef2 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-check-* +profile gnome-session-check @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/gnome-session-check-accelerated-gl-helper ix, + @{lib}/gnome-session-check-accelerated-gles-helper ix, + + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a2dd6d908..24c069e72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
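Review bot: In the new gnome-session-check profile the two helper rules use a bare `ix` (`@{lib}/gnome-session-check-accelerated-gl-helper ix,`) while every other inline exec in this commit is written `rix`; unless omitting the read permission is intentional, `@{lib}/gnome-session-check-accelerated-gl-helper rix,` and `@{lib}/gnome-session-check-accelerated-gles-helper rix,` keep the style uniform and avoid a denial if the binary is opened for reading rather than only executed. Note also that `@{exec_path} = @{lib}/gnome-session-check-*` already attaches those helpers to this profile by glob, so the explicit rules only matter for the inline transition; a short comment saying so would stop someone changing them to `Px`.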
@@ -10,41 +10,39 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include + include include include include - include - include include include include include - include - include - include - include + include include - include include include - include include - include - include + include + include + include + include include include include include include include + include include + include include + include include include - include + include capability sys_nice, capability sys_ptrace, @@ -56,16 +54,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell 
@@ -74,60 +70,58 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem + #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. 
+ + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.* label=gnome-* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label=polkitd), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - 
peer=(name=:*, label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), - # Session bus - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus send bus=session path=/org/gnome/** + peer=(name=org.gnome.*), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + member={GetNameOwner,ListNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket 
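Review bot: `#aa:dbus own bus=session name=org.gnome.Shell` is added a few lines below the identical context line that already opens this block, so the directive is now declared twice; the added copy should be dropped. The new comment says the strategy is to limit bus traffic to apparmor.d profiles, yet the same hunk adds `#aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*` and `dbus send bus=session path=/org/gnome/** peer=(name=org.gnome.*),`, neither of which pins a label, so those two rules contradict the comment as written; either narrow them or extend the comment to name them as the deliberate exceptions ("Later, some communications could be restricted" hints at that but does not say which). The comment itself should read `only the dbus directive is used for this` rather than `only dbus directive is used for this`. The profile continues outside the hunk.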
@@ -157,38 +151,40 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), - - dbus send bus=session path=/org/gnome/*/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=@{busname}), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, @{bin}/unzip rix, - @{bin}/gjs-console rPx, + @{bin}/flatpak rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, + @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @{sh_path} rCx -> shell, - @{lib}/gio-launch-desktop rCx -> open, + @{bin}/pkexec rCx -> pkexec, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, 
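Review bot: `@{python_path} rCx -> python` and `@{bin}/pkexec rCx -> pkexec` transition into child profiles named `python` and `pkexec` that are not visible in this hunk; if they are defined further down in gnome-shell (outside this view) that is fine, otherwise the profile fails to load, so the definitions should be confirmed. `@{bin}/nvidia-smi rPx, # FIXME; for extension only` uses a semicolon where the other inline comments in this commit are plain text after `#`; `# FIXME: only needed by an extension, see <extension or issue>` would also tell the reader what is waiting to be fixed. The profile continues outside the hunk.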
@@ -198,10 +194,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/libgweather/Locations.xml r, - /usr/share/libinput*/ r, - /usr/share/libinput*/{,**/}@{int2}-*.quirks r, - /usr/share/libinput*/libinput/ r, + /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, + /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, @@ -229,6 +224,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
@@ -236,30 +233,38 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, 
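Review bot: The new `owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw` lets the confined shell install session-bus activation files, and the `native-messaging-hosts` / `**/NativeMessagingHosts/` rules let it install browser native-messaging manifests; both file types name an executable that another component (dbus-daemon, the browser) later launches, so they deserve a comment saying who needs them. The `org.gnome.shell.*` / `org.gnome.Shell.*` prefixes keep the scope narrow, but extensions run in-process, so any loaded extension can exercise these rules; if this is for GSConnect's browser integration (the `gsconnect` cache entry added further down this file suggests so, but that is inferred) add `# Browser integration written on behalf of extensions: native-messaging manifests + activatable service` above the block. The `**` in `@{user_config_dirs}/**/NativeMessagingHosts/` also reaches every browser config directory, which is presumably the intent but worth stating. The `gnome-shell` profile body continues beyond this hunk.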
@@ -267,22 +272,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @@ -291,6 +299,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, 
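Review bot: `owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw` allows the shell to create launchers whose `Exec=` line it will itself run; the name prefix bounds it, but a one-line comment naming the feature helps later audits, e.g. `# Name-prefixed launchers and icons created for extensions`. The rule is also placed among the `@{user_cache_dirs}` entries while the other `@{user_share_dirs}` rules sit a few lines above; moving it up keeps the grouping the rest of the block follows. The `gnome-shell` profile body continues past this hunk.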
@@ -304,19 +314,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, @@ -325,7 +334,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, 
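Review bot: The `@{run}/udev/data/+usb* r` rule, commented "for USB mouse and keyboard", is dropped with no replacement in this hunk; `+hid:*`, `+input:input@{int}` and `c189:@{int}` remain and may cover those devices, but `+usb:*` records are what a hotplugged USB peripheral is enumerated under, so confirm with `aa-log` on a system with a USB keyboard attached before this ships. If the removal is deliberate, say so inline: `# +usb:* intentionally not allowed; input devices are matched via +input/+hid`. Narrowing `+acpi*` to `+acpi:*` is good and matches the other `+<subsystem>:*` entries. The `gnome-shell` profile body continues past this hunk.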
@@ -339,6 +350,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -367,7 +380,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, @@ -377,12 +389,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_ptrace, - ptrace (read), + ptrace read, @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/{,e}grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -395,6 +409,38 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + + profile pkexec { + include + include + + ptrace read peer=gnome-shell, + + @{bin}/pkexec mr, + + /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, + @{bin}/batteryhealthchargingctl{,-@{user}} rPx, + + include if exists + } + + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..37bb7b374 100644 
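Review bot: In the new `pkexec` child profile the two `batteryhealthchargingctl{,-@{user}} rPx` lines confine a single third-party helper inside gnome-shell's own profile, and the `/usr/local/bin/` variant means an unpackaged, admin-installed script gets a transition rule here; since both are `Px` into a named profile the helper is only runnable when that profile is loaded, which fails closed but silently. A comment such as `# Battery Health Charging extension helper; only usable once its profile is loaded` (extension name inferred from the helper's name) would tell the next reader why a `/usr/local/bin` path sits in a core profile, and `ptrace read peer=gnome-shell` deserves `# setuid pkexec inspects its parent process`. The `python` child has no path rules beyond its includes, only the commented `# /usr/share/gnome-shell/extensions/{,**}`; either enable it or state that the deny is intentional. `@{bin}/kmod rPx -> gnome-shell//lsmod` plus a read-only `@{sys}/module/{,**} r` child is a tight way to allow `lsmod`; consider the same pattern for `cat`/`grep`, which currently run `rix` under the full profile.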
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer @@ -35,8 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a75cfee63..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include + include + include + include + include include - include - include include + include include include 
@@ -26,11 +29,22 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), + @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @@ -39,6 +53,8 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -70,15 +86,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -93,7 +105,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, 
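Review bot: The polkit `Changed` receive rule uses a bare `label=polkitd` while the neighbouring new rule uses `"@{p_packagekitd}"` and the rest of this commit moves peers to `"@{p_*}"` variables; if the project defines `@{p_polkitd}`, write `peer=(name=@{busname}, label="@{p_polkitd}")` for consistency. Owning `org.freedesktop.PackageKit` on the session bus is a new grant for gnome-software, and nothing in the hunk says why; a comment such as `# gnome-software serves the PackageKit session interface` (the reason is inferred) would justify it. The `gnome-software` profile body continues past this hunk.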
@@ -122,10 +133,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -163,21 +171,13 @@ profile gnome-software @{exec_path} { profile fusermount { include - include + include - capability sys_admin, + capability setuid, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 92cbd369e..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include + include + include + include include capability sys_ptrace, @@ -21,9 +21,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -35,8 +35,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, - /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + /usr/share/byobu/desktop/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, 
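Review bot: In the `fusermount` child, `capability sys_admin` is replaced by `capability setuid` while the `mount fstype=fuse.revokefs-fuse ...` and `umount` rules stay; mount(2)/umount2(2) still need CAP_SYS_ADMIN under AppArmor's capability mediation, so this only works if the new include (its name was lost in rendering) supplies `capability sys_admin` along with the removed `fusermount{,3} mr`, `/etc/fuse.conf r` and `/dev/fuse rw` lines. Confirm with `aa-log` on a flatpak install, and if the include is the source add `# mount/umount and sys_admin come from the fusermount abstraction` so the dependency is visible. The gnome-system-monitor hunks on this line are rule-form rewrites (`ptrace read`, `signal send`) and a path widening to `/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r`, which is read-only system data.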
@@ -74,12 +74,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index d96c20c36..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,22 +10,19 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include - include include include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 @@ -38,15 +35,17 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b..8aa950e2c 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor 
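Review bot: `@{lib}/gnome-terminal-preferences ix` runs the preferences dialog under gnome-terminal-server's own profile, which in this same file carries `signal send set=(term hup kill) peer=unconfined` and `ptrace read peer=unconfined`; a settings UI does not need to kill or inspect unconfined processes, so `rCx -> preferences` with a narrower child (or its own profile) would be tighter. If `ix` is deliberate because the dialog needs exactly the server's GTK/dconf access, say so: `# Preferences dialog shares the server's profile on purpose`. Dropping `r` from the `Ux`/`Px`/`PUx` lines follows the project's current rule form and does not change what is executed.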
+++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,11 +10,14 @@ include profile gnome-text-editor @{exec_path} { include include + include include include + include include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d104e75c6..7f93b7864 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -21,22 +21,21 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/ps rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{open_path} rPx -> child-open-help, - @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a19..fe2bf69b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, 
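Review bot: `owner @{user_config_dirs}/autostart/*.desktop rw` now lets gnome-tweaks write login-time autostart entries, whose `Exec=` lines run at every session start; this is presumably the Startup Applications feature, but a write into autostart is worth a comment, e.g. `# Startup Applications: create and remove autostart entries`. The `@{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w` rule still permits bytecode writes under a system library path; it only takes effect where the filesystem lets the user write there, so `# Only reachable on user-writable site-packages` would explain why it is kept. The gnome-text-editor and gnome-weather hunks on this line are an include/name addition and a single removal with no review point.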
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c2..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index cfbaa6269..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 6ff47dcd1..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,14 +9,11 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include - include + include include include - include include - include - include + include include include include 
@@ -28,7 +25,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties @@ -45,10 +42,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 984f7c189..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
@@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 288c29af8..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,12 +10,13 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include include - include - include + include + include + include include include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -23,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 87560b6f9..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,14 +9,11 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include - include + include include include - include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3c2ef3dac..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
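Review bot: The new `dbus send ... member=Subscribe peer=(name=org.freedesktop.systemd1)` in gsd-housekeeping carries no `label=`, unlike every other peer touched by this commit; on the session bus that name belongs to the user's systemd instance, which runs unconfined, so `peer=(name=org.freedesktop.systemd1, label=unconfined)` pins it (check the project's convention for unconfined peers first). The `dbus receive ... Introspect peer=(name=:*, label=gnome-shell)` rule removed here is added verbatim to gsd-usb-protection and gsd-wwan elsewhere in this commit; if it moved into a shared abstraction for housekeeping, the other two should use the same include, and if not, the removal may regress. In gsd-disk-utility-notify, `label=udisksd` is a bare label where the rest of the diff uses `"@{p_*}"` variables.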
@@ -9,22 +9,20 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include include - include include include - include include include - include include - include - include + include + include + include include include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -38,27 +36,22 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, 
@@ -71,15 +64,13 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb[0-9]/{,**} r, + @{sys}/devices/**/usb@{int}/{,**} r, @{sys}/devices/@{pci}/sound/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 97b31d6c5..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,26 +9,25 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include - include include - include include include include - include include include include include - include + include include - include - include - include + include + include include include include include + include + include + include network inet stream, network netlink raw, 
@@ -38,16 +37,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, @@ -57,9 +62,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 2c8319bd8..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications 
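Review bot: The new `dbus send ... login1.Manager member=Suspend` rule grants a privileged action (putting the machine to sleep) without a comment; `# Suspend on lid close / idle timeout` above it records why gsd-power needs more than the inhibit and KbdBacklight access it already had (the trigger is inferred). Its `peer=(name=@{busname}, label="@{p_systemd_logind}")` form matches the `PowerOff` rule in gsd-media-keys, so it is consistent. In the second hunk the backlight comment ends with a period while the other inline comments in the block do not; drop it.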
@@ -9,29 +9,36 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include - include + include + include + include + include + include include include network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 9e67c8c72..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 1fd4157ec..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill 
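Review bot: The commented-out broad `dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier` rule is left immediately above the new member-scoped one, so a reader cannot tell whether it is a leftover or a pending widening; delete it or turn it into a note, e.g. `# Only the members below are needed; widen here if cups-notifier emits others`. The explicit `member={...}` list with `label=cups-notifier-dbus` is the right shape, but the notifier interface likely carries further signals (job-related ones, for instance), so expect denials on job events if those are needed. The `signal`/`ptrace` rewrites are form-only.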
@@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 1ac54d0fe..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 871e10abc..9d432ae13 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -30,11 +31,15 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index f93f0313b..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard 
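Review bot: `path=/org/freedesktop/NetworkManager/ActiveConnection/3` in gsd-sharing hard-codes an active-connection index that NetworkManager assigns at runtime, so the rule only matches the machine it was recorded on; use `path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}`, as the other object-path rules in this diff do (`/@{int}_@{hex8}`, `User@{uid}`). The rule is otherwise well scoped (`VpnStateChanged`, `label=NetworkManager`). The gsd-sharing profile body continues past this hunk.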
@@ -9,12 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,9 +31,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 8c5e7891a..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,14 +9,15 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include + include include include - include - include + include + include include + include - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection 
@@ -10,13 +10,21 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include + include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - @{exec_path} mr, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index f9c4ffb33..3d4f2cb05 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,12 +9,9 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include - include + include include - include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 51bcf2e10..20151eec0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,15 +9,13 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include - include + include include - include + include include include include 
@@ -33,17 +31,25 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=SetInputSources - peer=(name=:*, label=accounts-daemon), + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member={UserAdded,UserDeleted} + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member=SetInputSources + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, 
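Review bot: `@{sh_path} mr,` added in the second gsd-xsettings hunk grants map/read on the shell binaries but no exec permission, so on its own it does not let gsd-xsettings run a shell; the existing `@{bin}/cat rix` / `@{bin}/sed rix` lines right below suggest a script is executed somewhere. If the shell is exec'd, `@{sh_path} rix,` is the rule that covers it (the `mr` form looks like a copy of the `@{exec_path} mr` idiom); if it is only mapped by a helper, a short comment saying why would avoid the same question next time. The enclosing profile continues outside the hunk.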
@@ -25,20 +25,21 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, - @{open_path} rPx -> child-open-help, + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch new file mode 100644 index 000000000..ea1566757 --- /dev/null +++ b/apparmor.d/groups/gnome/localsearch 
@@ -0,0 +1,80 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3
+profile localsearch @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files
+ #aa:dbus own bus=session name=org.freedesktop.LocalSearch3
+
+ dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=@{busname}, label=nautilus),
+ dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+ interface=org.freedesktop.Tracker3.Endpoint
+ member=Query
+ peer=(name=@{busname}, label=nautilus),
+
+ @{exec_path} mr,
+
+ @{lib}/localsearch-extractor-3 ix, # nnp
+
+ /usr/share/localsearch3/{,**} r,
+ /usr/share/osinfo/{,**} r,
+ /usr/share/poppler/{,**} r,
+
+ /etc/fstab r,
+
+ # Allow to search user files
+ owner @{HOME}/ r,
+ owner @{HOME}/{,**} r,
+ owner @{MOUNTS}/{,**} r,
+ owner @{tmp}/*/{,**} r,
+
+ owner @{user_cache_dirs}/tracker3/ rw,
+ owner @{user_cache_dirs}/tracker3/files/ rw,
+ owner @{user_cache_dirs}/tracker3/files/** rwk,
+
+ owner @{GDM_HOME}/ r,
+ owner @{GDM_HOME}/*/ r,
+ owner @{gdm_cache_dirs}/tracker3/{,**} rwk,
+ owner @{gdm_config_dirs}/user-dirs.dirs r,
+
+ @{run}/mount/utab r,
+
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
+ @{PROC}/sys/fs/fanotify/max_user_marks r,
+ @{PROC}/sys/fs/inotify/max_user_watches r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
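Review bot: `@{lib}/localsearch-extractor-3 ix, # nnp` runs the extractor — the component that parses arbitrary user files — inside the miner's own domain, so a parser bug in the extractor inherits everything this profile grants (`network netlink raw`, ownership of the Tracker3/LocalSearch3 bus names, read access to all of `@{HOME}` and `@{MOUNTS}`). The `# nnp` tag presumably means a domain transition is blocked by no_new_privs; if so, that consequence deserves to be spelled out, e.g. `# nnp: no transition possible, the extractor (which parses untrusted files) shares this profile`. The older tracker-extract still has a dedicated profile (see the tracker-extract hunks later in this diff), so it is worth confirming that a separate localsearch-extractor profile really is unreachable here.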
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control
new file mode 100644
index 000000000..354f85009
--- /dev/null
+++ b/apparmor.d/groups/gnome/localsearch-control
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/localsearch-control-3
+profile localsearch-control @{exec_path} {
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback
new file mode 100644
index 000000000..7d50726c0
--- /dev/null
+++ b/apparmor.d/groups/gnome/localsearch-writeback
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/localsearch-writeback-3
+profile localsearch-writeback @{exec_path} {
+ include
+ include
+
+ #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index fb7bef34a..ea55ee902 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -9,18 +9,31 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include - signal (send) set=(kill) peer=loupe//bwrap, + unix type=stream peer=(label=loupe//bwrap), + + signal send set=kill peer=loupe//bwrap, + + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, @@ -30,7 +43,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, - @{run}/mount/utab r, + owner @{user_cache_dirs}/glycin/{,**} rw, + + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -40,6 +56,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -48,10 +65,14 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=loupe, + unix type=stream peer=(label=loupe), + + signal receive set=kill peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 8a48b97a2..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames 
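Review bot: The hostname1 rule added in the first loupe hunk writes the peer label unquoted, `label=@{p_systemd_hostnamed}`, while the other rules this commit adds for the same kind of variable quote it (`label="@{p_dbus_session}"`, `label="@{p_accounts_daemon}"` in gsd-xsettings and nautilus). Quoting is presumably what lets those label variables expand to values containing special characters; either way the two forms should agree, so suggest `peer=(name=@{busname}, label="@{p_systemd_hostnamed}"),`.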
@@ -9,11 +9,9 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include - include + include include - include - include + include include include include @@ -28,7 +26,8 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}//fontconfig/ rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e4990a3e3..c405a3bf8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,16 +9,14 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include - include - include + include + include include include include 
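Review bot: `owner @{gdm_cache_dirs}//fontconfig/ rw,` in the second mutter-x11-frames hunk has a doubled slash, while the line right after it uses `@{gdm_cache_dirs}/fontconfig/`. Unless `@{gdm_cache_dirs}` expands with a trailing slash (the sibling line suggests it does not), the rule never matches a real path and the directory write is silently missing; this commit fixes the same typo pattern elsewhere (`@{bin}//mktemp` → `@{bin}/mktemp` in grub-check-signatures). Suggest `owner @{gdm_cache_dirs}/fontconfig/ rw,`.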
@@ -28,27 +26,52 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} - #aa:dbus own bus=session name=org.freedesktop.FileManager1 + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} + #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print - peer=(name=:*, label=nautilus), + peer=(name=@{busname}, label=nautilus), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - 
peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), @{exec_path} mr, @@ -57,7 +80,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, @@ -72,6 +97,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -88,7 +114,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, @@ -108,6 +134,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 2d06a9ab3..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -7,17 +7,18 @@ abi , include @{exec_path} = @{lib}/org.gnome.NautilusPreviewer -profile org.gnome.NautilusPreviewer @{exec_path} { +profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, 
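Review bot: The new `dbus send bus=session interface=org.freedesktop.Application member=Open,` in the nautilus D-Bus hunk has no `path` and no `peer`, so nautilus may call `Open` on any session-bus name under any label; together with the `#aa:dbus talk ... name=org.freedesktop.Application path=/ label="*"` line above it, this is one of the broadest D-Bus grants in the diff. That is presumably required because the target of "Open With" is chosen at runtime, but nothing in the profile says so; a one-line comment above the rule, `# Launch files in the application chosen by the user (peer unknown in advance)`, would stop a later reviewer from tightening it by mistake. The `@{bin}/* r` added in the following hunk has the same "any application" rationale and could carry the same comment.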
@@ -39,12 +40,11 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/1/cgroup r, - @{PROC}/devices r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, @@ -53,9 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - /dev/nvidia-uvm rw, - include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..6c4fe6f12 --- /dev/null +++ b/apparmor.d/groups/gnome/papers 
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/papers
+profile papers @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application
+
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
+ dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026
+ interface=org.freedesktop.portal.Session
+ member=Close
+ peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
+ @{exec_path} mr,
+
+ @{open_path} Cx -> open,
+
+ /usr/share/poppler/{,**} r,
+
+ /etc/passwd r,
+
+ owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+ owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw,
+
+ /tmp/ r,
+ /var/tmp/ r,
+ owner @{tmp}/.goutputstream-@{rand6} rw,
+ owner @{tmp}/papers-@{int}/{,**} rw,
+ owner @{tmp}/gtkprint_@{rand6} rw,
+ owner @{tmp}/gtkprint@{rand6} rw,
+
+ @{run}/mount/utab r,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ profile open {
+ include
+ include
+
+ @{browsers_path} Px,
+ @{help_path} Px,
+ @{bin}/papers Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis
new file mode 100644
index 000000000..3195d7f03
--- /dev/null
+++ b/apparmor.d/groups/gnome/ptyxis
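Review bot: The `dbus send` rule at the top of the new papers profile hard-codes `path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026`; both components look like per-connection identifiers (apparently the sender's unique name and a GTK request token) captured from one run, so the rule will not match any other session and the portal `Close` call will be denied in practice. Use the integer placeholder the profiles already provide: `dbus send bus=session path=/org/freedesktop/portal/desktop/session/@{int}_@{int}/gtk@{int}`. Separately, `owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk` lets a document viewer write the browser's NSS key database; if papers only needs it to read certificates for signature checks, `r` would be the safer grant — worth confirming against the logs that prompted it.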
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ptyxis
+profile ptyxis @{exec_path} {
+ include
+ include
+ include
+ include
+
+ unix type=stream peer=(label=ptyxis-agent),
+
+ #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application
+
+ @{exec_path} mr,
+
+ @{lib}/ptyxis-agent Px,
+ @{open_path} Px -> child-open-help,
+
+ /etc/shells r,
+
+ owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw,
+ owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**,
+
+ owner @{user_config_dirs}/org.gnome.Ptyxis/ rw,
+ owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**,
+ owner @{user_config_dirs}/ubuntu-xdg-terminals.list r,
+
+ owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
+ owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,
+
+ owner /tmp/#@{int} rw,
+
+ /dev/ptmx rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent
new file mode 100644
index 000000000..6418193a6
--- /dev/null
+++ b/apparmor.d/groups/gnome/ptyxis-agent
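Review bot: `owner /tmp/#@{int} rw,` in the new ptyxis profile uses a literal `/tmp` where the rest of this commit uses the `@{tmp}` variable for the same anonymous-file pattern (`owner @{tmp}/#@{int} rw,` in the kgx hunk). The variable presumably exists to cover per-user tmp layouts, and using it keeps the profiles consistent; suggest `owner @{tmp}/#@{int} rw,`.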
@@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + include + include + include + + signal send set=hup peer=@{p_systemd}, + + ptrace read, + + unix type=stream peer=(label=ptyxis), + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, + + @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + # The shell is not confined on purpose. + @{bin}/@{shells} Ux, + + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 921f6aa30..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,19 +9,18 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include - include - include include - include include include include + include + include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application + #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, @@ -33,7 +32,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, 
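Review bot: In the new ptyxis-agent profile the `shell` child grants `signal send,` with neither a signal set nor a peer, and the parent grants `ptrace read,` with no peer, while the neighbouring rules in the same file are scoped (`signal send set=hup peer=@{p_systemd}`, `unix type=stream peer=(label=ptyxis)`). Since the shell itself is deliberately `Ux`, the child only needs to signal what it launches; if the logs show the target is the unconfined shell, `signal send peer=unconfined,` and `ptrace read peer=unconfined,` would say so explicitly. The comment `# Some CLI program can be launched directly from Gnome Shell` is carried over from kgx and reads oddly inside an agent spawned by ptyxis; `# CLI programs ptyxis can launch directly` fits better.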
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index d519dca6e..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,15 +9,22 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include + include + include + include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/*.sh rix, + @{sh_path} rix, + @{python_path} rix, + @{bin}/dconf rPx, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/* rix, /usr/share/session-migration/{,**} r, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/groups/gnome/tecla similarity index 52% rename from apparmor.d/profiles-s-z/snap-bootstrap rename to apparmor.d/groups/gnome/tecla index 95cc306fc..082c6c925 100644 --- a/apparmor.d/profiles-s-z/snap-bootstrap +++ b/apparmor.d/groups/gnome/tecla @@ -1,18 +1,19 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{lib}/snapd/snap-bootstrap -profile snap-bootstrap @{exec_path} { +@{exec_path} = @{bin}/tecla +profile tecla @{exec_path} { include + include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 02237d932..e200ecb42 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include 
@@ -20,6 +20,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -28,12 +29,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={GetTreeFromDevice,Remove} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer @{exec_path} mr, @@ -75,11 +71,9 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,16 +11,18 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include + include + include + include include include include include include + include include + include + include network netlink raw, @@ -63,11 +65,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, 
@@ -90,8 +87,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index f0dd3b46c..1f2fc39d3 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,14 +7,16 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include include + include include network netlink raw, - #aa:dbus own bus=session name=org.gnome.Yelp + #aa:dbus own bus=accessibility name=org.gnome.Yelp + #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -28,7 +30,9 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 167e8757c..2fbdfb086 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
@@ -29,15 +29,17 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, @@ -69,6 +71,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf53..2ef1a9d4a 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index a6eadd904..51ec8b134 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnupg/keyboxd profile keyboxd @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index e88f34d4b..729455f7f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -16,6 +16,7 @@ profile scdaemon @{exec_path} { network netlink raw, signal (send) peer=gpg-agent, + signal send set=usr2 peer=unconfined, @{exec_path} mr, 
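Review bot: `/usr/share/keyrings/** rw, #aa:only apt` in the first gpg hunk grants write access to the distribution's trust-anchor keyrings, which gpg normally only needs to read; the existing apt rules next to it (`owner /etc/apt/keyrings/ rw`, `owner /etc/apt/keyrings/** rwkl`) at least limit writes to owner-owned files. If the write is only for the lock or temporary files gpg creates beside a keyring it opens, keep `/usr/share/keyrings/** r,` and add a write rule for those specific names as they appear in `aa-log`; otherwise a comment explaining why apt's gpg must modify `/usr/share/keyrings` is needed. The same question applies to the widened `/etc/pacman.d/gnupg/** rwkl` rule, although pacman-key does maintain that directory.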
@@ -24,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 1a1110091..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,20 +9,17 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, - /usr/share/debconf/frontend rPx, + owner @{tmp}/tmp.@{rand10}/ rw, - /usr/share/debconf/confmodule r, - - owner @{tmp}/tmp.*/ rw, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a..29f9bf8f7 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 83e30cbf6..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include 
@@ -19,26 +19,34 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, + /usr/share/locale-langpack/{,**} r, /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/EFI/ubuntu/* w, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/EFI/*/grubx*.efi rw, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, + @{sys}/devices/**/hid r, + @{sys}/devices/**/path r, + @{sys}/devices/**/uid r, + @{sys}/firmware/efi/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, + @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index c2571ea73..17e71a25c 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-macbless +@{exec_path} = @{sbin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 2a60d69c5..5b62fa30c 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include 
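Review bot: The grub-install hunk adds `@{sys}/firmware/efi/fw_platform_size r,` directly above the existing `@{sys}/firmware/efi/w_platform_size r,`; the older line appears to be a typo for the same sysfs attribute, so it should be dropped rather than kept alongside the corrected one. Leaving it in is harmless but hides that the old rule never matched. The enclosing profile continues outside the hunk.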
@@ -21,25 +21,25 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
 @{bin}/{e,f,}grep rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/basename rix,
- @{bin}/btrfs rPx,
+ @{sbin}/btrfs rPx,
 @{bin}/cat rix,
 @{bin}/chmod rix,
 @{bin}/cut rix,
 @{bin}/date rix,
 @{bin}/dirname rix,
- @{bin}/dmsetup rPUx,
+ @{sbin}/dmsetup rPx,
 @{bin}/dpkg rPx,
 @{bin}/find rix,
 @{bin}/findmnt rPx,
 @{bin}/gettext rix,
 @{bin}/grub-editenv rPx,
 @{bin}/grub-mkrelpath rPx,
- @{bin}/grub-probe rPx,
+ @{sbin}/grub-probe rPx,
 @{bin}/grub-script-check rPx,
 @{bin}/head rix,
 @{bin}/id rPx,
 @{bin}/ls rix,
- @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/lsb_release rPx,
 @{bin}/mktemp rix,
 @{bin}/mount rPx,
 @{bin}/mountpoint rix,
@@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
 @{bin}/tr rix,
 @{bin}/umount rPx,
 @{bin}/uname rix,
- @{bin}/which{.debianutils,} rix,
+ @{bin}/which{,.debianutils} rix,
 @{bin}/zfs rPx,
 @{bin}/zpool rPx,
 /etc/grub.d/{,**} rix,
@@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
 @{lib}/grub/grub-sort-version rPx,
 @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
+ /usr/share/desktop-base/*/grub/* r,
 /usr/share/grub/{,**} r,
 /usr/share/terminfo/** r,
@@ -80,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
 /.zfs/snapshot/*/etc/fstab r,
 /.zfs/snapshot/*/etc/machine-id r,
- /boot/{,**} r,
- /boot/grub/{,**} rw,
+ @{efi}/{,**} r,
+ @{efi}/grub/{,**} rw,
 /tmp/grub-*.@{rand10}/{,**} rw,
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap
index 533f9780b..ca9f3ad3c 100644
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@@ -6,13 +6,20 @@ abi ,
 include
-@{exec_path} = @{bin}/grub-mkdevicemap
+@{exec_path} = @{sbin}/grub-mkdevicemap
 profile grub-mkdevicemap @{exec_path} {
 include
 include
+ include
+
+ capability sys_admin,
 @{exec_path} mr,
+ @{PROC}/devices r,
+
+ /dev/mapper/control rw,
+
 include if exists
 }
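Review bot: `capability sys_admin,` is added to grub-mkdevicemap in the last hunk on this line without saying which operation requires it; together with the accompanying `/dev/mapper/control rw,` and `@{PROC}/devices r,` it is presumably the device-mapper control ioctls, and that belongs in a trailing comment, e.g. `capability sys_admin,  # device-mapper ioctls via /dev/mapper/control`. sys_admin is far broader than anything else in that profile, so its justification is the one comment a future reviewer will look for. In the grub-mkconfig hunks, `@{bin}/dmsetup rPUx` becoming `@{sbin}/dmsetup rPx` drops the unconfined fallback, which is a tightening worth keeping. The grub-mkconfig profile body continues outside these hunks.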
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath
index a60a6aaba..d4508b4c5 100644
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@@ -21,12 +21,12 @@ profile grub-mkrelpath @{exec_path} {
 / r,
 /usr/share/grub/* r,
- /boot/ r,
- /boot/grub/themes/{,**} r,
+ @{efi}/ r,
+ @{efi}/grub/themes/{,**} r,
 /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r,
 /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r,
- /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r,
+ /tmp/grub-btrfs.*/@_backup_*/boot/ r,
 /tmp/grub-btrfs.*/ r,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 94c4c7e2b..d900ec2f6 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} {
 @{exec_path} mr,
- @{bin}/grub-install rPx,
+ @{sbin}/grub-install rPx,
 @{sh_path} rix,
 @{bin}/{,e}grep rix,
 @{bin}/cat rix,
@@ -24,12 +24,12 @@ profile grub-multi-install @{exec_path} {
 @{bin}/sort rix,
 @{bin}/touch rix,
 @{bin}/udevadm rPx,
- /usr/share/debconf/frontend rPx,
+ /usr/share/debconf/frontend rix,
- /usr/lib/terminfo/x/xterm-256color r,
+ @{lib}/terminfo/x/xterm-256color r,
 /usr/share/debconf/confmodule r,
- /boot/grub/grub.cfg rw,
+ @{efi}/grub/grub.cfg rw,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 80d517deb..c767d2f02 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/grub-probe
+@{exec_path} = @{sbin}/grub-probe
 profile grub-probe @{exec_path} {
 include
 include
@@ -19,39 +19,24 @@ profile grub-probe @{exec_path} {
 @{exec_path} mr,
 /{usr/,}{local/,}{s,}bin/zpool rPx,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/lvm rPx,
+ @{bin}/lsb_release rPx,
+ @{sbin}/lvm rPx,
 @{bin}/udevadm rPx,
 /usr/share/grub/* r,
 / r,
- /boot/ r,
- /boot/grub/themes/{,**} r,
+ @{efi}/ r,
+ @{efi}/grub/ r,
+ @{efi}/grub/themes/{,**} r,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/devices r,
- /dev/*vg*/ r,
- /dev/bsg/ r,
- /dev/bus/ r,
- /dev/bus/usb/ r,
- /dev/bus/usb/@{int}/ r,
- /dev/char/ r,
- /dev/cpu/ r,
- /dev/cpu/@{int}/ r,
- /dev/dma_heap/ r,
- /dev/dri/ r,
- /dev/dri/by-path/ r,
- /dev/hugepages/ r,
- /dev/input/ r,
- /dev/input/by-id/ r,
- /dev/input/by-path/ r,
- /dev/mapper/control rw,
- /dev/mqueue/ r,
- /dev/shm/ r,
- /dev/snd/ r,
- /dev/snd/by-path/ r,
+ /dev/**/ r,
+ /dev/mapper/control w,
+
+ deny mqueue (read, getattr) type=posix /,
 include if exists
 }
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
index 7d94a22af..310b416bf 100644
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/grub-reboot
+@{exec_path} = @{sbin}/grub-reboot
 profile grub-reboot @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check
index 93b344cf8..9961a778e 100644
--- a/apparmor.d/groups/grub/grub-script-check
+++ b/apparmor.d/groups/grub/grub-script-check
@@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} {
 @{exec_path} mr,
- /boot/grub/grub* rw,
+ @{efi}/grub/grub* rw,
 include if exists
 }
diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default
index 11c78024b..9e3c96464 100644
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
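Review bot: `/dev/mapper/control w,` replaces the earlier `rw` in grub-probe, while the grub-mkdevicemap hunk earlier in this diff adds the same node as `/dev/mapper/control rw,`; libdevmapper opens the control node read-write as far as I recall, and AppArmor requires both `r` and `w` for an O_RDWR open, so the `w`-only rule is likely to show up as a denial on LVM/device-mapper systems. Unless the narrowing was driven by an observed log entry, align it with grub-mkdevicemap: `/dev/mapper/control rw,`. `/dev/**/ r,` grants directory listings only (trailing slash) and is a sensible replacement for the enumerated list, and `deny mqueue (read, getattr) type=posix /,` just silences audit noise.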
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/grub-set-default
+@{exec_path} = @{sbin}/grub-set-default
 profile grub-set-default @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version
index 5e65fe835..6ece8a60b 100644
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@@ -9,7 +9,7 @@ include
 @{exec_path} = @{lib}/grub/grub-sort-version
 profile grub-sort-version @{exec_path} {
 include
- include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index 03df05295..d4460a3cf 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/update-grub{2,}
+@{exec_path} = @{sbin}/update-grub
 profile update-grub @{exec_path} {
 include
 include
@@ -14,8 +14,9 @@ profile update-grub @{exec_path} {
 capability dac_read_search,
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/grub-mkconfig rPx,
+
+ @{sh_path} rix,
+ @{sbin}/grub-mkconfig rPx,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index c1058c158..32136d710 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -12,12 +12,12 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 include
 include
- #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
+ #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
- peer=(name=:*, label=gnome-shell),
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
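Review bot: `@{exec_path} = @{sbin}/update-grub` drops the `{2,}` alternation of the old `@{bin}/update-grub{2,}`, so an `update-grub2` executable is no longer attached to this profile; Debian-family systems ship `update-grub2` as a small wrapper (not verifiable from the page), and if it is a separate script rather than a symlink it will now run unconfined. If the drop is deliberate because the wrapper execs `update-grub` and picks up the profile via the `rPx` transition, record that in the commit; otherwise keep `@{exec_path} = @{sbin}/update-grub{2,}`. The gvfs-afc-volume-monitor hunk on this line only switches `peer=(name=:*` to `peer=(name=@{busname}`, consistent with the rest of the series.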
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 1b5f74ae3..017a66e84 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,17 +12,17 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index f2b534635..ece97e688 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,12 +16,12 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index d71b71523..fd3b38012 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -15,12 +15,12 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index ccbe15fd1..80f7f86a9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -29,13 +29,13 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1..e3e3edfae 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,25 +18,28 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +48,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d48..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin 
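Review bot: the new child profile introduced by `@{bin}/pkexec rCx -> pkexec,` carries no comment saying why gvfsd needs pkexec; from its rules it is the polkit-mediated path that starts `gvfsd-admin` as root, and `ptrace read peer=gvfsd` is what pkexec needs to look up its parent when building the polkit subject. Propose a comment above `profile pkexec {`: `# Confined pkexec used only to launch gvfsd-admin (admin:// backend) via polkit; keep the exec target list to that one entry.` That single `@{lib}/{,gvfs/}gvfsd-admin rPx,` target is the property worth protecting, since any further exec target in this child would be another root-execution path. The two includes in the child are not legible on this page, so I cannot judge what else they grant.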
@@ -10,9 +10,38 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin
 profile gvfsd-admin @{exec_path} {
 include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability setuid,
+
+ #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
+ #aa:lint ignore=too-wide
+ # Full access to system's data, but no write access to sensitive system directories
+ / r,
+ /*/ r,
+ /*/** rw,
+ deny @{sys}/** w,
+ deny @{PROC}/** w,
+ deny @{efi}/** w,
+ deny /dev/** w,
+
 include if exists
 }
diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc
index 68d4b689e..da231f469 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afc
+++ b/apparmor.d/groups/gvfs/gvfsd-afc
@@ -10,6 +10,17 @@ include
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc
 profile gvfsd-afc @{exec_path} {
 include
+ include
+ include
+ include
+ include
+
+ #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd
+
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp
index eeaaec059..db6fe5a48 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp
+++ b/apparmor.d/groups/gvfs/gvfsd-afp
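Review bot: the comment `# Full access to system's data, but no write access to sensitive system directories` overstates the deny block beneath it: `/*/** rw,` is carved back only for `@{sys}`, `@{PROC}`, `@{efi}` and `/dev`, so `/etc`, `/usr`, `/var` and `@{run}` stay writable for a process that also gains `capability dac_override`, `fowner`, `chown` and `setuid`. That breadth may be exactly what the admin:// backend needs, but the comment should describe what is actually excluded, e.g. `# Full access to system data; writes are denied only under the kernel (sys, proc), firmware/boot (efi) and device trees`. If any other tree is meant to stay untouchable even for an authenticated admin (the AppArmor policy directory is the obvious candidate), it needs its own `deny … w,` line; `#aa:lint ignore=too-wide` records that the width was accepted, not which directories were considered. The `#aa:dbus talk` and Introspect rules are consistent with the other backends in this series.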
@@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa7110..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn 
@@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc0..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index e756c8440..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -10,6 +10,19 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include + include + include + include + include + + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav 
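Review bot: `#aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor` in the gvfsd-computer hunk names only the AFC monitor, yet the gvfs-goa-, gvfs-gphoto2-, gvfs-mtp- and gvfs-udisks2-volume-monitor hunks in this same series all export the same `org.gtk.Private.RemoteVolumeMonitor` interface; if gvfsd-computer enumerates volumes through every monitor, the other four peers will be denied unless an include covers them. Either widen the directive to the other monitor labels or add a comment explaining why only AFC is listed, e.g. `# only the afc monitor was observed; extend if other monitors show up in the logs`. The gvfsd-burn and gvfsd-cdda hunks on this line are the same boilerplate as the rest of the series.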
+++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 2f3b8d8f2..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,26 +12,19 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp 
@@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 375040ec3..f67068f49 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, 
@@ -20,45 +22,35 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=:*, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, profile fusermount { include - include + include - capability dac_read_search, - capability sys_admin, # To mount anything + capability setuid, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - @{bin}/fusermount{,3} mr, - - /etc/fuse{,3}.conf r, - /etc/machine-id r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27..0544000c0 100644 
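Review bot: the `fusermount` child keeps `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/` and `umount @{run}/user/@{uid}/**/`, but the hunk removes `capability sys_admin, # To mount anything` (and `dac_read_search`) and adds only `capability setuid,`; mount(2)/umount(2) need CAP_SYS_ADMIN, so unless the include that replaced the old one in the child (not legible on this page) grants it, those mount rules become dead and the FUSE mount fails with a capability denial. Either restore `capability sys_admin,  # mount/umount of the gvfs FUSE filesystem` next to `capability setuid,` or name the abstraction that now supplies it in a comment. The same dependency applies to the dropped `@{bin}/fusermount{,3} mr,`, `/etc/fuse{,3}.conf r,`, `@{PROC}/@{pid}/mounts r,` and `/dev/fuse rw,` lines.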
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2b..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,8 +11,11 @@ include profile gvfsd-http @{exec_path} { include include + include + include + include include - include + # include include include include @@ -23,20 +26,16 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40..d1af3c60c 100644 
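Review bot: `+ # include` in the first gvfsd-http hunk leaves a commented-out include with no explanation; commented-out policy reads as either a leftover or a deliberate exclusion, and the profile should say which. Either delete the line or turn it into a reason, e.g. `# <abstraction name> intentionally not included: <reason>` (the abstraction name is not legible on this page). The enclosing profile continues outside the hunk.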
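Review bot: `unix type=stream peer=(label=gnome-shell),` and `unix type=stream peer=(label=gnome-extension-gsconnect),` are added to gvfsd-http without a comment or a restricting `addr=`; unscoped unix stream rules between an HTTP backend and the shell/gsconnect are plausible (fd passing for the mount, presumably) but nothing on the page says what traffic they carry. Add a why-comment above the pair, e.g. `# stream socket handed over by the client side of the http mount`, and narrow with `addr=` if the socket path is known. The dbus part of the hunk mirrors the other backends (MountTracker via `#aa:dbus talk`, Introspect from gnome-shell only) and is consistent.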
--- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, 
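Review bot: `owner @{HOME}/** rw,` keeps full write access to the user's home for gvfsd-mtp while the `# FIXME: ?` that questioned it is deleted, so the open question is dropped rather than answered; the gvfsd-recent hunk later in this diff narrows the same pair to `r`. gvfsd-mtp's pull operation does, as far as I recall, write the destination file itself, which would justify `rw`; if that is the reason, put it in a comment in place of the FIXME, e.g. `# pull writes the transferred file directly to the destination path`, and otherwise narrow to `r` as gvfsd-recent does. The hunk's enclosing profile continues beyond the last line shown here.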
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 87851fc16..7874686bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,39 +11,22 @@ include profile gvfsd-network @{exec_path} { include include + include + include + include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gnome-control-center), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs 
@@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 03586b291..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,33 +11,27 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, owner @{HOME}/.zshenv r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index cabee57c2..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp 
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,15 +10,29 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include + include + include include include include + include + + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c3..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index f285a3c15..66099563e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,8 +11,11 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include + include include network netlink raw, 
@@ -22,21 +25,15 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 683d271a8..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include + include + include + include include include include 
@@ -20,31 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label="{gnome-shell,nautilus}"), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index f971b5f6a..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
@@ -9,16 +9,33 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include + include + include + include + include + include + include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 3a25c0a5a..cd3270e49 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, 
@@ -25,30 +26,31 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/hyprland/{,*} r, + /usr/share/hypr{,land}/{,*} r, /usr/share/libinput/{,*} r, owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @@ -60,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, 
diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index b17c0c66a..fab1c2a2e 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/hyprlock -profile hyprlock @{exec_path} { +profile hyprlock @{exec_path} flags=(attach_disconnected) { include include include @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} { @{exec_path} mr, - /etc/security/faillock.conf r, + @{etc_ro}/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,14 +9,14 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a5878808..149128b1e 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, 
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 197f90f88..b5e1b4ae8 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include include include include @@ -23,14 +25,20 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, @@ -41,7 +49,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 9a2f4c961..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,29 +42,10 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # For motherboard info - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/mount/utab r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index e3fca1f8f..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include include include include 
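Review bot: `@{run}/udev/data/+*:* r,` and `@{run}/udev/data/c@{int}:@{int} r,` replace the enumerated subsystem list with a read of every udev device record, and the per-line notes that said which subsystem each entry served go with it; the same swap appears in baloorunner (L407) and the pair is newly added to dolphin (L410). Reading udev data is low risk, but a one-line reason above the wildcard keeps it reviewable and stops the next maintainer from re-narrowing it by accident, e.g. `# Device enumeration touches every subsystem, wildcard on purpose (presumably the Solid backend; confirm)`. The enclosing baloo profile starts and ends outside this hunk.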
@@ -28,33 +29,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 8465da560..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin 
@@ -21,15 +21,23 @@ profile dolphin @{exec_path} { include include include + include network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, @@ -40,13 +48,13 @@ profile dolphin @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, + /etc/exports r, /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -62,7 +70,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
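Review bot: `signal send set=hup peer=@{p_systemd},` and the two `ptrace read` rules (`peer=@{p_systemd}`, `peer=okular`) are added without a comment, and neither is an obvious need for a file manager: SIGHUP is how the systemd manager is told to reload, and `ptrace read` exposes the peer's /proc entries. A why-comment above each would keep the grant reviewable, e.g. `# Needed for <feature>; confirm which dolphin action triggers this` with the feature filled in from the denial that motivated it. The dolphin profile continues outside this hunk.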
@@ -70,39 +78,46 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, - - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, + @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
+ owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 961c18cfe..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -23,18 +23,36 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/plasmashell r, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, + /etc/machine-id r, + + / r, + owner @{user_cache_dirs}/drkonqi/ rw, owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/drkonqirc r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/remote/ r, + /dev/tty r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index c74276b95..199dd9c8f 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } 
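Review bot: `owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk,` expands to `knfsshare.` and `knfsshare..<rand6>`, neither of which is the config file `knfsshare` or its temp copy `knfsshare.<rand6>`; the `knfsshare.lock` rule on the next line suggests the intended form is `owner @{user_config_dirs}/knfsshare{,.@{rand6}} rwk,`. Separately, the new `owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk,` carries `l` with no `->` target, which leaves the link target unconstrained beyond the profile's other rules, while the kded hunk at L420 pins its target with `-> @{user_state_dirs}/#@{int}`; the same untargeted `rwl` is added for kalendarac (L413) and kcminit (L415) and could be pinned the same way. The enclosing dolphin profile starts before this hunk.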
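Review bot: The rotated-journal rules added here spell the archived files as `system@@{hex32}-@{hex16}-@{hex16}.journal*` and `user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal*`, while the drkonqi-coredump-processor hunk (L411) in the same commit replaces exactly that form with `system@*.journal*` / `user-@{uid}@*.journal*`. Pick one spelling for both profiles; the `@{hex32}-@{hex16}-@{hex16}` form is the narrower of the two and is the one I would keep. `/ r,` and `@{bin}/plasmashell r,` are also added without a comment saying which drkonqi step needs them. The drkonqi profile starts before this hunk.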
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index e07a6c1d4..359352383 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include + include include capability dac_override, @@ -24,9 +25,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/system@*.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,8 +9,8 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include include - include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400ef..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess 
@@ -10,23 +10,23 @@ include profile kaccess @{exec_path} { include include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mr, @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index fdc0730c4..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, @@ -38,7 +42,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 661090bc1..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,6 +25,7 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, 
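Review bot: `#aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld` names the service in lower case, while the kded hunk (L418) talks to `org.kde.KGlobalAccel` and the kglobalacceld hunk (L420) owns `org.kde.KGlobalAccel`; D-Bus well-known names are case-sensitive, so one of the two spellings will not match the name the daemon actually binds and the generated rules will silently miss. Check the installed D-Bus service file for kglobalacceld and use that spelling in all three profiles. The kaccess profile continues outside this hunk.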
@@ -33,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 44a6d0239..119b5508d 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,14 +9,18 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/power_supply/** r, @{sys}/devices/**/power_supply/** r, include if exists diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper 
@@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 6483fe39f..2e60e6a0a 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,14 +15,18 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 5ae1f5f12..afecd8d53 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 93378bf76..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,11 @@ include profile kcminit @{exec_path} { include include - include + include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, 
@@ -26,6 +28,8 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index e152325ed..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include @@ -25,21 +24,22 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/qtpaths rix, @{bin}/sed rix, @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index d37b53ddd..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
@@ -11,22 +11,37 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include include + include capability wake_alarm, network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, + @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, @@ -45,10 +60,13 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{run}/mount/utab r, owner @{run}/user/@{uid}kcrash_@{int} rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, 
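Review bot: `owner @{run}/user/@{uid}kcrash_@{int} rw,` (the context line the second hunk reorders around) is missing the `/` between `@{uid}` and `kcrash_`, so it matches `/run/user/<uid>kcrash_<pid>` rather than the runtime-dir entry it is presumably meant for; since the commit already touches the adjacent lines, fix it here as `owner @{run}/user/@{uid}/kcrash_@{int} rw,`. The kde-powerdevil profile starts and ends outside this hunk.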
@@ -59,19 +77,22 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/drm/card@{int}/**/*_id r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, + @{sys}/devices/@{pci}/drm/card@{int}/**/name r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 0ff08d02f..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -9,52 +9,84 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include + include include - include + include include + include + include include include include include - include include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send 
bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -66,30 +98,44 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, / r, + @{efi}/ r, + + owner /var/lib/update-manager/meta-release-lts rw, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, 
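Review bot: The new `network inet stream,` and `network inet6 stream,` rules give kded outbound TCP without saying which module needs it; the other additions in this hunk (`org.kde.DistroReleaseNotifier`, `/etc/update-manager/`, `/usr/share/ubuntu-release-upgrader/`) suggest the release notifier, but that is a guess. A comment on those lines such as `# TCP for the distro release notifier (meta-release fetch), confirm` keeps the wider network grant reviewable. The `@{bin}/dpkg rPx -> child-dpkg,` transition likewise deserves a note on which module invokes dpkg. This hunk starts at L418 and the kded profile continues past it.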
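Review bot: `owner @{HOME}/.var/app/org.mozilla.firefox/**/ w,` lets kded create directories anywhere under the Firefox flatpak data tree, while the two file rules around it only need the `.mozilla/native-messaging-hosts/` path; a native-messaging-host manifest is a trust file that decides which native binaries the browser may spawn, so the surrounding grant should be as narrow as the write itself. Replace the recursive rule with `owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/ w,` and `owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/ w,`. The kded profile continues outside this hunk.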
@@ -120,7 +166,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @@ -134,6 +180,9 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @@ -152,8 +201,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, @@ -18,15 +21,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index f6a7ba95a..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include 
@@ -19,9 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 37dd3eeae..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -26,10 +27,13 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal (receive) set=term peer=dolphin, - signal (receive) set=term peer=firefox-kmozillahelper, - signal (receive) set=term peer=plasma-discover, - signal (receive) set=term peer=plasmashell, + signal receive set=term peer=dolphin, + signal receive set=term peer=firefox-kmozillahelper, + signal receive set=term peer=plasma-discover, + signal receive set=term peer=plasmashell, + signal receive set=term peer=xdg-desktop-portal-kde, + + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded @{exec_path} mr, @@ -37,13 +41,15 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, @@ -54,6 +60,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, 
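Review bot: `@{bin}/gs{,.bin} rix` runs Ghostscript inside the kioworker profile, so a large PostScript/PDF parser inherits every permission kioworker needs for browsing, including the `/*/`, `@{bin}/*` and `@{sbin}/*` listings added in this commit and the user's home. The added `/usr/share/thumbnailers/{,**} r` suggests this is the thumbnailer path, which only needs the input document, fonts and its output; a transition keeps that surface separate: `@{bin}/gs{,.bin} rPx,` if the project ships a gs profile, otherwise `rCx -> gs` with a child profile limited to those paths. The enclosing profile continues outside the hunk.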
@@ -63,7 +71,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, @@ -91,6 +99,7 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 17ed13f27..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,7 +11,6 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include @@ -22,6 +21,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, @@ -53,7 +54,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, 
@@ -74,8 +77,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cgroup r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 5e09b0cbe..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,13 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include + include + include include + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil + @{exec_path} mr, /dev/tty r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 79e2b4c59..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,24 +13,24 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, - unix (send,receive) type=stream peer=(label="ksmserver",addr=none), - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect 
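Review bot: `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw` grants write access to every control file under the scope (cgroup.procs, cgroup.subtree_control, the resource controllers), not only what is needed to place child processes. If the denials that motivated it were limited to creating sub-cgroups and writing `cgroup.procs`, `…scope/ rw,` plus `…scope/**/cgroup.procs rw,` would say so; I cannot tell from the hunk which files konsole writes, so please confirm against the log. A comment naming the trigger (`# konsole moves each tab's shell into its own sub-cgroup`, if that is the case) would document the choice.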
@@ -41,7 +41,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, @@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, @@ -100,9 +101,11 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 61cd67246..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include include include include 
@@ -20,7 +22,13 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, - unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none), + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland @{exec_path} mr, @@ -51,9 +59,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include 
@@ -18,6 +20,11 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, @@ -53,7 +60,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index be59fe842..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,16 +9,22 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include include include include include + ptrace read peer=startplasma, + + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f75..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ff..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,14 +11,17 @@ include profile kwalletd @{exec_path} { include include + include include include include - include include include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, 
@@ -39,6 +42,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 24d86bec6..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,9 +7,11 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include + include include include include 
@@ -19,17 +21,30 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), - - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, - network netlink raw, + ptrace read, + + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), + + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -37,6 +52,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -44,11 +60,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/plasma/desktoptheme/** r, /etc/pipewire/client.conf.d/ r, - /etc/xdg/kscreenlockerrc r, - /etc/xdg/menus/{,applications.menu} r, - /etc/xdg/menus/applications-merged/ r, - /etc/xdg/plasmarc r, - /etc/xdg/Xwayland-session.d/{,*} r, + /etc/xdg/** r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
@@ -92,7 +104,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/menus/{,applications-merged/} r, + owner @{user_config_dirs}/menus/** r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, @@ -113,14 +125,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -137,6 +150,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { profile at-spi { include + include @{sh_path} r, @{bin}/busctl rix, 
@@ -151,6 +165,35 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile pulseaudio { + include + include + + @{sh_path} rix, + @{bin}/pactl Px, + + /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, + + owner @{HOME}/ r, + + include if exists + } + + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d77..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include include include include 
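Review bot: In the new `pulseaudio` child profile, `@{bin}/pactl Px,` drops the `r` that every other exec rule in this file and in the sibling `ibus` child (`@{lib}/{,ibus/}ibus-x11 rPx,`) carries; unless the omission is deliberate, `@{bin}/pactl rPx,` keeps the convention. The two children also differ in how they treat the shell (`@{sh_path} rix` versus `@{sh_path} r`), and nothing in the hunk says whether `00-pulseaudio-x11` actually spawns subshells; a one-line comment above the `rix` line stating why it needs to inherit would settle that for the next reader.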
@@ -22,15 +23,24 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, @@ -47,6 +57,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +65,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index fe1c5d8da..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -42,8 +44,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, 
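Review bot: In the okular hunk, `ptrace read peer=@{p_systemd}` lets a document viewer read the ptrace-gated process state (the `/proc/<pid>/` entries checked with PTRACE_MODE_READ) of the systemd instance, and nothing in the hunk says which access produced the denial; presumably a `readlink` on `/proc/1/exe` or similar, but that is inference. A comment naming the trigger, e.g. `# ptrace read: <the access seen in the log — TODO fill in>`, would let a later reviewer judge whether the rule can be dropped again. The enclosing profile starts outside the hunk.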
@@ -51,31 +51,27 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, - owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, 
@@ -88,13 +84,14 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include include @{bin}/gpg{,2} mr, - @{bin}/gpgcon mr, + @{bin}/gpgconf mr, @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 0d8a5d8cb..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -13,8 +13,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include - include + include include include include @@ -27,6 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, @@ -39,9 +41,26 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { network netlink dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send), + signal send, + + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded @{exec_path} mr, 
@@ -49,16 +68,14 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, + /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, @@ -72,6 +89,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/metainfo/{,**} r, /usr/share/plasma/{,**} r, /usr/share/plasma5support/** r, + /usr/share/qalculate/{,**} r, /usr/share/rider/{,**} r, /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, @@ -81,7 +99,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, - /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -93,6 +110,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, + owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -137,10 +155,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, + owner @{user_config_dirs}/kiorc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, 
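Review bot: `/snap/*/@{uid}/**.@{image_ext} r` matches the snap revision directory with a variable whose name denotes a user id; if the intent is "any revision number", `/snap/*/@{int}/**.@{image_ext} r,` states it, and if `@{uid}` expands to a narrower range than `@{int}` the rule will also miss revisions outside that range. In the same hunk `@{bin}/ksysguardd rix` becomes `rPUx`: the `U` fallback runs ksysguardd unconfined on a host where no ksysguardd profile is loaded, whereas the old `ix` kept it inside plasmashell; `rPx` fails closed if the project ships that profile, so please confirm the fallback is wanted.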
@@ -156,7 +176,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,*} rwl, + owner @{user_share_dirs}/klipper/{,**} rwlk, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, @@ -170,13 +190,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, + owner @{user_share_dirs}/qalculate/{,**} r, owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.lock rwk, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 5e024adfd..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, 
@@ -40,66 +40,73 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=labwc, + signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, signal (send) set=(kill, term) peer=xsetroot, signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, + signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + #aa:dbus own bus=system name=org.freedesktop.DisplayManager - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, @{lib}/@{multiarch}/sddm/sddm-helper rix, @{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{lib}/sddm/sddm-helper rix, - @{lib}/sddm/sddm-helper-start-wayland rix, - @{lib}/sddm/sddm-helper-start-x11user rix, + @{lib}/{,sddm/}sddm-helper rix, + @{lib}/{,sddm/}sddm-helper-start-wayland rix, + @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep 
rix, + @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, + @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, + @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/startlxqt rPx, + @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, @@ -107,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, @@ -122,9 +129,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cec..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter 
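Review bot: Replacing the three explicit `dbus receive/send … peer=(name=:*, label=kscreenlocker-greet)` and `label=systemd-logind` rules with `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` drops the peer-label pinning: depending on what the `own` directive expands to, any peer on the system bus may now introspect and message the DisplayManager objects of the display manager, where before only the lock-screen greeter and logind could. If that is the intended trade-off, a comment above the directive (`# own expands to unpinned peers; the former rules limited Introspect/PropertiesChanged to kscreenlocker-greet and systemd-logind`) keeps the history readable. `@{bin}/ksecretd rPUx` also deserves a second look: `U` runs the secret-service daemon unconfined when no ksecretd profile is present, while its sibling `@{bin}/kwalletd{5,6} rPx` fails closed. The enclosing profile starts and ends outside the hunk.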
@@ -13,16 +13,21 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..0e9290d53 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, - @{bin}/zsh rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, 
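Review bot: `@{bin}/dpkg-query rpx` in the sddm-xsession hunk uses lowercase `p`, which skips AppArmor's environment scrubbing on the transition, while every other transition in this profile (`flatpak rPx`, `numlockx rPx`, `xbrlapi rPx`, `xhost rPx`, `xrdb rPx`) uses `P`. Unless dpkg-query genuinely needs the session's `LD_*`/`PATH` style variables passed through, which seems unlikely for a package query, `@{bin}/dpkg-query rPx,` is the safer default. If the lowercase form is deliberate, a trailing comment explaining which variable it needs would stop the next reviewer from flipping it back.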
@@ -90,6 +95,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, @@ -123,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index f10e80d7f..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,17 +11,22 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, 
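Review bot: The new `#aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml` directive only matches when ksplashqml is actually confined under that label, but the context line `@{bin}/ksplashqml rPUx` lets it fall back to unconfined, in which case the peer label is `unconfined` and the generated talk rules silently never apply. Either pin the transition with `@{bin}/ksplashqml rPx,` (if the ksplashqml profile is part of the shipped set) or add a comment noting that the KSplash D-Bus rules are best-effort when the profile is absent. The two added `include` lines and the `label="@{p_systemd_user}"` talk rule read consistently with the rest of the file; the profile body continues past this hunk.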
@@ -31,18 +36,17 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, - /etc/locale.alias r, /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, - - /var/lib/flatpak/exports/share/mime/ r, + /etc/xdg/plasmarc r, @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..9558a6528 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -23,6 +23,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, @@ -57,7 +60,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -76,6 +78,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, 
@@ -90,8 +93,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 124cf2fda..c07b06815 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,23 +9,37 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 969a82f6c..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy 
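Review bot: In the wayland-session hunk `@{bin}/dpkg-query px` is a lowercase-`p` transition without environment scrubbing, whereas `@{bin}/startplasma-wayland Px` on the next line scrubs; for a package query there is no visible reason to pass the session environment through, so `@{bin}/dpkg-query Px,` would be the consistent choice. Dropping the `r` from `startplasma-wayland Px` is harmless for an exec-only rule, but if the project style elsewhere is `rPx` it is worth keeping the file uniform. The removal of `/dev/tty rw` is presumably covered by the newly added `include`, whose target is not visible here, so that cannot be confirmed from this hunk.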
@@ -9,10 +9,12 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include include include include include + include @{exec_path} mr, @@ -21,6 +23,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7cebbb43c..1adbf1d9f 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about new file mode 100644 index 000000000..8f5830453 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-about +profile lxqt-about @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations new file mode 100644 index 000000000..4232f1c70 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations 
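Review bot: `@{run}/user/@{uid}/xauth_@{rand6} rl` in the xembedsniproxy hunk has no `owner` qualifier, while the sibling `owner @{run}/user/@{uid}/iceauth_@{rand6} r` line added alongside it does; assuming the X cookie file is created under the session user's uid, `owner @{run}/user/@{uid}/xauth_@{rand6} r,` keeps the two consistent and avoids granting reads on another user's cookie should `@{uid}` be a generic numeric pattern. The `l` (link) permission on a cookie file is also unusual for a tray proxy; unless the audit log showed an actual link request, plain `r` is enough. The new `include` lines have lost their targets in this rendering and cannot be checked.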
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-file-associations +profile lxqt-config-file-associations @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/mimeapps* rwk, + owner @{user_config_dirs}/lxqt-* rwk, + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} rwk, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale new file mode 100644 index 000000000..c7c868c18 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-locale 
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-locale +profile lxqt-config-locale @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/* r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd new file mode 100644 index 000000000..63b2eb673 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd 
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-notificationd +profile lxqt-config-notificationd @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement new file mode 100644 index 000000000..4b96ccb36 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement 
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-powermanagement +profile lxqt-config-powermanagement @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer new file mode 100644 index 000000000..f4c38e94d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-printer +profile lxqt-config-printer @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
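Review bot: `@{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw` grants write access to `max_brightness` and `actual_brightness`, which are read-only sysfs attributes, and the separate `@{sys}/devices/@{pci}/backlight/**/brightness rw` line below it is then redundant. Splitting into `@{sys}/devices/@{pci}/backlight/**/brightness rw,` and `@{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,` (and the same split for the `drm/card@{int}/**` and `*_backlight/` patterns) keeps the profile to what the tool can actually do. Whether the write on `brightness` succeeds at all from a user session depends on udev ACLs or `video` group membership, which this profile cannot grant; a short comment saying so would save a future reader from chasing a DAC denial as an AppArmor one.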
diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd new file mode 100644 index 000000000..a9a75aa90 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-globalkeysd +profile lxqt-globalkeysd @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/screengrab rPx, + @{bin}/lxqt-config-brightness rPx, + + /usr/share/lxqt/globalkeyshortcuts.conf rw, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, + owner @{user_config_dirs}/lxqt/#@{int} wr, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave new file mode 100644 index 000000000..e76d81f54 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-leave +profile lxqt-leave @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel new file mode 100644 index 000000000..f817be69d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-panel 
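Review bot: `/usr/share/lxqt/globalkeyshortcuts.conf rw` in lxqt-globalkeysd gives a per-user daemon write access to a system-wide default file under `/usr/share`; the user-writable copy is already covered by the `owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.*` rules a few lines below, so the system file should be `/usr/share/lxqt/globalkeyshortcuts.conf r,`. DAC will normally refuse the write anyway, but a profile that allows it documents the wrong intent and would matter if the daemon were ever started with elevated privileges. The `@{open_path} rPx -> child-open-help` and `screengrab`/`lxqt-config-brightness` transitions look appropriately pinned.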
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-panel +profile lxqt-panel @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + network packet dgram, + + @{exec_path} mr, + + @{bin}/exo-open rix, + @{lib}/gio-launch-desktop rix, + @{bin}/nm-applet rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/ControlPanel rPx, + + @{bin}/sudo rCx -> root, + + @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins + @{lib}/lxqt-config/*.so mr, # LXQT-Plugins + + /usr/share/desktop-directories/{,**} r, + /usr/share/lxqt/{,**} r, + + /etc/fstab r, + /etc/udev/udev.conf r, + /etc/machine-id r, + /etc/xdg/lxqt-qtxdg.conf r, + /etc/xdg/menus/**.menu r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/ui/uistandards.rc r, + + /var/lib/dbus/machine-id r, + + owner @{HOME}/Desktop/*.desktop rw, + owner @{HOME}/Desktop/#@{int} rw, + owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, + + owner @{user_config_dirs}/menus/*.menu rw, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/share/desktop-directories/*.directory r, + owner @{user_config_dirs}/share/gvfs-metadata/{,*} r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/panel.conf rw, + owner @{user_config_dirs}/lxqt/panel.conf.lock rwk, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/pulse/{,**} rwk, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, + + 
@{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty rw, + /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/snd/controlC@{int} rw, + + profile root { + include + include + + @{bin}/lsblk rPx, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner new file mode 100644 index 000000000..5783c1fa0 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-runner +profile lxqt-runner @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/ r, + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session new file mode 100644 index 000000000..910ea7c5f --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-session 
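Review bot: `owner @{user_config_dirs}/share/desktop-directories/*.directory r` and `owner @{user_config_dirs}/share/gvfs-metadata/{,*} r` in lxqt-panel point at `~/.config/share/`, which is not where those files live; elsewhere in this same commit the gvfs metadata path is written as `@{user_share_dirs}/gvfs-metadata`, so these most likely want `owner @{user_share_dirs}/desktop-directories/*.directory r,` and `owner @{user_share_dirs}/gvfs-metadata/{,*} r,`. Separately, `network packet dgram` opens AF_PACKET sockets to a desktop panel, which is broad for a tray; if this is for a network-monitor plugin a comment naming it would justify the rule, otherwise it can go. The `sudo rCx -> root` child profile's `include` targets are lost in this rendering, so whether it is adequately restricted cannot be judged here.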
@@ -0,0 +1,96 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-session +profile lxqt-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network netlink raw, + + signal (send), + signal (receive) set=(kill, term) peer=startlxqt, + signal (receive) set=(kill, term) peer=sddm, + + ptrace (read), + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/sed rix, + @{bin}/readlink rix, + @{bin}/dirname rix, + @{bin}/system-config-printer-applet rPx, + @{bin}/dbus-update-activation-environment rCx -> dbus, + @{bin}/systemctl rCx -> systemctl, + + @{bin}/pavucontrol rPx, + @{lib}/geoclue-2.0/demos/agent rPx, + @{bin}/nm-connection-editor rPx, + @{bin}/nm-applet rPx, + @{bin}/openbox rix, + @{bin}/dconf-editor rPx, + @{bin}/setxkbmap rix, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/xrdb rPx, + @{bin}/xdg-user-dirs-update rPx, + + /usr/share/ r, + /usr/share/cursors/ r, + /usr/share/backintime/common/* r, + /usr/share/desktop-directories/* r, + /usr/share/system-config-printer/* r, + + /etc/xdg/ r, + /etc/xdg/autostart/ r, + /etc/xdg/autostart/*.desktop r, + /etc/xdg/menus/lxqt-* r, + /etc/xdg/openbox/* r, + /etc/udev/udev.conf r, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_cache_dirs}/openbox/ rw, + owner @{user_cache_dirs}/openbox/sessions/ rw, + owner @{user_cache_dirs}/openbox/openbox.log rwk, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/openbox/rc.xml r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, + + profile systemctl { + include + include + + include if exists + } + profile dbus { + include + include + + 
@{bin}/dbus-update-activation-environment mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt new file mode 100644 index 000000000..3ae907116 --- /dev/null +++ b/apparmor.d/groups/lxqt/startlxqt @@ -0,0 +1,79 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/startlxqt +profile startlxqt @{exec_path} { + include + include + include + include + + signal (receive) set=(term) peer=sddm, + + @{exec_path} mr, + + @{bin}/xrdb rPx, + @{bin}/xsetroot rPx, + @{bin}/xprop rpx, + @{bin}/mkdir rix, + @{sh_path} rix, + @{bin}/lxqt-session rPx, + + @{bin}/systemctl rCx -> systemctl, + @{bin}/dbus-update-activation-environment rCx -> dbus, + + /usr/share/color-schemes/{,**} r, + /usr/share/desktop-directories/{,**} r, + /usr/share/kservices5/{,**} r, + + /etc/machine-id r, + /etc/xdg/menus/{,**} r, + + @{HOME}/ r, + + owner @{user_cache_dirs}/#@{int} rw, + @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, + + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/lxqt/ rw, + owner @{user_config_dirs}/menus/{,**} r, + + owner @{user_share_dirs}/kservices5/{,**} r, + owner @{user_share_dirs}/sddm/wayland-session.log rw, + owner @{user_share_dirs}/sddm/xorg-session.log rw, + + owner /tmp/#@{int} rw, + owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, + + owner @{run}/user/@{uid}/ r, + + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists + + profile systemctl flags=(attach_disconnected) { + include + include + + include if exists + } + + profile dbus { + include + + @{bin}/dbus-update-activation-environment mr, + + owner @{HOME}/.xsession-errors w, + + include if exists + } +} + +# vim:syntax=apparmor 
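Review bot: `signal (send),` and `ptrace (read),` in lxqt-session carry no `peer=` qualifier, so the session manager may signal and read any process its uid can reach, regardless of that process's profile; the receive side is scoped to `startlxqt` and `sddm`, so the send side presumably only needs the session's own children. If the set of children is not enumerable, a comment explaining why the unrestricted form is required would at least document the decision. `@{bin}/openbox rix` also runs the window manager inline under this profile; if an openbox profile exists in the set, `@{bin}/openbox rPx,` would confine it separately.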
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8ac535f16..22b94effd 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include @@ -14,9 +14,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, @@ -25,14 +26,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, 
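Review bot: `capability sys_admin,` is added to ModemManager with no comment, and CAP_SYS_ADMIN is broad enough that the reason should be recorded; the denial that prompted it is not visible here, so it is worth confirming that a narrower capability (e.g. `sys_tty_config` for serial line setup, or the existing `net_admin`) does not already cover the operation. A trailing comment such as `capability sys_admin, # <operation from aa-log that requires it>` would make the grant reviewable later. The `@{sbin}` path change and the udev data rules in the neighbouring hunks look fine.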
@@ -43,9 +48,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, + @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/revision r, - @{sys}/devices/virtual/net/*/ r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e20ea48b3..fca80465d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -6,12 +6,12 @@ abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
@@ -43,44 +43,58 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*), + peer=(name=@{busname}), - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), - - dbus send bus=system path=/ + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + member=Action2 + peer=(name=org.freedesktop.nm_dispatcher), + + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - 
peer=(name=org.freedesktop.DBus, label=dbus-system), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, @@ -92,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -104,6 +123,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, + @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, 
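Review bot: The unlabeled `dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=@{busname}),` already accepts that call from any peer, so the two labeled receive rules that follow it (`label=gnome-control-center` and `label=nm-online`) are dead; keep either the open rule or the labeled ones, depending on whether arbitrary clients are meant to enumerate NetworkManager's objects. Likewise the explicit `dbus send ... path=/org/freedesktop/nm_dispatcher ... member=Action2` appears to be covered by the `#aa:dbus talk ... name=org.freedesktop.nm_dispatcher label=nm-dispatcher` directive above it, assuming that directive expands to send rules for that name. The removed `GetConnectionUnixUser`/`GetConnectionUnixProcessID` send rule is presumably now in the replaced `include`, whose target is not visible here.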
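Review bot: `@{lib}/netplan/@{int2}-network-manager-all.yaml w` grants NetworkManager write access to a file under `/usr/lib`, which is packaged, read-only territory; the profile's other netplan rules target `/etc/netplan/90-NM-@{uuid}.yaml` and `@{run}/netplan/`, which are the expected places for generated config. If this came from an audit entry, a comment naming the trigger would justify it; otherwise confirm whether the write belongs under `@{etc_rw}/netplan/` or `@{run}/netplan/` before granting it on `/usr/lib`.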
@@ -117,21 +137,24 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @@ -141,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index ebb861971..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,10 +35,13 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, 
@@ -46,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index 50827e77e..13edaaf16 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -21,21 +21,27 @@ profile iwd @{exec_path} { network netlink raw, network netlink dgram, network alg seqpacket, + network packet dgram, @{exec_path} mr, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/* r, @{sys}/devices/@{pci}/modalias r, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ee98720b6..d5c93fc5c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, 
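Review bot: The new `accept_ra` and `optimistic_dad` sysctl rules in iwd, like the existing ones, only match interfaces named `wlan@{int}` or `wlp*`; predictable naming also produces `wlx<mac>` for USB adapters and `wlo*`/`wls*` for onboard and hotplug-slot devices, which will hit denials here. Collapsing the block to `@{PROC}/sys/net/ipv{4,6}/conf/wl*/{arp_*,drop_*,ndisc_*,accept_ra,optimistic_dad} rw,` covers all of them without widening beyond wireless interfaces. `network packet dgram` is plausibly for iwd's built-in DHCP client, but a trailing comment saying so would help, since AF_PACKET is otherwise a surprising grant.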
@@ -29,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, @@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,21 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2..133e4bc00 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,6 +7,7 @@ abi , include @{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} 
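Review bot: The new `@{PROC}/@{pid}/cgroup r,` in the mullvad-daemon hunk has no `owner` qualifier while the adjacent `owner @{PROC}/@{pid}/mounts r,` does, so it lets the daemon read the cgroup membership of any process; if the need is locating its own service (the `system.slice/mullvad-daemon.service/cpu.max` rules point that way), `owner @{PROC}/@{pid}/cgroup r,` is enough. `@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,` also matches an ipv6 path that does not exist — harmless, but `ipv4` alone documents the intent. The enclosing profile continues outside this hunk.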
@@ -23,17 +24,15 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 54% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index 53297493e..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -7,14 +7,17 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, - @{lib}/netplan/generate rix, + @{lib}/netplan/generate rPx, @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, 
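Review bot: The directive line `#aa;dbus owb bus=system name=io.netplan.Netplan` in the netplan hunk uses `;` instead of `:` (and `owb` where the own form is spelled `own`), so the apparmor.d preprocessor will treat it as an ordinary comment and generate no D-Bus rules for owning `io.netplan.Netplan`; compare `#aa:dbus talk …` in the nmcli and tailscaled hunks of this same change. It should read `#aa:dbus own bus=system name=io.netplan.Netplan`, unless `owb` is an artifact of how this page was rendered. `@{lib}/netplan/generate rPx,` now depends on the `netplan-generate` profile that this commit adds, which is fine. The `profile netplan` block ends outside this hunk.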
@@ -22,25 +25,20 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, - @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, - @{run}/systemd/system/ r, - @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd.service.wants/ rw, - @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, - @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/netplan/ r, profile udevadm { include include - @{run}/udev/control rw, + capability net_admin, + + @{att}/@{run}/udev/control rw, + @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -49,10 +47,14 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate new file mode 100644 index 000000000..cea17b81c --- /dev/null +++ b/apparmor.d/groups/network/netplan-generate 
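Review bot: `@{run}/udev/control rw,` in the netplan `systemctl` child profile is surprising — systemctl does not talk to udevd, so this looks like a log entry attributed to the wrong child, and the `udevadm` child in the previous hunk already receives the same socket as `@{att}/@{run}/udev/control rw,`. If the access is genuinely needed in the systemctl child it should use the same `@{att}/` spelling as its sibling (both run under an `attach_disconnected` parent); otherwise drop the line. `ptrace read peer=@{p_systemd},` matches what pacman's systemctl child gains in this commit, so that part is consistent.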
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/netplan/generate +profile netplan-generate @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability chown, + + network netlink raw, + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /etc/netplan/{,*} r, + + @{run}/NetworkManager/ rw, + @{run}/NetworkManager/conf.d/ rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, + @{run}/NetworkManager/system-connections/ rw, + @{run}/NetworkManager/system-connections/* rw, + + @{run}/systemd/generator/multi-user.target.wants/ w, + @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, + @{run}/systemd/generator/netplan.stamp w, + @{run}/systemd/generator/network-online.target.wants/ w, + @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, + @{run}/systemd/network/ rw, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, + @{run}/systemd/system/ r, + @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, + @{run}/systemd/system/systemd-networkd.service.wants/ rw, + @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + + @{run}/udev/rules.d/ rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{run}/netplan/ r, + + @{run}/udev/rules.d/ r, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{sys}/devices/**/net/*/address r, + + profile systemctl { + include + include + + capability net_admin, + + 
@{att}/@{run}/systemd/private rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index de8f9ccb0..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,16 +16,18 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, @{bin}/ r, - @{bin}/networkctl rPx, + @{bin}/chronyc rPUx, @{bin}/ls rix, + @{bin}/networkctl rPx, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, + @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix, /etc/networkd-dispatcher/{,**} r, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 40984f7fa..029a5e39a 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher 
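Review bot: In the new netplan-generate profile, `@{run}/NetworkManager/system-connections/* rw,` lets the generator overwrite every NetworkManager connection file under `/run`, whereas the rule it replaces in netplan.script was `@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,`; those files can carry Wi-Fi PSKs and VPN secrets, so the netplan-owned pattern should be kept unless the generator was actually observed writing other names. The udev rules are also granted twice: `@{run}/udev/rules.d/ rw,` plus the `@{int}-netplan{,-*}.rules{,.@{rand6}} rw,` line appear once before `@{run}/netplan/ r,` and again after it (with `r` on the directory) — the second pair is redundant and should go. `capability chown,` and the systemctl child's `@{att}/@{run}/systemd/private rw,` have no why-comment; a short one on each would help the next maintainer.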
@@ -26,7 +26,12 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -36,22 +41,22 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, @@ -101,7 +106,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 27a511dc4..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online 
@@ -11,16 +11,17 @@ profile nm-online @{exec_path} { include include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 675c14679..943386f61 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index a964ab958..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -9,19 +9,37 @@ include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include + include + include capability dac_read_search, capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{pager_path} rPx -> child-pager, + /etc/netplan/* r, + owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 532c65f78..2a513b84e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn 
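Review bot: `/etc/netplan/* r,` in the nmcli hunk is added without a comment, and netplan YAML files routinely contain Wi-Fi passphrases; nmcli is a user-facing CLI, so it is worth recording why it reads them (plausibly NetworkManager's netplan backend, which I cannot confirm here) and whether `/etc/netplan/ r,` for the directory listing is also needed. The hunk keeps `capability dac_read_search,`, which only matters when nmcli runs as root, but combined with the new rule it means a root nmcli reads those files regardless of their mode. I would write `/etc/netplan/* r, # netplan backend; files may hold Wi-Fi PSKs — TODO confirm`. The profile block continues outside this hunk.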
@@ -22,22 +22,17 @@ abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, @@ -71,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include @@ -85,10 +82,10 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/ r, + /etc/iproute2/rt_tables.d/{,*} r, include if exists } @@ -111,7 +108,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/env rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index f9dcac8d1..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind 
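Review bot: `capability sys_module,` in the openvpn hunk hands a network-facing daemon the ability to load arbitrary kernel modules, a far larger grant than the tun creation the neighbouring `net_admin` comment covers. In my experience the logged sys_module check for tun/tap users comes from the kernel's opportunistic netdev autoload probe, where denying the capability has no functional effect; unless openvpn was actually seen failing to load a module, this should be `deny capability sys_module, # netdev autoload probe, not needed` (or left out and the denial audited) rather than allowed. The `/dev/net/tun rw,` rule added further down is the right companion for `net_admin`. The `profile openvpn` block continues outside these hunks.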
@@ -1,17 +1,27 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index ac29b0b28..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,13 +31,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, @{bin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 781a52f7a..0b0315e33 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/wg -profile wg @{exec_path} { +profile wg @{exec_path} flags=(attach_disconnected) { include + include capability net_admin, capability net_bind_service, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c7ea6b1bd..33de68147 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -7,8 +7,11 @@ abi , include @{exec_path} = @{bin}/wg-quick -profile wg-quick @{exec_path} { +profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include + include + include capability dac_read_search, capability net_admin, 
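Review bot: `@{run}/rpcbind.lock rwkl,` and `@{run}/rpcbind/*.xdr rwkl,` in the rpcbind hunk grant hard-link creation (`l`) at those paths with no target, which a lock file and the rpcbind state dumps should not need; `rwk` would match the expected behaviour unless a link was actually logged. The profile also stays `flags=(complain)`, so the new `setuid`/`setgid` capabilities and file rules are still only logged, not enforced — a comment saying what is still missing before it can be switched to enforce would help.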
@@ -20,31 +23,39 @@ profile wg-quick @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, - @{bin}/nft rix, + @{bin}/mv rix, + @{sbin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, - @{bin}/resolvectl rPUx, + @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, + @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, - @{bin}/sysctl rix, + @{bin}/sync rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/*.conf r, + /etc/wireguard/{,**} rw, @{sys}/module/wireguard r, - @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + @{PROC}/@{pid}/net/ip_tables_names r, - /dev/tty rw, + profile sysctl flags=(attach_disconnected) { + include - # Force the use as root - deny @{bin}/sudo x, + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + + include if exists + } include if exists } diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index d5abc07db..84136638c 100644 --- a/apparmor.d/groups/pacman/makepkg 
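Review bot: `/etc/wireguard/{,**} rw,` in the wg-quick hunk replaces the read-only `/etc/wireguard/*.conf r,` with read-write over the whole directory that holds the tunnel private keys. The new `mv`, `rm` and `sync` rules suggest this is for `SaveConfig`, which writes `<name>.conf.tmp` and renames it over `<name>.conf`; if so, `/etc/wireguard/ r,` plus `/etc/wireguard/*.conf{,.tmp} rw,` covers it without exposing arbitrary files under that directory. Dropping `deny @{bin}/sudo x,` and `/dev/tty rw,` is unexplained — a one-line note in the profile would help. The `profile wg-quick` block starts outside this hunk.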
+++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,7 @@ profile makepkg @{exec_path} { include include include + include include include include @@ -28,14 +29,22 @@ profile makepkg @{exec_path} { file, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/sudo Cx -> sudo, + @{pager_path} Px -> child-pager, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, + @{bin}/sudo Cx -> sudo, + + deny capability sys_ptrace, + deny ptrace read, profile gpg { include include + include + + network netlink raw, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @@ -66,8 +75,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } @@ -80,8 +89,9 @@ profile makepkg @{exec_path} { ptrace read, - signal send set=winch peer=pacman, - signal send set=winch peer=pacman//systemctl, + signal send set=(term winch) peer=pacman, + signal send set=(term winch) peer=pacman//systemctl, + signal send set=(term winch) peer=systemd-tty-ask-password-agent, @{bin}/pacman Px, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index a9902e54b..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, 
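Review bot: The makepkg `gpg` child profile drops `owner` from `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/task/@{tid}/comm rw,`, so gpg may now read the fd table and rewrite the thread name of any process DAC allows rather than only its own; as far as I know gpg only touches its own `/proc` entries, so the qualifier should stay (`owner @{PROC}/@{pid}/fd/ r,` / `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`) unless a denial for a foreign pid was observed — if makepkg runs gpg under a different uid via sudo or fakeroot, say so in a comment. The new `network netlink raw,` in the same child is also uncommented. The child profile is only partially visible in this hunk.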
@@ -42,13 +42,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, + @{bin}/sync rPx, @{lib}/initcpio/busybox rix, @{lib}/initcpio/post/** rix, @@ -61,7 +59,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,*} r, + /etc/modprobe.d/{,**} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, @@ -83,9 +81,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/ r, + @{efi}/@{hex32}/{,**} rw, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index f537afdb3..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @@ -36,10 +36,14 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf4..eef992666 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff 
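Review bot: The paccache hunk adds `/etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,` and `@{HOME}/@{XDG_GPG_DIR}/gpg*.conf r,` to the paccache profile itself, because `@{bin}/gpg{,2} rix` (kept in the earlier hunk) runs gpg under paccache's own label; the net effect is that a cache-cleaning script gets write access to the pacman keyring. makepkg and pacman-key in this same commit run gpg in a dedicated child (`@{bin}/gpg{,2} rCx -> gpg,`); paccache should do the same and move the keyring rules into that child. The two `@{HOME}` rules also lack `owner`, which the nmcli hunk above uses for its home-directory reads.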
@@ -19,26 +19,22 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, - @{bin}/vim rix, - - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{user_cache_dirs}/vim/{,**} rw, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, @@ -48,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1c7015b1f..41b45c9d0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -12,6 +12,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -26,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, 
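Review bot: The `editor` child profile in the pacdiff hunk is given `/etc/** rw,` but the rules removed from the parent — `owner @{HOME}/.viminfo{,.tmp} rw,` and `owner @{user_cache_dirs}/vim/{,**} rw,` — are not carried into the child; unless one of its two includes provides them, vim started through `@{editor_path} Cx -> editor` will fail to save its state. Either re-add them inside `profile editor { … }` or note in a comment which abstraction covers them. `@{bin}/pacman ix,` also keeps pacman under pacdiff's label even though this commit gives pacman a much larger profile of its own — `Px` would be consistent with the `@{bin}/pacman-conf Px,` beside it.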
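Review bot: `capability sys_admin,` is added to the pacman profile with no comment, and it is the broadest capability in the set — mount, setns, most `security.*` xattrs and more. The neighbouring `setfcap` already covers file capabilities, so the trigger is probably an install script or an xattr restore; the line should record what needed it, e.g. `capability sys_admin, # TODO: which hook/xattr triggers this?`, or be moved into the child profile of the tool that needed it. The `profile pacman` block continues outside this hunk.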
@@ -39,80 +41,63 @@ profile pacman @{exec_path} flags=(attach_disconnected) { ptrace read, - signal send set=usr1 peer=gvfsd, - signal receive set=winch peer=makepkg//sudo, + signal send, + signal receive set=(term winch) peer=makepkg//sudo, @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + # Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rix, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{bin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, - @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/perl rix, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{bin}/setcap rix, - @{bin}/setfacl rix, - @{bin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py 
rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, + + # For shell pwd, keept as it can annoy users to see error in pacman output + /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -134,8 +119,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, @@ -145,11 +130,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Silencer, - deny @{HOME}/ r, - deny @{HOME}/**/ r, - deny /tmp/ r, - profile gpg { include include 
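Review bot: The catch-all exec rules `@{bin}/** PUx,`, `@{sbin}/** PUx,`, `/opt/*/** PUx,`, `/etc/** PUx,` and `/usr/share/** PUx,` mean any program without a dedicated profile now runs unconfined from pacman, and `/etc/** PUx,` in particular lets an executable dropped anywhere under /etc leave confinement entirely. The comment above them acknowledges the trade-off, but since the `pacman-hook-*` profiles exist precisely to avoid that, it is worth leaving `/etc/** PUx,` out and listing the specific `/etc` hook paths that were observed. `signal send,` likewise replaces the targeted `signal send set=usr1 peer=gvfsd,`; an unrestricted send rule should name the peers it was seen to need (and `keept` in the pwd comment should be `kept`). The `profile pacman` block starts and ends outside this hunk.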
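Review bot: `@{PROC}/@{pids}/environ r,` replaces `@{PROC}/1/environ r,` and, together with the `capability sys_ptrace` and `ptrace read` already in this profile, lets pacman and every `ix` helper read the environment of all processes — environment blocks frequently hold tokens and credentials. The tools that actually walk `/proc/*/environ` (needrestart is a likely candidate) now run via `PUx` and so no longer need this under pacman's label; restoring `@{PROC}/1/environ r,` (or `owner @{PROC}/@{pid}/environ r,` if a hook reads its own) is the safer form unless a denial for another pid was seen. The `profile pacman` block continues outside this hunk.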
@@ -186,7 +166,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include @@ -194,20 +174,79 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, - signal receive set=winch peer=makepkg//sudo, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + signal receive set=(term winch) peer=makepkg//sudo, @{pager_path} rPx -> child-pager, + @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3a6bbd7fe..3e916efe3 100644 
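Review bot: The new `bus` child profile of pacman is entered by both `@{bin}/dbus-send Cx -> bus,` and `@{bin}/gdbus Cx -> bus,` (previous hunk) but only grants `@{bin}/gdbus rix,`; unless one of its includes covers it, dbus-send will not be executable inside its own child, and the sibling `pkill` child shows the expected shape — `@{bin}/killall mr,` / `@{bin}/pkill mr,`. I would make it `@{bin}/dbus-send mr,` and `@{bin}/gdbus mr,`. The `kmod` child likewise holds only two includes and no `mr` rule for the binary; if that is deliberate because an abstraction provides it, a comment saying so would stop the next reader from flagging it.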
--- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -16,12 +16,13 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index b5a330d75..c49eb08e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 45336a100..0dae14351 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,14 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, - @{bin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a039db414..a8a54c151 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms 
@@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index de0d33e16..3b29e01ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 5aa612a3c..17218158e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index ce7b931ca..e6aa28627 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 9ee488fbc..48ce25ab2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, 
@@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /boot/efi/boot/boot*.efi rw, - /boot/initramfs-*-fallback.img rw, - /boot/initramfs-*.img rw, - /boot/vmlinuz-* rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 7c0006153..6378ca991 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 1254f97e2..aa2be8b09 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -9,19 +9,18 @@ include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include + include capability dac_read_search, capability mknod, @{exec_path} mr, - @{bin}/perl rix, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, - - @{lib}/perl@{int}/{,**} r, + @{bin}/wc rix, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 2c32024a2..860fb34ea 100644 
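Review bot: The kernel and initramfs rules move from `/boot/` to `@{efi}/`, but `@{efi}` is a tunable whose expansion is not visible here; on systems where `/boot` is a separate non-ESP partition (ESP at `/boot/efi` or `/efi`), the `initramfs-*.img` and `vmlinuz-*` writes would be denied in enforce mode and the hook would leave a stale initramfs behind. Either confirm the tunable already lists `/boot/` or keep `/boot/initramfs-*{,-fallback}.img rw,` and `/boot/vmlinuz-* rw,` alongside the `@{efi}` forms. Note also that `/boot/efi/boot/boot*.efi` became `@{efi}/EFI/boot/boot*.efi`: AppArmor path matching is case-sensitive even on a vfat ESP, so if both spellings occur in practice the rule should be `@{efi}/{EFI,efi}/boot/boot*.efi rw,`, with a comment explaining why a package hook is allowed to overwrite a bootloader binary.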
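Review bot: Dropping `@{lib}/perl@{int}/{,**} r` together with `@{bin}/perl rix` leaves no visible rule that lets `find` (inherited via `rix`) walk the installed Perl module tree, which is presumably what detect-old-perl-modules.sh scans; if that read is not provided by the include added at the top of this hunk (its argument is not shown here), the directory walk is denied under enforce and the script's result is wrong. Confirm with `aa-log` after a perl upgrade, or keep a read rule scoped to what the script actually scans, e.g. `@{lib}/perl@{int}/{,**} r,`.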
--- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -44,6 +44,13 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 287bc026a..1e1204c27 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,15 +16,15 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/gpg{,2} rCx -> &gpg, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, @@ -34,7 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, /dev/tty rw, @@ -59,7 +60,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index e101fc06f..42932cc2e 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -25,6 +25,7 @@ profile yay @{exec_path} { @{bin}/git Cx -> git, @{bin}/gpg{,2} Cx -> gpg, @{bin}/makepkg Px, + @{bin}/pacman Px, @{bin}/pacman-conf Px, @{bin}/sudo Cx -> sudo, 
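Review bot: Replacing `/etc/pacman.d/gnupg/* rw` with `/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**` in the parent shell profile gives the script itself recursive write, lock and link rights over the keyring that verifies every package, not just the gpg child that already carries an equivalent rule. From the helpers visible in the hunk (chmod, touch, awk, gettext) the parent side appears to only create the directory, write config files and fix permissions, so it is worth recording the specific denial that required `**` and `l` here. If only top-level files are touched, `/etc/pacman.d/gnupg/ rw,` plus `/etc/pacman.d/gnupg/* rw,` keeps the keyring-mutating surface inside the gpg child.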
@@ -84,6 +85,7 @@ profile yay @{exec_path} { @{bin}/gpg{,2} mr, @{bin}/gpg-agent rPx, + @{bin}/dirmngr rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/groups/polkit/pkexec similarity index 94% rename from apparmor.d/profiles-m-r/pkexec rename to apparmor.d/groups/polkit/pkexec index c7bfbcefa..8c6d868da 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/groups/polkit/pkexec @@ -21,13 +21,13 @@ profile pkexec @{exec_path} { @{exec_path} mr, @{bin}/* PUx, + @{sbin}/* PUx, @{lib}/** PUx, /opt/*/** PUx, /usr/share/** PUx, /etc/default/locale r, - @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/groups/polkit/pkttyagent similarity index 95% rename from apparmor.d/profiles-m-r/pkttyagent rename to apparmor.d/groups/polkit/pkttyagent index de0eeef33..436447aef 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper similarity index 73% rename from apparmor.d/groups/freedesktop/polkit-agent-helper rename to apparmor.d/groups/polkit/polkit-agent-helper index bb6e457ff..f761ecf29 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include 
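Review bot: `@{sbin}/* PUx,` follows the existing `@{bin}/* PUx,` / `@{lib}/** PUx,` / `/usr/share/** PUx,` pattern, so any target without its own profile runs fully unconfined as root once polkit has approved it; that is inherent to pkexec, but the intent is not written down anywhere in the profile. A comment above the block, e.g. `# pkexec runs arbitrary programs as root: unprofiled targets are deliberately unconfined (PUx)`, prevents a later tightening pass from turning these into `Px` and breaking every unprofiled pkexec target. The removal of `@{PROC}/@{pid}/fdinfo/@{int} r` is fine if it was never hit; if it was driven by a log review, say so in the commit message.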
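Review bot: Adding `flags=(attach_disconnected)` to a setuid-root PAM helper makes any file it reaches through a disconnected path (one with no name in the helper's mount namespace) match rules as if rooted at `/`, which is a widening rather than a cosmetic change. Add a comment naming the disconnected path that motivated it (the `info="Failed name lookup - disconnected path"` entry from the audit log), e.g. `# attach_disconnected: <path> when spawned by <agent>`, so the flag can be revisited; if it was only added for symmetry with polkitd, drop it here.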
@@ -25,20 +25,22 @@ profile polkit-agent-helper @{exec_path} { network netlink raw, - signal (receive) set=(term, kill) peer=gnome-shell, - signal (receive) set=(term, kill) peer=pkexec, - signal (receive) set=(term, kill) peer=pkttyagent, - signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, + signal receive set=(term kill) peer=gnome-shell, + signal receive set=(term kill) peer=pkexec, + signal receive set=(term kill) peer=pkttyagent, + signal receive set=(term kill) peer=polkit-*-authentication-agent, + + unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/polkit/polkitd similarity index 68% rename from apparmor.d/groups/freedesktop/polkitd rename to apparmor.d/groups/polkit/polkitd index 089e61744..fa00311cd 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -7,10 +7,11 @@ abi , include -@{exec_path} = @{lib}/{,polkit-1/}polkitd +@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd profile polkitd @{exec_path} flags=(attach_disconnected) { include include + include include capability setgid, 
@@ -19,18 +20,19 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace (read), + ptrace read, #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), @{exec_path} mr, - @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-check-authorization rPx, + @{bin}/pkla-admin-identities rPx, /etc/machine-id r, @@ -53,13 +55,19 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @@ -67,9 +75,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, - # Silencer - deny /.cache/ rw, - include if exists } diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 000000000..56075ae1c --- /dev/null +++ b/apparmor.d/groups/procps/free 
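Review bot: This hunk drops the only visible rule allowing polkitd to call `GetConnectionUnixProcessID`/`GetConnectionUnixUser`/`GetConnectionCredentials` on the bus driver, which is how it maps a caller's bus name to uid, pid and label before every authorization decision; presumably the include added at the top of the profile now covers this, but its argument is not visible here, so please confirm, because a denial there fails every CheckAuthorization call rather than just one feature. The replacement `BeginAuthentication` rule names only `polkit-kde-authentication-agent` as peer; GNOME, MATE and text agents must be covered elsewhere or those sessions never receive an authentication prompt, and a comment pointing to where that is handled would help. Tightening `pkla-check-authorization` from `rPUx` to `rPx` and adding `pkla-admin-identities rPx` is welcome, but both now require their profiles to be shipped in the same change.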
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/groups/procps/htop similarity index 93% rename from apparmor.d/profiles-g-l/htop rename to apparmor.d/groups/procps/htop index 08b58ebd2..ef14d9ca9 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/groups/procps/htop @@ -20,14 +20,15 @@ profile htop @{exec_path} { network netlink raw, - signal (send), - signal (receive) set=(hup) peer=gnome-terminal-server, + signal send, + signal receive set=hup peer=gnome-terminal-server, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/lsof rix, + @{bin}/strace rix, /usr/share/terminfo/** r, 
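Review bot: `@{bin}/strace rix,` runs strace inside htop's own profile, but the profile only grants `ptrace read` (next to an unrestricted `signal send`), so strace's PTRACE_ATTACH is denied the first time the trace feature is used; making it work by widening to `ptrace (read, trace),` would give the whole htop profile — and everything it executes with `rix`, lsof included — the right to attach to and control any process the user owns. Prefer a child profile, `@{bin}/strace rCx -> strace,` with `ptrace (read, trace)` scoped to that child, or an `rPx` transition to a dedicated strace profile, plus a comment stating that the attach is intentional. Since `@{PROC}/@{pids}/environ r` (re-added further down in this series) already exposes other processes' environments to this profile, keeping trace rights out of the parent matters.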
@@ -38,58 +39,13 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, - owner @{PROC}/@{pid}/smaps_rollup r, - - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, 
@@ -100,8 +56,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, 
@@ -129,8 +85,54 @@ profile htop @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, + @{PROC}/ r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/wchan r, + + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/comm r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, + owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep new file mode 100644 index 000000000..d10c1e772 --- /dev/null +++ b/apparmor.d/groups/procps/pgrep 
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pgrep +profile pgrep @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/groups/procps/pidof similarity index 53% rename from apparmor.d/profiles-s-z/snap-repair rename to apparmor.d/groups/procps/pidof index fe9be759a..3413eb6c3 100644 --- a/apparmor.d/profiles-s-z/snap-repair +++ b/apparmor.d/groups/procps/pidof @@ -1,18 +1,18 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{lib}/snapd/snap-repair -profile snap-repair @{exec_path} { +@{exec_path} = @{bin}/pidof +profile pidof @{exec_path} { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/groups/procps/ps similarity index 98% rename from apparmor.d/profiles-m-r/ps rename to apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/groups/procps/sysctl similarity index 89% rename from apparmor.d/profiles-s-z/sysctl rename to apparmor.d/groups/procps/sysctl index 6dd12a023..9275c7054 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/groups/procps/sysctl 
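Review bot: git reports this as a 53% rename of `profiles-s-z/snap-repair` into `groups/procps/pidof`, but the effect is that the profile for `@{lib}/snapd/snap-repair` disappears from the tree unless it was recreated under `groups/snap/`, which is not visible in this chunk. If it was not, any `rPx` to snap-repair from the snapd profiles fails at exec time with "no profile found", and an `rPUx` would run it unconfined; confirm the new location, and if the profile was dropped on purpose say so in the commit message. The new pidof profile itself is a minimal read-only profile and looks fine.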
@@ -8,20 +8,23 @@ abi , include -@{exec_path} = @{bin}/sysctl +@{exec_path} = @{sbin}/sysctl profile sysctl @{exec_path} { include include capability net_admin, capability sys_admin, + capability sys_ptrace, capability sys_resource, @{exec_path} mr, /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, + + /etc/ufw/sysctl.conf r, # Add support for ufw @{PROC}/sys/ r, @{PROC}/sys/** rw, @@ -30,8 +33,6 @@ profile sysctl @{exec_path} { deny network inet6 stream, deny network inet stream, - /etc/ufw/sysctl.conf r, # Add support for ufw - include if exists } diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/groups/procps/top similarity index 100% rename from apparmor.d/profiles-s-z/top rename to apparmor.d/groups/procps/top diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/groups/procps/uptime similarity index 93% rename from apparmor.d/profiles-s-z/uptime rename to apparmor.d/groups/procps/uptime index 904ebe415..3da204a38 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/groups/procps/uptime @@ -15,6 +15,8 @@ profile uptime @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/@{int} r, + @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 000000000..1276222a2 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor 
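Review bot: `capability sys_ptrace,` is a surprising addition for sysctl, whose job is reading and writing `@{PROC}/sys/**`; nothing in the visible rules explains which key needs CAP_SYS_PTRACE, and granting it to a tool run by boot units and by ufw widens what a malicious sysctl.d snippet can reach. Record the triggering denial as a comment, e.g. `capability sys_ptrace, # <key> on <kernel>`, or if it only ever appeared as non-functional noise in the audit log, silence it with `deny capability sys_ptrace,` instead of granting it.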
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/groups/procps/w similarity index 93% rename from apparmor.d/profiles-s-z/w rename to apparmor.d/groups/procps/w index 3745015c1..2445034e9 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/groups/procps/w @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/groups/shadow/chage similarity index 97% rename from apparmor.d/profiles-a-f/chage rename to apparmor.d/groups/shadow/chage index a89e204a8..43f34a703 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/groups/shadow/chage @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/groups/shadow/chpasswd similarity index 74% rename from apparmor.d/profiles-a-f/chpasswd rename to apparmor.d/groups/shadow/chpasswd index fb8438cc1..5e84f31b4 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -6,20 +6,26 @@ abi , include -@{exec_path} = @{bin}/chpasswd +@{exec_path} = @{sbin}/chpasswd profile chpasswd @{exec_path} { include + include include include + capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, + network netlink raw, + @{exec_path} mr, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, - /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, 
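Review bot: `capability net_admin,` together with `capability audit_write,` and `network netlink raw,` is presumably for libaudit's netlink socket (PAM logs password changes to audit), but CAP_NET_ADMIN is far broader than audit needs and chpasswd is routinely fed untrusted `user:password` lines from provisioning scripts. If the denial is only libaudit's `SO_RCVBUFFORCE` attempt, which to my knowledge is non-fatal when refused, `deny capability net_admin, # libaudit SO_RCVBUFFORCE` keeps audit logging working without the grant; otherwise comment the real need next to the rule.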
@@ -31,6 +37,11 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, + /etc/pam.d/* r, + /etc/security/pwquality.conf r, + + @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/groups/shadow/gpasswd similarity index 97% rename from apparmor.d/profiles-g-l/gpasswd rename to apparmor.d/groups/shadow/gpasswd index 8afdff8db..ab2d21860 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/groups/shadow/gpasswd @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/groups/shadow/groupadd similarity index 94% rename from apparmor.d/profiles-g-l/groupadd rename to apparmor.d/groups/shadow/groupadd index 9450974a1..2d135007a 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupadd +@{exec_path} = @{sbin}/groupadd profile groupadd @{exec_path} { include include @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/groups/shadow/groupdel similarity index 94% rename from apparmor.d/profiles-g-l/groupdel rename to apparmor.d/groups/shadow/groupdel index 99b7fddaa..8f8b28239 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/groups/shadow/groupdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupdel +@{exec_path} = @{sbin}/groupdel profile groupdel @{exec_path} { include include @@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, 
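Review bot: `@{PROC}/@{pid}/loginuid r,` is unqualified, while the gpasswd profile in the same series (visible just below) uses `owner @{PROC}/@{pid}/loginuid r,`; chpasswd presumably only needs its own loginuid for the audit record, so make it `owner @{PROC}/@{pid}/loginuid r,` for consistency and to avoid reading other processes' login uid. `/etc/pam.d/* r` and `/etc/security/pwquality.conf r` are expected for a PAM-backed password change.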
diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/groups/shadow/groupmod similarity index 95% rename from apparmor.d/profiles-g-l/groupmod rename to apparmor.d/groups/shadow/groupmod index 4b9b0446a..34bf046cd 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/groups/shadow/groupmod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupmod +@{exec_path} = @{sbin}/groupmod profile groupmod @{exec_path} { include include @@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/groups/shadow/grpck similarity index 94% rename from apparmor.d/profiles-g-l/grpck rename to apparmor.d/groups/shadow/grpck index 5fad8960c..1e47307e4 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/groups/shadow/grpck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grpck +@{exec_path} = @{sbin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/groups/shadow/lastlog similarity index 95% rename from apparmor.d/profiles-g-l/lastlog rename to apparmor.d/groups/shadow/lastlog index 392aba362..0cb62819f 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/groups/shadow/lastlog @@ -17,8 +17,9 @@ profile lastlog @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /var/log/lastlog r, - /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/groups/shadow/newgidmap similarity index 91% rename from apparmor.d/profiles-m-r/newgidmap rename to apparmor.d/groups/shadow/newgidmap index 4a7196fc2..6fa555504 100644 
--- a/apparmor.d/profiles-m-r/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/groups/shadow/newuidmap similarity index 91% rename from apparmor.d/profiles-m-r/newuidmap rename to apparmor.d/groups/shadow/newuidmap index 549eb06ef..6a53bf5c1 100644 --- a/apparmor.d/profiles-m-r/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/groups/shadow/passwd similarity index 100% rename from apparmor.d/profiles-m-r/passwd rename to apparmor.d/groups/shadow/passwd diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/groups/shadow/pwck similarity index 91% rename from apparmor.d/profiles-m-r/pwck rename to apparmor.d/groups/shadow/pwck index 0c9e1ac0a..456a15af4 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/groups/shadow/pwck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pwck +@{exec_path} = @{sbin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/groups/shadow/useradd similarity index 93% rename from apparmor.d/profiles-s-z/useradd rename to apparmor.d/groups/shadow/useradd index 42ab87607..b10487cf2 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/useradd +@{exec_path} = @{sbin}/useradd profile useradd @{exec_path} { include include 
@@ -25,12 +25,12 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, @@ -53,9 +53,10 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/** wl, + @{HOME}/**/ r, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/groups/shadow/userdel similarity index 96% rename from apparmor.d/profiles-s-z/userdel rename to apparmor.d/groups/shadow/userdel index 05df64874..589c726d0 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/groups/shadow/usermod similarity index 96% rename from apparmor.d/profiles-s-z/usermod rename to apparmor.d/groups/shadow/usermod index c0f8f0e45..b59260a25 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, 
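Review bot: `@{HOME}/** wl,` replaces `@{HOME}/.* w,` and turns useradd into a root process that may write, create and hard-link anywhere under every existing home directory, not only the one being created; `owner` does not help because useradd runs as root, so the `/etc/skel` copy is the only thing justifying this. The `l` is presumably for skel trees containing hard links (shadow's copy_tree recreates them) — say so in a comment, e.g. `# copy_tree(/etc/skel) may recreate hard links inside the new home`, and if it was not driven by a real denial drop it and keep `@{HOME}/** w,`. Because AppArmor cannot express "only the home being created", documenting the intent is what keeps this rule from being widened further (e.g. to `rwl`) later.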
diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap new file mode 100644 index 000000000..9530b8594 --- /dev/null +++ b/apparmor.d/groups/snap/snap 
@@ -0,0 +1,217 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} + +@{exec_path} = @{bin_dirs}/snap +profile snap @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability setuid, + capability sys_admin, + capability sys_ptrace, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + ptrace read peer=snap.*, + + unix (send, receive) type=stream peer=(label=apt), + + mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, + + #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.SessionAgent + #aa:dbus own bus=session name=io.snapcraft.Settings + + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mrix, + + @{sh_path} mr, + @{bin}/mount rix, + @{bin}/getent rix, + + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, + @{bin}/xdg-settings rCx -> xdg-settings, + + @{bin_dirs}/xdelta3 ix, + 
@{lib_dirs}/** mr, + @{lib_dirs}/snapd/snap-confine rPx, + @{lib_dirs}/snapd/snap-seccomp rPx, + @{lib_dirs}/snapd/snapd rPx, + + /etc/fstab r, + + /var/lib/snapd/{,**} rwk, + /var/cache/snapd/commands.db rwk, + /var/cache/snapd/names r, + + @{DESKTOP_HOME}/snap/{,**} rw, + /snap/{,**} rw, + + @{HOME}/ r, + @{HOME}/.snap.mkdir-new/ rw, + @{HOME}/.snap/{,**} rw, + @{HOME}/snap/{,**} rw, + + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, + + @{run}/user/@{uid}/bus rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/snapd-session-agent.socket rw, + owner @{run}/user/@{uid}/systemd/notify rw, + + @{run}/mount/utab r, + @{run}/snapd.socket rw, + + @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/kernel/security/apparmor/features/{,**} r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/cgroups r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + @{PROC}/@{pid}/attr/apparmor/current r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty@{int} rw, + /dev/ttyS@{int} rw, + + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + + owner @{HOME}/.snap/gnupg/ rw, + owner @{HOME}/.snap/gnupg/** rwkl, + + include if exists + } + + profile xdg-settings { + include + include + + @{bin}/xdg-settings mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + 
@{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, + + @{bin}/xdg-mime Px, + + include if exists + } + + profile run { + include + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + + profile systemctl { + include + include + include + + capability net_admin, + + network unix stream, + network (send receive) netlink raw, + + @{run}/systemd/notify w, + owner @{run}/user/@{uid}/systemd/notify rw, + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/groups/snap/snap-device-helper similarity index 100% rename from apparmor.d/profiles-s-z/snap-device-helper rename to apparmor.d/groups/snap/snap-device-helper diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns similarity index 88% rename from apparmor.d/profiles-s-z/snap-discard-ns rename to apparmor.d/groups/snap/snap-discard-ns index f1f6f9d67..0ccb3f1c7 100644 --- a/apparmor.d/profiles-s-z/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { @@ -20,6 +20,7 @@ profile snap-discard-ns @{exec_path} { umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, + @{lib_dirs}/**.so* mr, / r, @{run}/ r, diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/groups/snap/snap-failure similarity index 89% rename from apparmor.d/profiles-s-z/snap-failure rename to apparmor.d/groups/snap/snap-failure index a4f89f558..bed3a2d12 100644 
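Review bot: `@{bin_dirs}/xdelta3 ix,` lets the delta tool inherit the whole snap profile, including `capability sys_admin`, the `mount` rule and `ptrace read peer=snap.*`, while every other helper in this file (gpg, systemctl, systemd-run, unsquashfs, xdg-settings) is placed in its own `rCx` child. Confining it the same way would keep the privileged rules out of a third-party decoder; a minimal child is sketched below, with the delta/snap paths still to be filled in from observed denials. Separately, `mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/` carries no `fstype=` or source restriction, so with sys_admin any source may be mounted there; if auto-import only reads removable media, an `fstype=` list would narrow it. The file header of this hunk lies outside this view.
```apparmor
  @{bin_dirs}/xdelta3 rCx -> xdelta3,
  # … unchanged: remaining rules and the other child profiles …

  profile xdelta3 {
    include <abstractions/base>

    @{bin_dirs}/xdelta3 mr,

    # TODO(review): add the delta source/target paths reported in the denials

    include if exists <local/snap_xdelta3>
  }
```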
--- a/apparmor.d/profiles-s-z/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,13 +6,14 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { include @{exec_path} mr, + @{lib_dirs}/**.so* mr, @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp similarity index 62% rename from apparmor.d/profiles-s-z/snap-seccomp rename to apparmor.d/groups/snap/snap-seccomp index 235ef2080..90c1724be 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,25 +6,32 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include + capability dac_read_search, + network netlink raw, @{exec_path} mr, - @{lib_dirs}/**.so* mr, + @{bin}/getent rix, + /var/lib/snapd/seccomp/bpf/{,**} rw, owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns similarity index 62% rename from apparmor.d/profiles-s-z/snap-update-ns rename to apparmor.d/groups/snap/snap-update-ns index 3021a1ad7..5d08a4240 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns 
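Review bot: `@{lib_dirs}/**.so* mr,` is removed from snap-seccomp in this hunk, while the same commit adds exactly that rule to snap-discard-ns, snap-failure, snapd-aa-prompt-listener and snapd-aa-prompt-ui. Since `@{lib_dirs}` is widened here to cover `/snap/{snapd,core}/{,x}@{int}@{lib}`, a snap-seccomp started from the snapd snap presumably loads its shared objects from that tree and would now be denied; if the removal is intentional, a one-line comment saying where the libraries come from would make that clear. The new `capability dac_read_search,` is likewise unexplained — naming the path that needed it in a comment would keep it from being dropped later.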
@@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { @@ -18,24 +18,46 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, + + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, umount /snap/**, + umount /tmp/.snap/**, + umount /usr/share/xml/iso-codes/, umount /var/lib/dhcp/, @{exec_path} mr, + @{lib_dirs}/**.so* mr, + + @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, + @{lib}/ r, + /usr/ r, + /usr/local/ r, + /usr/local/share/ r, + /usr/local/share/doc/ rw, + /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, owner /var/ rw, + owner /var/lib/ rw, + owner /var/lib/snapd/ rw, owner /var/snap/ rw, owner /var/snap/**/ rw, @@ -46,6 +68,7 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/groups/snap/snapd similarity index 64% rename from apparmor.d/profiles-s-z/snapd rename to apparmor.d/groups/snap/snapd index d51c65d4d..87e535b3f 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/groups/snap/snapd 
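Review bot: `/usr/share/drirc.d w,` has no trailing slash, unlike the other directory rules added in this hunk (`/usr/share/X11/ r,`, `/usr/local/share/doc/ rw,`); AppArmor matches directory operations such as mkdir against the path with a trailing `/`, so if the intent is to create or mount over that directory the rule presumably needs to read `/usr/share/drirc.d/ w,`. `/usr/share/X11/XErrorDB w,` and `/usr/share/xml/iso-codes/ rw,` are unexplained writes under /usr/share; if these are snap layout mount points, a comment saying so would document why a namespace helper needs them. The snap-update-ns profile body extends beyond this hunk.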
@@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { @@ -34,7 +34,6 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, 
@@ -47,40 +46,45 @@ profile snapd @{exec_path} { umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace (read) peer=snap, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, + ptrace read peer=snap{,.*}, - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, - @{bin}/adduser rPx, - @{bin}/groupadd rPx, - @{bin}/hostnamectl rPx, - @{bin}/ssh-keygen rPx, - @{bin}/useradd rPx, - @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, + @{bin}/getent rix, + @{sbin}/groupadd rPx, @{bin}/gzip rix, - @{bin}/journalctl rPx, + @{bin}/hostnamectl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, + @{bin}/ssh-keygen rPx, @{bin}/sync rix, - @{bin}/systemctl rix, + @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/tar rix, @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, 
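Review bot: The new `dbus send` rule for `org.freedesktop.timedate1` has no `label=` in its `peer=`, whereas the login1 rule directly above it pins the peer with `label="@{p_systemd_logind}"` (this very hunk replaces the bare `systemd-logind` label with that variable). Without a label, any process that owns the timedate1 name satisfies the rule; adding `label=systemd-timedated` (assuming that is the timedated profile name here, or the matching `@{p_…}` variable if one is defined) keeps the two rules consistent. `ptrace read peer=snap{,.*}` also widens the target from the snap client to every snap application label — a short comment would record that this is intended.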
@@ -93,21 +97,24 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy* rw, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} r, + /etc/systemd/user/{,**/} rw, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, @@ -127,8 +134,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, @@ -142,9 +149,11 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, 
@@ -152,17 +161,15 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/user.slice/ r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/ r, + @{sys}/fs/cgroup/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, @@ -175,10 +182,62 @@ profile snapd @{exec_path} { /dev/loop-control rw, + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + ptrace read peer=@{p_systemd}, + + /etc/systemd/system/{,**/} r, + /etc/systemd/system/snap* rw, + /etc/systemd/user/{,**/} rw, + /etc/systemd/user/**/*snap* rw, + /etc/systemd/user/*snap* rw, + + @{run}/systemd/notify rw, + + include if exists + } + + profile journalctl { + include + include + + capability net_admin, + capability sys_resource, + + network netlink raw, + + signal receive set=kill peer=snapd, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{run}/systemd/notify w, + + include if exists + } + profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, + + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } 
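Review bot: The new `systemctl` and `journalctl` children each grant `capability net_admin,` and `capability sys_resource,`, while the sshd-session profile added in this same commit documents that systemd client code only tries net_admin to size socket buffers and falls back cleanly, and therefore writes `deny capability net_admin,`. The same reasoning presumably applies to these two children (and to snap//systemctl, which grants net_admin too), so unless a real denial was observed, the deny form with that comment — and dropping `sys_resource`, which the `-34,7 +34,6` hunk just removed from the parent — would be the narrower choice. The systemctl child also carries no `@{bin}/systemctl mr,` rule, unlike `@{bin}/journalctl mr,` in its sibling; if the include whose name is stripped from this view does not provide it, the transition fails at exec.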
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener similarity index 85% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-listener rename to apparmor.d/groups/snap/snapd-aa-prompt-listener index 5620fc975..37730ba6f 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,13 +6,14 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui similarity index 84% rename from apparmor.d/profiles-s-z/snapd-aa-prompt-ui rename to apparmor.d/groups/snap/snapd-aa-prompt-ui index 14354cfb9..99dc98efe 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,13 +6,14 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { include @{exec_path} mrix, + @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor similarity index 83% rename from apparmor.d/profiles-s-z/snapd-apparmor rename to apparmor.d/groups/snap/snapd-apparmor index e7a3b4946..47b939fa0 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { 
@@ -15,8 +15,9 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3deddb092..a0fc3e2f8 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -6,8 +6,7 @@ abi , include -@{exec_path} = @{lib}/openssh/sftp-server -@{exec_path} += @{lib}/ssh/sftp-server +@{exec_path} = @{lib}/{openssh,ssh}/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 69f594f7a..0d6826490 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -11,21 +11,25 @@ include profile ssh @{exec_path} { include include + include + include include - signal (receive) set=(term) peer=gnome-keyring-daemon, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=term peer=gnome-keyring-daemon, + signal send set=hup peer=unconfined, + @{exec_path} mrix, @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, - @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, + @{lib}/{,ssh/}ssh-sk-helper rix, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, 
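Review bot: `@{lib_dirs}/** mr,` grants map-executable on every file under `@{lib}` and the snap lib directories, whereas the sibling profiles touched in this commit (snap-discard-ns, snap-failure, snapd-aa-prompt-listener, snapd-aa-prompt-ui) use the narrower `@{lib_dirs}/**.so* mr,`. Unless snapd-apparmor maps something other than shared objects, the `.so*` form would match the others; the same broad rule appears in the new snap profile.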
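Review bot: `@{lib}/{,ssh/}ssh-sk-helper rix,` now runs the FIDO helper inside the ssh profile, while ssh-keygen in this same commit keeps `@{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper,` and the dedicated ssh-sk-helper profile is retained (still in complain mode). As a result the hidraw and sysfs rules added to ssh in the following hunk exist only to serve the inherited helper; if the helper is meant to stay separately confined, using `rPx -> ssh-sk-helper` here as ssh-keygen does would let those device rules live in the small helper profile instead. The ssh profile body continues past this hunk.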
@@ -33,22 +37,32 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, + + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, + /dev/hidraw@{int} rwk, + include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 72d6618e6..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,12 +13,14 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, @{sh_path} rix, @{bin}/gpg-agent rPx, + @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 7e0422c5a..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch 
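Review bot: `audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,` logs every allowed access to the agent socket, not only denials; if the prefix was added to trace a problem it should be dropped before merging, otherwise a short comment stating why agent-socket use is audited would stop someone from removing it later. `owner @{tmp}/krb5cc_* rwk,` likewise deserves a comment (presumably the GSSAPI credential cache) so its purpose is clear to the next reader.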
@@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, @@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 05a21d41f..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -8,7 +8,6 @@ abi , include @{exec_path} = @{bin}/ssh-keygen - profile ssh-keygen @{exec_path} { include include @@ -16,12 +15,16 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, - /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index d913e2a2d..ff9de97c3 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -6,9 +6,10 @@ abi , include -@{exec_path} = @{lib}/ssh/ssh-sk-helper +@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2f704fb37..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd 
+++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -25,12 +25,14 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, @@ -49,25 +51,33 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), - ptrace (read,trace) peer=@{p_systemd}, + signal receive set=hup peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{bin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/openssh/sftp-server rPx, - @{lib}/ssh/sshd-session rix, + @{sbin}/sshd.hmac r, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, 
@@ -94,7 +104,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, @@ -107,7 +117,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth new file mode 100644 index 000000000..c1601b813 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-auth @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth +profile sshd-auth @{exec_path} { + include + include + + capability setgid, + capability setuid, + capability sys_chroot, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{sbin}/sshd.hmac r, + + /etc/gss/mech.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..ab86f3ad1 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session 
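Review bot: `@{HOME}/@{XDG_SSH_DIR}/authorized_keys* r,` drops the `owner` qualifier and widens the glob, while the new sshd-session profile in this same commit keeps `owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,` for the same file. With recent OpenSSH the authentication work presumably runs in sshd-session, so the stricter rule is the one that matters; if the relaxation is needed (for example root-owned key files via AuthorizedKeysFile), apply the same form in both profiles and note the reason in a comment, otherwise keep `owner` here. The sshd profile body continues outside this hunk.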
@@ -0,0 +1,92 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{openssh,ssh}/sshd-session
+profile sshd-session @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include #aa:only RBAC
+
+ capability audit_write,
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # sshd doesn't require net_admin. libpam-systemd tries to
+ # use it if available to set the send/receive buffers size,
+ # but will fall back to a non-privileged version if it fails.
+ deny capability net_admin,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ unix type=stream peer=(label=sshd),
+
+ dbus send bus=system path=/org/freedesktop/login1
+ interface=org.freedesktop.login1.Manager
+ member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
+ peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+
+ dbus send bus=system path=/org/freedesktop/home1
+ interface=org.freedesktop.home1.Manager
+ member=GetUserRecordByName
+ peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"),
+
+ @{exec_path} mr,
+
+ @{bin}/@{shells} Ux, #aa:exclude RBAC
+ @{bin}/userdbctl Px,
+ @{lib}/{openssh,ssh}/sshd-auth Px,
+
+ @{etc_rw}/motd r,
+ @{etc_rw}/motd.d/{,**} r,
+ /etc/machine-id r,
+ /etc/motd r,
+
+ /var/lib/lastlog/ r,
+ /var/lib/lastlog/lastlog2.db rwk,
+ /var/lib/lastlog/lastlog2.db-journal rw,
+
+ /var/lib/wtmpdb/ w,
+
+ owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+
+ owner @{user_cache_dirs}/{,motd*} rw,
+
+ @{att}/@{run}/systemd/sessions/@{int}.ref w,
+
+ @{run}/cockpit/active.issue r,
+ @{run}/motd.d/{,*} r,
+ @{run}/motd.dynamic rw,
+
@{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index a367b0f7a..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -13,8 +13,12 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, + mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/, + mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, @@ -27,23 +31,24 @@ profile sshfs @{exec_path} flags=(complain) { profile fusermount flags=(complain) { include - include - - capability sys_admin, + include mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, + mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, + + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/groups/steam/steam similarity index 93% rename from apparmor.d/profiles-s-z/steam rename to apparmor.d/groups/steam/steam index 252c89869..e3fcb1931 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/groups/steam/steam 
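Review bot: `/var/lib/wtmpdb/ w,` only covers operations on the directory itself; the database that pam_wtmpdb writes inside it (presumably `/var/lib/wtmpdb/wtmp.db` — confirm the name) has no visible rule, whereas lastlog2 gets `/var/lib/lastlog/lastlog2.db rwk,` plus its `-journal`. If none of the includes supplies it, add `/var/lib/wtmpdb/wtmp.db{,-journal} rwk,` next to the directory rule, otherwise the first login under this profile will surface the denial. A brief comment on `owner @{PROC}/@{pid}/loginuid rw,` (sshd only gets `r`) noting that the session process sets the audit loginuid would also help.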
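Review bot: The parent sshfs rule now reads `peer=(label="sshfs//fusermount")` with `addr=none` dropped, but the fusermount child keeps `unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),`. Both sides describe the same socket, so either both carry `addr=none` or neither should; as written the two ends are specified differently. The child also loses `capability sys_admin,`, `@{bin}/fusermount{,3} mr,` and `/dev/fuse rw,` in favour of a swapped include whose name is stripped from this view — a comment naming the abstraction that now supplies them would make the dependency explicit.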
@@ -21,10 +21,12 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh @@ -39,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -67,7 +70,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @@ -109,6 +112,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -174,6 +178,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam/** rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{tmp}/steam@{rand6} rwk, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, 
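Review bot: `@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64` adds a second alternative with no path prefix, while every other alternative on that line and in the sibling steam-* profiles is anchored under `@{share_dirs}/`; once expanded into rules such as `@{lib_dirs}/** mr` this yields a relative path that the parser rejects or that never matches. It was presumably meant to be `@{share_dirs}/steamrt64`. The sibling profiles also spell the runtime set as `SteamLinuxRuntime_{sniper,soldier}` while this file and steam-game-proton use `@{runtime_name} = sniper soldier`; one form across the group would be easier to keep in sync.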
@@ -188,7 +193,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, @@ -241,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -275,7 +279,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, @@ -292,6 +296,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @@ -302,12 +308,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, + /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, + owner @{HOME}/ r, + owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, @@ -317,6 +326,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/public/** k, @{tmp}/ r, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, + owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, 
@@ -324,6 +335,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, + owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -341,10 +353,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, + @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @@ -360,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -370,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize similarity index 91% rename from apparmor.d/profiles-s-z/steam-fossilize rename to apparmor.d/groups/steam/steam-fossilize index e3e7f87e2..a5dd65b7c 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/groups/steam/steam-fossilize @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
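Review bot: `@{att}/dev/dri/renderD128 rw,` hard-codes the first render node; on a machine with more than one GPU the node in use may be renderD129 or higher and the rule silently does nothing. `@{att}/dev/dri/renderD@{int} rw,` would match the pattern already used for `/dev/hidraw@{int} rw,` two lines above. The child profile this hunk sits in starts outside the hunk.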
@@ -39,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pid}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/groups/steam/steam-game-native similarity index 95% rename from apparmor.d/profiles-s-z/steam-game-native rename to apparmor.d/groups/steam/steam-game-native index ca80801d7..ba06d56a4 100644 --- a/apparmor.d/profiles-s-z/steam-game-native +++ b/apparmor.d/groups/steam/steam-game-native @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton similarity index 72% rename from apparmor.d/profiles-s-z/steam-game-proton rename to apparmor.d/groups/steam/steam-game-proton index dfa8b84da..1b094c2a3 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -18,6 +19,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, 
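Review bot: `deny network inet stream,` silences only IPv4; if the aim is to quiet fossilize's outbound socket attempts without granting them, `deny network inet6 stream,` is presumably needed as well, otherwise IPv6 attempts will still be logged as implicit denials. Narrowing `@{PROC}/@{pids}/statm` to `@{PROC}/@{pid}/statm r,` is fine, but a two-word comment (`# self only`) would record that the change was deliberate.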
@@ -34,18 +36,24 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
 @{exec_path} mr,
 @{bin}/bwrap mrix,
+ @{sh_path} rix,
+ @{bin}/cat rix,
+ @{bin}/env rix,
 @{bin}/chmod rix,
 @{bin}/fc-match rix,
 @{bin}/getopt rix,
 @{bin}/gzip rix,
- @{bin}/ldconfig rix,
+ @{sbin}/ldconfig rix,
+ @{bin}/ln rix,
 @{bin}/localedef rix,
- @{bin}/python3.@{int} rix,
+ @{bin}/mkdir rix,
 @{bin}/readlink rix,
+ @{bin}/rm rix,
 @{bin}/steam-runtime-launcher-interface-@{int} rix,
 @{bin}/steam-runtime-system-info rix,
 @{bin}/steam-runtime-urlopen rix,
 @{bin}/true rix,
+ @{python_path} rix,
 @{open_path} rix,
 @{lib_dirs}/** mr,
@@ -53,9 +61,17 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
 @{lib}/pressure-vessel/from-host/@{lib}/** rix,
 @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
+ # TODO stack with steam ? rpx -> steam-game-proton&//steam,
+ @{runtime_dirs}/run.sh rix,
+ @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix,
+ @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix,
+ @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix,
+ @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix,
+ @{app_dirs}/** mrix,
- @{run}/host/@{bin}/ldconfig rix,
+ @{run}/host/@{sbin}/ldconfig rix,
 @{run}/host/@{bin}/localedef rix,
 @{run}/host/@{lib}/** mr,
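Review bot: `@{app_dirs}/** mrix,` in the second hunk lets any file a game ships execute with inheritance, which makes the six specific `@{runtime_dirs}/...` and `@{app_dirs}/SteamLinuxRuntime/...` rix rules directly above it redundant whenever the runtime lives under @{app_dirs}, and it removes the distinction between Steam's own runtime tooling and game payload. That is tolerable while the profile line carries `complain`, but once it is switched to enforce the broad glob should be revisited or the now-redundant specific rules dropped so the intent stays readable; a comment on the line, e.g. `# deliberate: games ship arbitrary helpers under steamapps`, would record the decision. The `# TODO stack with steam ?` line is an open design question left in the profile, which is fine but worth tracking. The profile block continues outside the hunk.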
@@ -71,27 +87,21 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) {
 owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw,
 owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
+ owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw,
 owner @{app_dirs}/Proton*/** rwkl,
 owner @{share_dirs}/*.dll r,
 owner @{share_dirs}/bin/ r,
+ owner @{share_dirs}/installscriptevalutor_log.txt rw,
 owner @{share_dirs}/legacycompat/ r,
 owner @{share_dirs}/legacycompat/** mr,
 owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
- owner @{user_share_dirs}/applications/wine/ rw,
- owner @{user_share_dirs}/applications/wine/**/ rw,
-
- owner @{tmp}/.wine-@{uid}/ rw,
- owner @{tmp}/.wine-@{uid}/** rwk,
 owner @{tmp}/glx-icds-@{rand6}/{,**} w,
 owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
 owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
 owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
- owner /dev/shm/wine-@{hex6}-fsync rw,
- owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
-
 @{run}/host/fonts/{,**} r,
 @{run}/host/share/{,**} r,
 @{run}/host/usr/{,**} r,
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui
similarity index 95%
rename from apparmor.d/profiles-s-z/steam-gameoverlayui
rename to apparmor.d/groups/steam/steam-gameoverlayui
index 0cd837135..278b47e98 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/groups/steam/steam-gameoverlayui
@@ -6,7 +6,7 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime} = SteamLinuxRuntime_{sniper,soldier}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
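Review bot: `owner @{share_dirs}/installscriptevalutor_log.txt rw,` will read as a misspelling to the next person touching this file; if the spelling matches the file name Steam actually writes (it appears to), a comment on the line such as `# spelling matches the file Steam creates, do not "fix"` protects the rule from a well-meaning correction that would silently break it. The profile block continues outside the hunk.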
@@ -49,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
 owner @{share_dirs}/resource/{,**} rk,
 owner @{share_dirs}/userdata/@{int}/{,**} rk,
+ owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
+ owner /dev/shm/u@{uid}-Shm_@{hex} rw,
 owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 owner /dev/shm/ValveIPCSHM_@{uid} rw,
diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/groups/steam/steam-launch
similarity index 66%
rename from apparmor.d/profiles-s-z/steam-launch
rename to apparmor.d/groups/steam/steam-launch
index 977248c96..321c9c9c5 100644
--- a/apparmor.d/profiles-s-z/steam-launch
+++ b/apparmor.d/groups/steam/steam-launch
@@ -6,7 +6,7 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime} = SteamLinuxRuntime_{sniper,soldier}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@@ -22,23 +22,37 @@ profile steam-launch @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/cat rix,
 @{bin}/cmp rix,
 @{bin}/cp rix,
 @{bin}/dirname rix,
 @{bin}/env rix,
 @{bin}/id rix,
 @{bin}/readlink rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
 @{lib}/steam/steam rix,
 @{lib}/steam/bin_steam.sh rix,
 @{share_dirs}/steam.sh rPx,
- @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,
+ @{lib_dirs}/** mr,
+
+ @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx,
+ @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r,
+ @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix,
 /usr/ r,
 /usr/local/ r,
 owner @{share_dirs}/bootstrap.tar.xz rw,
+ owner @{share_dirs}/logs/ r,
+ owner @{share_dirs}/logs/* rwk,
+
+ owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw,
+ owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw,
+
+ owner @{PROC}/@{pid}/fd/@{int} rw,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/groups/steam/steam-launcher
similarity index 94%
rename from apparmor.d/profiles-s-z/steam-launcher
rename to apparmor.d/groups/steam/steam-launcher
index 0bd8c67d3..e73b30d1a 100644
--- a/apparmor.d/profiles-s-z/steam-launcher
+++ b/apparmor.d/groups/steam/steam-launcher
@@ -6,7 +6,7 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime} = SteamLinuxRuntime_{sniper,soldier}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/groups/steam/steam-runtime
similarity index 91%
rename from apparmor.d/profiles-s-z/steam-runtime
rename to apparmor.d/groups/steam/steam-runtime
index 2a3e839ff..543324c0f 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/groups/steam/steam-runtime
@@ -6,7 +6,8 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime_name} = sniper soldier
+@{runtime} = SteamLinuxRuntime_@{runtime_name}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@@ -50,16 +51,17 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 @{lib}/ r,
 @{lib_dirs}/ r,
+ owner @{HOME}/ r,
 owner @{HOME}/.steam/steam.pipe r,
 owner @{app_dirs}/*/ r,
 owner @{app_dirs}/config/config.vdf{,.*} rw,
 owner @{app_dirs}/@{runtime}/** r,
 owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
- owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
+ owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk,
 owner @{app_dirs}/@{runtime}/var/** rwk,
 owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
- owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
+ owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**,
 owner @{share_dirs}/config/config.vdf{,.*} rw,
 owner @{share_dirs}/steamapps/appmanifest_* rw,
@@ -78,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote
similarity index 94%
rename from apparmor.d/profiles-s-z/steam-runtime-steam-remote
rename to apparmor.d/groups/steam/steam-runtime-steam-remote
index 93a93e892..b7d5f2b15 100644
--- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote
+++ b/apparmor.d/groups/steam/steam-runtime-steam-remote
@@ -6,7 +6,7 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime} = SteamLinuxRuntime_{sniper,soldier}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter
similarity index 93%
rename from apparmor.d/profiles-s-z/steamerrorreporter
rename to apparmor.d/groups/steam/steamerrorreporter
index 27fe69be9..d438c604d 100644
--- a/apparmor.d/profiles-s-z/steamerrorreporter
+++ b/apparmor.d/groups/steam/steamerrorreporter
@@ -6,7 +6,7 @@ abi ,
 include
-@{runtime} = SteamLinuxRuntime_sniper
+@{runtime} = SteamLinuxRuntime_{sniper,soldier}
 @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
 @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
 @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/dumps/ r,
 owner @{tmp}/dumps/*_log.txt rw,
- owner @{PROC}/@{pid}/status r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-bless-boot
rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot
diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-cloud-init
rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init
diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup
diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-debug
rename to apparmor.d/groups/systemd-generators/systemd-generator-debug
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify
similarity index 90%
rename from apparmor.d/groups/systemd/systemd-generator-ds-identify
rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify
index 6b42e55ed..daa877efe 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify
@@ -12,15 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
 include
 include
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/blkid rPx,
+ @{bin}/{,e}grep rix,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/tr rix,
 @{bin}/uname rix,
+ @{sbin}/blkid rPx,
 /etc/cloud/{,**} r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-environment-arch
rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch
diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak
rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak
diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
similarity index 53%
rename from apparmor.d/profiles-s-z/snapd-core-fixup
rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
index 0e33aaea0..b18bd6bd5 100644
--- a/apparmor.d/profiles-s-z/snapd-core-fixup
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd
@@ -6,13 +6,13 @@ abi ,
 include
-@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh
-profile snapd-core-fixup @{exec_path} {
+@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator
+profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) {
 include
 @{exec_path} mr,
- include if exists
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery
new file mode 100644
index 000000000..1af9fe22f
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery
+profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/cat rix,
+
+ @{PROC}/cmdline r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-fstab
rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab
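Review bot: The `snapd-core-fixup` profile for `@{lib}/snapd/snapd.core-fixup.sh` disappears in the first hunk with nothing taking its place: git shows the file as a 53% rename, but the attachment path and profile name are both replaced, so if that script is still shipped by snapd it now runs under whatever exec rule its caller grants instead of its own profile. If the script is gone or covered by another profile, saying so in the commit message or next to the new `@{exec_path}` line would make the drop deliberate; otherwise the old profile should be kept as a separate file. The new body (`include`, `@{exec_path} mr,`) is minimal, which fits an environment generator.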
diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-getty
rename to apparmor.d/groups/systemd-generators/systemd-generator-getty
diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
similarity index 97%
rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto
rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
index 0d6c09c6b..4bf0092d0 100644
--- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
@@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 / r,
- /boot/ r,
- /efi/ r,
+ @{efi}/ r,
 /etc/fstab r,
 /usr/ r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume
rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import
new file mode 100644
index 000000000..de3753aaf
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-import
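Review bot: Folding `/boot/ r,` and `/efi/ r,` into `@{efi}/ r,` only keeps the same coverage if the `@{efi}` tunable expands to both of those directories; if it lists only ESP mount points, the generator loses its read on `/boot/` and starts logging a denial on systems where /boot is an ordinary directory. Worth checking against the tunable's definition, and a comment on the rule such as `# @{efi} includes /boot/ and /efi/` would record the assumption for the next reader. The profile block continues outside the hunk.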
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator
+profile systemd-generator-import @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ / r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-integritysetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn
new file mode 100644
index 000000000..780c63d56
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator
+profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} r,
+ @{bin}/ls ix,
+ @{bin}/mkdir ix,
+
+ /etc/default/openvpn r,
+ /etc/openvpn/ r,
+
+ @{run}/systemd/generator/openvpn.service.wants/{,**} w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
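Review bot: `capability sys_ptrace,` is present in this generator but in none of the sibling generator profiles added in the same change (rc-local, sysv, tpm2, ssh), which read the same `@{PROC}/1/environ`, `@{PROC}/@{pid}/cgroup` and `/dev/kmsg` set with only `ptrace read peer=@{p_systemd},`; either the import generator genuinely needs the capability, in which case a comment naming the access would keep a later clean-up from removing it, or it is surplus and should be dropped to match the siblings. `/ r,` is likewise unique to this profile and would benefit from the same one-line justification. Both rules sit inside a complete, self-contained new file, so the fix is local.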
diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-ostree
rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local
new file mode 100644
index 000000000..3e8bec6c5
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator
+profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) {
+ include
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-run
rename to apparmor.d/groups/systemd-generators/systemd-generator-run
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd
new file mode 100644
index 000000000..8544a7938
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-snapd
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/snapd-generator
+profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) {
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/1/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
new file mode 100644
index 000000000..0f6aa11d9
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
@@ -0,0 +1,52 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator
+profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability net_admin,
+
+ network vsock stream,
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{sbin}/sshd r,
+
+ @{run}/ r,
+ @{run}/systemd/ r,
+ @{run}/systemd/generator/ r,
+ @{run}/systemd/generator/sockets.target.wants/ rw,
+ @{run}/systemd/generator/sockets.target.wants/*.socket w,
+ @{run}/systemd/generator/sshd-*.service w,
+ @{run}/systemd/generator/sshd-*.socket rw,
+ @{run}/systemd/system/ r,
+ @{run}/systemd/transient/ r,
+
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/firmware/dmi/entries/*/raw r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+ /dev/vsock r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
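Review bot: `capability net_admin,` and `network vsock stream,` are what make systemd-generator-ssh wider than every other generator profile in this change, and neither line says why; net_admin is a broad capability for a process whose visible job is writing `sshd-*.socket`/`sshd-*.service` units under `@{run}/systemd/generator/`. A comment above each naming the concrete operation that fails without it (the `/dev/vsock r,` rule suggests a vsock probe, but that is inferred) would let a reviewer judge whether the capability can be dropped and only the `network vsock stream,` rule kept. `@{sbin}/sshd r,` presumably serves as an existence check and would read better with a `# checks that sshd is installed` note.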
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket
new file mode 100644
index 000000000..f08df7d90
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator
+profile systemd-generator-sshd-socket @{exec_path} {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{etc_ro}/ssh/sshd_config r,
+ @{etc_ro}/ssh/sshd_config.d/{,*} r,
+
+ @{run}/systemd/generator/ssh.socket.d/{,*} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update
similarity index 90%
rename from apparmor.d/groups/systemd/systemd-generator-system-update
rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update
index 557e4ab6e..9767a2e72 100644
--- a/apparmor.d/groups/systemd/systemd-generator-system-update
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update
@@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected)
 @{exec_path} mr,
- @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/status r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv
new file mode 100644
index 000000000..fc290fca4
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-sysv
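Review bot: In the systemd-generator-system-update hunk, `@{PROC}/@{pids}/cgroup r,` and `@{PROC}/@{pids}/status r,` widen the read from the generator's own pid to every process's entries, whereas the other generator profiles in this change stay with `@{PROC}/@{pid}/cgroup r,` and add `@{PROC}/1/cgroup r,` explicitly for PID 1. If the extra reads observed were only of PID 1 (the usual systemd self-check), the narrower pair `@{PROC}/@{pid}/{cgroup,status} r,` and `@{PROC}/1/{cgroup,status} r,` keeps the generator from reading arbitrary processes' status. The enclosing profile starts outside the hunk, which shows only its tail.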
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator
+profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) {
+ include
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ /etc/init.d/{,**} r,
+ /etc/rc@{int}.d/{,**} r,
+
+ @{run}/systemd/generator.late/** w,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
new file mode 100644
index 000000000..ee5d924cc
--- /dev/null
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator
+profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) {
+ include
+
+ ptrace read peer=@{p_systemd},
+
+ @{exec_path} mr,
+
+ @{sys}/class/tpmrm/ r,
+ @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ /dev/kmsg w,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
similarity index 85%
rename from apparmor.d/groups/systemd/systemd-generator-user-autostart
rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
index c42548ef5..ff4c74664 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
@@ -7,17 +7,16 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
-profile systemd-generator-user-autostart @{exec_path} {
+profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 capability net_admin,
 @{exec_path} mr,
- @{system_share_dirs}/applications/*.desktop r,
-
 @{etc_ro}/xdg/autostart/{,*.desktop} r,
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment
similarity index 90%
rename from apparmor.d/groups/systemd/systemd-generator-user-environment
rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment
index db128405f..27db22078 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-environment
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/user-environment-generators/*
-profile systemd-generator-user-environment @{exec_path} {
+profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup
similarity index 100%
rename from apparmor.d/groups/systemd/systemd-generator-veritysetup
rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup
diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service
new file mode 100644
index 000000000..1b585c0cc
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /bin/bash -c 'read args <&3; echo "args=$args"; \
+# exec /usr/bin/cloud-init devel hotplug-hook $args; \
+# exit 0'
+
+abi ,
+
+include
+
+profile cloud-init-hotplugd.service {
+ include
+
+ @{sh_path} ix,
+ @{bin}/cloud-init Px,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service
new file mode 100644
index 000000000..9f8e235cf
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/debug-shell.service
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=/usr/bin/bash
+
+abi ,
+
+include
+
+profile debug-shell.service {
+ include
+
+ all,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service
new file mode 100644
index 000000000..0a46f6ed9
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/dmesg.service
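Review bot: `all,` in debug-shell.service makes the profile a label only — every file, capability, network, mount and ptrace access is permitted — and nothing in the file says that this is the intent rather than a placeholder. A comment above the rule, e.g. `# debug-shell is an interactive root rescue shell; the profile only labels the unit, it is not meant to confine it`, would stop a later reader from "tightening" a unit whose whole purpose is unrestricted access, and would make the contrast with the other service profiles in this change explicit. The `# ExecStart=/usr/bin/bash` header already hints at this, but a hint is not a decision.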
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
+# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname
+# ExecStartPost=/bin/chgrp adm /var/log/dmesg
+# ExecStartPost=/bin/chmod 0640 /var/log/dmesg
+
+abi ,
+
+include
+
+profile dmesg.service flags=(attach_disconnected) {
+ include
+ include
+
+ capability chown,
+ capability fsetid,
+ capability sys_admin,
+
+ ptrace read peer=@{p_systemd},
+
+ @{sh_path} r,
+ @{bin}/basename ix,
+ @{bin}/chgrp rix,
+ @{bin}/chmod rix,
+ @{bin}/chown ix,
+ @{bin}/date ix,
+ @{bin}/dirname ix,
+ @{bin}/gzip ix,
+ @{bin}/gzip ix,
+ @{bin}/journalctl r,
+ @{bin}/ln ix,
+ @{bin}/mv ix,
+ @{bin}/rm ix,
+ @{bin}/savelog rix,
+ @{bin}/touch ix,
+
+ /etc/machine-id r,
+
+ /var/log/ r,
+ /var/log/dmesg rw,
+ /var/log/dmesg.* rwl -> /var/log/dmesg,
+
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/@{hex32}/ r,
+ /{run,var}/log/journal/@{hex32}/system.journal* r,
+ /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw,
+ /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw,
+
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service
new file mode 100644
index 000000000..fc4de5edc
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/grub-common.service
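Review bot: `@{bin}/gzip ix,` appears twice in the exec list of dmesg.service; apparmor_parser tolerates the duplicate, but it reads as a copy-paste slip and one of the two lines should go. Separately, the header shows the main command as a read-only `journalctl --boot 0 --dmesg`, yet the `system@...journal*` and `user-...journal*` rules grant `rw`; unless a write was actually observed in the logs, `r` is sufficient and keeps a log-reading service from being able to modify journal files. `capability sys_admin,` is also the broadest rule in the file and deserves a one-line comment naming the operation that needs it.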
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub'
+# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail
+# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi'
+
+abi ,
+
+include
+
+profile grub-common.service {
+ include
+
+ @{sh_path} rix,
+ @{bin}/{,e}grep ix,
+ @{bin}/grub-editenv rix,
+ @{bin}/mkdir ix,
+ @{bin}/rm ix,
+
+ @{efi}/grub/ w,
+ @{efi}/grub/grubenv rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service
new file mode 100644
index 000000000..f7d193e9e
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/ldconfig.service
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# /sbin/ldconfig -X
+
+abi ,
+
+include
+
+profile ldconfig.service {
+ include
+
+ @{lib}/ r,
+ @{sbin}/ldconfig r,
+
+ /var/cache/ldconfig/aux-cache rw,
+ /var/cache/ldconfig/aux-cache~ rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service
new file mode 100644
index 000000000..c3bfa7c32
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/man-db.service
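Review bot: In ldconfig.service, `ldconfig -X` (quoted in the header) skips the symlink update but still rewrites the loader cache, and the profile body covers only `/var/cache/ldconfig/aux-cache{,~}`; unless the included abstraction — its name is not visible here — grants them, the write to `/etc/ld.so.cache` and its temporary `/etc/ld.so.cache~`, and the reads of `/etc/ld.so.conf` and `/etc/ld.so.conf.d/`, will be denied under enforcement and the unit fails at its main job. Suggest adding `/etc/ld.so.cache{,~} rw,` and `/etc/ld.so.conf{,.d/{,*}} r,` after confirming with a complain-mode run. The profile is a complete new file, so the fix is local.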
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
+# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete
+# ExecStart=/usr/bin/mandb --quiet
+
+abi ,
+
+include
+
+profile man-db.service flags=(attach_disconnected) {
+ include
+ include
+
+ @{bin}/find ix,
+ @{bin}/install ix,
+ @{bin}/mandb r,
+
+ /usr/{,local/}share/man/{,**} r,
+
+ /etc/man_db.conf r,
+ /etc/manpath.config r,
+
+ /usr/share/man/{,**} r,
+ /usr/local/man/{,**} r,
+ /usr/local/share/man/{,**} r,
+
+ /usr/{,share/}man/{,**} r,
+ /usr/local/{,share/}man/{,**} r,
+
+ /usr/share/**/man/man@{u8}/*.@{int}.gz r,
+
+ owner /var/cache/man/ rw,
+ owner /var/cache/man/** rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service
new file mode 100644
index 000000000..a951747be
--- /dev/null
+++ b/apparmor.d/groups/systemd-service/secureboot-db.service
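Review bot: The man-page path rules in man-db.service overlap heavily: `/usr/{,local/}share/man/{,**} r,`, `/usr/share/man/{,**} r,`, `/usr/local/man/{,**} r,`, `/usr/local/share/man/{,**} r,`, `/usr/{,share/}man/{,**} r,` and `/usr/local/{,share/}man/{,**} r,` are six spellings of the same four directories (/usr/man, /usr/share/man, /usr/local/man, /usr/local/share/man). The single rule `/usr/{,local/}{,share/}man/{,**} r,` covers all of them and makes the intent obvious; only `/usr/share/**/man/man@{u8}/*.@{int}.gz r,` adds something different and should stay. This is a complete new file, so the consolidation is local.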
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..ce819a791 --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service 
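Review bot: `chattr -i` on the KEK/db/dbx efivars needs CAP_LINUX_IMMUTABLE, and the secureboot-db.service profile grants `rw` on the three variables but no `capability linux_immutable,`; the bootctl profile in this same commit adds exactly that capability for the same kind of operation, so this looks like an omission that `flags=(complain)` is currently hiding. Also `@{bin}/sbkeysync PUx,` falls back to unconfined when no sbkeysync profile is loaded, meaning the one step that actually writes Secure Boot key material would run with no policy at all; for a unit whose only job is to modify db/dbx, `Px` (fail closed) or a dedicated sbkeysync profile is the safer default, and whichever is chosen deserves a one-line comment.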
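Review bot: `/etc/shadow r,` in the shadow.service wrapper profile looks wider than the wrapper needs: the actual checks transition to their own profiles via `@{sbin}/grpck Px -> &grpck,` and `@{sbin}/pwck Px -> &pwck,`, so only those profiles should need the hashes, while the shell started through `@{sh_path} rix,` inherits this profile and with it read access to /etc/shadow. The unit's ExecStart is not quoted in the header, so I may be missing a step that reads it directly; if there is one, a comment naming it would justify the rule, otherwise drop it.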
@@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 05655d308..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
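Review bot: The first quoted command, `mount /run -o remount,exec`, cannot succeed under the snapd.system-shutdown.service profile as written: `@{bin}/mount ix,` keeps mount inside this profile, but there is no `mount` rule and no `capability sys_admin,`, both of which a remount requires under AppArmor. Add `capability sys_admin,` and `mount options=(rw,remount,exec) -> @{run}/,`, scoped to the one mount point the unit touches rather than a bare `mount,`. If the unit has been observed to work, that is worth double-checking against the audit log, because a silently failing remount would leave /run noexec and the copied shutdown helper unusable.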
@@ -7,35 +7,34 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include include + capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, + capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -43,14 +42,15 @@ profile bootctl @{exec_path} { @{sys}/class/tpmrm/ r, + @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, 
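Review bot: The new `capability sys_rawio,` and `capability linux_immutable,` lines in the bootctl profile carry no explanation, and together with the widening from per-file rules to `@{efi}/EFI/{,**} rwl,` and `@{efi}/loader/** rwl -> @{efi}/loader/#@{int},` they let an everyday query tool (`bootctl status`) rewrite the whole ESP; a reader cannot tell from the diff which subcommand needs which grant. I would annotate them, e.g. `capability linux_immutable,  # chattr -i on efivars for bootctl install/update` and a similar note for sys_rawio naming the ioctl or block-device access it is for, so that anyone later deciding whether to split the profile knows what is load-bearing. The dropped `.#…@{hex}` temp-file rules are subsumed by the new `rwl` globs, so I see no functional gap there.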
@@ -60,8 +60,8 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index dcb60493e..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,12 +7,10 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include @@ -20,11 +18,11 @@ profile busctl @{exec_path} { capability net_admin, capability sys_ptrace, - ptrace (read), + ptrace read, - unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, + unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, - signal (send) set=(cont) peer=child-pager, + signal send set=cont peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
@@ -33,19 +31,40 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d81933f5e..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -10,6 +10,9 @@ include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include + include + include + include include capability dac_read_search, 
@@ -31,9 +34,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/* r, owner @{tmp}/*.coredump w, owner @{tmp}/core.* w, @@ -67,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl new file mode 100644 index 000000000..3c962e309 --- /dev/null +++ b/apparmor.d/groups/systemd/homectl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homectl +profile homectl @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + capability net_admin, + capability sys_resource, + + signal send peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + + @{exec_path} mr, + + @{bin}/pkttyagent rpx, + + @{pager_path} rPx -> child-pager, + + /etc/machine-id r, + + owner @{PROC}/@{pids}/cgroup r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 65e6ed11f..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl 
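Review bot: `@{bin}/pkttyagent rpx,` in the new homectl profile uses a lowercase `p`, so the transition to the pkttyagent profile happens without environment scrubbing, whereas localectl in this same commit uses `@{bin}/pkttyagent rPx,` for the same helper. Unless homectl relies on passing LD_* or similar variables through (nothing here suggests it), change it to `@{bin}/pkttyagent rPx,` for consistency and so the polkit agent does not inherit a caller-influenced environment. The copyright line reads 2021 for a file added in 2025, probably copied from a template; harmless but worth correcting.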
@@ -10,11 +10,16 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.hostname1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 3c5595345..c852b3756 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -20,19 +20,27 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (receive) set=(term) peer=cockpit-bridge, - signal (send) peer=child-pager, + network netlink raw, + + signal receive set=kill peer=snapd, + signal receive set=term peer=cockpit-bridge, + signal send peer=child-pager, @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/* r, + @{sbin}/* r, + /var/lib/dbus/machine-id r, /etc/machine-id r, /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, + /var/log/dmesg w, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, @@ -47,6 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, + @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 2cac865a4..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl 
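Review bot: `/var/log/dmesg w,` in the journalctl profile is surprising because journalctl itself does not write a log file; if it was added for a unit that redirects `journalctl -k` into /var/log/dmesg, the fd is opened by the shell, not journalctl, and the rule should say which caller it serves, e.g. `/var/log/dmesg w,  # stdout redirected by <unit>`. Likewise `@{bin}/* r,` and `@{sbin}/* r,` grant read on every binary on the system; if these come from a specific journalctl feature, a short comment would let a later reviewer confirm they cannot be narrowed. Both are low risk on their own, this is about keeping the profile auditable.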
@@ -7,18 +7,30 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), + @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/pkttyagent rPx, /usr/share/kbd/keymaps/{,**} r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 5386662c0..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl 
@@ -7,26 +7,46 @@ abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} { +profile loginctl @{exec_path} flags=(attach_disconnected) { include - include include + include include + include + include capability net_admin, capability sys_resource, signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{bin}/ssh rPx, + + /etc/machine-id r, + + @{run}/log/journal/ r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, + /dev/rfkill r, + include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index dee55195d..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, 
@@ -24,14 +25,13 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd - # No label available - dbus send bus=system path=/org/freedesktop/network@{int} + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network@{int}), + peer=(name=org.freedesktop.network1), @{exec_path} mr, @@ -51,17 +51,21 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{att}/@{run}/systemd/netif/io.systemd.Network rw, + + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl new file mode 100644 index 000000000..3013d8ae6 --- /dev/null +++ b/apparmor.d/groups/systemd/resolvectl 
@@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/resolvectl +profile resolvectl @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, + + signal send set=cont peer=child-pager, + + unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, + + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.network1.Manager + member=SetLinkDNSEx + peer=(name=org.freedesktop.network1), + + @{exec_path} mr, + + @{pager_path} rPx -> child-pager, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 09d432b2f..3ae0a7143 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, @@ -45,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, 
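Review bot: `network inet raw,` and `network inet6 raw,` in the new resolvectl profile are not usable as written: opening a raw IP socket needs CAP_NET_RAW and the profile grants only `capability net_admin,`, so either these two rules are dead and should go, or `capability net_raw,` is missing, in which case a comment should say which resolvectl operation opens raw sockets since a DNS client CLI normally needs only datagram/stream sockets plus netlink. `network netlink raw,` is the one I would expect for link enumeration and is fine. The explicit `SetLinkDNSEx` call to org.freedesktop.network1 writes networkd's per-link DNS configuration, which is what `resolvectl dns <link>` does for networkd-managed links, so restricting it by member as done here is the right shape.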
@@ -59,6 +62,7 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index f67cb301c..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb..5e3406ea9 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 967d776d2..fd202c181 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat 
@@ -9,14 +9,13 @@ include @{exec_path} = @{bin}/systemd-cat profile systemd-cat @{exec_path} { include + include + include capability net_admin, @{exec_path} mr, - @{bin}/cat rix, - @{bin}/echo rix, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index d0ded5ee7..33191171e 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -9,8 +9,17 @@ include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include + include + include + include - ptrace (read), + capability sys_ptrace, + + ptrace read, + + signal send set=cont peer=child-pager, + + unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2e841dc51..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -33,13 +33,26 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, + /usr/share/*/** r, + @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, + owner @{HOME}/**.so* r, + /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + + @{att}/@{run}/systemd/coredump rw, + @{run}/systemd/coredump rw, + + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -47,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists 
diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index f8950c1fe..fdddebe03 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include @@ -31,6 +31,8 @@ profile systemd-cryptsetup @{exec_path} { @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, + @{run}/systemd/ask-password/ r, + @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 7cf546a56..311636d95 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 35f4afbc4..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,16 +11,16 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, 
@@ -29,6 +29,23 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, + + deny capability net_admin, + deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 7dc10fd46..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,11 +27,11 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index 4a542497f..469ccc945 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -10,7 +10,6 @@ include profile systemd-escape @{exec_path} { include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index a7290dc48..4836c9747 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} { +profile systemd-fsck @{exec_path} flags=(attach_disconnected) { include include include 
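Review bot: `/dev/cpu/@{int}/msr r,` in systemd-detect-virt is unlikely to work as written: as far as I recall the x86 msr driver refuses open() without CAP_SYS_RAWIO, and the profile grants no `capability sys_rawio,`, so the read (presumably the SEV status MSR used for confidential-VM detection) fails with EPERM and the tool silently reports no confidential virtualization. Either grant the capability deliberately with a comment naming the MSR, or drop the rule and note that confidential-VM detection is intentionally unavailable under this profile. The three new `deny capability net_admin,`, `deny capability perfmon,` and `deny network (send receive) netlink raw,` lines are a good way to quiet expected probes, but a one-line comment on why detect-virt touches them would stop someone from re-adding the grants later.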
@@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 33a433a09..7abde7c90 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} { +profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 5fe748abd..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, 
@@ -32,17 +35,27 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, + + unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, @@ -61,6 +74,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, @@ -71,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a16..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework 
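Review bot: The mount rule in systemd-homed was loosened from `mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,` to a bare `mount -> @{run}/systemd/user-home-mount/,`, which permits any source and any filesystem type onto that directory; the destination pin is still valuable, but given homed also gains `userns,` and `capability sys_ptrace,` in this commit, keeping the source or fstype constrained (e.g. `mount fstype=(ext4,btrfs,xfs,vfat) -> @{run}/systemd/user-home-mount/,` or listing `/dev/{dm-,loop}@{int}` sources) costs little and records what homed is expected to mount. If the relaxation was needed for a specific storage backend (I believe directory/subvolume homes use bind mounts, which would explain it), a comment saying so would make the wide rule defensible. `mount options=(rw private) -> @{run}/systemd/user-home-mount/,` and the matching `umount` look right.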
@@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index a169a59d6..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
@@ -18,15 +18,10 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, @{etc_rw}/.#hostname* rw, @@ -37,8 +32,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, + @{att}/@{run}/systemd/notify rw, + @{run}/systemd/default-hostname rw, - @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, @@ -48,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 9b6203e92..ae64274c6 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int}, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, 
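Review bot: `@{att}/@{run}/systemd/notify rw,` grants read on the notify socket path, whereas the equivalent rules added elsewhere in this commit (systemd-homed, systemd-logind, systemd-oomd, systemd-resolved) use `w` only; sd_notify() only sends on that socket, so write should be sufficient. Suggest `@{att}/@{run}/systemd/notify w,` here, and the same in the systemd-localed, systemd-timedated and systemd-timesyncd hunks, so the notify rule reads the same across the group.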
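Review bot: `product_serial` and `product_uuid` are identifying hardware values that none of the neighbouring DMI reads expose; presumably they back hostname1's hardware-serial / product-UUID properties, which systemd gates behind polkit, but the hunk does not say so. A comment tying the two rules to that use, e.g. `# For hostname1 hardware serial / product UUID (polkit-gated)`, would record that the read is intentional rather than a leftover from log-driven permission chasing.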
diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cc1f541dd..e0a8a2e47 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} { +profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} { network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, 
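Review bot: `unix type=stream addr=@@{udbus}/bus/systemd-initctl/,` names no access list, so it grants every unix-socket permission (create, bind, listen, accept, connect, send, receive, …) on that address, whereas the sibling daemons in this commit restrict themselves to `unix bind type=stream addr=…`. The address also ends in a bare `/` while every other bus address here ends in `/system` or `/bus-api-*`, which looks like a truncated path; if the audit log shows the usual suffix, `unix bind type=stream addr=@@{udbus}/bus/systemd-initctl/system,` is the matching rule. The same access-less form appears in the systemd-machined hunk (`unix type=stream addr=@@{udbus}/bus/systemd-machine/system,`).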
@@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} { @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. 
+ @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 48318da8f..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed 
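Review bot: The new inline comments mix sentence-case with a trailing period (`# For bluetooth adapters, controllers, and active connections.`) and without (`# For USB to serial adapters`), while the untouched neighbour keeps the lowercase form (`# for mouse, keyboard, touchpad`). The same wording is copied into the systemd-logind hunk later in this commit, so settling on one form now avoids propagating the mix; dropping the trailing periods matches the existing `# For RAM disk` / `# Block Extended Major` style in this block.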
@@ -14,27 +14,46 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, + /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, - /etc/locale.conf r, + /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 53dd0acf8..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, 
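Review bot: The new `dbus send … member=Reload` to `org.freedesktop.systemd1.Manager` lets localed trigger a full manager reload, and nothing in the hunk says why; a comment such as `# Reload the manager after locale-gen regenerates locales` (if that is the trigger) would justify it. Also note that `@{bin}/cat ix`, `gzip`, `localedef` and `rm ix` run with localed's full write set (`/etc/locale.conf rw`, `/etc/locale.gen rw`, `/etc/X11/xorg.conf.d/ rw`), which is fine for temp-file cleanup, but `localedef` gets no visible path to write compiled locales; if that is deliberately left to `@{sbin}/locale-gen rPx`, a short comment saves the next reader the question.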
@@ -27,9 +27,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, + mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -40,11 +41,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(label=ksmserver-logout-greeter), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, /etc/machine-id r, @@ -54,13 +50,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/ r, + /var/lib/systemd/linger/{,@{user}} rw, @{run}/.#nologin* rw, @{run}/credentials/getty@tty@{int}.service/ r, 
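Review bot: `/var/lib/systemd/linger/{,@{user}} rw,` is a real broadening from the previous `r`: it is what `enable-linger` / `disable-linger` need (creating or removing the per-user marker file), but the hunk does not say so; suggest `/var/lib/systemd/linger/{,@{user}} rw, # enable/disable-linger (polkit-gated)`. `@{efi}/{,**} r,` presumably covers the same `/boot` and `/efi` trees the removed pair did; if logind only needs to inspect the ESP mount rather than its contents, `@{efi}/ r,` would be the narrower form, worth checking against the log.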
@@ -73,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @@ -94,10 +89,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/@{int}{,.ref} rw, - @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, 
@@ -126,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -139,10 +138,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + @{att}/dev/dri/card@{int} rw, + + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 5f60b5676..a2115a926 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, @@ -25,11 +25,13 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{att}/ r, / r, /etc/ r, /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 3a111f7f3..520080082 100644 
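Review bot: Dropping `owner` from `/dev/shm/{,**/} rw,` lets logind create and remove directories under /dev/shm that belong to any user, not only root. That is presumably required for `RemoveIPC=` cleanup of a logged-out user's POSIX shm objects, which logind performs as root on user-owned entries, but the hunk does not say so; suggest `/dev/shm/{,**/} rw, # RemoveIPC= cleanup of user-owned shm dirs`. Note the pattern matches directories only (trailing `/`), so removing files inside them is still not covered; confirm against the log whether that is sufficient.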
--- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,9 +7,10 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -31,26 +33,47 @@ profile systemd-machined @{exec_path} { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, + /dev/pts/ptmx rw, + /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 8556e51d7..74a824411 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } 
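Review bot: `signal send set=rtmin+6 peer=systemd-nspawn,` encodes a specific real-time signal with no explanation of which machinectl operation it implements; a comment such as `# SIGRTMIN+6 to nspawn: <operation>` would keep it from being mistaken for a log-driven leftover. The new `capability setuid,` next to the existing `setgid`, `sys_admin`, `sys_chroot` and `sys_ptrace` makes this profile close to unrestricted, so a one-line note on what needs it (presumably container registration/shell spawning) would also help.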
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index abb437f83..3f778244b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -8,11 +8,12 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} { +profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { include include capability net_admin, + capability perfmon, capability sys_module, @{exec_path} mr, @@ -23,6 +24,9 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{run}/modprobe.d/ r, + @{run}/modprobe.d/*.conf r, + @{sys}/devices/@{pci}/config r, @{sys}/module/*/initstate r, @{sys}/module/compression r, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index e22d89629..ceebbc5c2 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index f38564ae1..ccb6d9629 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -14,10 +14,12 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, + capability sys_admin, network inet dgram, network inet6 dgram, 
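Review bot: `capability sys_admin,` added to systemd-networkd is the broadest capability available and sits next to a new `capability bpf,`; if it is only there because BPF program loading falls back to CAP_SYS_ADMIN on kernels without CAP_BPF (pre-5.8), a comment such as `capability sys_admin, # bpf() fallback on kernels without CAP_BPF` would let it be dropped when the baseline moves. The same unexplained broad-capability additions appear in the systemd-modules-load hunk above (`capability perfmon,`) and the systemd-rfkill hunk later in this commit (`capability sys_admin,`); each deserves a why-comment.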
@@ -27,7 +29,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, + unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + + signal receive set=usr2 peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.network1 
@@ -38,39 +42,52 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, + @{att}/@{run}/systemd/notify rw, + + @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces + @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/fs/cgroup/ r, + @{sys}/kernel/btf/vmlinux r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e40730..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online 
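Review bot: `/etc/systemd/network.conf r,` replaces `/etc/systemd/networkd.conf r,` on the same line while `networkd.conf` and `networkd.conf.d/{,**}` are re-added two lines below; unless `network.conf` is a real file on some distribution, this reads like a typo that leaves a dead rule. Worth confirming against the denial that prompted it and dropping the line if it is not real.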
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced new file mode 100644 index 000000000..97dcb3b05 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourced +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { + include + include + + capability bpf, + capability perfmon, + capability sys_resource, + + signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, + + @{exec_path} mr, + + @{lib}/systemd/systemd-nsresourcework ix, # no new privs + + @{run}/systemd/nsresource/ rw, + @{run}/systemd/nsresource/** rw, + + @{sys}/devices/kprobe/type r, + @{sys}/fs/bpf/ r, + @{sys}/fs/bpf/systemd/ rw, + @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, + @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, + @{sys}/kernel/btf/vmlinux r, + @{sys}/kernel/security/lsm r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework new file mode 100644 index 000000000..5b8d53398 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourcework 
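Review bot: `@{lib}/systemd/systemd-nsresourcework ix, # no new privs` keeps the worker under the systemd-nsresourced label, so the peer in `signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework,` (a stacked label) can never match, and the separate systemd-nsresourcework profile added in the next file is never entered. systemd-homed handles the same no-new-privs constraint with `@{lib}/systemd/systemd-homework rPx -> &systemd-homework,`, which stacks rather than replaces the profile; the equivalent here, `@{lib}/systemd/systemd-nsresourcework rPx -> &systemd-nsresourcework,`, would make both the peer label and the worker profile effective. If `ix` is the intended choice, the peer should be plain `systemd-nsresourced` and the worker profile's `signal send set=usr2 peer=systemd-nsresourced,` becomes moot.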
@@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourcework +profile systemd-nsresourcework @{exec_path} { + include + + capability sys_resource, + + signal send set=usr2 peer=systemd-nsresourced, + + @{exec_path} mr, + + @{run}/systemd/nsresource/registry/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index e5dce916c..ce61dba23 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 @@ -24,9 +24,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index be33d39cd..86ea02a0d 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed 
+++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} { +profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 8c63a1d5a..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} { +profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { include include include @@ -17,18 +17,19 @@ profile systemd-remount-fs @{exec_path} { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> /proc/, + mount options=(rw, remount) -> @{PROC}/, @{exec_path} mr, @{bin}/mount rix, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3af..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4f9f965f5..8f4b5bc57 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -31,18 +31,14 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.resolve1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index ff9e2d540..34e7255ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,11 +8,12 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} { +profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, @@ -22,7 +23,7 @@ profile systemd-rfkill @{exec_path} { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index 34916ecc6..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sleep -profile systemd-sleep @{exec_path} { +profile systemd-sleep @{exec_path} flags=(attach_disconnected) { include include include @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d..5b9c51dbe 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,9 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, + + @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ebb4851f..2ca5d7474 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index 94e2e8daf..e29a41a7a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat 
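Review bot: `@{sh_path} mr,` lets systemd-sleep map a shell as executable without any `ix`/`Px` exec permission, which is unusual for a compiled daemon whose hooks are dispatched via `rPx`, and the hook profiles in the following hunks only get `@{sh_path} r,`. If this is the interpreter lookup triggered by the hook scripts' shebang before the `Px` transition takes effect, a comment such as `@{sh_path} mr, # interpreter of the system-sleep hook scripts` would explain it; otherwise `r` may be enough.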
@@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 60a28d4af..fc9a51067 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -13,7 +13,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/tlp rPUx, + @{sbin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 4f2cce637..c2c107b1f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge new file mode 100644 index 000000000..5f3bc2e36 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-stdio-bridge @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/systemd-stdio-bridge +profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { + include + include + include + + signal send set=term peer=@{p_systemd}, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index 094366391..5ccf33219 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell 
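Review bot: `@{lib}/sysstat/sa{1,2} Px,` and `@{lib}/sysstat/debian-sa{1,2} Px,` omit the `r` that every other exec rule in this commit carries (`rPx`); a profile transition normally needs the read bit as well, so `@{lib}/sysstat/sa{1,2} rPx,` and `@{lib}/sysstat/debian-sa{1,2} rPx,` would be consistent and avoid a denial on the open.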
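Review bot: `signal send set=term peer=@{p_systemd},` in the new systemd-stdio-bridge profile lets a D-Bus bridge deliver SIGTERM to whatever `@{p_systemd}` covers; if that label includes the system instance this is more than a bridge should need, and if it is aimed at the `systemd --user` instance that spawned it, a comment saying so would justify the rule, e.g. `# Terminate the user manager that launched the bridge`. Confirm which label `@{p_systemd}` resolves to before merging.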
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} { +profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} { @{exec_path} mr, - @{bin}/sulogin rPx, + @{sbin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 454105011..87e0ede5c 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index e1ca76d57..2d250f63c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -16,12 +16,16 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { capability fsetid, capability net_admin, + signal send set=cont peer=child-pager, + @{exec_path} mr, + @{pager_path} rPx -> child-pager, + # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - /usr/lib/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, @@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}@{hex} rw, /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/cgroup r, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e2b6caaa7..b65f2b7af 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated 
@@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 @@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, @@ -35,7 +43,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index de544c9d7..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,8 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 
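Review bot: The second added `dbus send` rule in the systemd-timedated hunk lists `member={JobRemoved,Reload,StartUnit,StopUnit}`, but JobRemoved is a signal emitted by org.freedesktop.systemd1.Manager, not a method a client calls, so a send rule naming it toward the systemd1 peer is unlikely to ever match. If the intent is to wait for a StartUnit/StopUnit job to finish, that needs a `dbus receive` rule for `member=JobRemoved` with the systemd peer label instead. The two `dbus send` rules otherwise share path, interface and peer and could be one rule, e.g. `member={DisableUnitFiles,EnableUnitFiles,Reload,StartUnit,StopUnit}`. The profile body continues outside the hunk.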
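Review bot: The rewritten `unix (send, receive)` rule in the systemd-timesyncd hunk changes the peer label from `@{p_systemd}` to `@{p_sd}`, while the other profiles touched by this commit (systemd-stdio-bridge, systemd-timedated) keep `@{p_systemd}` for the same peer. Unless `@{p_sd}` is declared in the tunables, which is not visible here, the profile will either fail to parse or quietly match a different label. Please confirm the variable exists or restore `peer=(label=@{p_systemd}, addr=none)`.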
@@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{att}/@{run}/systemd/notify rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index f591ef9f7..0e1e404ab 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, @@ -51,7 +51,10 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, + @{sys}/devices/system/cpu/cpufreq/ r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, + @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 3e2129d39..b318bf3dd 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
@@ -13,17 +13,28 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, + capability dac_read_search, capability net_admin, capability sys_resource, - signal (receive) set=(term cont) peer=*//systemctl, - signal (receive) set=(term cont) peer=default, - signal (receive) set=(term cont) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=*//systemctl, + signal receive set=(term cont winch) peer=deb-systemd-invoke, + signal receive set=(term cont winch) peer=default, + signal receive set=(term cont winch) peer=machinectl, + signal receive set=(term cont winch) peer=makepkg//sudo, + signal receive set=(term cont winch) peer=role_*, + signal receive set=(term cont winch) peer=rpm, @{exec_path} mrix, @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + + @{run}/user/@{uid}/ w, + @{run}/user/@{uid}/systemd/ w, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/utmp rk, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dae5ae67e..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -8,11 +8,12 @@ abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include include include + include capability chown, capability dac_override, @@ -21,6 +22,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability fsetid, capability mknod, capability net_admin, + capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, 
@@ -33,52 +35,56 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{bin}/dmsetup rPUx, - @{bin}/ethtool rix, - @{bin}/issue-generator rPx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/lvm rPx, - @{bin}/mknod rix, - @{bin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/perl rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, 
/etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/.#hwdb.bin* rw, + /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, @@ -92,8 +98,12 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/udev/control rw, + @{run}/udev/ rw, @{run}/udev/** rwk, @@ -114,6 +124,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -121,8 +146,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index c17be7ab2..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 8703709c4..82025859b 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp 
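Review bot: With `complain` removed from the profile header earlier in this file, the `rPUx` transitions kept in this hunk (`@{lib}/udev/* rPUx`, `@{lib}/pm-utils/power.d/* rPUx`, `@{lib}/crda/* rPUx`, `/etc/console-setup/*.sh rPUx`, `/etc/network/cloud-ifupdown-helper rPUx`, `/usr/share/hplip/config_usb_printer.py rPUx`) now really do run any unprofiled helper unconfined from an enforced root daemon, where complain mode previously masked the difference. That is presumably a deliberate transitional fallback, but it deserves a comment so it is not read as an oversight, e.g. `# Unprofiled udev helpers fall back to unconfined (rPUx); add a profile and tighten to rPx`. The `# TODO: rCx -> run,` left on `@{bin}/systemd-run rix,` is a similar open item worth tracking. The profile body continues outside the hunk.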
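Review bot: The new `kmod` child profile in the systemd-udevd hunk is declared `flags=(attach_disconnected,complain)` although its parent has just been moved to enforce, and the `kmod` child added to zram-generator in this same commit has no `complain` flag, so two children for the same helper end up in different modes with different rule sets (this one also allows `@{sh_path} rix`, the other does not). If complain is needed here because the module-load paths reached from udev rules are not yet enumerated, a comment saying so would help, e.g. `# complain: kmod paths triggered from udev rules not yet enumerated`; otherwise align it with the zram-generator child. Neither child reads `/etc/modprobe.d/` even though the parent does; whether the child's include lines cover that cannot be told from this view, since their targets are not shown.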
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, + unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 84dfb27ee..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include @@ -25,7 +25,7 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 6f16b2f19..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} { +profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index a38e455f3..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd 
@@ -25,9 +25,16 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{lib}/systemd/systemd-userwork rix, + /etc/gshadow r, /etc/shadow r, + /etc/machine-id r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 29641fd74..2521c655e 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 5f28050c1..8c99d606c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} { +profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index b4081eacb..fa7c13297 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include include include 
@@ -21,11 +21,15 @@ profile userdbctl @{exec_path} { @{pager_path} rPx -> child-pager, - /etc/shadow r, /etc/gshadow r, + /etc/shadow r, + + /etc/machine-id r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index f6406811d..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -11,30 +11,37 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/{disksize,reset} rw, - @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, - @{sys}/module/compression r, + @{sys}/block/zram@{int}/* rw, + @{sys}/devices/virtual/block/zram@{int}/* rw, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index cd0187119..211dda9cc 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport 
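Review bot: `@{sys}/block/zram@{int}/* rw,` and `@{sys}/devices/virtual/block/zram@{int}/* rw,` in the zram-generator hunk replace rules that named exactly the attributes written (`disksize`, `reset`, `comp_algorithm`), so the generator now gets write access to every sysfs attribute of the device. If more attributes were needed, listing them keeps the policy self-documenting, e.g. `@{sys}/block/zram@{int}/{disksize,reset,comp_algorithm} rw,` extended with the new names; if the wildcard is deliberate, a comment stating why would help. Moving `capability sys_module` out of the parent into the `kmod` child is a good tightening and should stay.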
@@ -9,48 +9,72 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include capability chown, capability dac_read_search, + capability fowner, capability fsetid, capability setgid, capability setuid, capability sys_ptrace, - ptrace (read) peer=gnome-shell, - ptrace (read) peer=snap.cups.cupsd, - ptrace (read) peer=tracker-extract, + ptrace read, @{exec_path} mr, - @{bin}/gdbus rix, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, + @{bin}/gdbus rix, + @{bin}/md5sum rix, /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, + + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, + owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, - @{run}/apport.lock rwk, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, + + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, owner 
@{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 665b3eaca..5e39988fd 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -14,15 +14,15 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0121dd46d..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,14 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include - include include - include - include - include include include + include include include include @@ -29,10 +27,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, 
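Review bot: `ptrace read,` in the apport hunk replaces three peer-scoped rules with read-ptrace of any process on the system, and the `owner` qualifier is dropped from `@{PROC}/@{pid}/fd/ r,` in the same change. For a core_pattern crash handler that must inspect whichever process crashed this is presumably intended, but a one-line comment stating that would keep the next reader from re-narrowing it, e.g. `# Crash handler: must inspect any crashing process, regardless of its label`. If only a known set of labels is ever handled, the peer-scoped form remains the safer choice.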
@@ -41,22 +41,26 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{bin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, @@ -79,9 +83,10 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -110,7 +115,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, @@ -135,6 +139,15 @@ profile apport-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook 
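Review bot: The two `dbus send` rules added at the end of the apport-gtk hunk pin the systemd1 peer with `label=unconfined`, whereas systemd-timedated in this same commit uses `label="@{p_systemd}"` for the same peer. If `@{p_systemd}` resolves to unconfined in the default policy but to the systemd profile under full-system-policy, the hardcoded label makes these rules stop matching in the latter mode. Suggest `peer=(name=org.freedesktop.systemd1, label="@{p_systemd}")` on both rules.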
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2dcf50743..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), @@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/apt-esm/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-nocloud r, + @{run}/cloud-init/cloud-id-* r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..91c8b29cc --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability fowner, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index b2fe83f6b..2b7b2b4ee 100644 
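Review bot: In the new apt_news profile, `owner @{run}/ubuntu-advantage/apt-news/** rw,` is entirely covered by `@{run}/ubuntu-advantage/apt-news/{,**} rw,` two lines above it, so it adds nothing; either drop it or, if ownership was meant to be required on the files, keep only the directory entry `@{run}/ubuntu-advantage/apt-news/ rw,` alongside the owner rule. `capability kill,` together with `signal send set=int peer=apt-methods-*,` would also benefit from a comment naming which children are interrupted, e.g. `# Interrupts the apt method helpers spawned via @{lib}/apt/methods/* Px`. `@{PROC}/@{pid}/fd/ r,` without `owner` is broader than the `owner @{PROC}/@{pid}/fd/ r,` used by apt-esm-json-hook in this same group.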
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,11 +9,8 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include - include + include include - include - include include include include @@ -29,11 +26,11 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, - @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c5c31edd3..a80a4f729 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, - @{bin}/flock rix, - @{bin}/grep rix, - @{bin}/id rix, + @{sbin}/fanctl rPx, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 86c211f24..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include 
@@ -26,8 +26,8 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..53238564a --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status 
@@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 0023b48cb..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, - @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a..fb8eb259e 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include - include include include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 0e6641977..1703d27cd 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,10 +9,13 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include + include include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, 
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc404..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 08a54df0a..b5d7d2885 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + @{run}/motd.dynamic.new w, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 93fd9ffcc..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include 
@@ -19,18 +19,23 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4715f570c..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -7,13 +7,12 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include include - include include include include 
@@ -21,26 +20,27 @@ profile software-properties-gtk @{exec_path} { include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -57,6 +57,10 @@ profile software-properties-gtk @{exec_path} { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -70,6 +74,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 58323b8ff..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, 
@@ -35,10 +35,10 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + @{lib}/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd97..4ede61bc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage 
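Review bot: `@{lib}/snapd/snap-recovery-chooser rPUx,` keeps its unconfined fallback while the same hunk tightens `netplan.script` to `rPx` and removes the `# TODO: rPx` that tracked it; a matching `@{lib}/snapd/snap-recovery-chooser rPUx, # TODO: rPx` would keep the remaining unconfined transition visible until a profile exists for it. `@{bin}/snap rPUx,` is unchanged context. The profile body continues outside the hunk.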
@@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, @@ -53,15 +52,18 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c0..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include - include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..ab83ebed4 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net 
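Review bot: `@{PROC}/1/cgroup r,` in the `@@ -53,15` hunk reads PID 1's cgroup, which is not an obviously related resource for a client tool and carries no comment; write the reason next to it, e.g. `@{PROC}/1/cgroup r, # presumably container detection — confirm`. The new `owner @{user_cache_dirs}/ubuntu-pro/{,**} rw,` line is placed between `/etc/machine-id r,` and the `@{tmp}` rules rather than with the other user-directory rules. The profile body continues outside the hunk.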
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, + @{bin}/{,e}grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449..65fa3eaa0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 119ac517c..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,23 +9,20 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include - include - include - include include include include include include include + include network inet dgram, network inet6 dgram, 
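Review bot: The `kmod` child profile of ubuntu-fan-net grants `capability sys_module,` — kernel module loading — with no comment saying which module fan-net loads, and its `include` lines are stripped in this extract so the path side of that grant cannot be reviewed; add a comment above the capability, e.g. `# Loads the kernel module(s) fan-net needs — name them`, so a later reader can check it against a denial. Keeping `sys_module` behind `@{bin}/kmod Cx -> kmod,` rather than in the main profile is the right shape. The exec rules here use `ix`/`Px` while the existing profiles touched by this diff use `rix`/`rPx`; one convention per tree would help.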
@@ -44,16 +41,16 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -63,7 +60,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 86ac61f41..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,19 +12,21 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, /var/lib/update-notifier/fsck-at-reboot rw, + @{run}/motd.dynamic.new w, + @{PROC}/uptime r, /dev/tty@{int} rw, 
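Review bot: `@{efi}/ r,` replaces `/boot/ r,` in update-manager's `@@ -63,7` hunk, and the same substitution is made in fsck and fstrim later in this diff (fstrim drops both `/boot/ r,` and `/boot/efi/ r,` for the single variable); whether `/boot/` itself stays readable depends on the expansion of `@{efi}`, which is not visible here — confirm it covers `/boot/` and not only `/boot/efi/`, otherwise these profiles lose the directory read they had. The profile body continues outside the hunk.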
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index b0101504c..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/apt-config rPx, @@ -26,8 +26,8 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 36fae9ce3..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -9,33 +9,36 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include - include include include - include - include include - include include include include + include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), @{exec_path} mr, @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ischroot rPx, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @@ -48,8 +51,9 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, - @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -85,9 +89,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include - - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -97,6 +98,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } 
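Review bot: The new `open` child profile (`@@ -97,6` hunk), reached through `@{open_path} Cx -> open,` in the `@@ -48,8` hunk, has both of its `include` lines stripped in this extract, so what the child may launch cannot be judged from the diff; a comment on the transition naming what update-notifier opens (`@{open_path} Cx -> open, # <what is opened — fill in>`) would make the intent reviewable. In the `@@ -85,9` hunk the `systemctl` child loses its `unix (bind)` rule and one include; confirm that was observed to be unnecessary rather than assumed, since a still-needed bus socket will only show up as a denial. The main profile body continues outside the hunks.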
diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..4926c0b1c --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} rix, + @{sh_path} mr, + /usr/share/apport/apport-checkreports Px, + + owner @{HOME}/ r, + + profile systemctl { + include + include + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/groups/usb/lsusb similarity index 77% rename from apparmor.d/profiles-g-l/lsusb rename to apparmor.d/groups/usb/lsusb index b628b3668..a10659292 100644 --- a/apparmor.d/profiles-g-l/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -7,13 +7,14 @@ abi , include -@{exec_path} = @{bin}/lsusb +@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py profile lsusb @{exec_path} { include include - include + include capability net_admin, + capability sys_admin, network netlink raw, @@ -21,6 +22,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/groups/usb/usb-devices similarity index 96% rename from apparmor.d/profiles-s-z/usb-devices rename to apparmor.d/groups/usb/usb-devices index c67b78faf..59ff12feb 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/groups/usb/usb-devices 
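Review bot: `capability sys_admin,` and `/dev/bus/usb/@{int}/@{int} w,` widen lsusb considerably in the `@@ -7,13` and `@@ -21,6` hunks with no comment on which operation (presumably descriptor queries from `lsusb -v`) needs either; `sys_admin` in particular is the catch-all capability and should carry a why-comment such as `capability sys_admin, # <operation that triggers it — fill in from the log>`. The attachment now also covers `@{bin}/lsusb.py`, a script, yet no interpreter rule appears in the visible hunks — if the changed `include` (stripped here) does not supply it, a rule like the `@{python_path} r,` used by update-motd-updates-available is needed. The profile body continues outside the hunks.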
@@ -22,6 +22,7 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/groups/usb/usbguard similarity index 100% rename from apparmor.d/profiles-s-z/usbguard rename to apparmor.d/groups/usb/usbguard diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt similarity index 86% rename from apparmor.d/profiles-s-z/usbguard-applet-qt rename to apparmor.d/groups/usb/usbguard-applet-qt index a76398dd9..558b9093c 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include - include - include - include - include - include + include include + include + include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/groups/usb/usbguard-daemon similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-daemon rename to apparmor.d/groups/usb/usbguard-daemon diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/groups/usb/usbguard-dbus similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-dbus rename to apparmor.d/groups/usb/usbguard-dbus 
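Review bot: `@{bin}/sed rix,` is inserted between `cat` and `cut`, breaking the alphabetical `basename` … `readlink` run the surrounding exec list keeps; move it after `@{bin}/readlink rix,`. The profile body continues outside the hunk.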
diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/groups/usb/usbguard-notifier similarity index 100% rename from apparmor.d/profiles-s-z/usbguard-notifier rename to apparmor.d/groups/usb/usbguard-notifier diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/groups/utils/agetty similarity index 88% rename from apparmor.d/profiles-a-f/agetty rename to apparmor.d/groups/utils/agetty index 9e6db414e..9ae450196 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/groups/utils/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include @@ -20,19 +20,20 @@ profile agetty @{exec_path} { network netlink raw, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/{,*} r, /etc/os-release r, - /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/groups/utils/blkid similarity index 90% rename from apparmor.d/profiles-a-f/blkid rename to apparmor.d/groups/utils/blkid index 903e2cb62..4105a7419 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/groups/utils/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include 
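Review bot: The agetty `@@ -20,19` hunk replaces `/etc/login.defs r,`, `/etc/login.defs.d/{,*} r,` and `/usr/etc/login.defs r,` with `@{etc_ro}/login.defs r,` and `@{etc_ro}/login.defs.d/{,*} r,`; that is only equivalent if `@{etc_ro}` expands to both `/etc` and `/usr/etc`, which is not visible here — confirm, since newgrp and login later in the diff rely on the same substitution. The new `signal receive set=hup peer=@{p_systemd},` is appropriately peer-restricted. The profile body continues outside the hunk.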
@@ -34,18 +34,20 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, # Other possible location of the cache file + /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/groups/utils/blockdev similarity index 86% rename from apparmor.d/profiles-a-f/blockdev rename to apparmor.d/groups/utils/blockdev index 88059a4c5..0c5e7b17c 100644 --- a/apparmor.d/profiles-a-f/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -7,10 +7,10 @@ abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/groups/utils/chfn similarity index 87% rename from apparmor.d/profiles-a-f/chfn rename to apparmor.d/groups/utils/chfn index 7201d1a7a..45b50c7ad 100644 --- a/apparmor.d/profiles-a-f/chfn +++ b/apparmor.d/groups/utils/chfn @@ -10,19 +10,16 @@ include @{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include + include + include include include - include include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # chfn is a SETUID binary + capability net_admin, capability setuid, network netlink raw, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/groups/utils/chsh similarity index 80% rename from apparmor.d/profiles-a-f/chsh rename to apparmor.d/groups/utils/chsh index 61885ed4e..e3581be31 100644 --- a/apparmor.d/profiles-a-f/chsh 
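Review bot: `capability net_admin,` is added to chfn here and to chsh in the following file, both setuid binaries as the removed comments noted, whose only network rule is `network netlink raw,` for audit messages — a path normally covered by the `audit_write` capability that is already granted; if `net_admin` comes from a logged denial that does not break the tool, `deny capability net_admin,` silences it without extending a setuid program's capability set, and if it really is required the line needs a comment naming the syscall. The hunk also drops the comments that explained `audit_write`, `chown`/`fsetid` and `setuid`; a one-line reason per capability is worth keeping. The profile body continues outside the hunk.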
+++ b/apparmor.d/groups/utils/chsh @@ -10,33 +10,33 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include + include + include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary + capability net_admin, capability setuid, network netlink raw, - @{exec_path} mr, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - owner @{PROC}/@{pid}/loginuid r, + @{exec_path} mr, /etc/shells r, + /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, - /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/passwd.OLD wl -> /etc/passwd, + /etc/passwd+ rw, /etc/shadow r, @@ -44,6 +44,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/groups/utils/df similarity index 90% rename from apparmor.d/profiles-a-f/df rename to apparmor.d/groups/utils/df index 1a823e4db..baceace65 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/groups/utils/df @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/df -profile df @{exec_path} { +profile df @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/groups/utils/dmesg similarity index 87% rename from apparmor.d/profiles-a-f/dmesg rename to apparmor.d/groups/utils/dmesg index 68fa13298..2976d1316 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/groups/utils/dmesg 
@@ -8,16 +8,17 @@ abi , include @{exec_path} = @{bin}/dmesg -profile dmesg @{exec_path} { +profile dmesg @{exec_path} flags=(attach_disconnected) { include include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/groups/utils/eject similarity index 100% rename from apparmor.d/profiles-a-f/eject rename to apparmor.d/groups/utils/eject diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/groups/utils/findmnt similarity index 100% rename from apparmor.d/profiles-a-f/findmnt rename to apparmor.d/groups/utils/findmnt diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/groups/utils/fsck similarity index 91% rename from apparmor.d/profiles-a-f/fsck rename to apparmor.d/groups/utils/fsck index 5d0588026..e2537b21c 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/groups/utils/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,15 +18,15 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/groups/utils/fstrim similarity index 78% rename from apparmor.d/profiles-a-f/fstrim rename to apparmor.d/groups/utils/fstrim index a55337659..87bd7fad5 100644 --- a/apparmor.d/profiles-a-f/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{bin}/fstrim -profile fstrim @{exec_path} { +@{exec_path} = @{sbin}/fstrim +profile fstrim @{exec_path} flags=(attach_disconnected) { include include 
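Review bot: `capability sys_admin,` is added beside the existing `capability syslog,` in dmesg; when `syslog` is granted the kernel-log path should not fall back to `sys_admin`, so the new grant is being exercised by something else and, as the broadest capability there is, needs a comment naming the trigger, e.g. `capability sys_admin, # <syscall/denial that needs it — fill in>`, or `deny capability sys_admin,` if the denial is harmless noise. The `flags=(attach_disconnected)` addition on the header likewise has no comment. The profile body continues outside the hunk.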
@@ -22,10 +22,11 @@ profile fstrim @{exec_path} { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, + @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/groups/utils/locale-gen similarity index 93% rename from apparmor.d/profiles-g-l/locale-gen rename to apparmor.d/groups/utils/locale-gen index b9254171a..5366f1403 100644 --- a/apparmor.d/profiles-g-l/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/groups/utils/login similarity index 79% rename from apparmor.d/profiles-g-l/login rename to apparmor.d/groups/utils/login index cbaac35b7..cf9663e8e 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, 
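Review bot: `@{bin}/{e,}grep rix,` in locale-gen's `@@ -18,6` hunk spells the grep alternation differently from the `@{bin}/{,e}grep` form used by every other hunk in this diff (subiquity-console-conf, ubuntu-fan-net, update-motd-fsck-at-reboot, update-notifier-crash); the two expand identically, but one spelling makes the rules greppable — use `@{bin}/{,e}grep rix,`. The profile body continues outside the hunk.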
@@ -30,41 +31,40 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) set=(hup term), - - unix type=stream addr=@@{hex16}/bus/login/system, + signal send set=(hup term), ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, - @{bin}/@{shells} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, + @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, - @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/groups/utils/losetup similarity index 65% rename from apparmor.d/profiles-g-l/losetup rename to apparmor.d/groups/utils/losetup index fd2472dce..9b32074ba 100644 --- a/apparmor.d/profiles-g-l/losetup +++ b/apparmor.d/groups/utils/losetup 
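Review bot: `@{shells_path} Ux, #aa:exclude RBAC` introduces a `@{shells_path}` variable in login, while the su hunk later in this diff rewrites the equivalent line as `@{bin}/@{shells} Ux, #aa:exclude RBAC` and newgrp keeps `@{bin}/@{shells} rUx,`; the three profiles should use one spelling, otherwise a shell added to one variable but not the other is confined differently depending on the entry point. The old `unix type=stream addr=@@{hex16}/bus/login/system` rule is removed — presumably now produced by the `#aa:dbus talk` directive; confirm. The profile body continues outside the hunk.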
@@ -6,22 +6,27 @@ abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/groups/utils/lsblk similarity index 92% rename from apparmor.d/profiles-g-l/lsblk rename to apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/groups/utils/lscpu similarity index 100% rename from apparmor.d/profiles-g-l/lscpu rename to apparmor.d/groups/utils/lscpu diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..96e497ea6 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd 
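Review bot: `@{user_img_dirs}/** rw,` and `@{user_vm_dirs}/** rw,` give losetup read-write on every file under both trees with no `owner` qualifier and no comment; losetup only needs to open the backing file of a loop device, and if it is normally run as root via sudo `owner` would not match — but that reasoning and the use case belong in a comment, e.g. `# Backing files for loop devices (disk and VM images); run as root so owner does not apply`. `unix receive type=stream,` is a pure style change. The profile body continues outside the hunk.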
@@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsfd
+profile lsfd @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ capability bpf,
+ capability checkpoint_restore,
+ capability dac_read_search,
+ capability net_admin,
+ capability sys_admin,
+ capability sys_chroot,
+ capability sys_ptrace,
+ capability sys_resource,
+ capability syslog,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 raw,
+ network inet6 stream,
+ network inet6 stream,
+ network netlink dgram,
+ network netlink raw,
+ network packet dgram,
+
+ ptrace read,
+ ptrace trace,
+
+ mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},
+
+ @{exec_path} mr,
+
+ / r,
+ @{att}/ r,
+
+ owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,
+
+ @{run}/ r,
+ @{run}/netns/ r,
+
+ @{sys}/kernel/cpu_byteorder r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/net/* r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/syscall r,
+ @{PROC}/@{pid}/task/ r,
+ @{PROC}/devices r,
+ @{PROC}/misc r,
+ @{PROC}/partitions r,
+ @{PROC}/tty/drivers r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc
new file mode 100644
index 000000000..7677a8a03
--- /dev/null
+++ b/apparmor.d/groups/utils/lsipc
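Review bot: `network inet6 stream,` appears twice in the new lsfd profile; drop the second copy. `ptrace trace,` (not only `read`) together with `sys_ptrace`, `bpf`, `checkpoint_restore` and `sys_admin` is a large grant for a listing tool — a comment naming the lsfd feature that needs each would make the set auditable, e.g. `ptrace trace, # for pidfd_getfd()-style fd inspection — confirm`, and any capability that turns out to be log noise rather than a functional need is better written as `deny capability …,`.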
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsipc
+profile lsipc @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/sys/fs/mqueue/msg_max r,
+ @{PROC}/sys/fs/mqueue/msgsize_max r,
+ @{PROC}/sys/fs/mqueue/queues_max r,
+ @{PROC}/sys/kernel/msgmax r,
+ @{PROC}/sys/kernel/msgmnb r,
+ @{PROC}/sys/kernel/msgmni r,
+ @{PROC}/sys/kernel/sem r,
+ @{PROC}/sys/kernel/shmall r,
+ @{PROC}/sys/kernel/shmmax r,
+ @{PROC}/sys/kernel/shmmni r,
+ @{PROC}/sysvipc/msg r,
+ @{PROC}/sysvipc/sem r,
+ @{PROC}/sysvipc/shm r,
+
+ /dev/mqueue/ r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks
new file mode 100644
index 000000000..44d2e1d01
--- /dev/null
+++ b/apparmor.d/groups/utils/lslocks
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lslocks
+profile lslocks @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability dac_read_search,
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{exec_path} mr,
+
+ @{sys}/devices/**/block/** r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/fdinfo/ r,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/locks r,
+ owner @{PROC}/@{pid}/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins
new file mode 100644
index 000000000..7393b47c0
--- /dev/null
+++ b/apparmor.d/groups/utils/lslogins
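Review bot: In the new lslocks profile, `owner @{PROC}/@{pid}/ r,` duplicates the unconditional `@{PROC}/@{pid}/ r,` a few lines above it; drop the `owner` copy (the `owner @{PROC}/@{pid}/mountinfo r,` line is fine, there is no unconditional mountinfo rule). `ptrace read,` with `capability sys_ptrace,` is the right minimum for reading other processes' fd tables; a comment saying so would stop a later reader from escalating it to `trace`.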
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lslogins
+profile lslogins @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /etc/.pwd.lock w,
+ /etc/.pwd.lock wk,
+ /etc/login.defs r,
+ /etc/shadow r,
+
+ /var/log/lastlog r,
+ /var/log/wtmp rk,
+
+ @{run}/systemd/userdb/ r,
+
+ @{PROC}/ r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns
new file mode 100644
index 000000000..7fbf56896
--- /dev/null
+++ b/apparmor.d/groups/utils/lsns
@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/lsns
+profile lsns @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+ capability dac_read_search,
+
+ network,
+
+ ptrace read,
+ ptrace trace,
+
+ @{exec_path} mr,
+
+ @{att}/ r,
+
+ @{run}/*/netns/** r,
+ @{run}/*/ns/** r,
+
+ @{sys}/devices/**/block/** r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/ r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/groups/utils/lspci
similarity index 83%
rename from apparmor.d/profiles-g-l/lspci
rename to apparmor.d/groups/utils/lspci
index 3f0fe5d95..c6ac0fdcd 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/groups/utils/lspci
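Review bot: `/etc/.pwd.lock w,` in the new lslogins profile is subsumed by `/etc/.pwd.lock wk,` on the next line; keep only the `wk` rule. lslogins also gets `/etc/shadow r,` and a lock on `/var/log/wtmp rk,`; a short comment on why a listing tool needs the shadow file (password-status columns, presumably) and the wtmp lock would save the next reviewer the same question.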
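Review bot: `network,` with no family or type grants every socket family to the new lsns profile, which is otherwise tightly scoped; the `@{run}/*/netns/** r,` and `@{run}/*/ns/** r,` rules suggest only a netlink (and perhaps inet) socket is needed for namespace queries, so narrow it to the families seen in the log, e.g. `network netlink raw,` plus whatever the denial shows, with a comment. `ptrace trace,` alongside `ptrace read,` also deserves a line naming the operation that needs the stronger permission. `capability dac_read_search,` and `@{PROC}/@{pid}/stat r,` are out of the alphabetical order the neighbouring new profiles keep.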
@@ -13,11 +13,13 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, - @{exec_path} mr, + network inet dgram, + network inet6 dgram, - /app/lib/libzypak-preload-host*.so rm, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, @@ -35,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, @@ -42,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/groups/utils/newgrp similarity index 96% rename from apparmor.d/profiles-m-r/newgrp rename to apparmor.d/groups/utils/newgrp index ebd15d4b6..1452f34fc 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/groups/utils/newgrp @@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, 
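Review bot: `network inet dgram,` and `network inet6 dgram,` added to lspci deserve a comment, since a PCI listing tool opening UDP sockets is surprising and the hunk gives no hint of the trigger. If this is name resolution for the `-q` central-database lookup, `network inet dgram, # DNS for lspci -q` would say so; if it was only seen once in a log, it may not belong in the profile at all.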
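Review bot: `/dev/** r,` in the new lsscsi profile allows opening every device node for reading, including raw block and SCSI generic devices, while enumerating SCSI devices presumably only needs to list and stat entries. If the denials that motivated it were directory reads, `/dev/{,**/} r,` is the narrower rule; if lsscsi really opens device files for some modes, naming those nodes explicitly would document the exposure instead of granting read on every disk.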
diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/groups/utils/nologin similarity index 93% rename from apparmor.d/profiles-m-r/nologin rename to apparmor.d/groups/utils/nologin index 3ee32cf34..795a1aa35 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/groups/utils/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/groups/utils/pstree similarity index 100% rename from apparmor.d/profiles-m-r/pstree rename to apparmor.d/groups/utils/pstree diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/groups/utils/su similarity index 61% rename from apparmor.d/profiles-s-z/su rename to apparmor.d/groups/utils/su index 02a212150..e5293021c 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/groups/utils/su @@ -8,25 +8,26 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability chown, # pseudo-terminal - signal (send) set=(term,kill), - signal (receive) set=(int,quit,term), - signal (receive) set=(cont,hup) peer=sudo, - - unix (bind) type=dgram, + signal send set=(term kill), + signal receive set=(int quit term), + signal receive set=(cont hup) peer=sudo, @{exec_path} mr, - @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, + /etc/default/locale r, + /etc/environment r, @{HOME}/.xauth@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/groups/utils/sulogin similarity index 80% rename from apparmor.d/profiles-s-z/sulogin rename to apparmor.d/groups/utils/sulogin index 556808aeb..2af869dab 100644 --- a/apparmor.d/profiles-s-z/sulogin +++ b/apparmor.d/groups/utils/sulogin 
@@ -6,12 +6,15 @@ abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/groups/utils/swaplabel similarity index 93% rename from apparmor.d/profiles-s-z/swaplabel rename to apparmor.d/groups/utils/swaplabel index 05dc5783a..16abf153d 100644 --- a/apparmor.d/profiles-s-z/swaplabel +++ b/apparmor.d/groups/utils/swaplabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/groups/utils/swapon similarity index 92% rename from apparmor.d/profiles-s-z/swapon rename to apparmor.d/groups/utils/swapon index 83d2c6a3b..dd4aec8e2 100644 --- a/apparmor.d/profiles-s-z/swapon +++ b/apparmor.d/groups/utils/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/groups/utils/sync similarity index 73% rename from apparmor.d/profiles-s-z/sync rename to apparmor.d/groups/utils/sync index 907def2b1..9b47b4df2 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/groups/utils/sync @@ -13,9 +13,8 @@ profile sync @{exec_path} { @{exec_path} mr, - # Common paths where sync is used to flush all write operations on a single file to disk - # TODO: /** rw, ? - /boot/initrd-*-default rw, + # All paths where sync can be used to flush all write operations on a single file to disk + /{,**} rw, include if exists } 
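Review bot: `capability checkpoint_restore,` added to sulogin is unexplained, and nothing in the hunk suggests what an emergency-shell prompt does that needs it. The same commit annotates `capability sys_resource, # Needed for vfio` in libvirtd; the same style here, e.g. `capability checkpoint_restore, # <operation that triggered it>`, would keep it from being mistaken for a stray denial that was added verbatim.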
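Review bot: `/{,**} rw,` in sync is explained for the paths but not for the `w` half. As far as I recall, coreutils sync opens its argument read-only first and only falls back to write-only when the read open is refused by DAC, so once `r` is granted everywhere the `w` is only exercised on files the caller cannot read. Recording that in the comment, e.g. `# w: sync falls back to O_WRONLY on files its caller cannot read`, would stop the next reviewer from trimming the rule to `r` and breaking that case.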
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/groups/utils/umount similarity index 100% rename from apparmor.d/profiles-s-z/umount rename to apparmor.d/groups/utils/umount diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/groups/utils/uname similarity index 100% rename from apparmor.d/profiles-s-z/uname rename to apparmor.d/groups/utils/uname diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/groups/utils/users similarity index 100% rename from apparmor.d/profiles-s-z/users rename to apparmor.d/groups/utils/users diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/groups/utils/uuidd similarity index 70% rename from apparmor.d/profiles-s-z/uuidd rename to apparmor.d/groups/utils/uuidd index 56b89fa2a..52f52b4a2 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -6,18 +6,24 @@ abi , include -@{exec_path} = @{bin}/uuidd +@{exec_path} = @{sbin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, @{exec_path} mr, owner /var/lib/libuuid/clock.txt rwk, + owner /var/lib/libuuid/clock-cont.txt rwk, - @{att}/@{run}/uuidd/request w, + @{att}/@{run}/uuidd/request rw, + + @{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/groups/utils/uuidgen similarity index 100% rename from apparmor.d/profiles-s-z/uuidgen rename to apparmor.d/groups/utils/uuidgen diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/groups/utils/whereis similarity index 97% rename from apparmor.d/profiles-s-z/whereis rename to apparmor.d/groups/utils/whereis index 32d4ffa51..36e457998 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/groups/utils/whereis @@ -15,6 +15,7 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, + @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, 
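Review bot: `capability dac_override,` added to uuidd is a strong grant for a small daemon and nothing in the hunk says what triggered it; the new `@{run}/uuidd/uuidd.pid rwk,` and the `clock*.txt` files are all listed explicitly, so a DAC bypass should not be needed for them. If it is about a pre-existing `/var/lib/libuuid` or `/run/uuidd` owned by a different user, a comment on the capability line would keep someone from removing it; if it was only a transient denial during testing, it should go.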
diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/groups/utils/who similarity index 81% rename from apparmor.d/profiles-s-z/who rename to apparmor.d/groups/utils/who index 3da07f89d..d9ca9e164 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include @@ -18,6 +18,10 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/utils/zramctl similarity index 77% rename from apparmor.d/groups/systemd/zramctl rename to apparmor.d/groups/utils/zramctl index 9dbf23243..29428a96f 100644 --- a/apparmor.d/groups/systemd/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include @@ -14,10 +14,12 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico 
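Review bot: `disksize r,` and the added `disksize w,` for the same zram sysfs node in zramctl could be one rule, `@{sys}/devices/virtual/block/zram@{int}/disksize rw,`, matching how `comp_algorithm` was changed to `rw` two lines earlier in the same hunk.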
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 73ad13cb1..0f2692ecf 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 1766cd2fb..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -9,7 +9,12 @@ include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include + include + include + include + include include + include include include @@ -26,12 +31,17 @@ profile cockpit-bridge @{exec_path} { ptrace read, - signal send set=term peer=cockpit-bridge//sudo, signal send set=term peer=cockpit-pcp, signal send set=term peer=dbus-daemon, signal send set=term peer=journalctl, signal send set=term peer=ssh-agent, signal send set=term peer=unconfined, + signal (send receive) set=term peer=cockpit-bridge//sudo, + + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, 
@@ -39,12 +49,12 @@ profile cockpit-bridge @{exec_path} { @{bin}/date ix, @{bin}/find ix, @{bin}/ip ix, - @{bin}/python3.@{int} ix, + @{python_path} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{bin}/dmidecode Px, + @{sbin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, @@ -67,9 +77,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, @@ -114,7 +124,7 @@ profile cockpit-bridge @{exec_path} { include include - signal (send receive) set=term peer=cockpit-bridge, + signal (send receive) set=(cont hup term) peer=cockpit-bridge, @{bin}/cockpit-bridge Px, @{lib}/cockpit/cockpit-askpass Px, @@ -126,6 +136,8 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/n@{int} r, # For network interfaces + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 67ecd800e..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session 
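Review bot: `userns,` in cockpit-desktop grants user-namespace creation without a comment saying who needs it. If, as the name suggests, the profile's job is to launch a local browser, this is likely for the browser's sandbox, but that reasoning belongs in the file (`userns, # browser sandbox`) so the grant is not mistaken for an accidental one.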
@@ -10,14 +10,17 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, @@ -26,6 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -36,17 +41,21 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, - @{run}/cockpit/active.motd r, - @{run}/cockpit/inactive.motd r, + @{att}/@{run}/systemd/sessions/*.ref rw, + + @{run}/cockpit/* r, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, - @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, /var/log/btmp rw, /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..8a345588a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index c78f63a63..d4fb299fe 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws 
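Review bot: `@{bin}/ssh-add rix,` runs ssh-add inside cockpit-session's own profile, which carries `setuid`, `setgid`, `audit_write`, the new `chown` and `sys_resource`, whereas `@{bin}/ssh-agent rPx,` on the line above transitions to its own profile. If an ssh-add profile exists in the tree, `rPx` here would keep key handling out of the login helper's capability set; if not, a comment noting that ssh-add is deliberately inherited would help.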
@@ -7,16 +7,23 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include + include + include @{exec_path} mr, + @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + + @{run}/cockpit/session rw, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36f..248ca43e8 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -9,11 +9,25 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, + + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 627515640..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, 
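Review bot: `/etc/cockpit/ws-certs.d/{,**} r,` widens cockpit-ws from listing the certificate directory (the old `/etc/cockpit/ws-certs.d/ r,`) to reading every file in it, which typically includes private keys, while cockpit-tls in this same commit already reads the same tree. If cockpit-ws only needs to discover certificate filenames, the directory-only rule is the safer one; if it genuinely reads key material, a comment saying why would help. `@{sh_path} rix,` in the same hunk runs a shell inside the profile of the network-facing process; naming the script it executes would likewise be useful.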
@@ -83,23 +83,24 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, + @{run}/nri/ w, + @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index bff45ca39..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,12 +25,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, 
@@ -50,11 +50,14 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/sys/net/core/somaxconn r, + @{att}/dev/pts/ptmx rw, + include if exists } diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 2861514aa..9a8cbe379 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -15,8 +15,9 @@ profile docker-proxy @{exec_path} { network inet stream, network inet6 stream, + network netlink raw, - signal (receive) set=int peer=dockerd, + signal receive set=int peer=dockerd, @{exec_path} mr, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 2ea35f7b9..0a214ccd1 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include 
@@ -21,34 +21,32 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, + capability net_bind_service, + capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, capability sys_ptrace, network inet dgram, + network inet raw, network inet stream, network inet6 dgram, network inet6 stream, network netlink raw, + network packet dgram, mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, - mount options=(rw bind) -> /run/docker/netns/*, - mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, + mount /var/lib/docker/**/, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, 
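Review bot: `mount /var/lib/docker/**/,` collapses the previous buildkit/overlay2/tmp rules and also drops the `fstype=overlay` qualifier the old `/var/lib/docker/rootfs/overlayfs/@{hex64}/` rule carried, so any filesystem type can now be mounted anywhere under /var/lib/docker. That is probably acceptable for a daemon that already holds `sys_admin` and does bind/rbind mounts, but the old rules documented which layouts were observed; keeping `fstype=overlay` on the overlayfs target, or a comment listing the mount kinds this single rule now covers, would preserve that.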
@@ -66,34 +64,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, - @{bin}/docker-init rix, + @{bin}/docker-init rCx -> init, + @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, - @{bin}/kmod rPx, + @{bin}/tini-static rCx -> tini, + @{bin}/git rCx -> git, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. - /{,**} rwl, + /{,**} rwl, #aa:only apt + + @{att}/@{lib}/containerd/** rw, + @{att}/var/lib/docker/{,**} rwk, /etc/docker/{,**} r, @{att}/ r, - owner @{att}/@{lib}/containerd/** rw, owner @{lib}/docker/overlay2/*/work/{,**} rw, owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + /tmp/build/ w, + /tmp/containerd-mount@{int}/{,**} rw, + + @{run}/systemd/notify rw, + + @{run}/containerd/containerd.sock rw, + owner @{run}/docker.pid rw, owner @{run}/docker/ rw, owner @{run}/docker/** rwlk, - owner @{run}/docker.pid rw, + @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, @@ -103,6 +115,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, @{PROC}/sys/kernel/keys/root_maxkeys r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, 
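Review bot: `@{sbin}/runc rUx,` (and the `@{bin}/runc rUx,` kept next to it) launches runc unconfined from dockerd, while containerd-shim-runc-v2 in this same commit was tightened from `rPUx` to `@{sbin}/runc rPx`, so a runc profile evidently exists. Unless dockerd's direct runc invocations differ from the shim's, `rPx` here would be consistent and keep container setup out of the unconfined domain; if `rUx` is deliberate, a comment explaining the difference would prevent the next cleanup from "fixing" it.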
@@ -116,13 +131,73 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + + profile init flags=(attach_disconnected) { + include + + @{bin}/docker-init mr, + @{lib}/docker/docker-init mr, + + include if exists + } + + profile git flags=(attach_disconnected) { + include + + @{bin}/git mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 96e50ba35..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,13 +62,12 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, 
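Review bot: the new `git`, `tini` and `init` child profiles in dockerd grant only `mr` on their own binary plus one include, which is enough for a version probe but not for git actually fetching a build context (repository paths, network, credential helpers). If probing is all dockerd does with them, a comment on each child (`# only used for version probing`) would say so; otherwise marking them `# TODO: WIP`, as `virtiofsd rux` is in libvirtd, would flag that the rules are incomplete. The `nft` child is in better shape, though `@{bin}/kmod rPx -> dockerd//kmod` assumes the `kmod` child defined below it, which is fine as long as both stay in this file.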
@@ -159,7 +158,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 44d24f1ae..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -16,18 +16,26 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index db6d5d377..378449352 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
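Review bot: `@{run}/user/@{uid}/libvirt/ rw,` and the two `.lock rwk` rules in libvirt-dbus are re-added without `owner`, while `owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,` directly below them is `owner`-qualified. For a per-user runtime directory the `owner` form looks like the intended one, so either all four rules should carry it or the socket rule should not; as written the mix reads like an oversight.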
@@ -14,13 +14,16 @@ abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include + include include - include include include + include include capability audit_write, @@ -46,12 +49,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -85,10 +88,16 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, 
@@ -103,26 +112,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, - @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, + @{bin}/kmod rCx -> kmod, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, @@ -133,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, @@ -144,7 +152,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share @@ -153,6 +162,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, 
@@ -162,35 +176,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, 
@@ -247,6 +235,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, @@ -264,12 +253,19 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include @@ -288,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index c10f44922..b49368f07 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper 
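Review bot: In the qemu_bridge_helper child profile, dropping `owner` from `@{PROC}/@{pids}/status r` lets the helper read the status file of any process on the host rather than only processes with its own uid; `/proc/<pid>/status` is world-readable and mostly low-sensitivity, so the widening is small, but the hunk gives no reason for it, and the matching line in virt-aa-helper in this same commit is removed outright instead. If the helper, which presumably runs with elevated privileges, needs the status of the qemu process that spawned it, a comment would make that reviewable, e.g. `@{PROC}/@{pids}/status r,  # status of the parent qemu process, not owned by the helper's uid`. The qemu_bridge_helper child profile starts before this hunk and ends after it.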
@@ -19,16 +19,36 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, @@ -45,7 +65,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 905e2c170..ae7ac5fa9 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include userns, 
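Review bot: `@{MOUNTDIRS}/{,**} r` under "Common mount directories" gives virt-aa-helper recursive read access to everything beneath the mount directories, which is far broader than the per-product image locations listed above it and carries no explanation. The surrounding rules are all VM image locations, so the rationale is presumably images kept on removable or network mounts; state that in the comment, e.g. `# VM images on removable/network mounts; helper only needs read access to validate paths`, and, if the helper only needs to check the image files, consider whether a narrower pattern such as the `disk*`/`loader*` form used for Eucalyptus is possible. The virt-aa-helper profile starts before this hunk and continues after it.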
@@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} { mount options=(rw, rbind) -> @{user_publicshare_dirs}/, mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vm_shares}/, + mount options=(rw, rbind) -> @{user_vmshare_dirs}/, umount /, pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, pivot_root @{user_vm_dirs}/, - pivot_root @{user_vm_shares}/, + pivot_root @{user_vmshare_dirs}/, signal (receive) set=term peer=libvirtd, @@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} { @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - @{user_vm_shares}/{,**} r, + @{user_vmshare_dirs}/{,**} r, owner @{run}/libvirt/qemu/*.pid rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ea9336cef..ef28e59e9 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 44bf06ba0..d362ad108 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 42e13ef64..2d7df07b6 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, /etc/libvirt/*.conf r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 0b48d63fd..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd 
@@ -44,17 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features 
@@ -70,17 +71,17 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index 71f75b642..a10b75dde 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index d39517569..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate 
@@ -19,10 +19,10 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rPx, + @{bin}/systemd-cat rix, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 51053ccee..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -14,8 +14,8 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, - @{bin}/grep rix, + @{sbin}/faillock rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,8 +19,8 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087c..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 23c0a6df4..84a6fb379 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui 
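Review bot: `@{bin}/systemd-cat rix` replaces a transition to a dedicated profile (`rPx`) with inheritance, so systemd-cat now runs under anondate's rules and anondate must itself carry whatever systemd-cat needs (e.g. the journal stream socket), none of which is added in this hunk. If a standalone systemd-cat profile still exists in the repository this is a loss of isolation for one helper; if it was dropped, a comment would explain the choice: `@{bin}/systemd-cat rix,  # no standalone profile; inherits anondate`. The `{,e}grep` change is consistent with the other whonix profiles in this commit. The anondate profile starts before and continues after the hunk.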
@@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fb..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 01e1cb418..08322714f 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 8d91581cb..110da187b 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -19,6 +19,7 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, + @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, 
@@ -27,6 +28,8 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, + owner @{HOME}/.Xdefaults r, + profile systemctl flags=(attach_disconnected) { include include @@ -36,6 +39,7 @@ profile startxfce @{exec_path} { profile dbus { include + include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index d8f04d49c..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/thunar -profile thunar @{exec_path} { +profile thunar @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -17,6 +18,10 @@ profile thunar @{exec_path} { network netlink raw, + #aa:dbus own bus=session name=org.xfce.Thunar + #aa:dbus own bus=session name=org.xfce.FileManager + #aa:dbus own bus=session name=org.freedesktop.FileManager1 + @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -30,6 +35,7 @@ profile thunar @{exec_path} { /etc/fstab r, /etc/timezone r, + /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, @@ -43,15 +49,20 @@ profile thunar @{exec_path} { owner @{run}/user/@{uid}/{,**} rw, owner @{tmp}/{,**} rw, + @{run}/mount/utab r, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + + owner @{PROC}/@{pid}/mountinfo r, + # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, deny /tmp/.*/{,**} rw, - owner @{PROC}/@{pid}/mountinfo r, - profile dbus { include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 350255834..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman 
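Review bot: In the thunar hunk, replacing `deny /boot/{,**} r` with `deny @{efi}/{,**} r` only preserves the deny if `@{efi}` expands to a path that covers `/boot`; if it expands to the EFI system partition mount (for example `/boot/efi`), the kernel and initrd images under `/boot` become readable again through the "Full access to user's data" `/` rules, which is presumably not intended. Either keep both lines, `deny /boot/{,**} r,` and `deny @{efi}/{,**} r,`, or add a comment stating that `@{efi}` is defined to include `/boot`. The thunar profile starts before this hunk and its `profile dbus` child continues after it.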
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include + include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 99971abb8..3ba81c688 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -9,18 +9,30 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include + include + include + include include include include + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 + #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 + @{exec_path} mr, + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, + owner /tmp/tumbler-@{rand6}.png r, + owner /tmp/tumbler-@{rand6}.??? w, + owner @{PROC}/@{pid}/mountinfo r, /dev/ r, diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor 
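Review bot: In the tumblerd hunk, `owner /tmp/tumbler-@{rand6}.png r` and `owner /tmp/tumbler-@{rand6}.??? w` use a literal `/tmp/` whereas the other profiles touched in this commit (xfce-panel, alacarte) address temp files as `@{tmp}/…`; if `@{tmp}` also covers per-service private tmp directories, the literal form will deny the same thumbnail files there. Use `owner @{tmp}/tumbler-@{rand6}.png r,` and `owner @{tmp}/tumbler-@{rand6}.??? w,` for consistency. The `.???` glob also admits any three-character extension for the write; if tumbler only produces a fixed set, listing it documents the intent. The tumblerd profile starts before this hunk and continues after it.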
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 248d60b7e..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include + include include + #aa:dbus own bus=session name=org.xfce.clipman.settings + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index f5c80e07c..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include + include include include include @@ -22,6 +23,9 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.xfce.Notifyd + #aa:dbus own bus=session name=org.freedesktop.Notifications + @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 7b192ffc5..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,12 +9,21 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include + include + include + include + include include include include include include + ptrace (read) peer=xfce-terminal, + + #aa:dbus own bus=session name=org.xfce.Panel + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + @{exec_path} mr, @{bin}/exo-open rix, @@ -26,6 +35,7 @@ profile xfce-panel @{exec_path} { @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, + /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, 
@@ -33,15 +43,20 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/xfce4/{,**} r, + /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, + owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, + @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, + profile root { include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 1c2a0263d..11ccca455 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -9,9 +9,15 @@ include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include + include + include + include include include + #aa:dbus own bus=session name=org.xfce.PowerManager + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e486ac6d9..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include + include include include include include + #aa:dbus own bus=session name=org.xfce.ScreenSaver + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080b..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors 
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index 17007122e..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include @@ -16,6 +19,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, + #aa:dbus own bus=session name=org.xfce.SessionManager + @{exec_path} mr, @{sh_path} rix, @@ -33,6 +38,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, + @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -48,11 +54,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, + @{sys}/class/i2c-adapter/ r, + /dev/tty rw, profile systemctl flags=(attach_disconnected) { diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 342ffd3b4..0f8836326 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal 
@@ -9,11 +9,19 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include + include + include + include include include + include include include + signal send, + + #aa:dbus own bus=session name=org.xfce.Terminal5 + @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -26,7 +34,10 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{editor_path} rPUx, + /usr/share/ r, + /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -34,6 +45,7 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, + owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 0ab17ac5c..9cd273544 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -10,11 +10,14 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include + include include + #aa:dbus own bus=session name=org.xfce.Xfconf + @{exec_path} mr, - /etc/xdg/xfce4/xfconf/** r, + /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index d19e3de63..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,14 +10,22 @@ include profile xfdesktop @{exec_path} { include include + include + include include include include + #aa:dbus own bus=session name=org.xfce.xfdesktop + @{exec_path} mr, @{bin}/xfce4-mime-helper rix, + /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, + /etc/xdg/menus/{,*.menu} r, + /usr/share/xfce4/helpers/{,*.desktop} r, + /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 3eec3377f..d3f88c196 100644 
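Review bot: `signal send,` in the xfce-terminal hunk grants the right to send any signal to any peer, which is broader than a terminal emulator needs; a terminal normally only signals the shell or child it spawned. Restrict by signal set at least, e.g. `signal send set=(hup int term kill),`, and add `peer=` once the child profiles it spawns are known, with a comment naming why the rule exists. The xfce-terminal profile starts before this hunk and continues after it.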
--- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,8 +10,13 @@ include profile xfsettingsd @{exec_path} { include include + include + include + include include + #aa:dbus own bus=session name=org.xfce.SettingsDaemon + @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index d7af2ccb9..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include + include include include include diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base new file mode 100644 index 000000000..f74b90418 --- /dev/null +++ b/apparmor.d/mappings/login/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base new file mode 100644 index 000000000..dd9218d9c --- /dev/null +++ b/apparmor.d/mappings/sshd/base 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify deleted file mode 100644 index 7e901509f..000000000 --- a/apparmor.d/profiles-a-f/aa-notify +++ /dev/null 
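Review bot: The header comment of the new mappings/sshd/base was copied from mappings/login/base and reads `# It is used by login to run pre login scripts (as root) such as the motd.`; for this file it should say `# It is used by sshd to run pre login scripts (as root) such as the motd.` (the sudo variant in this same commit was adapted correctly). The sentence `# other files under` appears cut off in this rendering in all three mapping files; check that the directory name survived in the committed text.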
@@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/aa-notify -profile aa-notify @{exec_path} { - include - include - include - include - include - - capability setgid, - capability setuid, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/ r, - - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - /etc/apparmor.d/{,**} r, - /etc/apparmor/*.conf r, - - /var/log/audit/audit.log r, - - owner @{HOME}/.inputrc r, - owner @{HOME}/.terminfo/@{int}/dumb r, - - owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e6..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 796194146..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,11 +13,10 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 5bf6c433a..4985bca3a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid 
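Review bot: In the acpi-powerbtn hunk, `@{bin}/shutdown rix` is removed rather than relocated to `@{sbin}/shutdown` as `killall5` was in the same hunk; if `/etc/acpi/powerbtn.sh` still falls back to calling shutdown when no session manager handles the button press, that exec will now be denied. If shutdown is meant to go through `dbus-send` and the `bus` child profile instead, a comment on the script line would make that explicit: `/etc/acpi/powerbtn.sh rix,  # powers off via dbus-send, not shutdown(8)`. The acpi-powerbtn profile starts before this hunk and continues after it.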
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 9103b25b3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/add{user,group} +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include @@ -24,7 +24,6 @@ profile adduser @{exec_path} { capability sys_admin, # For logger @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/find rix, @@ -34,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6f2e1d5c7..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -17,9 +17,8 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, - @{bin}/perl r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, @@ -55,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } @@ -74,7 +71,6 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, @{bin}/adequate rPx, 
@@ -92,7 +88,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 7ebb3b629..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,16 +7,17 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include + include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, @@ -30,6 +31,11 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b2b97a62a..adf0d5cd3 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule index b54e62022..ce600200a 100644 --- a/apparmor.d/profiles-a-f/amule +++ b/apparmor.d/profiles-a-f/amule 
@@ -27,7 +27,7 @@ profile amule @{exec_path} { # @{open_path} rPx -> child-open, @{exec_path} mr, - @{bin}/uname rPx, + @{bin}/uname rix, @{sh_path} rix, @{system_share_dirs}/amule/{,**} r, owner @{HOME}/.aMule/{,**} rwk, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index b7e4a127b..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @@ -81,8 +81,8 @@ profile anyremote @{exec_path} { /usr/share/anyremote/cfg-data/Icons/common/*.png r, - /usr/share/ImageMagick-[0-9]/*.xml rw, - /etc/ImageMagick-[0-9]/*.xml r, + /usr/share/ImageMagick-@{int}/*.xml rw, + /etc/ImageMagick-@{int}/*.xml r, owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index fb4f2cb85..eba042635 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay @@ -19,6 +19,8 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.Xauthority r, + /dev/snd/controlC@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 36ca9555f..f2231479d 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/byobu/desktop/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index e260321e6..77bf1bf96 100644 --- a/apparmor.d/profiles-a-f/arandr 
+++ b/apparmor.d/profiles-a-f/arandr @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 64f25e181..d445df0e2 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -24,33 +24,19 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, - mount fstype=fuse.archivemount -> @{HOME}/*/, - mount fstype=fuse.archivemount -> @{HOME}/*/*/, - - /dev/fuse rw, - profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, - /dev/fuse rw, + umount @{HOME}/*/, + umount @{HOME}/*/*/, - /etc/fuse.conf r, - - owner @{HOME}/ r, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, - @{PROC}/@{pid}/mounts r, - include if exists } diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 769f15cf0..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,14 +7,13 @@ abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/basename rix, 
@@ -33,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, @@ -47,9 +46,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, - @{bin}/perl r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, @@ -64,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index f8d39c8f5..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include @@ -20,15 +20,15 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - signal (receive) set=hup peer=at, + signal receive set=hup peer=at, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/sendmail rPUx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf36..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include 
@@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/bzip rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c35911..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,19 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index d6881f3e7..762273a9f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl 
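Review bot: The added `network inet stream,` and `network inet6 stream,` rules are broader than TFTP's UDP-only transport; the two dgram rules cover the service itself. If the stream rules exist for libwrap's reverse lookups (the neighbouring include is commented as TCP Wrapper support), a comment such as `# stream only for libwrap hostname lookups` next to them would make that explicit; otherwise the two stream lines can be removed.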
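Review bot: The reordered atool list on the new side still contains `@{bin}/bzip2 rix,` twice (first hunk, right after `@{bin}/bzip rix,`) and `@{bin}/lzop rix,` twice (context lines in the second hunk). Duplicate rules do not change the policy but defeat the purpose of the sort and will keep tripping the linter the CI job now runs; keep one of each.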
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 92afa1d08..41fb158c0 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include @@ -27,6 +27,8 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7a515c1ba..5ae84876b 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index e0f686b90..ff3a710c3 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1..654e40117 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab 
@@ -19,11 +19,12 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, + #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8010b380a..87457a129 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index c63a8de7c..771560c6b 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index ad575351f..bff816339 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,18 +7,20 @@ abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - @{bin}/dmsetup rPUx, - @{bin}/grep rix, + @{sh_path} rix, + @{sbin}/dmsetup rPx, + @{bin}/{,e}grep rix, + @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, - @{bin}/multipathd rPx, + @{sbin}/lvm rPx, + @{sbin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, 
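Review bot: Replacing `deny /boot/{,**} r,` with `deny @{efi}/{,**} r,` narrows the deny rather than moving it: whatever part of /boot lies outside @{efi} now falls under the `/** r,` rule above, so kernel images, initramfs archives and System.map become readable to baobab, and initramfs can embed key material. If making /boot readable is intended (a disk-usage tool arguably wants to size it), say so next to the `#aa:lint ignore=too-wide` marker; otherwise keep both deny lines. This assumes @{efi} expands to a path under /boot, which the hunk does not show.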
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index dbf6c228d..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,12 +27,13 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, @@ -95,10 +96,7 @@ profile borg @{exec_path} { profile fusermount { include - include - include - - capability sys_admin, + include mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, @@ -106,17 +104,9 @@ profile borg @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index a0b57a38b..1cfda03d9 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , @@ -34,6 +34,7 @@ profile briar-desktop @{exec_path} { @{system_share_dirs}/java/briar-desktop.jar r, /etc/java*/{,**} r, + /etc/machine-id r, owner @{HOME}/.briar/desktop/{,**} rw, owner @{HOME}/.briar/desktop/db/db.mv.db k, 
@@ -57,10 +58,11 @@ profile briar-desktop @{exec_path} { owner @{tmp}/jna@{u64}.tmp mrw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, @{PROC}/cgroups r, + @{PROC}/asound/version r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/coredump_filter rw, @@ -78,7 +80,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{bin}/ldconfig ix, + @{sbin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor index af98f9fc7..ae818d1df 100644 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ b/apparmor.d/profiles-a-f/briar-desktop-tor @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,11 +13,13 @@ profile briar-desktop-tor { network inet6 stream, network netlink raw, + signal send set=term peer=briar-desktop-tor//lyrebird, signal send set=term peer=briar-desktop-tor//obfs4proxy, signal send set=term peer=briar-desktop-tor//snowflake, owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, owner @{HOME}/.briar/desktop/tor/.tor/lock k, + owner @{HOME}/.briar/desktop/tor/lyrebird Cx -> lyrebird, owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, owner @{HOME}/.briar/desktop/tor/tor r, 
@@ -27,6 +29,25 @@ profile briar-desktop-tor { include if exists + profile lyrebird { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/lyrebird mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } + profile obfs4proxy { include diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 86da0e6a7..c896e96f8 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include @@ -22,7 +22,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, owner @{PROC}/@{pid}/mountinfo r, 
@@ -48,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bab483dde..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, 
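Review bot: The renamed rule `owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,` still hard-codes the link target while the source side uses the variable, unlike the `@{user_projects_dirs}` pair two lines below, which uses the same variable on both sides. If `@{user_passwordstore_dirs}` can expand to anything other than `@{HOME}/.password-store`, links created in those locations are denied; `owner @{user_passwordstore_dirs}/** rwkl -> @{user_passwordstore_dirs}/**,` keeps the two sides in step.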
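Review bot: In the btop hunk, `capability kill,` is added next to an unrestricted `signal send,` (only the parentheses were dropped), which together let btop, when run as root, signal any process on the host including ones in other profiles. btop does expose a kill action from its UI, so this may be intended, but nothing in the hunk says so; `# btop can kill arbitrary processes from its UI` above the capability line would document the decision. `capability perfmon,` is added without a comment as well.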
@@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 6d71ed28d..281d15718 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre 
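Review bot: The new `@{PROC}/@{pids}/task/@{tid}/comm rw,` grants write access to the comm of every task on the system, not only btop's own threads; the rewrite switches several lines from `@{pid}` to `@{pids}` in one go and this is the only one with `w`. Renaming a thread is something a process does to itself, so this line should keep the owner form used elsewhere in this diff: `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`. The old `owner @{PROC}/@{pid}/mounts r,` also became `@{PROC}/@{pids}/mounts r,`, widening the read to other users' mount tables; if that is deliberate a short comment would help.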
@@ -12,12 +12,10 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include - include include include + include include include include @@ -35,11 +33,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @@ -47,9 +47,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{bin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +62,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -68,10 +70,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, 
@@ -82,10 +89,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +116,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 40c5199b3..af7436f39 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -11,6 +11,7 @@ profile cctk @{exec_path} { include include + capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 9cacb9324..ee8d277f2 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 0f91c1e85..8f3f11af0 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 08b1d83b5..6f31a43d5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd 
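Review bot: The four `audit owner @{tmp}/...` rules log every matching allowed access to the audit log; the `audit` qualifier is normally a temporary aid for discovering paths, and nothing in the hunk explains why calibre's temp-file traffic should be logged permanently. Drop `audit` once the naming patterns are confirmed, or add a comment such as `# audit: still collecting the real tmp naming pattern` so the next reader knows it is intentional.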
@@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} { include include - # For creating Unix domain sockets/IPC sockets: - # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 - # ... - # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation - # not permitted) - capability net_admin, - - # To remove the following errors: - # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) - capability sys_ptrace, - - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, + capability net_admin, + capability sys_ptrace, network netlink dgram, @@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/**/tasks w, + + /etc/cgconfig.conf r, + /etc/cgconfig.d/{,*} r, + + /etc/cgrules.conf r, + /etc/cgrules.d/{,*} r, + + owner @{run}/cgred.socket w, + + @{sys}/fs/cgroup/** rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pid}/mounts r, @{PROC}/cgroups r, - - @{sys}/fs/cgroup/unified/cgroup.controllers r, - - owner @{run}/cgred.socket w, - - /etc/cgconfig.conf r, - /etc/cgrules.conf r, - /etc/cgconfig.d/ r, - + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 775e3f640..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 313fa6c54..07baedfae 100644 --- a/apparmor.d/profiles-a-f/check-support-status 
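Review bot: The removed comments documented why `capability net_admin,`, `capability sys_ptrace,` and `capability dac_read_search,` are needed (the netlink connector bind, readlink of /proc/PID/exe, reading other processes' /proc entries); the new side keeps all three capabilities but loses the rationale. Sorting the lines is fine, but keep a condensed inline note per capability, e.g. `capability net_admin, # bind NETLINK_CONNECTOR socket`.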
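Review bot: In the second cgrulesengd hunk, `@{sys}/fs/cgroup/** rw,` replaces `@{sys}/fs/cgroup/**/tasks w,` and now allows reading and writing every cgroup control file, including resource limits unrelated to task placement. If the broadening is only to cover `cgroup.procs` on cgroup v2, `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` together with a read rule for the tree keeps the rule close to what the daemon does; otherwise a comment explaining why `rw` on the whole tree is required would help the next reviewer.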
+++ b/apparmor.d/profiles-a-f/check-support-status @@ -70,7 +70,6 @@ profile check-support-status @{exec_path} { include @{bin}/debconf-escape r, - @{bin}/perl r, owner @{tmp}/debian-security-support.postinst.*/output r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 5eb0eda0f..8101b3008 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -53,7 +53,6 @@ profile check-support-status-hook @{exec_path} { include @{bin}/debconf-escape r, - @{bin}/perl r, /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, @@ -68,7 +67,6 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, - @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, @@ -86,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -113,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese new file mode 100644 index 000000000..33b933be2 --- /dev/null +++ b/apparmor.d/profiles-a-f/cheese 
@@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cheese +profile cheese @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/bwrap Px -> gnome-desktop-thumbnailers, + @{open_path} rPx -> child-open-help, + + @{system_share_dirs}/gnome-video-effects/{,*.effect} r, + @{system_share_dirs}/ladspa/rdf/{,**} r, + @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, + + /etc/machine-id r, + + owner @{HOME}/ r, # file save dialog + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, + + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 155d82f07..e4a986c8a 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..be59811a1 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider 
@@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {C,c}ider sh.cider.genten +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} + +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 7c5486c50..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,14 +24,14 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, 
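Review bot: `@{cache_dirs}` and `@{config_dirs}` are declared at the top of the new cider profile but never used in it — the rules spell out `owner @{user_config_dirs}/sh.cider.genten/` directly and nothing references the cache directory; unless one of the elided included abstractions consumes them, either use the variables (`owner @{config_dirs}/ rw,` and so on) or drop them, since the `@{name}` glob and the literal `sh.cider.genten` rules otherwise diverge silently. Separately, `...WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr,` maps executable code from a user-writable config directory, a usual Electron/Chromium trade-off that is worth a one-line comment.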
diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index c3916890f..750fe9345 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -18,6 +18,9 @@ profile cmus @{exec_path} { /etc/machine-id r, + / r, + owner @{HOME}/ r, # For pwd + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 5a31889b9..674432b2e 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 3c059abcf..9e4372e1d 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -104,7 +104,7 @@ profile conky @{exec_path} { deny ptrace (trace, read), # Display the hard disk model name - @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r, + @{sys}/devices/@{pci}/{usb,ata}@{int}/**/model r, @{sys}/block/{s,v}d[a-z]/device/model r, # Display the disk write/read speed @{PROC}/diskstats r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index d3aaddf7f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -12,9 +12,11 @@ profile console-setup @{exec_path} { @{exec_path} mr, - @{bin}/uname rPx, + @{sh_path} r, + @{bin}/uname rix, @{bin}/mkdir rix, + @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists 
diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 8c38f85a3..52e80cc54 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall 
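Review bot: The exec rules in the new console-setup-cached profile mix two forms: `@{sh_path} rix,` and `@{bin}/gzip rix,` against `@{bin}/ls ix,`, `@{bin}/mkdir ix,` and `@{bin}/setfont ix,`, while the sibling console-setup-keyboard profile added in the same diff uses `rix` throughout. Pick one form for all five lines; `rix` matches the rest of the tree and the other new profile.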
@@ -20,7 +20,7 @@ profile convertall @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index c374d4685..332c1735c 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include + include capability mknod, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index cc183f527..4db396fa0 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 50d34bad4..d3b6cba6f 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index c16629d6d..0928f0da4 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -15,7 +15,6 @@ profile ddclient @{exec_path} { include @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/logger rix, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb8..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil 
@@ -21,14 +21,15 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 4f60099a9..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,21 +7,22 @@ abi , include +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f2e86579..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/del{user,group} +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include 
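Review bot: The new attachment `@{exec_path} = @{sbin}/deluser` drops `delgroup`, which the old `@{bin}/del{user,group}` covered. On Debian `delgroup` is a symlink to `deluser` and AppArmor attaches on the resolved path, so it is probably still confined there, but any distribution that ships `delgroup` as its own file now runs it unconfined while this profile still grants `owner /etc/shadow r` and a system-wide file scan. Keeping the alternation avoids that asymmetry: `@{exec_path} = @{sbin}/del{user,group}`.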
@@ -18,20 +18,20 @@ profile deluser @{exec_path} { capability dac_override, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/crontab rPx, @{bin}/gpasswd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{bin}/userdel rPx, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index b650498cf..9d84a4065 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, @@ -36,22 +42,22 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, 
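Review bot: The five new rules from `network inet dgram,` to `network netlink raw,` are granted to the dhclient-script profile itself, which is a root shell script fed with server-supplied DHCP option values, so every `ix` helper it runs inherits them. netlink raw is plausibly for `ip`, but nothing in the hunk shows what needs `inet stream`/`inet6 stream`; `ping` already transitions with `rPx` and gets its own rules there. If a specific helper is the consumer, a one-line comment naming it (e.g. `# netlink raw: ip(8) addr/route changes`) would let a later reviewer shrink the set, or that helper could get its own child profile as this change already does for sysctl with `@{sbin}/sysctl rCx -> sysctl,`.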
@@ -65,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d7..0991a243e 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,18 +8,18 @@ abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +profile discord @{exec_path} flags=(attach_disconnected) { include include - include - include include include + include include include @@ -31,13 +31,15 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, + /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -46,14 +48,16 @@ profile discord @{exec_path} { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, + deny ptrace read, + include if exists } diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index ecf1d1c64..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms 
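Review bot: `owner @{PROC}/@{pid}/mem r,` reads as a grant on the raw memory of any same-user process, and it is added next to `deny ptrace read,` without a comment saying why discord needs it. In practice the profile grants no `ptrace trace`, so the kernel's ptrace check limits this to self-reads, but that reasoning is not visible in the rule. If the consumer is the crash handler (`chrome_crashpad_handler rix` above), say so inline, e.g. `owner @{PROC}/@{pid}/mem r, # self-read by the crashpad handler`, and confirm the rule is exercised under enforce rather than only seen in complain mode.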
@@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include @@ -28,29 +28,39 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{bin}/as rix, @{bin}/bc rix, + @{bin}/clang-@{version} rix, + @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/ld.lld rix, + @{bin}/llvm-objcopy rix, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, + @{lib}/modules/*/build/arch/x86/** rix, + @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, + @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, + /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -97,6 +107,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, + /dev/pts/@{int} rw, + profile kmod { include include @@ -104,7 +116,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index ffce30921..2d799987f 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller 
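Review bot: `@{lib}/os-release rix,` grants execute on a plain text file; os-release is only read or sourced, and sourcing needs `r`, not `x`, so `@{lib}/os-release r,` is enough. The same applies to `@{lib}/modules/*/build/include/** rix,`: the headers tree is consumed by the compiler, and unlike `build/scripts/**` and `build/tools/**` I know of no helpers under `include/` that must be executed, so `r` would do unless a specific make target shows otherwise. Granting `ix` on data files is mostly harmless in a profile that already runs compilers, but keeping `x` on real executables keeps the profile honest about what it permits.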
@@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 0484cf99d..984545508 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index aba455535..680d25992 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index d532bb8cf..eb9d1dc19 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,9 +6,10 @@ abi , include -@{exec_path} = @{bin}/dmsetup +@{exec_path} = @{sbin}/dmsetup profile dmsetup @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..e99760a73 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install 
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + include + + @{exec_path} mr, + + @{bin}/cp rix, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 065fe92c5..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,13 +16,14 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include + include include @{exec_path} mr, @@ -32,14 +33,14 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, @@ -61,7 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap 
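Review bot: The new dracut-install profile contains no write rule, yet the tool copies files into the initramfs staging tree and the hunk runs `@{bin}/cp rix,`, so cp inherits this profile and its writes would be denied under enforce unless one of the includes (not shown here) supplies them. If the staging directory is a dracut temp directory, an `owner`-scoped rule on that path is the fix; if the profile is meant to be observed first, `flags=(complain)` as used for the new e2scrub profile would make that explicit. Either way a comment on where dracut-install writes would help the next reader.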
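Review bot: Removing `owner /var/tmp/etilqs_@{hex16} rw,` leaves the comment above it ("Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead") describing a fallback the profile no longer grants locally. If the sqlite temp-file rule moved into an included abstraction, the comment should say so; if not, the /var/tmp fallback is now denied. I would either restore the line or reword the comment to `# sqlite etilqs_ temp files in /tmp and /var/tmp are covered by an included abstraction`.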
@@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eb3d4d61a..a4184a358 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index be5d26b9f..c120a3590 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b099f1ccf..c7238f262 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 25fab12c7..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,19 +6,20 @@ abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include include + capability setuid, capability sys_admin, capability sys_rawio, @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 05a900889..59cfa3577 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {E,e}lement +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -15,11 +16,11 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include include + include include network inet dgram, @@ -30,11 +31,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff400..3e650962f 100644 
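Review bot: `capability setuid,` is added to e2scrub_all with no comment and no privilege-dropping transition visible in this hunk; together with `@{sh_path} mr,` and the `ix` helpers, every inherited child gains the ability to change uid. If the consumer is a helper executed further down the profile (outside this hunk), a `Px`/`Cx` transition for that helper would keep the capability out of the shell and readlink; if the script itself needs it, a comment such as `capability setuid, # <tool> drops to <user>` documents why. The profile body continues outside the hunk.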
--- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,11 +10,8 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b47..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 2638ad0e3..10b5ad4af 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,15 +9,14 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include - include + include include include include + include include include include @@ -30,7 +29,6 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, @@ -44,13 +42,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, - owner @{tmp}/evince-*/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/evince-@{int}/{,**} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af..dcd28ddc9 100644 
--- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 41d2324f6..817ba6215 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 0decde05c..7161c5900 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 98364f0f1..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,8 +7,8 @@ abi , include -@{exec_path} = @{bin}/exim4 -profile exim4 @{exec_path} { +@{exec_path} = @{sbin}/exim4 +profile exim4 @{exec_path} flags=(attach_disconnected) { include include include 
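Review bot: `flags=(attach_disconnected)` on exim4 needs a recorded justification: it makes paths disconnected from the namespace root (chroot, detached mounts, some socket cases) match as if rooted at `/`, which widens what every `/`-anchored rule in the profile can reach, and this is an internet-facing MTA. If the trigger is a single known path, recent parsers (3.1+, as I recall) accept `attach_disconnected.path=` to confine the aliasing to that path, which would be preferable. At minimum, a comment on the profile line naming the denial this fixes, e.g. `# attach_disconnected: <operation> on a detached path`, should accompany the flag.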
diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index 3e1f92742..e03e35403 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -13,7 +13,6 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, - @{bin}/perl r, # Mail clients @{bin}/thunderbird rPx, diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 4d743fbb7..a2cfe43c5 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 7fae1218c..d432bee94 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index e858c2d8e..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -20,11 +20,11 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/iptables rix, @{bin}/ r, - @{bin}/python3.@{int} r, + @{python_path} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c7ac0d399..c8bdedaa3 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include 
diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index e299a109b..6f4c86647 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index e6a7aeebf..bab152574 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 6e47ec8cb..8633444d8 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -28,6 +28,7 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, @@ -36,7 +37,7 @@ profile ffmpeg @{exec_path} { owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 6d3e1972d..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, 
@@ -30,7 +29,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 0c5a18e83..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include include include include @@ -25,20 +24,9 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index be734ed50..16bafb886 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include - include + include include include include include + include include include include @@ -29,6 +29,7 @@ profile filezilla @{exec_path} { network netlink raw, signal send set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -36,7 +37,8 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/fzputtygen rPUx, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd new file mode 100644 index 000000000..7ce69ab64 --- /dev/null +++ b/apparmor.d/profiles-a-f/finalrd 
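Review bot: `@{bin}/fzputtygen rPUx,` falls back to running fzputtygen unconfined when no profile of that name is loaded, yet the same change adds `signal send set=(term, kill) peer=fzputtygen,`, which only makes sense if a `fzputtygen` profile exists; the two rules are inconsistent. fzputtygen is the helper that converts PuTTY private key files, so it is exactly the child that should not silently run unconfined. If the profile ships with the set, use `@{bin}/fzputtygen rPx,` so a missing profile fails closed; if it does not, a child profile (`rCx -> fzputtygen`) is the alternative.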
@@ -0,0 +1,82 @@ + +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/finalrd +profile finalrd @{exec_path} { + include + include + + capability dac_read_search, + capability sys_admin, + capability sys_chroot, + + remount options=(rw nodev nosuid relatime remount) @{run}/, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/{,e}grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, + + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, + + @{bin}/{,*} r, + @{lib}/{,*} r, + @{sbin}/{,*} r, + + /usr/share/finalrd/{,**} r, + /usr/share/initramfs-tools/hook-functions r, + + /etc/fstab r, + /etc/iscsi/initiatorname.iscsi r, + /etc/iscsi/iscsid.conf r, + + / r, + + @{run}/ r, + @{run}/finalrd-libs.conf rw, + @{run}/initramfs/{,**} rw, + @{run}/mount/ r, + @{run}/mount/utab r, + + @{PROC}/@{pid}/mountinfo r, + + profile ldd { + include + include + include + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a3aba8af1..d8086715a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg 
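Review bot: `@{bin}/mount ix,` runs mount inside the finalrd profile, where the only mount permission is `remount options=(rw nodev nosuid relatime remount) @{run}/,`; any other mount the `*.finalrd` hook scripts attempt (they also run `ix`) will be denied under this label rather than surfaced under a helper's own, so confirm under enforce that the /run remount is really the only mount operation and record that next to the rule (`# only mount operation finalrd performs`). Separately, the new file opens with an empty line before the `# apparmor.d` header, unlike the other new profiles in this change (console-setup-cached, e2scrub); drop it. The `ldd` child scoped to `@{bin}/*` and `@{sbin}/*` is a good way to keep ld.so from inheriting the parent's sys_admin, provided its includes add no capabilities.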
@@ -19,11 +19,13 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, + + @{etc_ro}/login.defs r, - /etc/login.defs r, /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, + /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -32,10 +34,14 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, - @{user_share_dirs}/applications/*.desktop rw, - /dev/tty rw, + @{user_config_dirs}/firejail/{,*} r, + + /dev/tty rw, + /dev/tty@{int} rw, + owner /dev/pts/@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c485408..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -15,6 +15,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, 
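Review bot: Dropping `@{user_share_dirs}/applications/*.desktop rw,` while keeping `@{user_share_dirs}/applications/ r,` will deny writes if `firecfg --fix` still rewrites per-user .desktop files, so the removal should be deliberate and ideally mentioned in the commit message. Minor: `/dev/tty@{int} rw,` next to `owner /dev/pts/@{int} rw,` is inconsistent on `owner`; either both or neither, since firecfg runs as root for the `/usr/local/bin/*` symlink setup and `owner` buys little there.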
@@ -30,31 +31,17 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - /usr/share/com.github.johnfactotum.Foliate/{,**} r, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, - owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, @@ -64,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 81c53aafd..56941f60b 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include 
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index b3034dfef..8a5f9c01a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, @@ -29,12 +30,10 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/journal/socket rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7f14df0e0..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, 
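Review bot: `capability sys_admin,` needs a justification comment: for a system D-Bus daemon that mediates biometric authentication it is close to full root, and nothing in the diff records which operation needed it. Many sys_admin denials in daemons are probes that work fine when refused, in which case `deny capability sys_admin,` silences the log without granting it; if a real operation needs it, write `capability sys_admin, # needed for <operation>` so the grant can be revisited. The relaxed `@{sys}/devices/**/hidraw/hidraw@{int}/uevent r,` replacing the two bus-specific paths is read-only sysfs and fine.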
@@ -21,22 +22,46 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
+ signal send set=kill peer=fractal//bwrap,
+
@{exec_path} mr,
@{open_path} rPx -> child-open-help,
+ @{bin}/bwrap rCx -> bwrap,
+
+ /usr/share/glycin-loaders/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
owner @{tmp}/.@{rand6} rw,
owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/@{rand6} rw,
+ owner @{run}/user/@{uid}/fractal/{,**} rw,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/ r,
+ profile bwrap flags=(attach_disconnected) {
+ include
+ include
+
+ signal receive set=kill peer=fractal,
+
+ @{bin}/bwrap mr,
+ @{lib}/glycin-loaders/*/glycin-* rix,
+
+ owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ deny @{user_share_dirs}/gvfs-metadata/* r,
+
+ include if exists
+ }
+
include if exists
}
diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube
index 295cbe760..b820f249c 100644
--- a/apparmor.d/profiles-a-f/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -8,6 +8,7 @@ abi ,
include
@{name} = {F,f}ree{T,t}ube{,-vue}
+@{domain} = org.chromium.Chromium
@{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}
@@ -16,12 +17,12 @@ include
profile freetube @{exec_path} flags=(attach_disconnected) {
include
include
- include
- include
- include
+ include
include
include
+ include
include
+ include
network inet dgram,
network inet6 dgram,
@@ -33,10 +34,11 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
- @{open_path} rPx -> child-open-strict,
- #aa:stack X xdg-settings
@{bin}/xdg-settings rPx -> freetube//&xdg-settings,
+ @{open_path} rPx -> child-open-strict,
+
+ deny @{sys}/devices/@{pci}/usb@{int}/** r,
include if exists
}
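Review bot: the new `bwrap` child profile lists `@{bin}/bwrap mr` and the glycin loaders but no `userns` rule or capability lines; bubblewrap builds its sandbox with user namespaces, and on kernels that restrict unprivileged user namespaces a confined process needs an explicit `userns,` permission for that. If the two stripped `include` lines at the top of the child profile are the project's bwrap abstraction that already carries it, a one-line comment naming that would make it obvious; otherwise add `userns,` next to `signal receive set=kill peer=fractal,`. The child also runs `@{lib}/glycin-loaders/*/glycin-* rix`, so the image loaders execute under the same profile as bwrap itself rather than a loader-specific one, which is worth stating in a comment since it is the whole point of the `rCx -> bwrap` transition.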
diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing
index 18b990bbc..c57323c6a 100644
--- a/apparmor.d/profiles-a-f/fritzing
+++ b/apparmor.d/profiles-a-f/fritzing
@@ -10,16 +10,13 @@ include
@{exec_path} = @{bin}/fritzing{,.real}
profile fritzing @{exec_path} {
include
- include
- include
- include
- include
- include
- include
- include
+ include
include
- include
+ include
+ include
+ include
include
+ include
network inet dgram,
network inet6 dgram,
@@ -30,26 +27,25 @@ profile fritzing @{exec_path} {
@{exec_path} mrix,
+ /usr/share/fritzing/{,**} r,
+ /usr/share/hwdata/pnp.ids r,
+
+ /etc/debian_version r,
+ /etc/fstab r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
owner @{user_config_dirs}/Fritzing/ rw,
owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw,
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw,
- /usr/share/fritzing/{,**} r,
+ owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
- /usr/share/hwdata/pnp.ids r,
-
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
-
- /etc/fstab r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- /etc/debian_version r,
+ @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
+ @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
+ @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]*
@{sys}/bus/ r,
@{sys}/class/ r,
@@ -57,15 +53,13 @@ profile fritzing @{exec_path} {
@{sys}/devices/**/tty*/uevent r,
@{sys}/devices/**/tty/**/uevent r,
- @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]*
- @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx
- @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]*
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
/dev/ttyS@{int} rw,
/dev/ttyACM@{int} rw,
- owner @{run}/lock/LCK..ttyACM[0-9]* rwk,
-
include if exists
}
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
deleted file mode 100644
index ac8a6a5a8..000000000
--- a/apparmor.d/profiles-a-f/frontend
+++ /dev/null
@@ -1,130 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2022-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /usr/share/debconf/frontend
-profile frontend @{exec_path} flags=(complain) {
- include
- include
- include
- include
- include
- include
- include
- include
-
- capability dac_read_search,
-
- @{exec_path} r,
- @{bin}/perl r,
-
- @{sh_path} rix,
- @{bin}/hostname rix,
- @{bin}/locale rix,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/stty rix,
- @{bin}/update-secureboot-policy rPx,
-
- # debconf apps
- @{bin}/adequate rPx,
- @{bin}/aspell-autobuildhash rPx,
- @{bin}/debconf-apt-progress rPx,
- @{bin}/linux-check-removal rPx,
- @{bin}/pam-auth-update rPx,
- @{bin}/ucf rPx,
- @{bin}/whiptail rPx,
- @{lib}/tasksel/tasksel-debconf rPx -> tasksel,
- /usr/share/debian-security-support/check-support-status.hook rPx,
-
- # Grub
- @{lib}/grub/grub-multi-install rPx,
- /usr/share/grub/grub-check-signatures rPx,
-
- # Run the package maintainer's scripts
- # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
- #/var/lib/dpkg/info/*.{config,templates} rPUx,
- #/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
- #/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
- /var/lib/dpkg/info/*.control r,
- #/var/lib/dpkg/tmp.ci/{config,templates} rPUx,
- #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
- #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
- /var/lib/dpkg/tmp.ci/control r,
- /var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
- /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
- /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
- /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
- /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
- /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
-
- # DKMS scipts
- # What to do with it?
(#FIXME#)
- @{lib}/dkms/common.postinst rPUx,
- @{lib}/dkms/dkms-* rPUx,
- @{lib}/dkms/dkms_* rPUx,
-
- /usr/share/debconf/{,**} r,
-
- /etc/debconf.conf r,
- /etc/inputrc r,
- /etc/shadow r,
-
- owner @{tmp}/file* w,
- owner /var/cache/debconf/* rwk,
-
- @{HOME}/.Xauthority r,
-
- @{run}/user/@{uid}/pk-debconf-socket rw,
-
- owner @{PROC}/@{pid}/mounts r,
-
- profile scripts flags=(complain) {
- include
- include
-
- capability dac_read_search,
-
- /var/lib/dpkg/info/*.config r,
- /var/lib/dpkg/info/*.{preinst,postinst} r,
- /var/lib/dpkg/info/*.{prerm,postrm} r,
- /var/lib/dpkg/tmp.ci/config r,
- /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
- /var/lib/dpkg/tmp.ci/{prerm,postrm} r,
-
- / r,
-
- @{bin}/ r,
- @{bin}/* rPUx,
-
- @{lib}/ r,
- @{lib}/** rPUx,
-
- /usr/share/ r,
- /usr/share/** rPUx,
-
- /etc/init.d/ r,
- /etc/init.d/* rPUx,
-
- /etc/ r,
- /etc/** rw,
- /var/ r,
- /var/** rw,
- @{sys}/ r,
- @{sys}/**/ r,
- @{run}/ r,
- @{run}/** rw,
- /tmp/ r,
- owner @{tmp}/** rw,
-
- include if exists
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs
index da61184a3..91b279d20 100644
--- a/apparmor.d/profiles-a-f/fuse-overlayfs
+++ b/apparmor.d/profiles-a-f/fuse-overlayfs
@@ -10,14 +10,21 @@ include
profile fuse-overlayfs @{exec_path} {
include
- capability sys_admin,
+ capability chown,
capability dac_override,
capability dac_read_search,
- capability chown,
+ capability fowner,
+ capability setfcap,
+ capability setuid,
+ capability sys_admin,
+
+ mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,
+ mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/,
@{exec_path} mr,
- mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,
+ @{bin}/mount rix,
+ @{bin}/umount rix,
owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl,
diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso
index ed2bcc936..75d19a0d5 100644
--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@@ -36,27 +36,17 @@ profile fuseiso @{exec_path} {
profile fusermount {
include
- include
-
- # To mount anything:
- capability sys_admin,
-
- capability dac_read_search,
+ include
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/,
mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/,
mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/,
- @{bin}/fusermount{,3} mr,
+ umount @{HOME}/*/,
+ umount @{HOME}/*/*/,
+ umount @{user_cache_dirs}/**/,
- /etc/fuse.conf r,
-
- # Image files to be mounted
- owner @{user_img_dirs}/{,**} r,
-
- @{PROC}/@{pid}/mounts r,
-
- /dev/fuse rw,
+ owner @{user_img_dirs}/{,**} r, # Image files to be mounted
include if exists
}
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 2bad1d773..a84b85322 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
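Review bot: `capability setfcap,` and `capability setuid,` join `sys_admin`, `chown` and `fowner` in a profile that now also runs `@{bin}/mount rix` and `@{bin}/umount rix`, so those two binaries inherit the whole capability set, and none of the new capability lines says which operation needs it (copy-up of files carrying file capabilities, privilege dropping, ...); the file's neighbours annotate grants of this kind. There is a `mount` rule for the `merged/` target but no matching `umount` rule in this hunk; if one exists outside the hunk this is moot, otherwise `umount @{user_share_dirs}/containers/storage/overlay/**/merged/,` is needed before the inline `umount` can succeed. The profile body continues past the hunk.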
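Review bot: the `fusermount` child profile in fuseiso loses `@{bin}/fusermount{,3} mr,` together with the explicit capabilities, `/etc/fuse.conf`, `@{PROC}/@{pid}/mounts` and `/dev/fuse`, and the only replacement is a single stripped `include` line; a child profile entered via `Cx` must allow its own executable, so the transition now stands or falls with that abstraction providing the `mr` rule. If it does, a comment such as `include <...> # provides the fusermount exec, caps and /dev/fuse` (with the real abstraction name) on that line saves the next reader the lookup; if it does not, the exec into the child fails. The top-level `fusermount` profile on the next line makes the same capability-to-include swap but keeps `@{exec_path} mr`, so only the abstraction contents matter there.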
@@ -10,10 +10,7 @@ include
@{exec_path} = @{bin}/fusermount{,3}
profile fusermount @{exec_path} {
include
- include
-
- capability dac_read_search,
- capability sys_admin,
+ include
# Be able to mount ISO images
mount fstype={fuse,fuse.*} -> @{HOME}/*/,
@@ -33,10 +30,10 @@ profile fusermount @{exec_path} {
umount /tmp/.mount_*/,
umount @{run}/user/@{uid}/*/,
umount /var/tmp/flatpak-cache-*/*/,
+ umount /tmp/fsa/*/, # fsarchiver
@{exec_path} mr,
- /etc/fuse.conf r,
/etc/machine-id r,
/var/tmp/flatpak-cache-*/*/ r,
@@ -51,10 +48,6 @@ profile fusermount @{exec_path} {
@{run}/user/@{uid}/doc/ r,
- @{PROC}/@{pid}/mounts r,
-
- /dev/fuse rw,
-
include if exists
}
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 6cee42be9..65793364d 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -11,15 +11,16 @@ include
profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
include
include
- include
include
include
- include
- include
include
- include
include
include
+ include
include
+ include
include
+ include
+ include
capability dac_override,
capability dac_read_search,
@@ -38,16 +39,14 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
network netlink raw,
#aa:dbus own bus=system name=org.freedesktop.fwupd path=/
+ #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd
+ #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
+ #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,GetConnectionUnixProcessID}
- peer=(name=org.freedesktop.DBus, label=dbus-system),
-
- dbus send bus=system path=/org/freedesktop/UDisks2/Manager
- interface=org.freedesktop.UDisks2.Manager
- member=GetBlockDevices
- peer=(name=:*, label=udisksd),
+ dbus receive bus=system path=/
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesAdded
+ peer=(name=@{busname}, label=bluetoothd),
@{exec_path} mr,
@@ -58,8 +57,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/gpgsm rCx -> gpg,
/usr/share/fwupd/{,**} r,
- /usr/share/hwdata/*.ids r,
- /usr/share/mime/mime.cache r,
+ /usr/share/hwdata/* r,
+ /usr/share/libdrm/*.ids r,
+ /usr/share/misc/*.ids r,
/etc/fwupd/{,**} rw,
/etc/lsb-release r,
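Review bot: the removed `dbus send` rule to UDisks2 was scoped to `member=GetBlockDevices` on `/org/freedesktop/UDisks2/Manager`, whereas the replacement `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd` directive, as I understand the project's generator, expands to unrestricted send and receive rules for the whole bus name; the new `org.freedesktop.UPower` and `org.bluez.GattCharacteristic1` talk lines are equally broad. If that widening is what the Bluetooth- and battery-aware firmware plugins need, a short comment above the three directives saying so makes it deliberate rather than incidental. The explicit `dbus receive ... member=InterfacesAdded ... label=bluetoothd` rule that follows may already be covered by the bluez talk line; if it is, one of the two can go.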
@@ -69,36 +69,39 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
- /boot/{,**} r,
- /boot/EFI/*/.goutputstream-@{rand6} rw,
- /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
- /boot/EFI/*/fwupdx@{int}.efi rw,
+ @{efi}/{,**} r,
+ @{efi}/EFI/*/.goutputstream-@{rand6} rw,
+ @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw,
+ @{efi}/EFI/*/fwupdx@{int}.efi rw,
@{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
- /var/tmp/etilqs_@{hex16} rw,
+ @{MOUNTDIRS}/*/{,@{efi}/} r,
+ @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
+
owner /var/cache/fwupd/ rw,
owner /var/cache/fwupd/** rwk,
owner /var/lib/fwupd/ rw,
owner /var/lib/fwupd/** rwk,
- # In order to get to this file, the attach_disconnected flag has to be set
+ @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r,
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
@{sys}/**/ r,
@{sys}/devices/** r,
+ @{sys}/**/uevent r,
@{sys}/firmware/acpi/** r,
@{sys}/firmware/dmi/tables/DMI r,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/efi/** r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/dbx-@{uuid} rw,
@{sys}/firmware/efi/efivars/fwupd-* rw,
+ @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
@{sys}/kernel/security/lockdown r,
@{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
- @{sys}/**/uevent r,
@{sys}/power/mem_sleep r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@@ -107,7 +110,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
@{run}/motd.d/@{int}-fwupd* rw,
@{run}/motd.d/fwupd/{,**} rw,
@{run}/mount/utab r,
- @{run}/udev/data/* r,
+
+ @{run}/udev/data/+*:* r, # Identifies all subsystems
+ @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
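Review bot: `@{sys}/firmware/efi/efivars/dbx-@{uuid} rw,` and `@{sys}/firmware/efi/efivars/KEK-@{uuid} rw,` grant write access to the Secure Boot forbidden-signature database and key-exchange-key variables, a far more sensitive grant than the `Boot@{hex}`/`BootNext` entries around them, and the hunk gives no reason. A comment such as `# UEFI dbx / KEK updates delivered through LVFS` on those two lines (if that is the use case) records the intent and makes an audit of write-capable efivars rules quicker. The `/boot` to `@{efi}` rewrite and the new `@{MOUNTDIRS}/*/{,@{efi}/}` rules are consistent with each other; the profile body continues outside the hunk.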
@@ -129,9 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/dev/mei@{int} rw,
/dev/mem r,
/dev/mtd@{int} rw,
- /dev/sd[a-z]* r,
- /dev/tpm@{int} rw,
- /dev/tpmrm@{int} rw,
/dev/wmi/* r,
profile gpg flags=(attach_disconnected,complain) {
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index f599bbc1f..2d781a734 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -27,18 +27,24 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
network inet6 dgram,
network netlink raw,
- #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
+ #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/
@{exec_path} mr,
@{bin}/dbus-launch Cx -> bus,
@{bin}/pkttyagent Px,
+ /usr/share/terminfo/** r,
+
+ /etc/inputrc r,
/etc/machine-id r,
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
+ owner /var/lib/fwupd/ w,
+ owner /var/lib/fwupd/.cache/ w,
+
@{user_cache_dirs}/dconf/user rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/fwupd/ rw,
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 1de493892..561e1af61 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -33,7 +33,7 @@ profile gajim @{exec_path} {
@{bin}/ r,
@{sh_path} rix,
- @{bin}/ldconfig rix,
+ @{sbin}/ldconfig rix,
@{bin}/uname rix,
# To play sounds
@@ -73,7 +73,7 @@ profile gajim @{exec_path} {
owner @{user_cache_dirs}/gajim/** rwk,
owner @{user_cache_dirs}/farstream/ rw,
- owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw,
+ owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
@@ -86,7 +86,7 @@ profile gajim @{exec_path} {
# Silencer
deny /usr/share/gajim/** w,
- deny /usr/lib/python3/dist-packages/** w,
+ deny @{lib}/@{python_name}/dist-packages/** w,
profile ccache {
include
diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded
index 8f5067b77..eb2d3fc1e 100644
--- a/apparmor.d/profiles-g-l/gamemoded
+++ b/apparmor.d/profiles-g-l/gamemoded
@@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
@{lib}/gamemode/gpuclockctl ix,
@{lib}/gamemode/procsysctl ix,
- /etc/security/limits.d/ r,
- /etc/security/limits.d/@{int}-gamemode.conf r,
+ @{etc_ro}/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/@{int}-gamemode.conf r,
/etc/shells r,
@{sys}/devices/@{pci}/power_dpm_force_performance_level rw,
diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote
index e9f4d4e30..727bf8cdf 100644
--- a/apparmor.d/profiles-g-l/ganyremote
+++ b/apparmor.d/profiles-g-l/ganyremote
@@ -22,7 +22,7 @@ profile ganyremote @{exec_path} {
network inet6 stream,
@{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
@{bin}/ r,
@{sh_path} rix,
@@ -30,7 +30,7 @@ profile ganyremote @{exec_path} {
@{bin}/{,e}grep rix,
@{bin}/cut rix,
@{bin}/id rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which{,.debianutils} rix,
@{bin}/tr rix,
@{bin}/{m,g,}awk rix,
diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk
index 1357b03b6..b49e20570 100644
--- a/apparmor.d/profiles-g-l/gdisk
+++ b/apparmor.d/profiles-g-l/gdisk
@@ -7,7 +7,7 @@ abi ,
include
-@{exec_path} = @{bin}/gdisk
+@{exec_path} = @{sbin}/gdisk
profile gdisk @{exec_path} {
include
include
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
index b64c34a4b..04c9a33f2 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
@{exec_path} mr,
- @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
- @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
+ @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w,
+ @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w,
+ @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,
+ @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw,
/usr/share/gvfs/remote-volume-monitors/{,**} r,
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
new file mode 100644
index 000000000..d3df6f5f3
--- /dev/null
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer
+profile gdk-pixbuf-thumbnailer @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg
index df6613042..3ccfdec4a 100644
--- a/apparmor.d/profiles-g-l/ghc-pkg
+++ b/apparmor.d/profiles-g-l/ghc-pkg
@@ -6,7 +6,7 @@ abi ,
include
-@{exec_path} = @{bin}/ghc-pkg{,-*}
+@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version}
profile ghc-pkg @{exec_path} {
include
include
@@ -26,6 +26,8 @@ profile ghc-pkg @{exec_path} {
@{sys}/devices/system/node/ r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
include if exists
}
diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp
index a9be29bec..ad324e153 100644
--- a/apparmor.d/profiles-g-l/gimp
+++ b/apparmor.d/profiles-g-l/gimp
@@ -11,8 +11,12 @@ profile gimp @{exec_path} {
include
include
include
+ include
+ include
include
include
+ include
+ include
include
include
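Review bot: the two new `@{lib}/@{multiarch}/...` rules are not symmetric with the `@{lib}/gdk-pixbuf-@{version}/...` pair below them: the non-multiarch path keeps `{,*}/loaders.cache.* rw` for a temporary file plus `loaders.cache rw`, while the multiarch path gets only `loaders.cache w` and a directory `w`. If the tool writes the cache through a temp file and rename, which the surviving `loaders.cache.*` rule suggests, the multiarch case will be denied on the temp file; `@{lib}/@{multiarch}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw,` would mirror the other pair. Whether the directory `w` (create/remove of the loaders directory itself) is really needed is not evident from the hunk and deserves a comment.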
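Review bot: `@{PROC}/@{pid}/task/@{tid}/comm rw,` in the ghc-pkg hunk lacks the `owner` qualifier that the project puts on comparable per-process `@{PROC}` rules elsewhere in this diff (e.g. `owner @{PROC}/@{pid}/task/@{tid}/stat r` in the gimp hunk), so as far as AppArmor is concerned the rule also permits writing the thread names of other users' processes. Since ghc-pkg only needs to rename its own threads, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` is the narrower and consistent form.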
@@ -23,21 +27,36 @@ profile gimp @{exec_path} {
@{exec_path} mr,
- @{lib}/gimp/*/plug-ins/** rix,
+ @{python_path} rix,
+ @{bin}/env rix,
+ @{bin}/gimp-debug-tool-3.0 rix,
+ @{bin}/gimp-script-fu-interpreter-* rix,
+ @{bin}/gjs-console rix,
+ @{bin}/lua rix,
+ @{lib}/gimp/@{version}/extensions/*/* rix,
+ @{lib}/gimp/*/plug-ins/** rix,
@{bin}/xsane-gimp rPx,
@{open_path} rPx -> child-open-help,
+ @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w,
+
/usr/share/gimp/{,**} r,
/usr/share/mypaint-data/{,**} r,
+ /usr/share/poppler/{,**} r,
/usr/share/xml/iso-codes/{,**} r,
+ /etc/fstab r,
/etc/gimp/{,**} r,
+ owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
+ owner @{user_documents_dirs}/{,**} rw,
owner @{user_pictures_dirs}/{,**} rw,
owner @{user_work_dirs}/{,**} rw,
+ owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,
owner @{user_cache_dirs}/babl/{,**} rw,
owner @{user_cache_dirs}/gegl-*/{,**} r,
owner @{user_cache_dirs}/gegl-*/{,**} r,
@@ -52,6 +71,19 @@ profile gimp @{exec_path} {
owner @{tmp}/gimp/{,**} rw,
+ @{run}/mount/utab r,
+
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
include if exists
}
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 71bace3c3..01b491b98 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
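Review bot: `owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,` has a doubled slash; the parser collapses repeated slashes as far as I know, but next to its single-slash siblings it reads as a typo, so `owner @{user_cache_dirs}/thumbnails/normal/gimp-thumb* rw,` is clearer. `@{bin}/gimp-debug-tool-3.0 rix,` hard-codes the version while the rules around it use `@{version}` and `*`; `@{bin}/gimp-debug-tool-@{version} rix,` would match the rest. The block of interpreters executed inline (`@{python_path}`, `@{bin}/env`, `@{bin}/gjs-console`, `@{bin}/lua`) means every plug-in script runs with gimp's full profile, including the write access to the documents, screenshots and wallpapers directories added in the same hunk; a one-line comment stating that this is intentional for plug-ins would help the next reviewer.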
@@ -38,6 +38,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
deny /usr/local/games/ r,
deny /var/lib/flatpak/exports/bin/ r,
deny owner @{HOME}/.go/bin/ r,
+ deny owner @{HOME}/bin/ r,
deny owner @{user_bin_dirs}/ r,
# These are needed for "git submodule update"
@@ -64,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
@{pager_path} rPx -> child-pager,
+ @{bin}/gh rPUx,
@{bin}/man rPx,
@{bin}/meld rPUx,
@{lib}/code/extensions/git/dist/askpass.sh rPx,
@@ -115,6 +117,8 @@ profile git @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/.git_vtag_tmp@{rand6} r,
+ owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,
+
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists
@@ -132,17 +136,20 @@ profile git @{exec_path} flags=(attach_disconnected) {
network netlink raw,
@{bin}/ssh mr,
+ @{bin}/ksshaskpass ix,
+ @{lib}/code/extensions/git/dist/ssh-askpass.sh Px,
@{etc_ro}/ssh/ssh_config.d/{,*} r,
@{etc_ro}/ssh/ssh_config r,
- owner @{HOME}/@{XDG_SSH_DIR}/* r,
+ owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,
owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
owner @{tmp}/ssh-*/agent.@{int} rw,
+ owner @{run}/user/@{uid}/keyring/ssh rw,
owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg
index ff5e12444..d668fbfd2 100644
--- a/apparmor.d/profiles-g-l/gitg
+++ b/apparmor.d/profiles-g-l/gitg
@@ -10,10 +10,10 @@ include
profile gitg @{exec_path} {
include
include
- include
include
include
include
+ include
include
network inet dgram,
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index e5cbf1959..aabde9cef 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
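Review bot: `@{bin}/ksshaskpass ix,` executes the KDE askpass helper inline in the ssh child profile, while the neighbouring `@{lib}/code/extensions/git/dist/ssh-askpass.sh Px` and the parent profile's `askpass.sh rPx` both transition to a dedicated profile; a GUI helper that talks to the wallet is a poor fit for the ssh profile's rule set and will inherit its read access to `@{HOME}/@{XDG_SSH_DIR}/{,*}`. If a `ksshaskpass` profile exists, `@{bin}/ksshaskpass rPx,` keeps the style consistent; otherwise `rPUx` with a comment on why unconfined is acceptable is the lesser evil. The ssh child profile's opening line is outside the hunk.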
@@ -6,18 +6,25 @@ abi ,
include
-@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}
+@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*}
profile gitstatusd @{exec_path} {
include
+ include
+
+ signal receive set=term peer=*//shell,
+ signal receive set=term peer={,vs}code,
@{exec_path} mr,
owner @{user_projects_dirs}/{,**} r,
- owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw,
+ owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw,
owner @{HOME}/.gitconfig r,
owner @{user_config_dirs}/git/{,*} r,
+ owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r,
+
# Silencer
deny capability dac_read_search,
deny capability dac_override,
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas
index fcabd84c3..59c56bb12 100644
--- a/apparmor.d/profiles-g-l/glib-compile-schemas
+++ b/apparmor.d/profiles-g-l/glib-compile-schemas
@@ -6,7 +6,7 @@ abi ,
include
-@{exec_path} = @{bin}/glib-compile-schemas
+@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas
profile glib-compile-schemas @{exec_path} {
include
include
diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears
index 1e27790df..cfd9f0dac 100644
--- a/apparmor.d/profiles-g-l/glxgears
+++ b/apparmor.d/profiles-g-l/glxgears
@@ -25,6 +25,7 @@ profile glxgears @{exec_path} {
@{exec_path} mr,
owner @{HOME}/.Xauthority r,
+ owner @{run}/user/@{uid}/xauth_@{rand6} r,
include if exists
}
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index 93e65f0a2..d74945777 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
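Review bot: `@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}` attaches the profile to a binary that lives in a user-writable directory, which is unusual for this file set and deserves a comment; presumably the powerlevel10k theme downloads `gitstatusd` into the cache on first use, so this attachment is what keeps that downloaded binary confined at all. `# powerlevel10k downloads gitstatusd into the user cache on first run` above the line would say so. Keeping the packaged path on the `@{exec_path} +=` line is the right way to cover both cases.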
@@ -7,42 +7,36 @@ abi ,
include
-@{exec_path} = @{bin}/gparted
-profile gparted @{exec_path} {
+@{exec_path} = @{sbin}/gparted
+profile gparted @{exec_path} flags=(attach_disconnected) {
include
+ include
- ptrace (read),
+ ptrace read,
@{exec_path} r,
- @{bin}/ r,
+ @{bin}/ r,
+ @{coreutils_path} rix,
@{sh_path} rix,
- @{bin}/{,e}grep rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/cut rix,
- @{bin}/id rix,
- @{bin}/ls rix,
- @{bin}/mkdir rix,
- @{bin}/pidof rix,
- @{bin}/rm rix,
- @{bin}/sed rix,
- @{bin}/touch rix,
- @{bin}/gpartedbin rPx,
+ @{sbin}/killall5 rCx -> killall,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/udevadm rCx -> udevadm,
+
+ @{bin}/pidof rPx,
+ @{bin}/pkexec rPx,
+ @{bin}/ps rPx,
+ @{bin}/xhost rPx,
+
+ @{sbin}/gpartedbin rPx,
@{lib}/gparted/gpartedbin rPx,
@{lib}/gpartedbin rPx,
@{lib}/{,udisks2/}udisks2-inhibit rix,
+ @{run}/udev/rules.d/ rw,
- @{run}/udev/rules.d/90-udisks-inhibit.rules rw,
-
- @{bin}/udevadm rCx -> udevadm,
- @{bin}/killall5 rCx -> killall,
-
- @{bin}/ps rPx,
- @{bin}/xhost rPx,
- @{bin}/pkexec rPx,
- @{bin}/systemctl rCx -> systemctl,
+ @{run}/udev/rules.d/@{int}-*.rules rw,
# For shell pwd
/ r,
@@ -57,7 +51,6 @@ profile gparted @{exec_path} {
# file_inherit
owner /dev/tty@{int} rw,
-
profile udevadm {
include
include
@@ -78,13 +71,11 @@ profile gparted @{exec_path} {
ptrace (read),
- @{bin}/killall5 mr,
+ @{sbin}/killall5 mr,
- # The /proc/ dir is needed to avoid the following error:
- # /proc: Permission denied
- @{PROC}/ r,
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/cmdline r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/cmdline r,
include if exists
}
@@ -93,6 +84,8 @@ profile gparted @{exec_path} {
include
include
+ capability net_admin,
+
include if exists
}
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index e56bb5733..35dc03584 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
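Review bot: `@{run}/udev/rules.d/@{int}-*.rules rw,` replaces the precise `@{run}/udev/rules.d/90-udisks-inhibit.rules rw,` and lets gparted create or rewrite any numbered runtime udev rules file, which is broader than the single inhibit rule it needs (udev rules can run arbitrary programs as root). If only the numeric prefix varies across distributions, `@{run}/udev/rules.d/@{int}-udisks-inhibit.rules rw,` keeps the old scope. In the `systemctl` child profile at the end of the file, `capability net_admin,` is added without a comment, and it is not obvious why a systemctl call would need it; the same hunk's `@{coreutils_path} rix` is a sensible replacement for the long list of individual coreutils it removes.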
@@ -7,14 +7,16 @@ abi ,
include
-@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
-profile gpartedbin @{exec_path} {
+@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin
+profile gpartedbin @{exec_path} flags=(attach_disconnected) {
include
include
include
include
include
+ include
+ capability dac_override,
capability dac_read_search,
capability ipc_lock,
capability sys_admin,
@@ -28,43 +30,45 @@ profile gpartedbin @{exec_path} {
@{sh_path} rix,
- @{bin}/blkid rPx,
- @{bin}/dmidecode rPx,
- @{bin}/hdparm rPx,
+ @{sbin}/blkid rPx,
+ @{sbin}/dmidecode rPx,
+ @{sbin}/hdparm rPx,
@{bin}/kmod rPx,
@{bin}/mount rCx -> mount,
@{bin}/udevadm rCx -> udevadm,
@{bin}/umount rCx -> umount,
- @{bin}/btrfs rPx,
- @{bin}/btrfstune rPx,
- @{bin}/dmraid rPUx,
- @{bin}/dmsetup rPUx,
- @{bin}/dumpe2fs rPx,
- @{bin}/e2fsck rPx,
- @{bin}/e2image rPx,
- @{bin}/fsck.btrfs rPx,
- @{bin}/fsck.fat rPx,
- @{bin}/lvm rPUx,
- @{bin}/mdadm rPUx,
- @{bin}/mke2fs rPx,
- @{bin}/mkfs.* rPx,
- @{bin}/mkntfs rPx,
- @{bin}/mkswap rPx,
+ @{sbin}/btrfs rPx,
+ @{sbin}/btrfstune rPx,
+ @{sbin}/dmraid rPUx,
+ @{sbin}/dmsetup rPUx,
+ @{sbin}/dumpe2fs rPx,
+ @{sbin}/e2fsck rPx,
+ @{sbin}/e2image rPx,
+ @{sbin}/fsck.* rPUx,
+ @{sbin}/lvm rPUx,
+ @{sbin}/mdadm rPUx,
+ @{sbin}/mke2fs rPx,
+ @{sbin}/mkfs.* rPUx,
+ @{sbin}/mkntfs rPx,
+ @{sbin}/mkswap rPx,
@{bin}/mtools rPx,
@{bin}/ntfsinfo rPx,
- @{bin}/ntfslabel rPx,
- @{bin}/ntfsresize rPx,
- @{bin}/resize2fs rPx,
- @{bin}/swaplabel rPx,
- @{bin}/swapoff rPx,
- @{bin}/swapon rPx,
- @{bin}/tune2fs rPx,
- @{bin}/xfs_io rPUx,
+ @{sbin}/ntfslabel rPx,
+ @{sbin}/ntfsresize rPx,
+ @{sbin}/resize2fs rPx,
+ @{sbin}/swaplabel rPx,
+ @{sbin}/swapoff rPx,
+ @{sbin}/swapon rPx,
+ @{bin}/tune.* rPUx,
+ @{sbin}/tune2fs rPx,
+ @{sbin}/xfs_io rPUx,
@{open_path} rPx -> child-open,
+ /etc/fstab r,
+
@{HOME}/.Xauthority r,
owner @{HOME}/*.htm w,
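Review bot: `@{sbin}/fsck.* rPUx,`, `@{sbin}/mkfs.* rPUx,` and the new `@{bin}/tune.* rPUx,` switch the glob helpers from `rPx` to `rPUx`, so any filesystem tool without its own profile now runs unconfined, as root since gpartedbin is, where the old `fsck.btrfs`/`fsck.fat`/`mkfs.*` lines denied it. If that fallback is deliberate, a comment such as `# fall back to unconfined for fs tools that have no profile yet` above the three lines records it; if not, keep `rPx` and list the profiled tools as before. The single-tool rules (`@{sbin}/mke2fs rPx`, `@{sbin}/tune2fs rPx`) still use `rPx`, so the inconsistency is worth stating either way; the profile body continues outside the hunk.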
@@ -88,7 +92,7 @@ profile gpartedbin @{exec_path} {
mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,
- mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
+ mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/,
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,
@@ -104,7 +108,7 @@ profile gpartedbin @{exec_path} {
umount /tmp/gparted-*/,
- umount /boot/,
+ umount @{efi}/,
umount @{MOUNTS}/,
umount @{MOUNTS}/*/,
diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo
index 4088f51fb..46ff3eec5 100644
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@@ -11,10 +11,11 @@ include
profile gpo @{exec_path} {
include
include
- include
include
- include
+ include
+ include
include
+ include
network inet dgram,
network inet6 dgram,
@@ -22,7 +23,7 @@ profile gpo @{exec_path} {
network inet6 stream,
@{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
@{bin}/ r,
@{sh_path} rix,
@@ -36,8 +37,6 @@ profile gpo @{exec_path} {
owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk,
- owner /var/tmp/etilqs_@{hex16} rw,
-
owner @{PROC}/@{pid}/fd/ r,
include if exists
diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder
index ec1adabe4..e60034172 100644
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@@ -14,6 +14,7 @@ profile gpodder @{exec_path} {
include
include
include
+ include
include
include
@@ -24,7 +25,7 @@ profile gpodder @{exec_path} {
network netlink raw,
@{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
@{bin}/ r,
@{sh_path} rix,
@@ -47,8 +48,6 @@ profile gpodder @{exec_path} {
owner @{HOME}/gPodder/ rw,
owner @{HOME}/gPodder/** rwk,
- owner /var/tmp/etilqs_@{hex16} rw,
-
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres
index 11896a26c..55033d107 100644
--- a/apparmor.d/profiles-g-l/gpodder-migrate2tres
+++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres
@@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} {
include
@{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
@{bin}/ r,
@{sh_path} rix,
diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager
index 8cc49acdf..0ad848c50 100644
--- a/apparmor.d/profiles-g-l/gpu-manager
+++ b/apparmor.d/profiles-g-l/gpu-manager
@@ -16,15 +16,16 @@ profile gpu-manager @{exec_path} {
@{exec_path} mr,
- @{sh_path} rix,
- @{bin}/grep rix,
+ @{sh_path} rix,
+ @{bin}/{,e}grep rix,
/etc/modprobe.d/{,**} r,
- /usr/lib/modprobe.d/{,**} r,
+ @{lib}/modprobe.d/{,**} r,
/var/lib/ubuntu-drivers-common/* rw,
/var/log/gpu-manager.log w,
+ /var/log/gpu-manager-switch.log w,
@{sys}/devices/@{pci}/boot_vga r,
@{sys}/module/compression r,
diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim
new file mode 100644
index 000000000..5717837ec
--- /dev/null
+++ b/apparmor.d/profiles-g-l/grim
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/grim
+profile grim @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ owner @{HOME}/@{int8}_**_grim.png w,
+
+ owner /dev/shm/grim-@{rand6} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index 4ac891769..9b8eca8ee 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -7,14 +7,15 @@ abi ,
include
@{exec_path} = @{bin}/gsettings
-profile gsettings @{exec_path} {
+profile gsettings @{exec_path} flags=(attach_disconnected) {
include
include
+ include
include
+ include
@{exec_path} mr,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r,
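Review bot: in the new `grim` profile, `owner @{HOME}/@{int8}_**_grim.png w,` covers only grim's default output name (`YYYYMMDD_HHhMMmSSs_grim.png`) and only when it lands in the home directory; as far as I recall grim prefers `$XDG_PICTURES_DIR` (or `$GRIM_DEFAULT_DIR`) when set, and an explicit output path given on the command line matches nothing here, so both will be denied. Adding `owner @{user_pictures_dirs}/@{int8}_**_grim.png w,` next to it and a comment such as `# default output name; explicit paths are not covered` would make the supported scope explicit. Writing to stdout involves no file rule and is unaffected.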
@@ -22,7 +23,13 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 5d04e33fb..988c547f0 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{bin}/smartctl Px, + @{sbin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{bin}/update-smart-drivedb rPx, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 10c1f445b..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 46aece91a..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include 
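Review bot: The rule `deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf` in the gsettings hunk skips every config directory whose name starts with `d` (dbus, discord, …), not only `dconf/`, so the comment promises more than the glob delivers. Because these rules sit under `# file_inherit` and only silence audit noise rather than grant anything, the gap does not weaken confinement, but the next maintainer will read the comment as authoritative. Either reword it, `deny owner @{user_config_dirs}/[^d]*/** rw, # all but d* (dconf/ must stay allowed)`, or narrow the exception with a second pattern such as `deny owner @{user_config_dirs}/d[^c]*/** rw,`, accepting that AppArmor globbing cannot express a clean negative match.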
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779ae..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 029e542ee..0b9075bc1 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -25,7 +25,6 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index f91887297..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,15 +38,15 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{bin}/python3.@{int} rix, - @{bin}/route rix, - @{bin}/ruby[0-9].@{int} rix, + @{python_path} rix, + @{sbin}/route rix, + @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, 
@@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp 
@@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 606540bb9..53e520509 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,12 +7,12 @@ abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d9..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host 
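Review bot: The hddtemp hunk grants `capability sys_admin,` where the previous profile carried an explicit `deny capability sys_admin,` with a comment stating that the HDIO_DRIVE_CMD ioctl is covered by CAP_SYS_RAWIO and that hddtemp works fine without it; the commit deletes that reasoning but offers none for the reversal. CAP_SYS_ADMIN is the broadest capability a profile can hand out, so either keep the deny or record what now trips it, e.g. `# sys_admin: required for <denial seen in aa-log>; CAP_SYS_RAWIO alone is not enough`. The removed `/dev/sd[a-z]* r` is replaced by an include whose name is not legible in this extract — presumably a disk-read abstraction; confirm it also covers NVMe and virtio block devices, which the old rule never did.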
@@ -18,13 +18,15 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 326d156ef..7e87173cc 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} -profile hostname @{exec_path} { +profile hostname @{exec_path} flags=(attach_disconnected) { include include include @@ -16,11 +16,14 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, + owner /dev/tty@{int} rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index 6bb737ca0..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, @@ -37,10 +37,17 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, + owner @{user_config_dirs}/git/*config r, + owner @{user_config_dirs}/go/telemetry/mode r, + owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/hugepages/ r, + + @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } 
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f5c1ecdd6..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -19,13 +18,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network inet6 dgram, @{exec_path} rm, - @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, @@ -35,35 +33,26 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, - @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/kmod rCx -> kmod, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @@ -71,10 +60,8 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, 
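Review bot: The hunk removes `@{bin}/ethtool rCx -> netconfig`, `@{bin}/ifconfig rCx -> netconfig`, `@{bin}/iw rCx -> netconfig` and `@{bin}/iwconfig rCx -> netconfig` without adding any replacement, and the later hunk that adds the `@{sbin}` entries (biosdecode, dkms, dmidecode, fdisk, hdparm, hwinfo, rfkill, smartctl) does not list these four either, while this same commit relocates the iw, iwconfig and ifconfig profiles to `@{sbin}`. Unless an include not legible here covers them, hw-probe's network probing will now be denied at exec time; if the standalone profiles are meant to take over, add `@{sbin}/ifconfig rPx,`, `@{sbin}/iw rPx,`, `@{sbin}/iwconfig rPx,` (and ethtool at whichever path it lives) next to the other `@{sbin}` rules. Separately, `@{bin}/vulkaninfo rPUx,` is placed above `@{bin}/acpi rPx` outside the sorted list, and `PUx` runs the tool unconfined whenever no vulkaninfo profile is loaded — a one-line comment stating that fallback is intended would help.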
@@ -84,12 +71,23 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -99,19 +97,34 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability syslog, + + @{sys}/module/{,**} r, + + include if exists + } + + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } + profile pacman flags=(attach_disconnected) { include include @@ -159,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, 
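Review bot: `@{bin}/boltctl rPUx,` is inserted between `@{sbin}/hdparm rPx,` and `@{sbin}/hwinfo rPx,`, breaking the sorted `@{sbin}` run the hunk otherwise builds; move it up with the `@{bin}` entries so the two groups stay separate. It also uses `PUx`, meaning boltctl runs unconfined when no boltctl profile is loaded; if that is deliberate, say so (`# boltctl: no dedicated profile yet`), otherwise `rPx` fails closed. In the next hunk the new `profile kmod` child grants `capability syslog,` — I cannot see from the diff which modprobe/kmod call needs it, so a why-comment there is warranted before granting a capability that exposes the kernel ring buffer.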
@@ -192,31 +208,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index e7bf2937c..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include @@ -27,9 +27,10 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index be18726a0..ce1ad519b 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix 
@@ -31,10 +31,10 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index 78c5081d6..b192856d2 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -52,8 +52,8 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 mr, @{bin}/scrot mr, - /usr/share/ImageMagick-[0-9]/*.xml r, - /etc/ImageMagick-[0-9]/*.xml r, + /usr/share/ImageMagick-@{int}/*.xml r, + /etc/ImageMagick-@{int}/*.xml r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index 03c8650dd..d46374984 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -16,7 +16,7 @@ profile iceauth @{exec_path} { owner @{tmp}/.xfsm-ICE-@{rand6} r, owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 5bebad691..48181e130 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ifconfig +@{exec_path} = @{sbin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop new file mode 100644 index 000000000..232aff538 --- /dev/null +++ b/apparmor.d/profiles-g-l/iftop @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/iftop +profile iftop @{exec_path} { + include + include + include + + capability net_raw, + + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet raw, + + @{exec_path} mr, + + /usr/share/terminfo/** r, + + owner @{HOME}/.iftoprc r, + + # When running in promiscuous mode + @{sys}/devices/**/net/*/statistics/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index aac25b811..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -20,7 +20,7 @@ profile ifup @{exec_path} { @{sh_path} rix, @{bin}/ip rix, - @{bin}/route rix, + @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index c5c4aa276..04abb7e0c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch 
@@ -22,6 +22,7 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, + @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 074b4e735..199483f4f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 1b27d1a4e..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index 8ea351857..facd2fa3b 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver 
@@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index eafcab799..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -20,7 +20,6 @@ profile inxi @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{bin}/ r, @{sh_path} rix, @@ -44,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -57,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index c53b4656d..8ea787ea6 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop 
@@ -10,32 +10,28 @@ include
 @{exec_path} = @{bin}/iotop
 profile iotop @{exec_path} {
 include
- include
 include
+ include
- # Needed?
- audit deny capability net_admin,
-
- # To set processes' priorities
 capability sys_nice,
- @{exec_path} r,
- @{bin}/python3.@{int} r,
+ network netlink raw,
- @{bin}/file rix,
+ @{exec_path} r,
 @{bin}/ r,
+ @{bin}/file rix,
+ @{python_path} r,
+
+ /etc/magic r,
 @{PROC}/ r,
- @{PROC}/vmstat r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/task/ r,
 @{PROC}/sys/kernel/pid_max r,
-
- # For file
- /etc/magic r,
+ @{PROC}/vmstat r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 1c870d94e..0a27c4b59 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -20,25 +20,31 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- mount options=(rw, bind, rshared) -> /{var/,}run/netns/,
- mount options=(rw, rslave) -> /,
- mount options=(rw, bind) / -> /{var/,}run/netns/*,
- mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,
- mount fstype=sysfs -> /sys/,
+ mount fstype=sysfs -> @{sys},
+ mount options=(rw bind) / -> @{run}/netns/*,
+ mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/,
+ mount options=(rw, bind) @{att}/ -> @{run}/netns/*,
+ mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf,
+ mount options=(rw, rshared) -> @{run}/netns/,
+ mount options=(rw, rslave) -> /,
 umount @{run}/netns/*,
- umount /sys/,
+ umount @{sys},
 @{exec_path} mrix,
- @{sh_path} rix,
- / r,
+ # To run command with 'ip netns exec'
+ @{shells_path} rUx,
+ @{bin}/sudo rPx,
+
+ @{att}/ r,
 /etc/iproute2/{,**} r,
 /etc/netns/*/ r,
 /usr/share/iproute2/{,**} r,
+ @{run}/netns/ r,
 @{run}/netns/* rw,
 owner @{run}/netns/ rwk,
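Review bot: `@{shells_path} rUx,` in the ip hunk turns `ip netns exec NS sh` into an unconfined shell, and every profile allowed to `Px` into ip inherits that escape route; the comment `# To run command with 'ip netns exec'` explains the feature but not the trade-off. A child profile that keeps the shell confined (`@{shells_path} rCx -> netns,` with `rix` for the shell and explicit transitions for the few tools expected inside a namespace) would close this, and if `rUx` is kept the rule needs a warning above it, e.g. `# Unconfined on purpose: 'ip netns exec' runs arbitrary commands; any profile that Px to ip can reach this`. Minor: the new mount rules mix `options=(rw bind)` and `options=(rw, bind)`; pick one spelling. The ip profile's closing brace lies outside this hunk.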
diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index ff7f1c799..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -13,7 +13,6 @@ profile ipcalc @{exec_path} { include @{exec_path} r, - @{bin}/perl r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index fec2d7c93..022dc92d5 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/irqbalance +@{exec_path} = @{sbin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot new file mode 100644 index 000000000..8c18782f9 --- /dev/null +++ b/apparmor.d/profiles-g-l/ischroot @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ischroot +profile ischroot @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + /var/lib/update-notifier/tmp.@{rand10} w, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 3602a1a1e..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/issue-generator +@{exec_path} = @{sbin}/issue-generator profile issue-generator @{exec_path} { include include @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, 
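Review bot: `/var/lib/update-notifier/tmp.@{rand10} w` in the new ischroot profile looks like a file descriptor inherited from a caller (update-notifier redirecting output) rather than a file ischroot opens itself — the tool only needs `@{PROC}/@{pid}/mountinfo r` to answer its question. If that is the case, label it the way this commit labels such rules elsewhere, `# file_inherit` as in gsettings, so nobody later widens it into a grant for the whole directory. Also `@{PROC}/@{pid}/mountinfo r` is not `owner`-qualified even though the profile is `attach_disconnected`; `owner @{PROC}/@{pid}/mountinfo r,` matches the pattern hugo and gpodder use in this same diff.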
@@ -28,9 +29,9 @@ profile issue-generator @{exec_path} { /etc/sysconfig/issue-generator r, @{run}/agetty.reload w, - @{run}/issue r, + @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 8639b8aad..631b0b9d1 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iw +@{exec_path} = @{sbin}/iw profile iw @{exec_path} { include @@ -21,7 +21,7 @@ profile iw @{exec_path} { @{exec_path} mr, - @{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r, + @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 962b4ab23..ec6b9a46b 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 298c94688..b89af77b9 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 3a1e504a8..000000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null 
@@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index eb51b1239..618ac14e7 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -18,8 +18,7 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - owner @{tmp}/tmp* rw, - owner @{tmp}/#@{int} rw, + /etc/magic r, # Mount points owner @{HOME}/*/ r, 
@@ -27,36 +26,20 @@ profile jmtpfs @{exec_path} { owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - - /etc/magic r, - - /dev/fuse rw, - + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, profile fusermount { include - include - - # To mount anything: - capability sys_admin, - - # - capability dac_read_search, - - @{bin}/fusermount{,3} mr, + include mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - /etc/fuse.conf r, - - /dev/fuse rw, - - @{PROC}/@{pid}/mounts r, + umount @{HOME}/*/, + umount @{HOME}/*/*/, + umount @{user_cache_dirs}/*/*/, include if exists } diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 0e27fa5ae..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 743da77a1..947cfabd1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -13,13 +13,13 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 000000000..ccc0a2b25 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy 
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/kdestroy
+profile kdestroy @{exec_path} {
+ include
+ include
+
+ #Allow root to destroy other users' creds cache
+ capability dac_override,
+
+ @{exec_path} mr,
+
+ #Credentials cache
+ /tmp/krb5cc_* rwk,
+ /tmp/tkt* rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
new file mode 100644
index 000000000..75c536612
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdump-config
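Review bot: The credential-cache rules `/tmp/krb5cc_* rwk,` and `/tmp/tkt* rwk,` in the new kdestroy profile hard-code `/tmp`, whereas the rest of this diff writes temp paths as `@{tmp}` (hugo, jmtpfs, hwinfo); use `@{tmp}/krb5cc_* rwk,` and `@{tmp}/tkt* rwk,` so per-user tmp layouts remain covered. Omitting `owner` here is deliberate and paired with `capability dac_override,` so root can clean other users' caches, but the comment should say that explicitly and use the `# ` spacing the tree uses elsewhere: `# No owner + dac_override: root may destroy other users' credential caches`. Only FILE: caches are covered; if DIR: or KEYRING/KCM caches are in scope for the target distributions — I cannot tell from the hunk — they need their own rules.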
@@ -0,0 +1,110 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} flags=(attach_disconnected) { + include + + capability sys_admin, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/flock ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, + @{bin}/rev ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + @{efi}/* r, + + owner 
/var/lib/kdump/* r, + + @{PROC}/iomem r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..7767831a8 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..5f85af3fe --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + ptrace read peer=@{p_systemd}, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
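Review bot: The top-level `capability sys_admin,` near the start of the new kdump-config profile carries no comment saying which operation needs it, while the tools that obviously need elevated rights (`kexec`, `sysctl`, `systemctl`) already run in child profiles with their own capabilities. Please document the parent's need (e.g. `# For ... — TODO confirm from audit log`) or drop it if the audit log shows no denial without it. The `kexec` child likewise grants `capability sys_admin,` next to `capability sys_boot,`; a short comment on why both are required there would help a later reviewer avoid trimming the wrong one.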
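Review bot: `@{bin}/uname ix,` appears twice in the new kdump_mem_estimator profile, once before and once after `@{bin}/systemctl Cx -> systemctl,`; drop the second occurrence. Duplicate rules are accepted by the parser, but they make the rule set harder to diff and hide real changes in later reviews.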
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index f48113b02..de95d3c9f 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -48,10 +48,10 @@ profile keepassxc @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, - owner @{user_password_store_dirs}/#@{int} rw, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/*.csv rw, + owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, + owner @{user_passwordstore_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, @@ -83,12 +83,13 @@ profile keepassxc @{exec_path} { owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - @{PROC}/@{pids}/comm r, - @{PROC}/modules r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, + @{PROC}/modules r, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/shm/#@{int} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 000000000..c46b5556e --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel 
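Review bot: The second keepassxc hunk turns two previously explicit denials, `deny @{PROC}/sys/kernel/random/boot_id r,` and `deny owner @{PROC}/@{pid}/cmdline r,`, into allow rules without a comment explaining why; `boot_id` is a stable per-boot identifier and the earlier `deny` looked deliberate. If KeePassXC now genuinely needs them (the hunk also adds `@{PROC}/@{pid}/stat r,`), record that with a comment such as `# Needed by <feature> — TODO confirm against the audit log`; otherwise keep the `deny` lines. The first hunk's rename to `@{user_passwordstore_dirs}` assumes that variable exists in the tunables, which are not part of this diff.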
@@ -0,0 +1,80 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* +@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* +profile kernel @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rCx -> kmod, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/apt-config rPx, + @{bin}/bootctl rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + @{sbin}/dkms rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-initramfs rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + @{efi}/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124..dede5da41 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install 
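Review bot: The `kmod` child in the new kernel profile grants `capability sys_module,` without a comment, whereas the `kmod` children added for kernel-install and kernel-postinst-kdump elsewhere in this series do not; since this profile attaches to every script under `/etc/kernel/{,header_}postinst.d/`, `postrm.d/`, `preinst.d/` and `prerm.d/`, please document which hook actually loads a module (e.g. `# For <hook> — TODO confirm`) or drop the capability if only depmod-style access is needed. The explicit `/etc/kernel/header_postinst.d/* r,` and `/etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,` lines are already covered by `@{exec_path} mr,` at the top of the profile; if they are kept so hooks can read their siblings, a comment saying so would clarify the intent.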
@@ -11,22 +11,20 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_rawio, + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - - @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - - @{pager_path} rPx -> child-pager, + @{coreutils_path} rix, @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{pager_path} rPx -> child-pager, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,27 +35,39 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @{lib}/modules/*/modules.* w, - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + / r, + + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, + + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 000000000..eb17c5355 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump 
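Review bot: The first kernel-install hunk adds `capability sys_rawio,`, `capability sys_resource,` and `ptrace read peer=@{p_systemd},`, and the second adds `@{PROC}/1/environ r,`, none with a comment; `sys_rawio` in particular is a broad grant for a script that mostly copies files under `@{efi}`. Please add a one-line justification for each (e.g. `# For <tool> — TODO confirm from audit log`) or move the capability into a child profile for the helper that triggers it. The second hunk also replaces the `owner`-qualified `/boot/[a-f0-9]*/*/ rw,` rules with an unqualified `@{efi}/@{hex32}/** rw,`; if `@{efi}` is a FAT ESP the qualifier adds little, but a note that the drop was intentional would help. The profile's closing brace is outside the hunk.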
@@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/postinst.d/kdump-tools +profile kernel-postinst-kdump @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cp rix, + @{bin}/du rix, + @{bin}/find rix, + @{bin}/kmod rCx -> kmod, + @{bin}/ischroot rPx, + @{bin}/linux-version rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sync rix, + @{bin}/cut rix, + @{sbin}/mkinitramfs rPx, + + / r, + + /etc/initramfs-tools/{,**} r, + + owner /var/lib/kdump/** rw, + + owner /tmp/tmp.@{rand10}/ rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + profile kmod { + include + include + + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 815fa4e38..70c8b9460 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kerneloops +@{exec_path} = @{sbin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 8f5e66cbc..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet 
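Review bot: `@{bin}/cut rix,` sits after `@{bin}/sync rix,` in the new kernel-postinst-kdump profile, breaking the alphabetical order the rest of the rule list keeps; move it up after `@{bin}/cp rix,`. Style only; the temporary-directory rules match the ones in the kdump-config profile added earlier in this series, which is good for consistency.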
@@ -10,8 +10,10 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include + include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 102b75d83..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..706a11c10 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..f21f34295 --- /dev/null +++ b/apparmor.d/profiles-g-l/klist 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + include + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 08fc10c22..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -28,17 +28,13 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -48,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build 
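Review bot: The new klist profile grants both `capability dac_override,` and `capability dac_read_search,`, but every file rule in it is read/lock only (`rk`); `dac_read_search` alone bypasses read and directory-search checks, so `dac_override` appears unnecessary unless klist opens the cache for writing, which the `rk` rules would deny anyway. Suggest dropping `capability dac_override,` and keeping the comment on the remaining capability, written as `# Allow root to list other users' creds cache` (with the space after `#`).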
@@ -66,14 +62,23 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index fc6a6ede5..9d6c9d1c2 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -30,11 +30,11 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index eb3d1cc80..f62e9ddf9 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kvm-ok +@{exec_path} = @{sbin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf52..ab624f099 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc 
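Review bot: The new `sysctl` child profile in the third kmod hunk lists the sysctl configuration files (`/etc/sysctl.conf r,`, `/etc/sysctl.d/{,**} r,`, `@{lib}/sysctl.d/{,**} r,`) but no `@{PROC}/sys/...` rule, so any value the child tries to apply would be denied unless the included abstraction (its target is not visible in this extract) provides it; compare the kdump-config `sysctl` child earlier in this series, which grants `@{PROC}/sys/kernel/panic_on_oops rw,`. Please check the audit log for the keys this invocation writes and add specific rules of the form `@{PROC}/sys/<subsystem>/<key> w,` rather than a wildcard. The kmod profile header is outside this hunk.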
@@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 52252882d..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include + include include include @@ -20,19 +21,24 @@ profile landscape-sysinfo @{exec_path} { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, 
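Review bot: The new `@{lib}/@{python_name}/**/__pycache__/**.pyc w,` rules (with the `.pyc.@{u64}` and directory variants) let landscape-sysinfo write compiled bytecode into the system-wide Python tree; that only makes sense when the tool runs as root, and nothing in the hunk says so. If this is for the root-run motd path via landscape-sysinfo.wrapper, a comment such as `# Bytecode writes when run as root from the motd wrapper — TODO confirm` would document it; otherwise consider dropping the rules, since Python carries on without a writable `__pycache__`. The switch of `@{bin}/who` from `rix` to `rPx` is a good tightening but relies on a `who` profile existing outside this diff.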
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e5c739bd5..056b2d83c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -9,12 +9,14 @@ include @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper profile landscape-sysinfo.wrapper @{exec_path} { include + include capability dac_override, capability fowner, capability fsetid, @{exec_path} mr, + @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, @@ -23,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, @@ -31,6 +33,8 @@ profile landscape-sysinfo.wrapper @{exec_path} { /var/lib/landscape/landscape-sysinfo.cache rw, + @{run}/motd.dynamic.new w, + @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79e..3d7383aef 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,10 +15,9 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 2198ad925..7e4feed45 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,13 +11,20 @@ include profile libreoffice @{exec_path} { include include + include include + include + include + include + include + include include include include include include include + include include include include 
@@ -30,14 +37,14 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 + #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, @@ -49,11 +56,12 @@ profile libreoffice @{exec_path} { @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, + @{lib}/libreoffice/program/xpdfimport rix, @{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, 
@@ -67,37 +75,47 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/java{,@{version}}-openjdk/{,**} r, + /etc/cups/ppd/*.ppd r, + /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, + /etc/papersize r, /etc/paperspecs r, /etc/xdg/* r, + /var/tmp/ r, + owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, + owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, - owner @{tmp}/@{rand6} rwk, - owner @{tmp}/*.tmp/{,**} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{hex} rw, + owner @{tmp}/@{rand6} rwk, + owner @{tmp}/@{u64} rw, + owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner 
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc8..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index a0c184032..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal 
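Review bot: The added `owner @{tmp}/@{hex} rw,` and `owner @{tmp}/@{u64} rw,` rules in the last libreoffice hunk match any owner-owned hex- or number-named file in `@{tmp}`, which is close to a wildcard on the temp directory; a comment naming what creates them (the `@{tmp}/.java_pid@{int}` and `hsperfdata_@{user}` lines beside them are recognisable, these are not) would make the grant reviewable. The same hunk drops `owner` from `@{tmp}/ r,` and widens the `OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex}` rule from `w` to `rw`; both are small but unexplained. The profile's closing brace is outside the hunk.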
@@ -8,46 +8,15 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include - include - include + include - @{exec_path} r, - @{bin}/perl r, + @{exec_path} rmix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{bin}/stty rix, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/linux-check-removal rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - include if exists - } + /etc/shadow r, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks new file mode 100644 index 000000000..b97a0305b --- /dev/null +++ b/apparmor.d/profiles-g-l/linux-update-symlinks @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linux-update-symlinks +profile linux-update-symlinks @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/kernel-img.conf r, + + @{efi}/ r, + @{efi}/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index 1a8ffbb0d..c718b6495 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version 
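Review bot: The rewritten linux-check-removal profile adds `/etc/shadow r,` while dropping `flags=(complain)`, so a formerly complain-only profile now enforces a rule that allows reading the password-hash file; a kernel-removal check has no evident reason to read `/etc/shadow`, and elsewhere in this series such noise is handled with `deny` rules (see the `# file_inherit` block in the lsb-release profile). Unless the audit log shows a read that actually breaks the script, change the line to `deny /etc/shadow r,` with a comment on where the access comes from. The removed `frontend` child means debconf access now relies on whatever the remaining `include` (target not visible in this extract) provides, so a quick run of the script under the new profile is worth doing before merge.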
@@ -14,9 +14,8 @@ profile linux-version @{exec_path} { include @{exec_path} r, - @{bin}/perl r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 0e18eab1b..ff2ffe6b8 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,6 +7,7 @@ abi , include @{name} = QQ +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -14,10 +15,9 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { include - include + include include include - include network netlink raw, network netlink dgram, @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend new file mode 100644 index 000000000..ad2e23fc6 --- /dev/null +++ b/apparmor.d/profiles-g-l/localsend @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/localsend +profile localsend @{exec_path} { + include + include + include + include + include + include + +# --system-talk-name=org.freedesktop.NetworkManager +# - --system-talk-name=org.freedesktop.hostname1 +# --talk-name=org.kde.StatusNotifierWatcher + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 7990fb27d..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate 
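Review bot: The three comment lines inside the new localsend profile (`# --system-talk-name=org.freedesktop.NetworkManager`, `# - --system-talk-name=org.freedesktop.hostname1`, `# --talk-name=org.kde.StatusNotifierWatcher`) sit at column 0 inside the profile body, and the second carries a stray `- `; indent them with the rules and drop the `- `, or convert them into the project's `#aa:dbus` annotations (as used in the libreoffice hunk) if they are meant to generate D-Bus rules rather than just record the upstream sandbox flags. The profile also has no `network` rules of its own; if LAN transfers are expected to work, confirm that access comes from one of the included abstractions, whose targets are not visible in this extract.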
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -30,9 +30,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, - @{bin}/invoke-rc.d rix, + @{sbin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, @@ -80,6 +80,13 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=KillUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + @{run}/utmp rk, include if exists diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 000000000..5214632dc --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release 
@@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/ r, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index 0fce66a96..a9613e7c1 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -33,8 +33,7 @@ profile lynx @{exec_path} { /etc/mailcap r, /etc/mime.types r, - owner @{tmp}/lynxXXXX*/ rw, - owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, + owner @{tmp}/lynxXXXX*/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..89a57310f --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks 
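Review bot: `@{bin}/dpkg-query px,` in the new lsb-release profile uses lowercase `px`, so the transition does not scrub the environment, whereas every other transition in this series uses `Px`/`rPx`; since the `#aa:only apt` marker shows this rule is specific to the apt build, either switch to `Px` or add a comment explaining why the unscrubbed environment is required. The `deny owner @{user_config_dirs}/*/** r,` line under `# file_inherit` is a reasonable silencer, but it is broad enough that naming the caller that leaks the descriptor would help the next reviewer judge whether it can be narrowed.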
@@ -0,0 +1,97 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Px, + @{bin}/fc-cache ix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/ r, + @{lib}/** mr, + + /usr/share/*/initramfs/{,**} r, + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + 
profile ldd { + include + include + include + + @{bin}/* mr, + @{sbin}/* mr, + + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..d280c145a --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0..551a6fec0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include 
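Review bot: `@{sbin}/cryptsetup PUx` in the new initramfs-hooks profile falls back to running cryptsetup unconfined whenever no cryptsetup profile is loaded, while every other transition in the same list is `Px` or `ix`; if a cryptsetup profile exists in this set, `@{sbin}/cryptsetup Px,` keeps a missing profile from silently meaning unconfined, otherwise a comment should record why the fallback is wanted. The same profile also grants `@{bin}/* mr, @{sbin}/* mr, @{lib}/** mr` to the hook scripts themselves, which is much wider than the named exec list above it and deserves a why-comment. Busybox is run as `@{lib}/initramfs-tools/bin/busybox ix` here but as `Px` in the initramfs-scripts hunk on the same line; unless a profile attaches to that path the `Px` exec will be denied, so the two files should agree.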
@@ -17,12 +17,11 @@ profile mandb @{exec_path} flags=(complain) { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -32,6 +31,9 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man@{u8}/*.@{int}.gz r, + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 000000000..b0397eb8d --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm @@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_read_search, + capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{sh_path} rix, + @{sbin}/sendmail rPUx, + + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, + + @{run}/initctl r, + @{run}/mdadm/* rwk, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + @{PROC}/mdstat rw, + + /dev/**/ r, + /dev/.tmp.md.* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 000000000..120138905 --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf 
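Review bot: `@{PROC}/kcore r` in the new mdadm profile is a read grant on the kernel's memory image with no comment explaining why mdadm would open it; the kernel additionally requires CAP_SYS_RAWIO to open /proc/kcore and this profile grants no `capability sys_rawio`, so the rule is presumably either dead or papering over a denial that should be understood first. Either drop it or annotate it, e.g. `@{PROC}/kcore r, # TODO(review): confirm mdadm really opens kcore`. `@{sbin}/sendmail rPUx` likewise falls back to unconfined when no sendmail profile is loaded; `Px` would be safer if one exists in the set.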
@@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e6..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, @@ -18,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 0de151536..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,23 +9,19 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include include @{exec_path} mr, - @{bin}/python3.@{int} rix, + @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, 
@@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9b..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,23 +10,13 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include + include include @{exec_path} r, - /usr/bin/perl r, - - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, # To read files - /** r, + owner /** r, #aa:lint ignore=too-wide include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, 
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 774dfa9f8..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, - @{lib}64/ r, + @{bin}/ r, + @{lib}/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -34,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -43,37 +43,43 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, + @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + @{lib}/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, + /etc/xattr.conf r, + # For shell pwd / r, /etc/ r, 
@@ -81,22 +87,44 @@ profile mkinitramfs @{exec_path} {
 /etc/modprobe.d/{,*.conf} r,
- /boot/ r,
- owner /boot/config-* r,
- owner /boot/initrd.img-*.new rw,
+ @{efi}/ r,
+ owner @{efi}/config-* r,
+ owner @{efi}/initrd.img-*.new rw,
- /var/tmp/ r,
- /var/tmp/modules_@{rand6} rw,
- /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
- owner /var/tmp/mkinitramfs_@{rand6} rw,
- owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
- owner /var/tmp/mkinitramfs-@{rand6} rw,
+ owner /var/lib/kdump/initramfs-tools/** rw,
+ owner /var/lib/kdump/initrd.* rw,
- @{sys}/devices/platform/ r,
- @{sys}/devices/platform/**/ r,
- @{sys}/devices/platform/**/modalias r,
+ /var/tmp/ r,
+ /var/tmp/mkinitramfs_@{rand6}/** w,
+ /var/tmp/modules_@{rand6} rw,
+ /var/tmp/mkinitramfs_@{rand6} rw,
+ /var/tmp/mkinitramfs_@{rand6}/ rw,
+ /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
+ /var/tmp/mkinitramfs-@{rand6} rw,
+ /var/tmp/mkinitramfs-*_@{rand6} rw,
+
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/*/drivers/ r,
+ @{sys}/devices/ r,
+ @{sys}/devices/**/ r,
+ @{sys}/devices/**/modalias r,
+ @{sys}/devices/**/uevent r,
 @{sys}/module/compression r,
+ @{sys}/module/firmware_class/parameters/path r,
+ @{sys}/class/ r,
+ @{sys}/class/*/ r,
+ @{sys}/bus/platform/drivers/simple-framebuffer/ r,
+
+ @{PROC}/@{pid}/mounts r,
 @{PROC}/cmdline r,
 @{PROC}/modules r,
 owner @{PROC}/@{pid}/fd/ r,
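Review bot: The `owner` qualifier was dropped from the rewritten `/var/tmp/mkinitramfs_@{rand6}` and `/var/tmp/mkinitramfs-@{rand6}` rules (the removed lines had it) while the parallel `/tmp/tmp.@{rand10}/...` rules added right below keep it; /var/tmp is world-writable, so unless mkinitramfs is known to write files it does not own there, restore it, e.g. `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,`. `/var/tmp/mkinitramfs_@{rand6}/** w` and `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w` are each subsumed by the `rwl` rule beside them and can be removed. The enclosing profile starts and ends outside the hunk.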
@@ -106,15 +134,14 @@ profile mkinitramfs @{exec_path} {
 include
 include
- @{bin}/ldd mr,
-
- @{sh_path} rix,
- @{bin}/kmod mr,
- @{lib}/initramfs-tools/bin/* mr,
-
+ @{sh_path} rix,
 @{lib}/@{multiarch}/ld-*.so* rix,
 @{lib}/ld-*.so{,.2} rix,
+ @{bin}/* mr,
+ @{sbin}/* mr,
+ @{lib}/** mr,
+
 include if exists
 }
@@ -124,56 +151,33 @@ profile mkinitramfs @{exec_path} {
 capability sys_chroot,
- @{bin}/ldconfig mr,
+ @{sbin}/ldconfig mr,
 @{sh_path} rix,
- @{bin}/ldconfig.real rix,
+ @{sbin}/ldconfig.real rix,
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
-
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
- owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
-
- owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
-
- owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
- owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
 include if exists
 }
- profile find {
- include
- include
-
- @{bin}/find mr,
-
- # pwd dir
- / r,
- /etc/ r,
- /root/ r,
-
- /usr/share/initramfs-tools/scripts/{,**/} r,
- /etc/initramfs-tools/scripts/{,**/} r,
-
- owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
-
- include if exists
- }
-
 profile kmod {
 include
 include
 owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
 owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
- owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,
 owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
 owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
+ owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r,
+ owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw,
+ owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r,
+ owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r,
+ owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r,
+
 @{sys}/module/compression r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi
new file mode 100644
index 000000000..f6489a501
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mkosi
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This profile is large on purpose:
+# - It is required to have a profile for mkosi to allow userns.
+# - Mkosi uses a lot of different binaries and scripts inside sandbox.
+# - Using the unconfined flag would Pix everything, we do not want that as the
+# transitioned profile would have to account for mkosi paths too.
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi
+profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) {
+ include
+
+ all,
+ userns,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index 835e1a391..4e0ace19a 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -10,19 +10,15 @@ include
 @{exec_path} = @{bin}/mkvtoolnix-gui
 profile mkvtoolnix-gui @{exec_path} {
 include
- include
+ include
 include
- include
- include
- include
- include
+ include
 include
- include
 include
 include
+ include
 include
 include
- include
 signal (send) set=(term, kill) peer=mkvmerge,
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db
index cd2ddc0e6..90bf73cf3 100644
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@@ -17,9 +17,9 @@ profile modprobed-db @{exec_path} {
 @{bin}/cat rix,
 @{bin}/cp rix,
 @{bin}/cut rix,
- @{bin}/gawk rix,
+ @{bin}/{m,g,}awk rix,
 @{bin}/getent rix,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
 @{bin}/logname rix,
 @{bin}/md5sum rix,
 @{bin}/rm rix,
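Review bot: The five new kmod rules use `/tmp/tmp.@{rand10}/usr/lib/modules/...` without the `mkinitramfs_@{rand6}/` path component that every other `/tmp/tmp.@{rand10}/` rule in this profile has (the main profile and the ldconfig child both use `/tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**`); if the staging tree really lives under that extra directory these rules never match and kmod keeps being denied. Confirm against a real run and, if so, insert the component, e.g. `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,`. The `mkinitramfs_@{rand6}usr` to `mkinitramfs_@{rand6}/usr` correction in the same hunk is a genuine fix. The kmod child profile closes outside the hunk.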
diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index e847db872..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, 
@@ -28,80 +29,76 @@ profile monitorix @{exec_path} {
 network inet stream,
 network inet6 stream,
- ptrace (read),
+ ptrace read,
- signal (receive) set=(hup) peer=logroate,
+ signal receive set=(hup) peer=logroate,
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/{,e}grep rix,
- @{bin}/df rix,
- @{bin}/cat rix,
- @{bin}/tail rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/free rix,
- @{bin}/ss rix,
- @{bin}/who rix,
- @{bin}/lvm rix,
- @{bin}/xtables-nft-multi rix,
- @{bin}/sensors rix,
- @{bin}/getconf rix,
- @{bin}/ps rix,
+ @{bin}/{,e}grep ix,
+ @{bin}/{m,g,}awk ix,
+ @{bin}/cat ix,
+ @{bin}/df ix,
+ @{bin}/free ix,
+ @{bin}/getconf ix,
+ @{bin}/ps Px,
+ @{bin}/sensors Px,
+ @{bin}/tail ix,
+ @{bin}/who Px,
+ @{sbin}/lvm Px,
+ @{sbin}/ss Px,
+ @{sbin}/xtables-nft-multi ix,
- /etc/monitorix/monitorix.conf r,
- /etc/monitorix/conf.d/ r,
- /etc/monitorix/conf.d/@{int2}-*.conf r,
+ /var/lib/monitorix/www/cgi/monitorix.cgi ix,
+
+ /etc/monitorix/{,**} r,
+
+ /var/lib/monitorix/ rw,
+ /var/lib/monitorix/** rwk,
 /var/log/monitorix w,
 /var/log/monitorix-* w,
- owner @{run}/monitorix.pid w,
-
- /var/lib/monitorix/*.rrd* rwk,
- /var/lib/monitorix/www/** rw,
- /var/lib/monitorix/www/cgi/monitorix.cgi rwix,
+ /srv/http/monitorix/ rw,
+ /srv/http/monitorix/** rwk,
 / r,
 /tmp/ r,
- /etc/shadow r,
- /dev/tty r,
+ owner @{run}/monitorix.pid w,
 @{run}/utmp rk,
- @{PROC}/ r,
- @{PROC}/swaps r,
- @{PROC}/diskstats r,
- @{PROC}/loadavg r,
- @{PROC}/sys/kernel/random/entropy_avail r,
- @{PROC}/uptime r,
- @{PROC}/interrupts r,
- @{PROC}/sys/fs/dentry-state r,
- @{PROC}/sys/fs/file-nr r,
- @{PROC}/sys/fs/inode-nr r,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/net/dev r,
- owner @{PROC}/@{pid}/net/ip_tables_names r,
- owner @{PROC}/@{pid}/net/ip6_tables_names r,
- @{PROC}/@{pid}/net/udp{,6} r,
- @{PROC}/@{pid}/net/tcp{,6} r,
- @{PROC}/sys/kernel/pid_max r,
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/fdinfo/ r,
- @{PROC}/@{pids}/io r,
- @{sys}/class/i2c-adapter/ r,
- @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
+ @{sys}/devices/@{pci}/i2c-*/{,**/}name r,
 @{sys}/class/hwmon/ r,
 @{sys}/devices/**/thermal*/{,**} r,
 @{sys}/devices/**/hwmon*/{,**} r,
- /etc/sensors3.conf r,
- /etc/sensors.d/ r,
+ @{PROC}/ r,
+ @{PROC}/@{pid}/net/dev r,
+ @{PROC}/@{pid}/net/tcp{,6} r,
+ @{PROC}/@{pid}/net/udp{,6} r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/fdinfo/ r,
+ @{PROC}/@{pids}/io r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/diskstats r,
+ @{PROC}/interrupts r,
+ @{PROC}/loadavg r,
+ @{PROC}/swaps r,
+ @{PROC}/sys/fs/dentry-state r,
+ @{PROC}/sys/fs/file-nr r,
+ @{PROC}/sys/fs/inode-nr r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/pid_max r,
+ @{PROC}/sys/kernel/random/entropy_avail r,
+ @{PROC}/uptime r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/net/ip_tables_names r,
+ owner @{PROC}/@{pid}/net/ip6_tables_names r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd
new file mode 100644
index 000000000..de742b2c9
--- /dev/null
+++ b/apparmor.d/profiles-m-r/motd
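Review bot: `signal receive set=(hup) peer=logroate,` keeps a typo in the peer label (`logroate` for `logrotate`, the name the logrotate profile uses elsewhere in this same change), so the rule matches no peer and a HUP from a confined logrotate is still denied; the line is rewritten by this hunk, so fix it here as `signal receive set=(hup) peer=logrotate,`. Separately, `/var/lib/monitorix/** rwk` together with `/var/lib/monitorix/www/cgi/monitorix.cgi ix` leaves the CGI script both writable and executable within the same profile, as the old `rwix` rule also did; if the daemon never rewrites that script, an explicit `r`-only rule for it placed after the wildcard would remove the write-plus-exec overlap. Dropping `/etc/shadow r` and `/dev/tty r` is a welcome tightening.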
@@ -0,0 +1,102 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/update-motd.d/*
+profile motd @{exec_path} {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network inet6 stream,
+ network inet6 stream,
+
+ @{exec_path} mr,
+ @{bin}/ r,
+
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/cloud-id rix,
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/hostname rPx,
+ @{bin}/snap rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/wget rCx -> wget,
+
+ @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
+ @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
+ @{lib}/update-notifier/update-motd-reboot-required rix,
+ /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
+ /usr/share/update-notifier/notify-updates-outdated rPx,
+
+ / r,
+ /etc/cloud/cloud.cfg r,
+ /etc/cloud/cloud.cfg.d/{,*} r,
+ /etc/default/motd-news r,
+ /etc/lsb-release r,
+ /etc/update-motd.d/* r,
+ /etc/wgetrc r,
+
+ /var/cache/motd-news rw,
+ /var/lib/update-notifier/updates-available r,
+ /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
+ /var/lib/cloud/instances/nocloud/cloud-config.txt r,
+
+ /tmp/tmp.@{rand10} rw,
+
+ @{run}/cloud-init/cloud.cfg r,
+ @{run}/motd.d/{,*} r,
+ @{run}/motd.dynamic.new rw,
+ @{run}/reboot-required r,
+
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+
+ /dev/tty@{int} rw,
+
+ profile wget {
+ include
+ include
+ include
+
+ capability net_admin,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{bin}/wget mr,
+
+ /etc/wgetrc r,
+
+ /tmp/tmp.@{rand10} rw,
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ @{run}/systemd/private rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
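Review bot: `network inet6 stream,` appears twice in the new motd profile with no `network inet stream,` beside it, while the wget child below grants both families; the duplicate looks like a copy error and IPv4 sockets opened by the scripts themselves would be denied, so the second line should most likely read `network inet stream,`. `@{PROC}/1/environ r` exposes PID 1's environment to every update-motd.d script and should carry a why-comment naming the script that reads it. `/tmp/tmp.@{rand10} rw` is unqualified in both the parent and the wget child; `owner` would keep it to files the script created itself.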
diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 000000000..3a5dfffb6 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 9a138ff50..a66fc287f 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -24,10 +24,10 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index 77ac07045..bc20a0f9a 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,6 +13,12 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 409834fbc..588f4b6b1 100644 
--- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipath +@{exec_path} = @{sbin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 14bb16caf..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipathd +@{exec_path} = @{sbin}/multipathd profile multipathd @{exec_path} { include include @@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 48ed42d84..a85eb6790 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 8d17ef3d6..86792860c 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 9d7663ebb..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include 
@@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index fb1e94c1f..a91aba241 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -62,6 +62,7 @@ profile mutt @{exec_path} { owner @{HOME}/.mutthistory rwk, owner @{HOME}/.muttrc* r, owner @{HOME}/.signature r, # Mutt signature file + owner @{HOME}/ r, # User mbox # Could be a file or dir depending on mbox_type variable @@ -91,11 +92,14 @@ profile mutt @{exec_path} { @{bin}/w3m mrix, @{bin}/lynx mrix, - owner @{HOME}/.w3m/* rw, + owner @{HOME}/.w3m/{,**} rw, owner @{user_mail_dirs}/{,**} r, owner @{user_mail_dirs}/tmp/{,**} rw, owner /{var/,}tmp/mutt* rw, + owner /tmp/w3m-@{rand6} rw, + owner /tmp/w3m-@{rand6}/{,**} rw, + include if exists } @@ -111,19 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{pager_path} mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 37a1c90a3..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -6,62 +6,54 @@ abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, - ptrace (read), - - mqueue r type=posix /, + ptrace read, @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{bin}/python3.@{int} rix, - @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/udevadm rPx, - @{bin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, - @{bin}/who rix, - @{lib}/needrestart/iucode-scan-versions rPx, - /usr/share/debconf/frontend rix, + @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, + @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, - @{bin}/networkd-dispatcher r, - @{bin}/gettext.sh r, - /usr/share/needrestart/{,**} r, - /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, - /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/ r, + @{efi}/* r, + /opt/*/** r, + @{bin}/* r, + @{lib}/** r, + @{sbin}/** r, + @{att}/@{lib}/** r, + /usr/share/** r, + /var/lib/*/** r, - owner /var/lib/juju/agents/{,**} r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, - owner @{run}/sshd.pid r, + /tmp/@{word10}/ rw, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, 
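Review bot: The new wide read rules `/opt/*/** r`, `@{bin}/* r`, `@{lib}/** r`, `@{sbin}/** r`, `@{att}/@{lib}/** r`, `/usr/share/** r` and `/var/lib/*/** r` carry no comment saying why needrestart needs them (presumably to stat the files mapped by the running processes it inspects); a comment such as `# Read binaries and libraries of running processes to detect outdated mappings` above the group would stop the next reviewer from narrowing them. `/tmp/@{word10}/ rw` lacks `owner`, unlike the other temporary-directory rules in this change, and it is not clear from the hunk which tool creates that directory. The profile body continues past the hunk.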
@@ -69,11 +61,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include @@ -81,13 +76,20 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability net_admin, - signal send set=term peer=systemd-tty-ask-password-agent, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, include if exists } + profile udevadm { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 0a9e1dc33..b70a49be8 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -7,21 +7,25 @@ abi , include @{exec_path} = @{lib}/needrestart/apt-pinvoke -profile needrestart-apt-pinvoke @{exec_path} { +profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { include include include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} rix, @{bin}/dbus-send rix, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 000000000..c8c9a12c4 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook 
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{etc_ro}/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 75b150042..3c826cd74 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,20 +12,23 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{bin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 000000000..82465ceb2 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify 
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{etc_ro}/needrestart/notify.d/* +profile needrestart-notify @{exec_path} { + include + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/fold ix, + @{bin}/gettext.sh r, + @{bin}/mail Px, + @{bin}/notify-send Px, + @{bin}/sed ix, + + /etc/needrestart/notify.conf r, + + @{PROC}/@{pid}/environ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart new file mode 100644 index 000000000..964ff1a74 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{etc_ro}/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + @{sh_path} r, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version new file mode 100644 index 000000000..3828f9228 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version 
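Review bot: needrestart-notify grants `capability sys_ptrace` and a `ptrace read` with no `peer=` restriction together with `@{PROC}/@{pid}/environ r`, which lets the notification scripts read the environment of any process on the system — presumably to discover a logged-in user's `DISPLAY`/`DBUS_SESSION_BUS_ADDRESS` before calling `notify-send`. If that is the reason, say so on the rule (`# Reads the environment of user sessions to locate the display/session bus for notify-send`) so the width is visibly intentional, and if an `aa-log` run in enforce mode shows only a handful of peers, scope the ptrace rule with `peer=`. The `@{bin}/mail Px` and `@{bin}/notify-send Px` transitions require profiles for both binaries to exist; a comment listing them avoids a silent exec denial on systems where one is missing.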
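Review bot: needrestart-restart repeats the `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` rule seen in apt-pinvoke, again with no `owner` and no note that it is an inherited file descriptor; `# file_inherit` above it (the openbox profile's convention in this diff) and `w` instead of `rw` would document and minimise it. The `systemctl` child profile takes `capability sys_ptrace` alongside `net_admin`; a short comment on which systemctl operation needs to inspect other processes would justify keeping a ptrace capability in a restart hook.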
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/needrestart/vmlinuz-get-version +profile needrestart-vmlinuz-get-version @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/bzip2 rix, + @{bin}/{,e}grep rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rPx, + @{bin}/xz rix, + + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, + + owner @{tmp}/tmp.@{rand10} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index e3edb99c3..c7c9160d7 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -21,7 +21,12 @@ profile nemo @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open, + + @{bin}/gdk-pixbuf-thumbnailer rPx, + /usr/share/nemo/** r, + /usr/share/thumbnailers/{,*.thumbnailer} r, # Full access to user's data / r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bff..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,18 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76..eb42bd59b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,12 +21,11 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, + /dev/nvidia-caps/nvidia-cap@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 88a164c00..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, 
@@ -31,20 +31,29 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/current_link_{speed,width} r, @{sys}/devices/@{pci}/enable r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r, + @{sys}/devices/@{pci}/max_link_{speed,width} r, + @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index b0c4d88c6..9d9ed2a94 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf 
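Review bot: The hunk rewrites nvtop's process-listing rules from `@{PROC}/@{pids}/...` to `@{PROC}/@{pid}/...`, while needrestart in this same diff keeps `@{PROC}/@{pids}/status r` for reading other processes. If `@{pid}` and `@{pids}` expand to the same pattern in this repository's tunables the change is cosmetic, but the `@{pids}` spelling documents that nvtop reads arbitrary processes' `cmdline`, `stat` and `fdinfo` (which its `capability sys_ptrace` also implies), so keep `@{PROC}/@{pids}/` for those rules and reserve `@{pid}` for the self-access line `owner @{PROC}/@{pid}/task/@{tid}/comm rw`.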
@@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b5521802..73447e33e 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/ r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index c92d4d849..d6426f717 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -7,17 +7,19 @@ abi , include -@{exec_path} = @{bin}/on_ac_power +@{exec_path} = @{sbin}/on_ac_power profile on-ac-power @{exec_path} { include @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 000000000..2593b78ac --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index d136ee08f..899290792 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, @@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/python3/** w, + deny @{lib}/@{python_name}/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index c058003ff..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
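Review bot: The new open-iscsi-net-interface-handler profile is `flags=(complain)` and contains only `@{exec_path} mr` and `@{sh_path} r`, so in practice it is a stub that logs rather than confines a helper which, judging by its name, adjusts network interfaces for iSCSI root; nothing in the file says so. Mark it the way packagekitd does in this diff — `# TODO: write the profile` in the header — and add one line recording what the handler was observed to do when the stub was generated, so the next person knows what the complain-mode logs should be compared against.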
@@ -15,30 +15,35 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + mount options=(rprivate, rw) -> /, + mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, + umount /var/lib/os-prober/mount/, + mqueue (read getattr) type=posix /, + @{exec_path} mrix, @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/blkid rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -46,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, @@ -58,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index d0b75aae7..d0bb4a1ed 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch 
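Review bot: `mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,` accepts any source device and any filesystem type and lacks `noexec`, so the profile permits mounting attacker-controlled partitions read-write and executable under the probe directory. If os-prober mounts probe targets read-only, as one would expect from a prober, `options=(ro, nosuid, nodev, noexec)` is the rule that should match; if some code path really needs `rw`, add a comment naming it and still add `noexec`, since none of the profile's rules execute anything under `/var/lib/os-prober/mount/`. The `mount options=(rprivate, rw) -> /,` line presumably backs `@{lib}/newns rix` (a private mount namespace for the probes) and deserves a one-line comment saying so.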
@@ -15,12 +15,18 @@ profile ouch @{exec_path} { @{exec_path} mr, owner @{HOME}/.tmp@{rand6}/{,**} rw, + owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b97c5e9a8..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include @@ -38,12 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, @@ -56,8 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, 
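Review bot: `owner /tmp/ w,` in ouch is unlikely to ever match for an ordinary user, because `/tmp` is root-owned and `owner` compares the file's owner with the process's fsuid; creating `/tmp/.tmp-ouch@{rand6}/` is already covered by the `owner /tmp/.tmp-ouch@{rand6}/{,**} rw` rule, so the line is either dead or only for root runs, which a comment should say. The same three rules use a literal `/tmp/` where needrestart-vmlinuz-get-version in this diff writes `owner @{tmp}/tmp.@{rand10} rw`; `owner @{tmp}/.tmp-ouch@{rand6}/{,**} rw,` keeps per-user tmp directories working. Widening `session-@{int}.scope` to `session-@{word}.scope` looks right for non-numeric logind session IDs, but a trailing comment to that effect would stop someone narrowing it back.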
@@ -69,6 +63,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, + @{bin}/ischroot rPx, + @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @@ -78,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index e2846f8e6..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update 
@@ -7,61 +7,24 @@ abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} mr, - @{bin}/perl r, + @{exec_path} mrix, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, + /etc/shadow r, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/dpkg/info/libpam-runtime.templates r, + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 510c2abad..fc767e5b3 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pam-tmpdir-helper +@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper profile pam-tmpdir-helper @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings deleted file mode 100644 index cbcb539ed..000000000 --- a/apparmor.d/profiles-m-r/pam/mappings +++ /dev/null 
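Review bot: The rewritten pam-auth-update profile drops the `/usr/share/debconf/frontend rPx` exec (and the whole `frontend` child) but keeps `/etc/shadow r` and `@{bin}/stty ix`, which the old layout only needed inside the debconf frontend. If pam-auth-update still re-executes itself under the debconf frontend when run interactively (the old rules suggest it did), that exec will be denied once the profile leaves `flags=(complain)`; if it does not, a PAM configuration tool reading password hashes needs a why-comment, e.g. `/etc/shadow r, # Read by the debconf/PAM configuration frontend — confirm`. The profile stays in complain mode, so none of this is enforced yet; recording the blocker for enforce mode in the header would help.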
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example - -# This file contains the mappings from users to roles for the binaries -# confined with AppArmor and configured for use with libpam-apparmor. Users -# without a mapping will not be able to login. -# -# The default hat is a confined user. The hat contains only the permissions -# necessary to transition to the user's login shell. All other permissions have -# been moved into the default_user profile. -^DEFAULT { - include - include - - capability dac_override, - capability setgid, - capability setuid, - - /etc/default/su r, - @{etc_ro}/environment r, - - @{shells_path} rPx -> user_default, - - include if exists -} - -# USER is a confined user. The hat contains only the permissions necessary -# to transition to gray's login shell. All other permissions have been -# moved into the confined_user profile. -^USER { - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rPx -> user_confined, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# Don't confine members whose primary group is 'admin' who are not specifically -# confined. Systems without this special primary group may want to define an -# unconfined 'root' hat in this manner (depending on site policy). -^root { - include - include - include - - capability dac_override, - capability audit_write, - capability setgid, - capability setuid, - - @{shells_path} rUx, - - /etc/default/su r, - @{etc_ro}/environment r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 4a98dbae8..1ae7f5478 100644 --- a/apparmor.d/profiles-m-r/parted 
+++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 6a0a6c9cf..79e4b0ffb 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 0736f98c4..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} rix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, @@ -53,13 +53,13 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool ix, # pass-otp - @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{python_path} Px -> pass-import, # pass-import, pass-audit @{bin}/qrencode PUx, # pass-otp @{bin}/tomb PUx, # pass-tomb /usr/share/terminfo/** r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, 
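Review bot: `@{bin}/which{,.debianutils} rix,` in pass adds an `r` that the surrounding rules (`find ix`, `getopt ix`, `{,e}grep ix`, `head ix`) do not use, so the replacement line breaks the profile's own style; `@{bin}/which{,.debianutils} ix,` matches the file and the `ix` spelling used for the same binary in pokemmo in this diff. The protonmail-bridge-core hunk writes `rix` because that profile already uses `rix` throughout, so this is a per-file consistency point only.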
@@ -88,7 +88,7 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_password_store_dirs}/{,**/} r, + owner @{user_passwordstore_dirs}/{,**/} r, owner /dev/shm/pass.@{rand}/{,*} rw, @@ -120,8 +120,8 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, @@ -142,10 +142,11 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index bb2bc9107..8d55dd156 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,16 +24,16 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny /usr/share/file/misc/magic.mgc r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 4e64e5fb9..c0aafeaf9 100644 
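Review bot: `@{python_path} rix` in pass-import now lets any interpreter matched by `@{python_path}` run under a profile that still grants `@{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny` — write access over the system Python tree from a tool that parses third-party password-manager exports. The openbox profile in this same diff handles the equivalent case with a silencer, `deny @{lib}/@{python_name}/** w,`, using the newer `@{python_name}` variable; closing the TODO the same way (or narrowing the write to `__pycache__/`) belongs with the interpreter generalisation rather than after it.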
--- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fa..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include @@ -24,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 984b566cf..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include @@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 2a7b63038..76b9942fb 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof 
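Review bot: Collapsing `/var/lib/passim/{,**} r` plus `/var/lib/passim/data/{,**} rw` into `owner /var/lib/passim/{,**} rw,` widens write access from the `data/` subtree to everything under `/var/lib/passim/` while also making the read conditional on ownership. If the daemon runs as a dedicated user and only publishes files in `data/`, keeping the split — `owner /var/lib/passim/{,**} r,` and `owner /var/lib/passim/data/{,**} rw,` — preserves the previous least privilege; if it really writes elsewhere, a comment naming the path would explain the widening.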
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +profile pidof @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index a3ec65c45..c14b41027 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} { /usr/share/terminfo/** r, + owner /dev/tty@{int} r, + include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f332ef21f..b60d929e2 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -9,9 +9,12 @@ include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include + include + include include + include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk similarity index 53% rename from apparmor.d/profiles-m-r/pinentry-gtk-2 rename to apparmor.d/profiles-m-r/pinentry-gtk index 49e9ac307..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -7,21 +7,20 @@ abi , include -@{exec_path} = @{bin}/pinentry-gtk-2 -profile pinentry-gtk-2 @{exec_path} { +@{exec_path} = @{bin}/pinentry-gtk{,-2} +profile pinentry-gtk @{exec_path} { include - include - include + include include - include + include @{exec_path} mr, - /usr/share/gtk-2.0/gtkrc r, + @{PROC}/@{pid}/cmdline r, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner /dev/tty@{int} r, - include if exists + include if exists } # vim:syntax=apparmor 
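Review bot: Dropping `owner` from `/dev/tty@{int} rw,` lets pidof read and write any user's virtual console, not only the one it was started from, and the hunk gives no reason. If the rule exists because pidof inherits a tty as stdio from whichever script invoked it, annotate it `# file_inherit` as openbox does in this diff and consider `w` only — pidof writes its result to stdout but never reads the terminal — so a confined pidof cannot be used to read input from another console.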
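Review bot: `signal receive set=int,` in pinentry-gnome3 drops the `peer=gpg-agent` qualifier, so any confined process with a matching `signal send` rule may now interrupt a PIN prompt. If the widening is for a differently-labelled sender (a gpg-agent child profile, or a terminal on Ctrl-C), name it — `signal receive set=int peer=gpg-agent//*,` or an explicit list — rather than leaving it open; the pinentry-qt hunk that follows keeps `peer=gpg-agent` on its new `ptrace read` rule, which is the precedent to follow.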
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8b..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5..324b08f17 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index ba9d813c2..0bbd727ae 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -21,7 +21,6 @@ profile popularity-contest @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/env rix, @@ -42,7 +41,7 @@ profile popularity-contest @{exec_path} { /var/lib/ r, /var/lib/dpkg/info/{,*.list} r, /var/log/ r, - /var/log/popularity-contest.[0-9]* w, + /var/log/popularity-contest.@{int} w, /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b39682804..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -13,6 +13,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, 
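Review bot: `/dev/urandom w,` is the security-relevant line of the new pollinate profile — presumably how the fetched seed reaches the kernel pool — and it carries no comment; `/dev/urandom w, # Feeds the downloaded seed into the kernel entropy pool` makes the intent reviewable. `owner /tmp/pollinate.@{rand12}/{,**} rw,` uses a literal `/tmp` where needrestart-vmlinuz-get-version in this diff uses `owner @{tmp}/...`; `owner @{tmp}/pollinate.@{rand12}/{,**} rw,` is the repository spelling. Since `@{bin}/curl rix` runs curl inside this profile, the four `network inet*` rules are there for curl's fetch; a one-line comment on the network block saying so keeps someone from later moving curl to its own profile without the network rules.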
@@ -27,21 +28,23 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, - @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c6d309a94..8a6a2982e 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail 
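Review bot: `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,` replaces two precise rw rules (`energy_performance_preference`, `scaling_governor`) with read-write over every cpufreq policy attribute, including `scaling_{min,max}_freq` and `scaling_setspeed`, which the daemon was not previously allowed to change. If it needs more attributes now, list them — `@{sys}/devices/system/cpu/cpufreq/policy@{int}/{energy_performance_preference,scaling_governor,…} rw,` — and keep the rest at `r`; `@{sys}/devices/**/status r,` is similarly broad for what is presumably one or two platform devices and should name them, as the new `@{run}/udev/data` lines helpfully do.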
@@ -8,28 +8,29 @@ abi , include @{name} = proton-mail "Proton Mail" +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(complain) { +profile protonmail @{exec_path} flags=(attach_disconnected) { include - include - include include + include network inet stream, network inet dgram, network inet6 dgram, network netlink raw, - ptrace read peer=xdg-settings, + ptrace read peer=protonmail//&xdg-settings, @{exec_path} mrix, - @{bin}/xdg-settings Px, - @{open_path} Px -> child-open, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists - } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 4de73d718..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -5,17 +5,19 @@ # To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, -# deny owner @{user_password_store_dirs}/** r, +# deny owner @{user_passwordstore_dirs}/** r, abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include + include network inet dgram, network inet6 dgram, 
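Review bot: The `profile protonmail` line drops `flags=(complain)` in favour of `flags=(attach_disconnected)`, which moves the profile from log-only to enforcing in the same hunk that reworks its includes and the xdg-settings stacking. That is a user-visible behaviour change worth a sentence in the commit message or a one-line comment, since any rule still missing will now deny instead of log. The abstraction names on the `include` lines are stripped on this page, so whether the removed includes are covered by the new ones cannot be checked from here.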
@@ -25,13 +27,16 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, + + @{lib}/protonmail/bridge/bridge-gui ix, /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, owner @{user_cache_dirs}/protonmail/{,**} rwk, owner @{user_config_dirs}/protonmail/{,**} rwk, @@ -40,15 +45,12 @@ profile protonmail-bridge-core @{exec_path} { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, - deny owner @{user_password_store_dirs}/** r, + deny owner @{user_passwordstore_dirs}/** r, profile pass { include @@ -70,12 +72,13 @@ profile protonmail-bridge-core @{exec_path} { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, + deny owner @{user_passwordstore_dirs}/**/ r, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index da5753161..08b286b5a 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem 
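Review bot: `@{lib}/protonmail/bridge/bridge-gui ix` runs the GUI under the bridge-core profile, so the frontend inherits every right granted here, including read access to `@{user_passwordstore_dirs}/...` and the `Cx -> pass` transition. If the GUI is meant to share the core's confinement, a comment saying so is enough; if it has or could have its own profile, `@{lib}/protonmail/bridge/bridge-gui rPx,` keeps the UI and the credential-handling process apart. Note also that `@{bin}/pass Cx -> pass` no longer carries `r`; pass is a shell script, so the `pass` child profile (defined further down, outside this hunk) presumably needs `@{bin}/pass r` for the interpreter to load it — confirm it is there.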
@@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d..2ff7b4e71 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -34,7 +35,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -34,7 +35,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile new file mode 100644 index 000000000..105264ec2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pycompile 
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean +profile pycompile @{exec_path} flags=(attach_disconnected,complain) { + include + include + include + include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + @{python_path} rix, + + @{bin}/dpkg rCx -> dpkg, + + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, + + /usr/share/python3/{,**} r, + + / r, + @{bin}/ r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index a5fcbb91e..e0d430443 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include @@ -29,7 +27,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python3, + signal send set=(term, kill) peer=qbittorrent//python, network inet dgram, network inet6 dgram, @@ -68,7 +66,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{bin}/python3.@{int} rCx -> python, # For "search engine" + @{python_path} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, 
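Review bot: `capability dac_override` and `capability dac_read_search` in the new pycompile profile carry no comment, and combined with `@{lib}/@{python_name}/**/__pycache__/*.pyc w` they let the compiler create or replace bytecode regardless of the mode bits on the target directory. Since the profile ships with `flags=(attach_disconnected,complain)` nothing is enforced yet, which makes this the right moment to record why each capability is needed, e.g. `capability dac_override, # TODO(review): which path needs it?`, so the set can be trimmed before `complain` is removed. The `dpkg` child profile is a good split, but it has no inline note on why `capability dac_read_search` is needed there either.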
@@ -129,9 +127,9 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{bin}/python3.@{int} r, + @{python_path} r, - owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, + owner @{user_share_dirs}/{,data/}qBittorrent/nova@{int}/{,**} rw, owner @{user_torrents_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index fa67bad97..6816079ac 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5bf8fceb8..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,41 +6,39 @@ abi , include -@{exec_path} = @{bin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include - include - - capability mknod, - capability net_admin, - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace (read) peer=@{p_systemd}, - - unix type=stream addr=@@{hex16}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{bin}/systemctl rix, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state* rw, + owner @{run}/qga.state rw, + owner @{run}/qga.state.@{rand6} rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, - owner @{PROC}/@{pid}/net/dev r, + @{PROC}/sys/vm/max_map_count r, /dev/vport@{int}p@{int} rw, + profile systemctl { + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/shutdown/system, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + + include if exists + } + include if exists } 
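Review bot: The main `qemu-ga` profile loses `network inet stream`, `network inet6 stream`, `network netlink raw`, `capability sys_ptrace`, `capability mknod` and `owner @{PROC}/@{pid}/net/dev r` in this hunk, while only `net_admin`, the shutdown socket and the logind D-Bus talk move into the new `systemctl` child profile. The guest agent's interface and address queries presumably rely on netlink, so if those commands are still expected to work the removal should be confirmed against a guest running the enforcing profile, or a comment should state that they are intentionally out of scope. The split itself is a good least-privilege move: `capability net_admin` is now only reachable through `@{bin}/systemctl Cx -> systemctl`.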
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b5..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,7 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 47dd9beab..81f43b3e6 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rdmsr +@{exec_path} = @{sbin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index f59880046..80e58fd7c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
@@ -10,41 +10,47 @@ include profile remmina @{exec_path} { include include - include + include include include - include - include include - include - include - include + include include include include + include include include + include + include include + include include network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.remmina.Remmina + #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{exec_path} r, + @{exec_path} rm, + + @{open_path} rPx -> child-open-browsers, /usr/share/remmina/{,**} r, /usr/share/themes/{,**} r, - /etc/timezone r, + /etc/fstab r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, + /etc/timezone r, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, @@ -58,6 +64,9 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + include if exists } diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index a1fd7b3b3..5ad84fb15 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{bin}/python3.@{int} rix, + @{python_path} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7b28a1d22..38d482326 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs 
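Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r` narrows the old `@{XDG_SSH_DIR}/{,*} r` to two files, which is a welcome tightening since private keys are no longer readable by the client. Accepting a previously unknown host key presumably appends to known_hosts, though, so read-only may surface as a denial on first connection; if that path is exercised, `owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,` (plus whatever temporary file the SSH library writes beside it) would be needed. The new `/etc/fstab r` line has no obvious reader in this profile and would benefit from a short inline comment like the ones used elsewhere in this diff.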
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c050ce970..8e39c7620 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/resolvconf +@{exec_path} = @{sbin}/resolvconf profile resolvconf @{exec_path} { include include @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index 041a03e07..c65298b27 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rfkill +@{exec_path} = @{sbin}/rfkill profile rfkill @{exec_path} { include @@ -15,8 +15,8 @@ profile rfkill @{exec_path} { /dev/rfkill rw, - @{sys}/devices/@{pci}/rfkill[0-9]/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, + @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, + @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8ae73c5d0..2e548d40c 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,11 +7,12 @@ abi , include -@{exec_path} = @{bin}/rngd +@{exec_path} = @{sbin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, 
diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index b4ae4b211..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,33 +7,32 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - -@{exec_path} = @{bin}/rsyslogd +@{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, + network inet dgram, + network inet6 dgram, + + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, @@ -46,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ddb62cb5f..68837a52d 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -23,11 +23,6 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), - @{exec_path} mr, # When applying policies to processes 
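Review bot: The capability block now adds `capability dac_override` and `capability dac_read_search` and drops `capability chown` and `capability net_admin`, and in doing so loses the per-line comments that explained why each capability existed. With `/var/log/** rw` in the same profile, dac_override lets the daemon open any log file regardless of its mode bits, so it deserves a justification such as `capability dac_override, # TODO(review): state which file/dir needs it`. Dropping `chown` also means the owner/group directives rsyslog offers for newly created log files would now be denied; worth confirming the shipped configuration does not use them. `@{sh_path} mr` without an exec mode is unusual and reads like an incomplete rule — a comment or an explicit `ix`/`Cx` decision would clarify the intent.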
diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 9417c93b1..733573d6b 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index c20b305e1..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -25,7 +19,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -38,6 +32,7 @@ profile run-parts @{exec_path} { /etc/anacrontab r, /etc/conf.d/snapper{,**} r, /etc/default/* r, + /etc/profile.d/{,**} r, /etc/snapper/configs/root r, # Crontab 
@@ -112,36 +107,24 @@ profile run-parts @{exec_path} { # Motd /etc/update-motd.d/ r, - /etc/update-motd.d/* rCx -> motd, + /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, 
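Review bot: `/etc/kernel/{,header_}postinst.d/* rPx` and the matching `postrm.d`, `preinst.d`, `prerm.d` and `/etc/update-motd.d/* rPx` lines replace the `rCx -> kernel` / `rCx -> motd` child profiles with a hard transition, so every hook script present on a system needs its own profile or its execution is denied. For kernel hooks that failure mode turns a kernel upgrade into a broken postinst, and third-party packages drop scripts into these directories, so the commit should state which per-script profiles cover them (none are visible in this diff) and how an unmatched script is expected to behave. The companion hunk below, which deletes the `motd` and `kernel` child profiles (including their `capability sys_module` and `@{lib}/modules/*/updates/ w` rules), depends on the same answer. `/usr/share/landscape/landscape-sysinfo.wrapper rPx` also tightens from `rPUx`, which is consistent with the rest of the change but has the same prerequisite.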
@@ -151,108 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, + + @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{bin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - 
/etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 9931c07fb..4bd569955 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 004c29d64..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include @@ -36,7 +34,7 @@ profile rustdesk @{exec_path} { @{bin}/ls rix, @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rCx -> python, + @{python_path} rCx -> python, @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, @@ -64,7 +62,7 @@ profile rustdesk @{exec_path} { include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk//python, + @{python_path} rPx -> rustdesk//python, include if exists } 
@@ -76,11 +74,11 @@ profile rustdesk @{exec_path} { capability dac_read_search, capability dac_override, - @{bin}/python3.@{int} r, + @{python_path} r, @{sh_path} rix, @{bin}/chmod rix, - @{bin}/uname rPx, + @{bin}/uname rix, /usr/share/rustdesk/files/pynput_service.py rix, /usr/share/[rR]ust[dD]esk/files/{,**} r, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index de55bf829..3552b6dc0 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -39,6 +39,8 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc7..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index dab3593b6..aaf34d49c 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -38,10 +38,7 @@ profile s3fs @{exec_path} { profile fusermount { include - include - - capability dac_read_search, - capability sys_admin, + include network inet stream, network inet6 stream, @@ -52,19 +49,11 @@ profile s3fs @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{bin}/fusermount{,3} mr, - - /etc/fuse.conf r, - @{MOUNTS}/ r, @{MOUNTS}/*/ r, owner @{tmp}/s3fstmp.* rw, - @{PROC}/@{pids}/mounts r, - - /dev/fuse rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 4c5d62597..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl 
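Review bot: In the s3fs `fusermount` child profile, `capability sys_admin`, `capability dac_read_search`, `@{bin}/fusermount{,3} mr`, `/etc/fuse.conf r`, `/dev/fuse rw` and `@{PROC}/@{pids}/mounts r` are removed across the two hunks and replaced by a single include whose name is stripped on this page. Since the child is entered by transition it still has to map the fusermount binary and open `/dev/fuse`, so the include must supply at least those two; a comment next to the include naming what it provides would let a reader verify that without opening the abstraction. The `umount @{MOUNTS}/` rules that stay behind are the right thing to keep local.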
+++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -24,6 +25,9 @@ profile sbctl @{exec_path} { /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, @{lib}/fwupd/efi/{,**} rw, + @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + + @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @@ -31,8 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 3d33e8a3e..83af575dd 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -25,7 +25,6 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, - /usr/share/icons/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index fd839099e..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
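Review bot: `/dev/pts/@{int} rw` is removed from the sbctl profile although the tool is an interactive CLI, so unless the include added at the top of the profile (its name is not visible on this page) grants the pty, the inherited terminal descriptors may hit the file_inherit check on transition and output may be lost or logged as a denial. If the include does cover it, a comment next to the include would make that explicit; otherwise keep the rule. The new `@{sys}/devices/virtual/dmi/id/* r` is broader than the board/product fields other profiles in this diff enumerate and also matches the serial-number attributes; sbctl runs as root so this is mostly a documentation point, but a comment naming the field sbctl actually reads would help.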
@@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/{,**} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index e3eca4e22..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4817f330a..4fd9dff69 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop 
@@ -7,6 +7,7 @@ abi , include @{name} = {S,s}ession +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -15,10 +16,9 @@ include profile session-desktop @{exec_path} { include include - include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 72c9b8a93..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 6c9a3fe62..7fdfddcbb 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 0009d52cb..05ab2273f 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index ecc6abcdb..4e68816d7 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b905e8f3a..53f3d20b1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop 
@@ -8,20 +8,24 @@ abi , include @{name} = signal-desktop{,-beta} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include + include include + include include - include + include + include + include include + include network inet dgram, network inet6 dgram, @@ -29,31 +33,19 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - - audit @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index b9efca35a..51c625d53 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox 
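Review bot: The rewritten exec block drops the `audit` qualifier from the chrome-sandbox rule (now plain `@{lib_dirs}/chrome-sandbox rPx,`), so each launch of the setuid sandbox helper is no longer written to the audit log. That was a cheap, high-value detection signal for an Electron application; if log noise was the reason, a comment on the line would document the trade-off, otherwise restoring `audit @{lib_dirs}/chrome-sandbox rPx,` costs nothing. The cgroup, `@{PROC}/vmstat`, `@{PROC}/@{pid}/fd/` and `/dev/tty` rules removed here are presumably covered by the new includes, whose names are stripped on this page, so that cannot be verified from the hunk.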
@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} { capability sys_admin, capability sys_chroot, + capability dac_override, @{exec_path} mr, @@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} { @{PROC}/@{pid}/oom_adj w, @{PROC}/@{pid}/oom_score_adj w, + # Silencer + deny /dev/pts/@{int} rw, # file_inherit + include if exists } diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan new file mode 100644 index 000000000..a005708db --- /dev/null +++ b/apparmor.d/profiles-s-z/simple-scan @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/simple-scan +profile simple-scan @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/snmp/{,**} r, + + /etc/sane.d/{,**} r, + + @{sys}/bus/scsi/devices/ r, + @{sys}/devices/virtual/dmi/id/board_name r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/board_version r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/scsi/scsi r, + + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735e..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..740af9b7b --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp 
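Review bot: `capability dac_override,` is added to the sandbox helper without a comment naming the operation that needs it, unlike the new `deny /dev/pts/@{int} rw, # file_inherit` line, which documents its trigger. Because this is a setuid helper that already holds `sys_admin` and `sys_chroot`, the incremental risk is limited, but a maintainer will not be able to tell later whether the capability is still required. A comment such as `# dac_override: <path that triggered the denial — TODO confirm from aa-log>` above the rule would make the grant auditable.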
@@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + + # often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 4af40c8ab..d025d160b 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index d0f9c28fd..60a77a782 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap deleted file mode 100644 index 912ab1a8b..000000000 --- a/apparmor.d/profiles-s-z/snap +++ /dev/null 
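Review bot: The comment over `owner /dev/shm/grim-@{rand6} rw,` in the new slurp profile misspells "capture" as `cature`; suggest `# Often used in combination with the grim screen capture tool`. The rest of the file follows the layout of the neighbouring profiles.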
@@ -1,117 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} - -@{exec_path} = @{bin_dirs}/snap -profile snap @{exec_path} { - include - include - include - include - include - include - - capability dac_read_search, - capability setuid, - capability sys_admin, - - network netlink raw, - - unix (send, receive) type=stream peer=(label=apt), - - mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, - - #aa:dbus own bus=session name=io.snapcraft.Launcher - #aa:dbus own bus=session name=io.snapcraft.Settings - - #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), - - @{exec_path} mrix, - - @{bin}/mount rix, - - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/systemctl rCx -> systemctl, - - @{lib_dirs}/snapd/snap-confine rPx, - @{lib_dirs}/snapd/snap-seccomp rPx, - @{lib_dirs}/snapd/snapd rPx, - - /etc/fstab r, - - /var/lib/snapd/{,**} rwk, - /var/cache/snapd/commands.db rwk, - /var/cache/snapd/names r, - - @{DESKTOP_HOME}/snap/{,**} rw, - @{HOME}/snap/{,**} rw, - /snap/{,**} rw, - - owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, - - @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/snapd-session-agent.socket rw, - owner @{run}/user/@{uid}/systemd/notify rw, - - @{run}/mount/utab r, - @{run}/snapd.socket rw, - - @{sys}/kernel/security/apparmor/features/{,**} r, - - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/cgroups r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/random/uuid 
r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/version r, - owner @{PROC}/@{pid}/mounts r, - - /dev/tty@{int} rw, - /dev/ttyS@{int} rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - @{bin}/dirmngr rix, - @{bin}/gpg-agent rix, - @{bin}/gpg-connect-agent rix, - - owner @{HOME}/.snap/gnupg/ rw, - owner @{HOME}/.snap/gnupg/** rwkl, - - include if exists - } - - profile systemctl { - include - include - include - - network unix stream, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index e70a5c499..000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null 
@@ -1,184 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - 
/tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 13ed65c09..0267d6889 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher 
@@ -20,15 +20,21 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, + include if exists } diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index f31818354..7e9728fc9 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -21,7 +21,7 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 04837d871..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,21 +9,19 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include - include include include - include include include include - include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +36,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, @@ -47,6 +44,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } 
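Review bot: `owner /dev/shm/sem.@{rand6} rw,` matches any user-owned six-character POSIX semaphore name under `/dev/shm`, not only the ones speech-dispatcher creates; it is presumably needed as the target of the `rwl -> /dev/shm/sem.@{rand6}` link on the following line, but nothing in the hunk says so. A comment such as `# sem_open() creates a random temporary name and then links it to the final one — TODO confirm` above the two rules would record why the broad match is accepted. The added `@{lib}/speech-dispatcher-modules/* ix,` runs the output modules under this profile, consistent with the existing modules rule below it.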
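Review bot: `/dev/udmabuf rw,` is added to spice-vdagent with no comment on which feature needs it; the device lets a process turn memory it owns into dma-bufs, so a line such as `# udmabuf: <feature that triggered it — TODO confirm>` above the rule would let a later reviewer judge whether it is still required. The removal of `owner @{user_config_dirs}/user-dirs.dirs r,` has no visible replacement; if it moved into one of the added includes, their targets are not readable in this extraction, so that is worth checking in complain mode.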
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index bebfbe419..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,11 +6,12 @@ abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl new file mode 100644 index 000000000..be31bb0d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/spotdl @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 tpaau-17DB +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/spotdl +profile spotdl @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + @{python_path} r, + + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, + + owner @{user_music_dirs}/{,**} rwk, + + owner @{HOME}/.spotdl/** rw, + + owner @{user_cache_dirs}/spotdl/{,**} rw, + owner @{user_config_dirs}/spotdl/{,**} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8ccbbf0f1..b04432e39 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,8 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} 
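Review bot: In the new spotdl profile, `owner @{HOME}/.spotdl/** rw,` matches the contents of the directory but not the directory path itself, so creating `~/.spotdl/` on first run would be denied; the neighbouring cache and config rules use `{,**}` for exactly this reason, and `owner @{HOME}/.spotdl/{,**} rw,` would be consistent with them. `owner @{user_music_dirs}/{,**} rwk,` grants write and lock on the whole music tree, which is plausible for a downloader, but a one-line comment saying so would help a reader distinguish it from the read-only `owner @{user_music_dirs}/{,**} r,` that spotify keeps further down this diff.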
@@ -16,7 +17,18 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include include + include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -24,16 +36,30 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, - @{bin}/grep rix, + @{sh_path} mr, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, + owner @{HOME}/.tmp rw, + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, @@ -41,17 +67,15 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, - deny @{sys}/bus/ r, - deny @{sys}/bus/*/devices/ r, - deny @{sys}/class/*/ r, - deny @{sys}/devices/@{pci}/usb@{int}/** r, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 3b55547be..2ce6b6b4d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss 
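Review bot: `/usr/local/lib/spotify-adblock.so mr,` allows mapping a non-packaged shared object from `/usr/local/lib` into the client, and `@{sh_path} mr,` is added next to the existing `mrix` on `@{exec_path}`; neither line has a comment, and together with the existing `/etc/spotify-adblock/* r` rule they look like support for an LD_PRELOAD wrapper, which is worth stating explicitly, e.g. `# spotify-adblock is injected via LD_PRELOAD — TODO confirm` above the `.so` rule. `owner @{HOME}/.tmp rw,` matches a file literally named `.tmp` in the home directory; if a directory was meant, it needs a trailing `/` or `{,**}`. The four `deny @{sys}/...` silencer rules are removed without a visible replacement, so the bus and device enumeration reads they were quieting will be logged as denials unless the newly added includes allow them.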
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include @@ -24,8 +24,8 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner @{tmp}/*.ss rw, - owner @{HOME}/*.ss rw, + owner @{tmp}/*.ss rw, + owner @{HOME}/*.ss rw, @{sys}/fs/cgroup/{,**/} r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66b..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,9 +69,8 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index ca9f66d27..b2074ba04 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,17 +21,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), + ptrace read, - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, - signal (send) set=(winch, hup, term) peer=rpm, - - unix bind type=stream addr=@@{hex16}/bus/sudo/system/, + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, 
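Review bot: In the sudo hunk, `signal send set=(winch, hup, term),` replaces seven peer-specific rules with one that has no `peer=` constraint, so sudo may now send those signals to any confined process, and at the same time it drops permissions the old lines granted: `receive` from `cockpit-bridge`, `cont` towards `su`, and the unrestricted `send` to `@{p_systemd}`. If cockpit or `su` still rely on those, this is a regression rather than a cleanup; a comment stating which peers were checked, or keeping `signal (send,receive) peer=cockpit-bridge,` and `signal send set=(cont,hup,winch) peer=su,`, would settle it. The removal of `unix bind type=stream addr=@@{hex16}/bus/sudo/system/,` is also unexplained here; if it moved into an include, the include target is not visible in this extraction.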
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c0b940478..f812fc570 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,7 +6,8 @@ abi , include -@{name} = super{p,P}roductivity +@{name} = super{p,P}roductivity Super?Productivity +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -15,8 +16,15 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include + include + include + include + include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg new file mode 100644 index 000000000..a3ed158b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/swayimg @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/swayimg +profile swayimg @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/swayimg/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e1b9ab7de..eecb98b28 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 783e58237..369046b6b 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm 
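Review bot: `capability sys_admin,` is added to switcheroo-control with no comment on which call needs it; since `sys_admin` is the broadest capability AppArmor can grant, the triggering operation should be recorded next to the rule (e.g. `# sys_admin: <operation from aa-log — TODO confirm>`) so a later reviewer can test whether a narrower rule suffices. The profile already has `net_admin` and `sys_nice`, so this is a notable widening for the profile.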
@@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 08ee1532e..5795ddfcc 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd63..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index f668f5a00..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -10,7 +10,10 @@ include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include + include + include include + include include network inet dgram, 
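Review bot: In the swtpm hunk, `/var/log/swtpm/libvirt/qemu/*-swtpm.log w,` is removed with no replacement in view, while the swtpm_setup profile below keeps its `/var/log/swtpm/{,**} w,`; if libvirt still hands swtpm a log file under that directory, writes to it will now be denied, so this is worth checking in complain mode or documenting as intentional. Widening `*.permall rw` to `*` under `tpm2/` is reasonable given the `owner` qualifier added on the same line, but a comment naming the other files swtpm writes there would explain the change.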
@@ -24,22 +27,21 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - - owner @{HOME}/ r, - owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, - owner @{user_config_dirs}/syncthing/{,**} rwk, - owner @{user_state_dirs}/syncthing/{,**} rwk, + @{HOME}/ r, + @{HOME}/** rwk, /home/ r, @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, + @{PROC}/bus/pci/devices r, + @{PROC}/modules r, + @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa new file mode 100644 index 000000000..9dcc199bc --- /dev/null +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/sysstat/sa{1,2} @{lib}/sysstat/debian-sa{1,2} +profile sysstat-sa @{exec_path} { + include + include + + @{exec_path} mr, + @{bin}/ r, + + @{sh_path} rix, + @{bin}/date ix, + @{bin}/find ix, + @{bin}/{,e}grep ix, + @{bin}/rm ix, + @{bin}/sar.sysstat ix, + @{bin}/xargs ix, + @{lib}/sysstat/sadc Px, + + /etc/sysstat/sysstat r, + + /var/log/sysstat/ r, + /var/log/sysstat/** rw, + + @{tmp}/#@{int} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc new file mode 100644 index 000000000..7d9143938 --- /dev/null +++ b/apparmor.d/profiles-s-z/sysstat-sadc 
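Review bot: `@{HOME}/ r,` and `@{HOME}/** rwk,` in the syncthing hunk drop the `owner` qualifier and extend read, write and lock to the whole of every home directory `@{HOME}` expands to, replacing rules that were limited to the user's own `syncthing` data, config and state directories plus `@{user_sync_dirs}`. Even if arbitrary sync folders under the home directory are the motivation, `owner @{HOME}/ r,` and `owner @{HOME}/** rwk,` keep the access to the invoking user's files, and the now-redundant `@{user_sync_dirs}/{,**} rw,` line should then either be removed or the broad rule narrowed back to it. A comment explaining why the whole home tree is needed would also be expected for a rule of this scope.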
@@ -0,0 +1,52 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/sysstat/sadc +profile sysstat-sadc @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} mr, + + /etc/sensors.d/{,**} r, + /etc/sensors3.conf r, + + /var/log/sysstat/{,**} rwk, + + @{sys}/bus/i2c/devices/ r, + @{sys}/class/fc_host/ r, + @{sys}/class/hwmon/ r, + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, + @{sys}/devices/**/net/*/duplex r, + @{sys}/devices/**/net/*/speed r, + @{sys}/devices/virtual/net/*/duplex r, + @{sys}/devices/virtual/net/*/speed r, + + @{PROC}/@{pid}/net/* r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/fs/dentry-state r, + @{PROC}/sys/fs/file-nr r, + @{PROC}/sys/fs/inode-state r, + @{PROC}/sys/kernel/pty/nr r, + @{PROC}/tty/driver/serial r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 4db5c6f92..84f6d52d3 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 0197e3c3b..71892b04e 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet 
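Review bot: `capability sys_admin,` in the new sysstat-sadc profile has no comment on which collector needs it; for a data collector that otherwise only reads `@{sys}` and `@{PROC}` entries and writes under `/var/log/sysstat/`, the broadest capability deserves a justification line such as `# sys_admin: <reason from aa-log — TODO confirm>` so it can be revisited. The companion sysstat-sa profile above carries a 2022 copyright year while this new file says 2025; if both are new additions, the year on sysstat-sa looks stale.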
@@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include + include include include @@ -19,7 +20,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/python3.@{int} r, + @{python_path} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index bc2779d51..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -10,75 +10,33 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, - @{bin}/perl r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, - - /usr/share/debconf/confmodule r, - - owner @{tmp}/file* w, + /usr/share/tasksel/{,**} r, profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - @{bin}/perl r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index d967f4229..c1544af72 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop 
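Review bot: `owner @{tmp}/file* w,` is removed from tasksel while `@{bin}/tempfile ix,` stays, and because of `ix` the files tempfile creates in `@{tmp}` are written under this profile, so they need a rule here; unless the replaced include (its target is not visible in this extraction) provides one, this will produce denials. The `frontend` child profile and the `/usr/share/debconf/frontend rPx` transition are both dropped, so how tasksel now reaches debconf is no longer visible in the profile; a comment stating where that transition happens would help the next reader. Keeping `px` for `dpkg-query` together with the existing LD_PRELOAD rationale comment is good.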
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include @@ -35,10 +35,11 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e5a8f80d9..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,9 +9,8 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include - include + include include - include include include include @@ -27,10 +26,15 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, - @{bin}/python3.@{int} rix, + @{python_path} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..52e9e53e6 --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio 
@@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which{,.debianutils} ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index fe30e6da8..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,12 +8,12 @@ abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, 
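Review bot: The texstudio profile writes `owner /tmp/qtsingleapp-TeXstu-** rw,` and `owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk,` with a literal `/tmp/`, whereas the other profiles in this diff (strawberry, spotify, swtpm_setup) use `@{tmp}`; `owner @{tmp}/qtsingleapp-TeXstu-** rw,` keeps the file consistent and covers whatever `@{tmp}` expands to. `@{bin}/pdflatex ix,` and `@{bin}/pdftex ix,` run the TeX engines inside the editor's profile; since TeX documents can drive shell escape, a comment acknowledging that the engines inherit texstudio's permissions (or a `Px` transition if a dedicated profile exists) would make the decision explicit. `## silencer` also differs from the `# Silencer` heading style used in signal-desktop-chrome-sandbox above.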
@@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index f4fb49f8f..da163c2ae 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @@ -37,6 +37,9 @@ profile thunderbird @{exec_path} { # Desktop integration @{open_path} rPx -> child-open, + # Extensions + @{bin}/SysTray-X rPUx, + /usr/share/lightning/{,**} r, owner /var/mail/** rwk, @@ -52,9 +55,11 @@ profile thunderbird @{exec_path} { owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/nsemail.eml rw, - owner @{tmp}/nsma rw, + owner @{tmp}/nscopy.tmp rw, + owner @{tmp}/nsemail{,-@{int}}.eml rw, + owner @{tmp}/nsma{,-@{int}} rw, owner @{tmp}/pid-@{pid}/{,**} w, + owner @{tmp}/remote-settings-startup-bundle- rw, /dev/urandom w, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 626896a09..53fdb1ffd 100644 
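Review bot: In the thunderbird hunk, `owner @{tmp}/remote-settings-startup-bundle- rw,` ends in a bare hyphen, which reads like a truncated pattern; if the real temporary file carries a random suffix this rule never matches and should be `owner @{tmp}/remote-settings-startup-bundle-* rw,` — please confirm against a denial log before merging. In the preceding hunk, `@{bin}/SysTray-X rPUx` under `# Extensions` falls back to running the helper unconfined whenever no SysTray-X profile is shipped; a short trailing comment making that fallback explicit would help the next reader. The enclosing thunderbird profile starts outside both hunks.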
--- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -11,15 +11,19 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include + + network netlink raw, @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp new file mode 100644 index 000000000..1592d3aee --- /dev/null +++ b/apparmor.d/profiles-s-z/tlp 
@@ -0,0 +1,120 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# Copyright (C) 2024 Barmogund +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/tlp +profile tlp @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + capability dac_read_search, + capability sys_nice, + capability sys_rawio, + capability sys_tty_config, + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cp rix, + @{sbin}/ethtool rix, + @{bin}/flock rix, + @{bin}/{,e}grep rix, + @{sbin}/hdparm rPx, + @{bin}/head rix, + @{bin}/id rPx, + @{sbin}/iw rPx, + @{bin}/logger rix, + @{bin}/mktemp rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/systemctl rCx -> systemctl, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/udevadm rCx -> udevadm, + @{bin}/uname rix, + @{bin}/timeout rix, + /usr/share/tlp/tlp-readconfs rix, + + / r, + + /etc/tlp.d/ r, + /etc/tlp.d/** rw, + /etc/tlp.conf rw, + + /usr/share/tlp/{,**} r, + + /var/lib/tlp/{,**} rw, + /var/lib/power-profiles-daemon/state.ini rw, + + owner /tmp/tlp-run.conf_tmp@{rand6} rw, + + owner @{run}/tlp/{,**} rw, + owner @{run}/tlp/lock_tlp rwk, + + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + + @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, + @{sys}/class/drm/ r, + @{sys}/class/net/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**/}power/control w, + @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/**/net/**/uevent r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, + 
@{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/net/**/uevent r, + @{sys}/firmware/acpi/platform_profile* rw, + @{sys}/firmware/acpi/pm_profile* rw, + @{sys}/module/*/parameters/power_save rw, + @{sys}/module/*/parameters/power_save_controller rw, + @{sys}/module/pcie_aspm/parameters/policy rw, + + owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, + owner @{PROC}/sys/kernel/nmi_watchdog rw, + owner @{PROC}/sys/vm/dirty_*_centisecs rw, + owner @{PROC}/sys/vm/laptop_mode rw, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + profile udevadm { + include + include + + @{run}/tlp/lock_tlp rw, # file_inherit + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 0b35cff02..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,13 +21,14 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -41,14 +42,13 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{bin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, 
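Review bot: `capability net_admin` is granted only inside the `systemctl` child profile, yet the tool in this file that plausibly needs it, `@{sbin}/ethtool rix` (link/WoL settings), runs inherited in the parent profile, which grants no net_admin; if TLP's ethtool calls write settings they will be denied, and if nothing systemctl does needs it the capability should move to the parent or be dropped. `/etc/tlp.conf rw` and `/etc/tlp.d/** rw` also give a root daemon write access to its own policy configuration; if these files are only read (via `/usr/share/tlp/tlp-readconfs`) then `r` is sufficient, otherwise a comment naming the writer would be welcome. Both points are inferred from the rules alone, not from a denial log.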
@@ -65,24 +65,25 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, - @{bin}/btrfs rPx, - @{bin}/cryptsetup rPUx, - @{bin}/e2fsc rPUx, - @{bin}/fsck rPx, + @{sbin}/btrfs rPx, + @{sbin}/cryptsetup rPUx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{bin}/mkfs.* rPUx, + @{sbin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{bin}/resize2fs rPx, + @{sbin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{bin}/tune2fs rPx, + @{sbin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{bin}/zramctl rPx, + @{sbin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index c7c914387..ad258189c 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba..d1e429d45 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,11 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include + include + include include network netlink raw, @@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, 
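Review bot: In the totem hunk, `capability sys_ptrace` is added to the sandbox helper (sub)profile without a comment, and neither `@{bin}/bwrap mr` nor `@{bin}/totem-video-thumbnailer rix` obviously needs ptrace; it may be satisfying a noisy audit entry from reading another process's /proc entry rather than a real requirement. I would either name the consumer in a trailing comment, `capability sys_ptrace, # <reason — placeholder, confirm from aa-log>`, or drop it and re-test. The enclosing child profile starts outside the hunk.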
@@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index ee4de1e45..b4666bb96 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -13,7 +13,6 @@ profile tpacpi-bat @{exec_path} { include @{exec_path} mr, - @{bin}/perl r, @{sh_path} rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index a6ccb7e2d..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -7,17 +7,15 @@ abi , include @{exec_path} = @{bin}/transmission-{gtk,qt} -profile transmission @{exec_path} { +profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include - include include include include include include + include include include include @@ -59,6 +57,7 @@ profile transmission @{exec_path} { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids 
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf new file mode 100644 index 000000000..47826d336 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucf @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucf +profile ucf @{exec_path} { + include + include + include + include + + @{exec_path} rix, + @{sh_path} rix, + + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/getopt rix, + @{bin}/id rix, + @{bin}/md5sum rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/stat rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/dpkg-query rpx, + @{bin}/dpkg-divert rPx, + @{pager_path} rCx -> child-pager, + + # For md5sum + /usr/share/** r, + + # For writing new config files + /etc/** rw, #aa:lint ignore=too-wide + + # For shell pwd + / r, + /root/ r, + + owner /var/lib/ucf/** rw, + + owner /tmp/tmp.@{rand10} r, + + deny capability sys_admin, # optional: no audit + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq 
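Review bot: In the new ucf profile, `@{bin}/dpkg-query rpx,` uses the lowercase `p` transition while the very next rule, `@{bin}/dpkg-divert rPx,`, uses `P`; lowercase means the environment is not scrubbed across the profile change, which is unlikely to be intended for a root-run configuration tool and looks like a typo. Suggest `@{bin}/dpkg-query rPx,`. The rest of the profile is consistent with the sibling ucfq/ucfr profiles added in the same commit.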
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..4cc149a28 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, + @{bin}/getopt ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 000000000..f12ed105f --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 000000000..e42b10c26 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{sbin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 000000000..552159867 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 000000000..453e0093a --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 000000000..bca98163b --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 000000000..e02e070a8 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index c4b30b884..8827bca14 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp 
@@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 85b99b8ab..7407a9f99 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -7,13 +7,14 @@ abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,25 +18,21 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index a83e985d7..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -12,6 +12,8 @@ profile update-alternatives @{exec_path} { include include + capability dac_override, + @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b87f60ec4..df9c08fe4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates 
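Review bot: In the update-alternatives hunk, `capability dac_override` is added without a rationale, and combined with the existing `@{bin}/* w` it lets the tool bypass permission checks on anything it writes; the same commit documents the equivalent grant in unix-chkpwd inline (`# To read shadow with 000 permissions.`), so this one should name the path that triggered it, e.g. `capability dac_override, # <path that needs it — placeholder, take from aa-log>`. The enclosing profile starts outside the hunk.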
+++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, @@ -45,7 +46,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/@{hex}.[0-9] rw, + /etc/ssl/certs/@{hex}.@{d} rw, /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index f1bf99bf8..9801f8737 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 9bef23a77..8f848b0ad 100644 
--- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,12 +16,12 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index c0e64f0f9..e9d92e421 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, @@ -39,7 +39,6 @@ profile update-dlocatedb @{exec_path} { include /usr/share/dlocate/updatedb r, - @{bin}/perl r, /etc/default/dlocate r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..dc2a0d7aa --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cp ix, + @{bin}/find ix, + @{bin}/install-info Px, + @{bin}/rm ix, + + /etc/environment r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 6948f2812..50f11caea 100644 
--- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -22,17 +22,20 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, + + /etc/initramfs/post-update.d/* rPUx, /var/lib/initramfs-tools/* w, @@ -47,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index d2e36ead0..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index e5ffca44f..31a03ef7b 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy 
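Review bot: `/etc/initramfs/post-update.d/* rPUx,` runs every hook in that directory unconfined unless a matching profile happens to exist, which turns a directory of admin- or package-installed scripts into a blanket exit from confinement for a root tool; the `@{bin}/run-parts rix` added alongside is what walks it. That is a defensible trade-off for hooks shipped by other packages, but it should be visible, e.g. `/etc/initramfs/post-update.d/* rPUx, # hooks run unconfined when no dedicated profile exists`. The enclosing profile starts outside the hunk.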
@@ -7,28 +7,24 @@ abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, - /usr/share/debconf/frontend rPx, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..5922c1a14 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath rix, + @{bin}/mv ix, + @{bin}/sync ix, + @{bin}/readlink ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2ce61cebf..70b9bc6e2 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb 
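Review bot: The update-secureboot-policy hunk drops `@{sh_path} rix,` and the debconf lines (`/usr/share/debconf/frontend rPx`, `/usr/share/debconf/confmodule r`) while keeping `@{exec_path} rm` for what is a shell script; that only works if the replaced `include` now supplies the interpreter and the script no longer sources confmodule, neither of which is visible here. Please confirm with a run under `aa-log`, and if the script still sources it restore `/usr/share/debconf/confmodule r,`. The hunk covers the profile from its include list to `/var/lib/shim-signed/dkms-list rw,`; the rest of the profile is outside it.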
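Review bot: In the new update-shells profile, `/etc/shells r` and `/var/lib/shells.state r` are read-only, but the profile also allows `/etc/shells.tmp w`, `/var/lib/shells.state.tmp w` and `@{bin}/mv ix`, which suggests the tool builds a temporary file and renames it over the final one; AppArmor requires write permission on both the source and the destination of a rename, so that final `mv` would be denied. If that is the flow, change the two rules to `/etc/shells rw,` and `/var/lib/shells.state rw,` and verify with a denial log.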
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 7a951b7e7..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,13 +19,13 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 8858a80f1..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray new file mode 100644 index 000000000..046151222 --- /dev/null +++ b/apparmor.d/profiles-s-z/v2ray 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v2ray +profile v2ray @{exec_path} flags=(attach_disconnected) { + include + include + + network inet dgram, + network inet stream, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + @{exec_path} mr, + + /etc/v2ray/{,*} r, + /usr/share/v2ray/**.dat r, + + @{PROC}/sys/net/core/somaxconn r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl new file mode 100644 index 000000000..ddb86b9a2 --- /dev/null +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v4l2-ctl +profile v4l2-ctl @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 25f4a979f..eaf6ca24b 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 6612846cd..b9b92a721 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{bin}/dmsetup rPx, - @{bin}/grep rix, + @{sbin}/dmsetup rPx, + @{bin}/{,e}grep rix, @{bin}/kmod rix, - @{bin}/ldconfig rix, - @{bin}/losetup rCx -> losetup, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, 
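Review bot: In the new v2ray profile, `network inet raw,` and `network inet6 raw,` are granted but there is no `capability net_raw,`; opening a raw socket needs CAP_NET_RAW, so if v2ray actually does this (for example when run as root or with ambient capabilities) it will be denied on the capability, and if it does not the two raw rules widen the policy for nothing. Either add `capability net_raw,` next to the network rules with a comment naming the feature that needs it, or drop the two raw rules; `aa-log` on a real run will show which applies.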
@@ -85,7 +85,7 @@ profile veracrypt @{exec_path} {
 capability sys_rawio,
- @{bin}/losetup mr,
+ @{sbin}/losetup mr,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop
index b4b63fe74..4f4432650 100644
--- a/apparmor.d/profiles-s-z/vesktop
+++ b/apparmor.d/profiles-s-z/vesktop
@@ -8,6 +8,7 @@ abi ,
 include
 @{name} = vesktop
+@{domain} = org.chromium.Chromium
 @{lib_dirs} = @{lib}/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
@@ -33,7 +34,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) {
 @{bin}/speech-dispatcher rPx,
 @{open_path} rPx -> child-open,
- owner /tmp/.org.chromium.Chromium.@{rand6} mr,
 owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
 @{sys}/devices/@{pci}/usb@{int}/**/interface r,
diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter
index 283eab051..7cf741dc2 100644
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@@ -25,10 +25,10 @@ profile vidcutter @{exec_path} {
 include
 @{exec_path} r,
- @{bin}/python3.@{int} r,
+ @{python_path} r,
 @{bin}/ r,
- @{bin}/ldconfig rix,
+ @{sbin}/ldconfig rix,
 @{bin}/ffmpeg rPx,
 @{bin}/ffprobe rPx,
diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr
index 50ada1d64..396f1e4f8 100644
--- a/apparmor.d/profiles-s-z/vipw-vigr
+++ b/apparmor.d/profiles-s-z/vipw-vigr
@@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} {
 @{sh_path} rix,
 @{editor_path} rCx -> editor,
- /etc/login.defs r,
+ @{etc_ro}/login.defs r,
 /etc/{passwd,shadow,gshadow,group}{,.edit} rw,
 /etc/{passwd,shadow,gshadow,group}.@{pid} rw,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index bce236989..92dc977d9 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -12,12 +12,18 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include include include include include include include + include include include include @@ -28,24 +34,25 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, - @{bin}/python3.@{int} r, - @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{python_path} rix, + @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -78,6 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 
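Review bot: `@{run}/libvirt/libvirt-sock rw,` in the third hunk is the first rule of this profile that reaches the system-wide libvirtd socket without `owner`; the neighbouring rules only touch per-user sockets under `@{run}/user/@{uid}/libvirt/`. Letting the GUI talk to the system instance is presumably intentional (qemu:///system), but that socket exposes a much larger capability surface than the session one, so it deserves a one-line comment such as `# System libvirtd socket (qemu:///system); libvirt/polkit gate what the caller may do`. In the second hunk `@{python_path}` goes from `r` to `rix`, which is the usual way to run the interpreter inline under the profile; a short comment on why `ix` is now required would help the next reader.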
@@ -85,18 +93,16 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,13 +11,10 @@ include profile vlc @{exec_path} { include include - include include - include - include - include - include include + include + include include include include @@ -25,8 +22,11 @@ profile vlc @{exec_path} { include include include + include include include + include + include include include @@ -36,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, @@ -85,7 +82,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af3561..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 
@@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index 1a0e33418..ade896ea5 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -36,7 +36,7 @@ profile w3m @{exec_path} { owner @{user_config_dirs}/w3m/{,**} rw, - owner @{tmp}/@{rand6}/{,**} rw, + owner @{tmp}/w3m-@{rand6}/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 8499a1ad6..b8d1d5326 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -26,11 +26,13 @@ profile waybar @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/system/cpu/present r, + @{sys}/devices/virtual/dmi/id/uevent r, @{PROC}/@{pid}/net/dev r, @{PROC}/spl/kstat/zfs/arcstats r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat new file mode 100644 index 000000000..00fe0a8c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/wechat 
@@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = wechat +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/wechat/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{lib_dirs}/wechat +profile wechat @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, + + owner @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage new file mode 100755 index 000000000..335860d07 --- /dev/null +++ b/apparmor.d/profiles-s-z/wechat-appimage 
@@ -0,0 +1,82 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = wechat-appimage +@{domain} = org.chromium.Chromium +@{lib_dirs} = /opt/wechat-appimage/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat +profile wechat-appimage @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, + + umount @{tmp}/.mount_wechat@{word6}/, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, + + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/dirname rix, + @{bin}/readlink rix, + + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, + + /etc/machine-id r, + + @{HOME}/.xwechat/{,**} rwk, + + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + + /dev/fuse rw, + /dev/tty rw, + + profile fusermount { + include + include + + mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, + + umount @{tmp}/.mount_wechat@{word6}/, + + @{lib_dirs}/wechat-appimage.AppImage r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
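Review bot: The attachment list in `@{exec_path}` spells the AppImage as `wechat-appimage.Appimage` while the rule `@{lib_dirs}/wechat-appimage.AppImage ix,` and the `mount fstype=fuse.wechat-appimage.AppImage` rule use `AppImage`; AppArmor paths are case-sensitive, so one of the two will never match the file on disk. The third attachment, `/tmp/.mount_wechat??????/user/bin/wechat`, also disagrees with the `@{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix,` rule below it (`user/bin` vs `usr/bin`, literal `/tmp` vs `@{tmp}`); the line should read `@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.AppImage @{tmp}/.mount_wechat@{word6}/usr/bin/wechat`. Three rules appear twice in the body (`@{bin}/fusermount{,3} Cx -> fusermount,`, `@{bin}/dirname rix,`, `@{bin}/readlink rix,`); drop the second copies. Finally `@{HOME}/.xwechat/{,**} rwk,` lacks the `owner` qualifier that the sibling wechat profile in this diff uses for the same directory.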
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 9d563111a..94da6c60e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,6 +7,7 @@ abi , include @{name} = wechat-universal +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -14,12 +15,10 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include - include include - include include - include - include + include + include network netlink raw, network netlink dgram, @@ -30,20 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, + /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 861908a6b..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet 
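Review bot: `@{lib}/wechat-appimage.AppImage ix,` points at the system library directory rather than this profile's `@{lib_dirs}` (`/opt/wechat-universal/`), and it runs the AppImage inline under the wechat-universal profile even though this same diff adds a dedicated `wechat-appimage` profile. Unless the launcher really ships an AppImage under `@{lib}`, this looks like a stray copy from the appimage profile; if it is intended, `Px` to the new profile keeps the two confinement domains separate. Note also that `@{lib}/wechat-universal/common.sh ix,` is removed while `@{sh_path} rix,` stays, so the script must now be readable through another rule or include that is not visible here — worth confirming before enforcing.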
@@ -6,15 +6,17 @@ abi , include +@{domain} = org.chromium.Chromium + @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 43fa8ff09..3febd0b0b 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index cc4ae2959..41541ea84 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 855db3f4b..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, @@ -31,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail 
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,9 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, + /usr/share/terminfo/** r, - owner @{tmp}/gpm* w, + /etc/newt/palette.* r, include if exists } diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 000000000..a1549db03 --- /dev/null +++ b/apparmor.d/profiles-s-z/whois @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 000000000..8a2c83904 --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + include + + capability setgid, + capability setuid, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + /var/crash/*.@{uid}.crash r, + owner /var/crash/*.@{uid}.uploaded rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + @{sys}/devices/virtual/dmi/id/product_uuid r, + + include if exists +} + +# vim:syntax=apparmor 
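Review bot: In the new whoopsie profile `network inet6 dgram,` is listed twice and `network inet6 stream,` is absent, while the IPv4 side has both `dgram` and `stream`; the uploader's TCP connections over IPv6 would be denied. Replace the duplicate with `network inet6 stream,`. The profile also grants `capability setgid,` and `capability setuid,` without a comment; a one-liner such as `# Drops privileges to the whoopsie user after start-up — TODO confirm` would record why an upload daemon needs them.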
diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 000000000..3b720d0da --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 136caa781..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,7 +17,7 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index c9987fa01..eb4efeee9 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli 
@@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - /{usr/,}{s,}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index fd10713cc..f833c812e 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -17,7 +17,7 @@ profile wpa-gui @{exec_path} { @{exec_path} mr, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, + owner @{tmp}/wpa_ctrl_@{pid}-@{d} w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 23f77f840..b20c6f1b4 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include @@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, + owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 7de522fc8..6ef05cc0f 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 22713e3bf..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd 
@@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -21,13 +26,15 @@ profile wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/python3.@{int} rix, + @{python_path} rix, /etc/machine-id r, owner /var/lib/libuuid/clock.txt rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + @{run}/uuidd/request rw, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar new file mode 100644 index 000000000..37933679d --- /dev/null +++ b/apparmor.d/profiles-s-z/wttrbar @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wttrbar +profile wttrbar @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + owner /tmp/wttrbar--wttr.in.json rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..4d2766101 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, 
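Review bot: `owner /tmp/wttrbar--wttr.in.json rw,` in the new wttrbar profile hard-codes `/tmp` where every other temporary-file rule in this diff uses `@{tmp}` (e.g. `owner @{tmp}/w3m-@{rand6}/{,**} rw,` in w3m); write it as `owner @{tmp}/wttrbar--wttr.in.json rw,` so per-user tmp layouts are covered. Because the file name is fixed and the directory is shared, the `owner` qualifier is doing real work here (a pre-existing file owned by another user is refused) — a short comment would keep someone from dropping it later. In the wsdd hunk on the same line, the new `@{run}/uuidd/request rw,` has no `owner` while the neighbouring `@{run}/user/@{uid}/...` rules do; that is plausible for the uuidd socket, but a comment would make clear it is deliberate.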
@@ -51,13 +40,10 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index f40b4fa6b..b2f94975f 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -9,13 +9,15 @@ include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include - include + include network inet stream, network inet6 stream, @{exec_path} mr, + owner @{HOME}/.xsession-errors w, + include if exists } diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 0801ac188..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include + include include signal (receive) set=(usr1) peer=xorg, @@ -34,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..0d6c4d65f --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp 
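Review bot: The rewritten block keeps `@{MOUNTS}/** rw,` but drops `@{MOUNTS}/ r,`; AppArmor's `**` matches entries below a directory, not the directory itself (which is why the rest of the project writes `{,**}`), so listing a mount root in the file chooser now has no rule. Keep `@{MOUNTS}/ r,` next to the new rule, or write `@{MOUNTS}/{,**} rw,` if write access on the root is acceptable. The `#aa:lint ignore=too-wide` marker records that the width is deliberate, but the comment should also say that `@{MOUNTS}/**` is intentionally not `owner`-qualified (presumably because removable media rarely carries matching ownership) whereas `@{HOME}/**` is.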
@@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-browsers, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{int}D@{int}[cp] w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray new file mode 100644 index 000000000..79c3104dc --- /dev/null +++ b/apparmor.d/profiles-s-z/xray @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xray +profile xray @{exec_path} flags=(attach_disconnected) { + include + include + + network inet dgram, + network inet stream, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, + + @{exec_path} mr, + + /etc/xray/{,*} r, + /usr/share/xray/**.dat r, + /usr/share/v2ray/**.dat r, + + @{PROC}/sys/net/core/somaxconn r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973..4273e803d 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp 
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 781e24768..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, @@ -30,7 +28,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, @@ -38,7 +36,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 46b0c6c06..100ae9985 100644 
--- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -24,7 +24,6 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/perl r, @{sh_path} rix, @{bin}/infocmp rix, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index 551a8edf4..ffa78eda3 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 81ccfc284..a76bf0d89 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -24,10 +24,10 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index bb160a5e5..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index 59a8d772e..f4dc9fc77 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{bin}/python3.@{int} r, + @{python_path} r, @{bin}/nmap rPx, 
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd7..e6033d9d2 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 8ac23a07c..42181500b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils 
@@ -0,0 +1,112 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has
+# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we
+# provide aliases for all the coreutils names to their gnu* counterpart.
+
+ alias /{,usr/}bin/dd -> /usr/bin/gnudd,
+ alias /{,usr/}bin/tee -> /usr/bin/gnutee,
+ alias /{,usr/}bin/paste -> /usr/bin/gnupaste,
+ alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum,
+ alias /{,usr/}bin/env -> /usr/bin/gnuenv,
+ alias /{,usr/}bin/expr -> /usr/bin/gnuexpr,
+ alias /{,usr/}bin/sleep -> /usr/bin/gnusleep,
+ alias /{,usr/}bin/shred -> /usr/bin/gnushred,
+ alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors,
+ alias /{,usr/}bin/nohup -> /usr/bin/gnunohup,
+ alias /{,usr/}bin/stty -> /usr/bin/gnustty,
+ alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum,
+ alias /{,usr/}bin/pr -> /usr/bin/gnupr,
+ alias /{,usr/}bin/nice -> /usr/bin/gnunice,
+ alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc,
+ alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum,
+ alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand,
+ alias /{,usr/}bin/logname -> /usr/bin/gnulogname,
+ alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq,
+ alias /{,usr/}bin/chown -> /usr/bin/gnuchown,
+ alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir,
+ alias /{,usr/}bin/printf -> /usr/bin/gnuprintf,
+ alias /{,usr/}bin/true -> /usr/bin/gnutrue,
+ alias /{,usr/}bin/groups -> /usr/bin/gnugroups,
+ alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv,
+ alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate,
+ alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum,
+ alias /{,usr/}bin/pinky -> /usr/bin/gnupinky,
+ alias /{,usr/}bin/rm -> /usr/bin/gnurm,
+ alias /{,usr/}bin/cat -> /usr/bin/gnucat,
+ alias /{,usr/}bin/tac -> /usr/bin/gnutac,
+ alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum,
+ alias /{,usr/}bin/seq -> /usr/bin/gnuseq,
+ alias /{,usr/}bin/cut -> /usr/bin/gnucut,
+ alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit,
+ alias /{,usr/}bin/split -> /usr/bin/gnusplit,
+ alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath,
+ alias /{,usr/}bin/ptx -> /usr/bin/gnuptx,
+ alias /{,usr/}bin/who -> /usr/bin/gnuwho,
+ alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami,
+ alias /{,usr/}bin/cksum -> /usr/bin/gnucksum,
+ alias /{,usr/}bin/ls -> /usr/bin/gnuls,
+ alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon,
+ alias /{,usr/}bin/arch -> /usr/bin/gnuarch,
+ alias /{,usr/}bin/head -> /usr/bin/gnuhead,
+ alias /{,usr/}bin/date -> /usr/bin/gnudate,
+ alias /{,usr/}bin/wc -> /usr/bin/gnuwc,
+ alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp,
+ alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk,
+ alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo,
+ alias /{,usr/}bin/du -> /usr/bin/gnudu,
+ alias /{,usr/}bin/cp -> /usr/bin/gnucp,
+ alias /{,usr/}bin/tty -> /usr/bin/gnutty,
+ alias /{,usr/}bin/sync -> /usr/bin/gnusync,
+ alias /{,usr/}bin/fold -> /usr/bin/gnufold,
+ alias /{,usr/}bin/users -> /usr/bin/gnuusers,
+ alias /{,usr/}bin/dirname -> /usr/bin/gnudirname,
+ alias /{,usr/}bin/nproc -> /usr/bin/gnunproc,
+ alias /{,usr/}bin/sort -> /usr/bin/gnusort,
+ alias /{,usr/}bin/[ -> /usr/bin/gnu[,
+ alias /{,usr/}bin/base64 -> /usr/bin/gnubase64,
+ alias /{,usr/}bin/od -> /usr/bin/gnuod,
+ alias /{,usr/}bin/tr -> /usr/bin/gnutr,
+ alias /{,usr/}bin/join -> /usr/bin/gnujoin,
+ alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum,
+ alias /{,usr/}bin/false -> /usr/bin/gnufalse,
+ alias /{,usr/}bin/expand -> /usr/bin/gnuexpand,
+ alias /{,usr/}bin/base32 -> /usr/bin/gnubase32,
+ alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod,
+ alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir,
+ alias /{,usr/}bin/factor -> /usr/bin/gnufactor,
+ alias /{,usr/}bin/mknod -> /usr/bin/gnumknod,
+ alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon,
+ alias /{,usr/}bin/basename -> /usr/bin/gnubasename,
+ alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp,
+ alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum,
+ alias /{,usr/}bin/ln -> /usr/bin/gnuln,
+ alias /{,usr/}bin/tsort -> /usr/bin/gnutsort,
+ alias /{,usr/}bin/echo -> /usr/bin/gnuecho,
+ alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout,
+ alias /{,usr/}bin/dir -> /usr/bin/gnudir,
+ alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt,
+ alias /{,usr/}bin/touch -> /usr/bin/gnutouch,
+ alias /{,usr/}bin/mv -> /usr/bin/gnumv,
+ alias /{,usr/}bin/sum -> /usr/bin/gnusum,
+ alias /{,usr/}bin/stat -> /usr/bin/gnustat,
+ alias /{,usr/}bin/yes -> /usr/bin/gnuyes,
+ alias /{,usr/}bin/install -> /usr/bin/gnuinstall,
+ alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink,
+ alias /{,usr/}bin/pwd -> /usr/bin/gnupwd,
+ alias /{,usr/}bin/tail -> /usr/bin/gnutail,
+ alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf,
+ alias /{,usr/}bin/comm -> /usr/bin/gnucomm,
+ alias /{,usr/}bin/shuf -> /usr/bin/gnushuf,
+ alias /{,usr/}bin/uname -> /usr/bin/gnuuname,
+ alias /{,usr/}bin/test -> /usr/bin/gnutest,
+ alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir,
+ alias /{,usr/}bin/link -> /usr/bin/gnulink,
+ alias /{,usr/}bin/df -> /usr/bin/gnudf,
+ alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink,
+ alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid,
+ alias /{,usr/}bin/fmt -> /usr/bin/gnufmt,
+ alias /{,usr/}bin/id -> /usr/bin/gnuid,
+ alias /{,usr/}bin/nl -> /usr/bin/gnunl,
diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index f1be9acbe..c791f5376 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
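Review bot: The 104 alias rules are in no discernible order (dd, tee, paste, sha256sum, …), which makes it hard to spot a missing utility and guarantees noisy diffs whenever Ubuntu adds or drops one; sort them by name. `alias /{,usr/}bin/[ -> /usr/bin/gnu[,` needs a check against apparmor_parser, since `[` opens a character class in AppArmor path globbing and the line may need escaping (`\[`) on both sides or be rejected outright. The header comment should also say that alias rules are global — every profile loaded on the system, not only this project's, gains the `gnu*` path for any rule written as `@{bin}/<name>` — and whether a profile that spells `/usr/bin/<name>` literally is rewritten too depends on how the parser matches the `{,usr/}` alternation in the alias source; worth confirming and recording as a TODO.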
@@ -11,30 +11,7 @@
 # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
-# Extra user personal directories
-@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
-@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
-@{XDG_BOOKS_DIR}="Books"
-@{XDG_GAMES_DIR}=".games"
-@{XDG_PROJECTS_DIR}="Projects"
-@{XDG_WORK_DIR}="Work"
-@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
-@{XDG_SYNC_DIR}="Sync"
-@{XDG_TORRENTS_DIR}="Torrents"
-@{XDG_VM_DIR}=".vm"
-@{XDG_VM_SHARES_DIR}="VM_Shares"
-@{XDG_IMG_DIR}="images"
-@{XDG_GAMESSTUDIO_DIR}="unity3d"
-
-# User personal keyrings
-@{XDG_GPG_DIR}=".gnupg"
-@{XDG_SSH_DIR}=".ssh"
-@{XDG_PASSWORD_STORE_DIR}=".password-store"
-
-# User personal private directories
-@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
-
-# Definition of local user configuration directories
+# Define the XDG Base Directory
 @{XDG_CACHE_DIR}=".cache"
 @{XDG_CONFIG_DIR}=".config"
 @{XDG_DATA_DIR}=".local/share"
@@ -42,28 +19,59 @@
 @{XDG_BIN_DIR}=".local/bin"
 @{XDG_LIB_DIR}=".local/lib"
-# Full path of the user configuration directories
+# Define extended user directories not defined in the XDG standard but commonly
+# used in profiles
+@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
+@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
+@{XDG_BOOKS_DIR}="Books"
+@{XDG_GAMES_DIR}="Games"
+@{XDG_PROJECTS_DIR}="Projects"
+@{XDG_WORK_DIR}="Work"
+@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
+@{XDG_SYNC_DIR}="Sync"
+@{XDG_TORRENTS_DIR}="Torrents"
+@{XDG_GAMESSTUDIO_DIR}="unity3d"
+
+# Define user directories for virtual machines, shared folders and disk images
+@{XDG_VM_DIR}=".vm"
+@{XDG_VMSHARE_DIR}=".vmshare"
+@{XDG_IMG_DIR}=".img"
+
+# Define user build directories and artifacts output
+@{XDG_BUILD_DIR}=".build"
+@{XDG_PKG_DIR}=".pkg"
+
+# Define user personal keyrings
+@{XDG_GPG_DIR}=".gnupg"
+@{XDG_SSH_DIR}=".ssh"
+@{XDG_PASSWORDSTORE_DIR}=".password-store"
+
+# Define user personal private directories
+@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
+
+# Full path of the XDG Base Directory
 @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR}
 @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR}
+@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
 @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR}
 @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
-@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
-
-# User build directories and output
-@{user_build_dirs}="/tmp/build/"
-@{user_pkg_dirs}="/tmp/pkg/"
-@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
 # Other user directories
 @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
 @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
-@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
-@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
+@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
 @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} 
@{MOUNTS}/@{XDG_WORK_DIR}
 @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}
-@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
-@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
+@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR}
 @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
 @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
+@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}
+@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
+@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR}
+@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR}
+@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR}
+@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR}
+@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}
+@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base
new file mode 100644
index 000000000..9661b1e51
--- /dev/null
+++ b/apparmor.d/tunables/multiarch.d/base
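Review bot: `@{user_gpg_dirs}`, `@{user_ssh_dirs}` and `@{user_passwordstore_dirs}` are given a `@{MOUNTS}/…` alternative alongside `@{HOME}/…`, so every profile that uses them is granted the keyring directory on every mounted volume and gvfs mount, not only in the home directory; the previous `@{user_password_store_dirs}` had that shape too, but the gpg and ssh variables are new and nothing says the widening is intended. Either keep the keyring variables to `@{HOME}/…` or add a sentence above `# Define user personal keyrings` stating why removable media are included. `@{XDG_PASSWORD_STORE_DIR}`/`@{user_password_store_dirs}` are renamed to `@{XDG_PASSWORDSTORE_DIR}`/`@{user_passwordstore_dirs}` and `@{XDG_VM_SHARES_DIR}` disappears, so any profile still referencing the old names will fail to parse if one remains. `@{XDG_GAMES_DIR}` changes from `".games"` to `"Games"`, which moves the matched directory from hidden to visible; that is a behaviour change worth a comment or a commit-message line.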
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base variables, upstreamed in apparmor 4.1 + +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] + +# Single alphanumeric character +@{c}=[0-9a-zA-Z] + +# Word character: matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Single hexadecimal character +@{h}=[0-9a-fA-F] + +# Integer up to 10 digits (0-9999999999) +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} + +# hexadecimal, alphanumeric and word up to 64 characters +@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} +@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} +@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} + +# Unsigned 
integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) +@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Any x digits characters +@{int2}=@{d}@{d} +@{int4}=@{int2}@{int2} +@{int6}=@{int4}@{int2} +@{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} +@{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} +@{int16}=@{int8}@{int8} +@{int32}=@{int16}@{int16} +@{int64}=@{int32}@{int32} + +# Any x hexadecimal characters +@{hex2}=@{h}@{h} +@{hex4}=@{hex2}@{hex2} +@{hex6}=@{hex4}@{hex2} +@{hex8}=@{hex4}@{hex4} +@{hex9}=@{hex8}@{h} +@{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} 
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h} +@{hex16}=@{hex8}@{hex8} +@{hex32}=@{hex16}@{hex16} +@{hex38}=@{hex32}@{hex6} +@{hex64}=@{hex32}@{hex32} + +# Any x alphanumeric characters +@{rand2}=@{c}@{c} +@{rand4}=@{rand2}@{rand2} +@{rand6}=@{rand4}@{rand2} +@{rand8}=@{rand4}@{rand4} +@{rand9}=@{rand8}@{c} +@{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} +@{rand16}=@{rand8}@{rand8} +@{rand32}=@{rand16}@{rand16} +@{rand64}=@{rand32}@{rand32} + +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index 956e8c253..d7f7450aa 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions 
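Review bot: `@{u16}` carries over the stray `[` in its third alternative, `[1-9][@{d}@{d}`, from the copy deleted in tunables/multiarch.d/system; it should read `[1-9]@{d}@{d}`. This matters more now that the system hunk later in the commit makes `@{version}` depend on `@{u16}` in addition to `@{busname}`, so the odd pattern reaches many profiles. The header `# Base variables, upstreamed in apparmor 4.1` would be more useful with one sentence saying whether this file is expected to be dropped once every supported parser ships these variables, or kept as an override.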
@@ -311,24 +311,24 @@
 @{video_ext} += 3[gG]2 # 3g2
 # Subtitles
-@{suntitles_ext} = [aA][qQ][tT] # aqt
-@{suntitles_ext} += [aA][sS][sS] # ass
-@{suntitles_ext} += [gG][sS][uU][bB] # gsub
-@{suntitles_ext} += [uU][sS][fF] # usf
-@{suntitles_ext} += [pP][aA][cC] # pac
-@{suntitles_ext} += [pP][jJ][sS] # pjs
-@{suntitles_ext} += [pP][sS][bB] # psb
-@{suntitles_ext} += [rR][tT] # rt
-@{suntitles_ext} += [sS][bB][vV] # sbv
-@{suntitles_ext} += [sS][mM][iI] # smi
-@{suntitles_ext} += [sS][rR][tT] # srt
-@{suntitles_ext} += [sS][sS][aA] # ssa
-@{suntitles_ext} += [sS][sS][fF] # ssf
-@{suntitles_ext} += [sS][tT][lL] # stl
-@{suntitles_ext} += [sS][uU][bB] # sub
-@{suntitles_ext} += [tT][t][mM][lL] # ttml
-@{suntitles_ext} += [tT][t][xX][tT] # ttxt
-@{suntitles_ext} += [vV][tT][t] # vtt
+@{subtitles_ext} = [aA][qQ][tT] # aqt
+@{subtitles_ext} += [aA][sS][sS] # ass
+@{subtitles_ext} += [gG][sS][uU][bB] # gsub
+@{subtitles_ext} += [uU][sS][fF] # usf
+@{subtitles_ext} += [pP][aA][cC] # pac
+@{subtitles_ext} += [pP][jJ][sS] # pjs
+@{subtitles_ext} += [pP][sS][bB] # psb
+@{subtitles_ext} += [rR][tT] # rt
+@{subtitles_ext} += [sS][bB][vV] # sbv
+@{subtitles_ext} += [sS][mM][iI] # smi
+@{subtitles_ext} += [sS][rR][tT] # srt
+@{subtitles_ext} += [sS][sS][aA] # ssa
+@{subtitles_ext} += [sS][sS][fF] # ssf
+@{subtitles_ext} += [sS][tT][lL] # stl
+@{subtitles_ext} += [sS][uU][bB] # sub
+@{subtitles_ext} += [tT][t][mM][lL] # ttml
+@{subtitles_ext} += [tT][t][xX][tT] # ttxt
+@{subtitles_ext} += [vV][tT][t] # vtt
 # Images
 @{image_ext} = [aA][pP][nN][gG] # apng
@@ -645,4 +645,7 @@
 @{text_ext} += 3[dD][mM] # 3dm
 @{text_ext} += 3[dD][mM][lL] # 3dml
+# Dpkg maintainer's scripts
+@{dpkg_script_ext} = config templates preinst postinst prerm postrm
+
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 83aec3ce3..cca544370 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
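Review bot: Three of the renamed entries keep a lower-case-only class where every other extension in the list uses both cases: `[tT][t][mM][lL]`, `[tT][t][xX][tT]` and `[vV][tT][t]`, so `.TTML`, `.TTXT` and `.VTT` are not matched. Since the rename touches these lines anyway, write them as `[tT][tT][mM][lL]`, `[tT][tT][xX][tT]` and `[vV][tT][tT]`. In the second hunk, `@{dpkg_script_ext}` lists whole maintainer-script names (`config`, `templates`, `preinst`, …) rather than suffixes like the other `_ext` variables; a comment saying how it is meant to be used would keep the naming from misleading the next reader.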
@@ -38,8 +38,9 @@
 @{open_path} += @{lib}/gio-launch-desktop
 @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
-# Editor
+# Editors
 @{editor_path} = @{bin}/@{editor_names}
+@{editor_ui_path} = @{bin}/@{editor_ui_names}
 # Pager
 @{pager_path} = @{bin}/@{pager_names}
@@ -65,4 +66,13 @@
 # Help
 @{help_path} = @{bin}/@{help_names}
+# Terminal emulator
+@{terminal_path} = @{bin}/@{terminal_names}
+
+# Backup
+@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor
+
+# Archives
+@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z
+
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index a24cefc01..d4fefb0b0 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -8,7 +8,72 @@
 # All variables that refer to a profile name should be prefixed with `p_`
 # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
-@{p_systemd}=unconfined
+@{p_sd}=unconfined
+@{p_sdu}=unconfined
 @{p_systemd_user}=unconfined
+@{p_systemd}=unconfined
+
+# Name of the dbus daemon profiles
+@{p_dbus_accessibility}=dbus-accessibility
+#aa:only apparmor4.1
+@{p_dbus_system}={dbus-system,unconfined}
+@{p_dbus_session}={dbus-session,unconfined}
+
+#aa:exclude apparmor4.1
+@{p_dbus_system}=dbus-system
+@{p_dbus_session}=dbus-session
+
+@{p_accounts_daemon}=accounts-daemon
+@{p_apt_news}=apt_news
+@{p_at_spi2_registryd}=at-spi2-registryd
+@{p_avahi_daemon}=avahi-daemon
+@{p_bluetoothd}=bluetoothd
+@{p_colord}=colord
+@{p_e2scrub_all}=e2scrub_all
+@{p_e2scrub}=e2scrub
+@{p_file_roller}=file-roller
+@{p_fprintd}=fprintd
+@{p_fwupd}=fwupd
+@{p_fwupdmgr}=fwupdmgr
+@{p_geoclue}=geoclue
+@{p_gnome_shell}=gnome-shell
+@{p_gsd_media_keys}=gsd-media-keys
+@{p_irqbalance}=irqbalance
+@{p_logrotate}=logrotate
+@{p_ModemManager}=ModemManager
+@{p_nm_priv_helper}=nm-priv-helper
+@{p_packagekitd}=packagekitd
+@{p_pcscd}=pcscd
+@{p_polkitd}=polkitd
+@{p_power_profiles_daemon}=power-profiles-daemon
+@{p_rsyslogd}=rsyslogd
+@{p_rtkit_daemon}=rtkit-daemon
+@{p_snap}=snap
+@{p_systemd_coredump}=systemd-coredump
+@{p_systemd_homed}=systemd-homed
+@{p_systemd_hostnamed}=systemd-hostnamed
+@{p_systemd_importd}=systemd-importd
+@{p_systemd_initctl}=systemd-initctl
+@{p_systemd_journal_remote}=systemd-journal-remote
+@{p_systemd_journald}=systemd-journald
+@{p_systemd_localed}=systemd-localed
+@{p_systemd_logind}=systemd-logind
+@{p_systemd_networkd}=systemd-networkd
+@{p_systemd_oomd}=systemd-oomd
+@{p_systemd_resolved}=systemd-resolved
+@{p_systemd_rfkill}=systemd-rfkill
+@{p_systemd_timedated}=systemd-timedated
+@{p_systemd_timesyncd}=systemd-timesyncd
+@{p_systemd_userdbd}=systemd-userdbd
+@{p_upowerd}=upowerd 
+@{p_xdg_desktop_portal}=xdg-desktop-portal
+
+# Profiles Patterns
+# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution
+
+# Notification
+@{pp_notification}={plasmashell,gjs-console}
+@{pp_app_indicator}={plasmashell,gnome-shell}
+@{pp_dbusmenu}={plasmashell,nautilus}
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index e8f523b6a..a7cbaf831 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -22,7 +22,7 @@
 @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
 @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
 @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
-@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
+@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true
 @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes
 # Python interpreters
@@ -32,8 +32,9 @@
 # Open
 @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop
-# Editor
-@{editor_names} = sensible-editor vim{,.*} nvim nano
+# Editors
+@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano
+@{editor_ui_names} = gnome-text-editor gedit mousepad
 # Pager
 @{pager_names} = sensible-pager pager less more nvimpager
@@ -75,7 +76,7 @@
 @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
 # Document viewers
-@{document_viewers_names} = evince okular *{F,f}oliate YACReader
+@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader
 # Image viewers
 @{image_viewers_names} = eog loupe ristretto 
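Review bot: `@{p_dbus_accessibility}` sits in the same paragraph as the `#aa:only apparmor4.1` line that precedes the two dbus definitions; if that directive applies to the whole paragraph rather than only to the line after it, the accessibility variable is dropped on every non-4.1 build, so separate it with a blank line or move it below both dbus blocks. The 4.1 values `{dbus-system,unconfined}` and `{dbus-session,unconfined}` mean any rule written as `peer=(label=@{p_dbus_system})` also accepts an unconfined peer on those builds, which widens what such rules allow; a comment above the block stating why `unconfined` is included there (presumably the bus daemon is not confined on 4.1 — confirm) would record the trade-off. The header comment still speaks only of "the systemd profiles" while four variables now follow it (`@{p_sd}`, `@{p_sdu}`, `@{p_systemd}`, `@{p_systemd_user}`) without saying when the short names are used instead of the long ones.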
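Review bot: `@{editor_ui_names} = gnome-text-editor gedit mousepad` duplicates three entries of `@{text_editors_names}` a few lines below (`code gedit mousepad gnome-text-editor …`), so the two lists will drift apart; either state in the `# Editors` comment what distinguishes a UI editor from a text editor, or define one list in terms of the other. In the first hunk `sync` is removed from `@{coreutils}` while the coreutils alias list earlier in this commit still maps `/{,usr/}bin/sync`; if the removal is deliberate (for instance because sync gets its own profile — confirm), a short note would save the next reader from re-adding it.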
@@ -84,9 +85,18 @@
 @{archive_viewers_names} = engrampa file-roller xarchiver
 # Office suites
-@{offices_names} = libreoffice soffice
+@{offices_names} = libreoffice soffice wps
 # Help
 @{help_names} = yelp
+# Terminal emulator
+@{terminal_names} = kgx terminator konsole ptyxis
+
+# Backup
+@{backup_names} = deja-dup borg
+
+# Archives
+@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd
+
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d1837..b29be3f0c 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -2,98 +2,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Base variables -# -------------- - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 
2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} -@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} 
-@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand64}@{rand64} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} - - # System Paths # ------------ 
@@ -106,51 +14,61 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
+@{bin}=/{,usr/}bin
+@{sbin}=/{,usr/}sbin #aa:only apt zypper
+@{sbin}=/{,usr/}{,s}bin #aa:only pacman
 @{lib}=/{,usr/}lib{,exec,32,64}
 # Common places for temporary files
+# /tmp/user/@{uid}/ is needed when using .... (default on Debian)
 @{tmp}=/tmp/ /tmp/user/@{uid}/
+# Common places for EFI
+@{efi}=/boot/ /efi/ /boot/efi/
 # System Variables
 # ----------------
 # Common architecture names
-@{arch}=x86_64 amd64 i386 i686
+@{arch}=x86_64 x64 amd64 i386 i686
 # Dbus unique name
 @{busname}=:1.@{u16} :not.active.yet
+# Unix dbus address prefix
+@{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
+
 # Universally unique identifier
-@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
+@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12}
 # Username & group valid characters
 @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
 @{group}=@{user}
 # Semantic version
-@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},}
+@{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},}
+#aa:only opensuse
 # OpenSUSE does not have the same multiarch structure
-@{multiarch}+=*-suse-linux* #aa:only opensuse
+@{multiarch}+=*-suse-linux*
 # System Internal
 # ---------------
 # Shortcut for PCI device
-@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
-@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
+@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h}
+@{pci_bus}=pci@{hex4}:@{hex2}
 @{pci}=@{pci_bus}/**/
 # Udev data dynamic assignment ranges
+# See 
https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
-# Attachment path for attach_disconnected.path flag.
-# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3.
-@{att}=/
-alias // -> /,
+# Default attachment path when re-attached path disconnected path is ignored.
+# Disabled on abi3 and Ubuntu 25.04+
+# See https://apparmor.pujol.io/development/internal/#re-attached-path
+@{att}=""
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users
index 885913da3..07450efff 100644
--- a/apparmor.d/tunables/multiarch.d/system-users
+++ b/apparmor.d/tunables/multiarch.d/system-users
@@ -5,11 +5,12 @@
 # Define some extra paths for some commonly used system user
 # Full path of the GDM configuration directories
-@{GDM_HOME}=/var/lib/gdm{,3}/
+@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/
 @{gdm_cache_dirs}=@{GDM_HOME}/.cache/
 @{gdm_config_dirs}=@{GDM_HOME}/.config/
 @{gdm_local_dirs}=@{GDM_HOME}/.local/
 @{gdm_share_dirs}=@{GDM_HOME}/.local/share/
+@{gdm_state_dirs}=@{GDM_HOME}/.local/state/
 # Full path of the SDDM configuration directories
 @{SDDM_HOME}=/var/lib/sddm/
@@ -17,6 +18,7 @@
 @{sddm_config_dirs}=@{SDDM_HOME}/.config/
 @{sddm_local_dirs}=@{SDDM_HOME}/.local/
 @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/
+@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/
 # Full path of the LIGHTDM configuration directories
 @{LIGHTDM_HOME}=/var/lib/lightdm/
@@ -24,6 +26,7 @@
 @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/
 @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/
 @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/
+@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/
 # Full path of all DE configuration directories
 @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME}
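Review bot: `@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h}` replaces the previous exact four-digit PCI domain with `@{hex}`, which is one to 64 hexadecimal characters, so it no longer agrees with `@{pci_bus}=pci@{hex4}:@{hex2}` on the next line and matches far more than a PCI address; `@{pci_id}=@{hex4}:@{hex2}:@{hex2}.@{h}` keeps the old meaning with the new helpers. The new comment above `@{tmp}` is left unfinished (`is needed when using .... (default on Debian)`); name the mechanism or drop the sentence. The `@{att}` comment `when re-attached path disconnected path is ignored` is hard to parse; `# Default attachment path, used when the re-attached disconnected path is ignored.` keeps the same words in readable order.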
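Review bot: The comment `# Full path of the GDM configuration directories` no longer describes `@{GDM_HOME}`, which now also names the runtime greeter home `@{run}/gdm{,3}/{,home/}{,gdm-}greeter/`, and every derived `@{gdm_*_dirs}` expands to both locations. Say so in place, e.g. `# GDM home directories: the persistent /var/lib/gdm{,3}/ and the runtime greeter home under @{run}`, so a reader of `@{gdm_config_dirs}` knows it covers a tmpfs path too.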
@@ -31,5 +34,6 @@
 @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs}
 @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs}
 @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs}
+@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs}
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
index 00231cbce..52be8b920 100644
--- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
+++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
@@ -14,14 +14,14 @@
 @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads"
 # Other user directories
-@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
+@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR}
 @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
+@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
+@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
+@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}
 @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
 @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
 @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
-@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
-@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
-@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}
 include if exists
diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go
index 58aee3716..ccd6e9cca 100644
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@@ -15,15 +15,15 @@ import (
 "github.com/roddhjav/apparmor.d/pkg/logs"
 )
-const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile]
+const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile]
 Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with.
- Default logs are read from '/var/log/audit/audit.log'. Other files in
- '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'
+ Default logs are read from '/var/log/audit/audit.log'. Other files in
+ '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1'
 Options:
 -h, --help Show this help message and exit.
@@ -55,7 +55,7 @@ func aaLog(logger string, path string, profile string) error {
 case "systemd":
 file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path))
 default:
- err = fmt.Errorf("Logger %s not supported.", logger)
+ err = fmt.Errorf("logger %s not supported", logger)
 }
 if err != nil {
 return err
diff --git a/cmd/aa/main.go b/cmd/aa/main.go
index 5f7dd6396..b0737de77 100644
--- a/cmd/aa/main.go
+++ b/cmd/aa/main.go
@@ -8,6 +8,9 @@ import (
 "flag"
 "fmt"
 "os"
+ "os/exec"
+ "regexp"
+ "slices"
 "strings"
 "github.com/roddhjav/apparmor.d/pkg/aa"
@@ -15,12 +18,14 @@ import (
 "github.com/roddhjav/apparmor.d/pkg/paths"
 )
-const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...]
+const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...]
 Various AppArmor profiles development tools
 Options:
 -h, --help Show this help message and exit.
+ -e, --enforce Switch the given profile(s) to enforce mode.
+ -c, --complain Switch the given profile(s) to complain mode.
 -f, --format Format the AppArmor profiles.
 -l, --lint Lint the AppArmor profiles.
 -t, --tree Generate a tree of visited profiles.
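Review bot: The new synopsis of `aa` misspells the flag as `--enfore`; the option registered in `init()` later in this commit is `--enforce`, so the synopsis line should read `[--lint | --format | --tree | --complain | --enforce]`. The synopsis also presents the five modes as mutually exclusive alternatives, but nothing in the options text says what happens when two of them are passed together, which the `main` switch later in the diff resolves silently by order.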
@@ -31,12 +36,19 @@ Options:
 // Command line options
 var (
- help bool
- path string
- systemd bool
- lint bool
- format bool
- tree bool
+ help bool
+ path string
+ systemd bool
+ enforce bool
+ complain bool
+ lint bool
+ format bool
+ tree bool
+)
+
+var (
+ regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `)
+ regProfileHeader = regexp.MustCompile(` {\n`)
 )
 type kind uint8
@@ -60,6 +72,10 @@ func init() {
 flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.")
 flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.")
 flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.")
+ flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.")
+ flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.")
+ flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.")
+ flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.")
 }
 func getIndentationLevel(input string) int {
@@ -111,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) {
 for idx, rules := range rulesByParagraph {
 aa.IndentationLevel = getIndentationLevel(paragraphs[idx])
 rules = rules.Merge().Sort().Format()
- profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1)
+ fmt.Printf(rules.String() + "\n")
 }
 return profile, nil
 }
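Review bot: In `formatFile`, `fmt.Printf(rules.String() + "\n")` replaces the assignment that rewrote `profile`, so the function now returns its input unchanged and merely prints the formatted rules; this looks like a debugging leftover rather than the intended behaviour of `--format`. It also passes a non-constant format string, so any `%` inside a rule is interpreted as a verb (go vet's printf check reports this). If printing is the goal use `fmt.Print(rules.String() + "\n")`; if the file is meant to be formatted restore `profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1)`. formatFile's body starts outside the hunk.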
@@ -152,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := 
paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -190,7 +284,26 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 940be7501..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -5,8 +5,6 @@ package main import ( - "slices" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" @@ -18,6 +16,9 @@ func init() { // Define the default ABI prebuild.ABI = 4 + // Define the default version + prebuild.Version = 4.1 + // Define the tasks applied by default prepare.Register( "synchronise", // Initialize a new clean apparmor.d build directory 
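Review bot: `setFlag` rewrites flags for the whole file, not only the main profile: `regFlags` strips every `flags=(...)` in the text and `regProfileHeader` (` {\n`) then injects `strFlags` after every line ending in ` {`, so nested `profile`/hat headers receive the flag set read from `f.GetDefaultProfile().Flags`, and when the enforce path empties `flags`, children silently lose flags such as `attach_disconnected` they declared themselves. `aaSetFlag` also writes the edited text to disk before `apparmor_parser --replace` has validated it, so a parser rejection leaves the file under `/etc/apparmor.d` modified while the kernel keeps the old policy; keep the original text (`orig := profile` before `setFlag`) and write it back with `file.WriteFile([]byte(orig))` when `reloadProfile` fails, or parse a temp copy first. Since this runs as root, `reloadProfile` should invoke the parser by absolute path (`/sbin/apparmor_parser`) rather than via PATH lookup. `pathsFromArgs` continues past the end of the hunk.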
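Review bot: `main()` treats `enforce` and `complain` as mutually exclusive only by switch order, so `aa -e -c profile` silently enforces with no diagnostic; a guard such as `if enforce && complain { logging.Fatal("--enforce and --complain are mutually exclusive") }` before the switch would match what the usage string promises. The `files, err = pathsFromArgs(); if err != nil { logging.Fatal(...) }` pair is now repeated in four arms; hoisting it above the switch for every mode that takes paths removes the duplication.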
@@ -31,24 +32,40 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) - // Compatibility with AppArmor 3 + // Matrix of ABI/Apparmor version to integrate with switch prebuild.Distribution { + case "arch": + case "ubuntu": - if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { + switch prebuild.Release["VERSION_CODENAME"] { + case "jammy": prebuild.ABI = 3 + prebuild.Version = 3.0 + case "noble": + prebuild.ABI = 4 + prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": - prebuild.ABI = 3 + switch prebuild.Release["VERSION_CODENAME"] { + case "bullseye", "bookworm": + prebuild.ABI = 3 + prebuild.Version = 3.0 + } case "whonix": prebuild.ABI = 3 + prebuild.Version = 3.0 - // Hide rewrittem Whonix profiles + // Hide rewritten Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox /etc/apparmor.d/tunables/homsanitycheck @@ -65,5 +82,6 @@ func init() { } func main() { + cli.Configure() cli.Prebuild() } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index d3c28f025..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null 
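Review bot: The release matrix has no `default:` arms, so an Ubuntu codename not listed here, or Debian trixie/sid, silently keeps `ABI = 4` / `Version = 4.1` from `init()` — possibly correct today, but invisible when it stops being so; a `default:` that logs the codename and the assumed values would make the fallback explicit. `prebuild.Version` is a float (`3.0`, `4.0`, `4.1`, `5.0`), which cannot represent `4.10` distinctly from `4.1` and makes `>=` comparisons fragile once minor versions grow; a `(major, minor)` pair or a string with a small compare helper is safer. The empty `case "arch":` reads as a placeholder — `// rolling release: keep the defaults` would state the intent. Note that `cmd/prebuild/main_test.go`, which exercised this switch for four distributions, is deleted in the same commit with no replacement visible here.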
@@ -1,56 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - main() - }) - } -} diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173c..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,7 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache || true +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173c..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,7 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache || true +deb-systemd-invoke reload apparmor.service || true exit 0 
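Review bot: `deb-systemd-invoke reload apparmor.service || true` hides a failed reload completely: if any of the shipped profiles does not parse on this host (older parser, ABI mismatch), the previous policy stays loaded and the install still reports success. Keep it non-fatal but surface it, e.g. `deb-systemd-invoke reload apparmor.service || echo "apparmor.d: profile reload failed, see 'systemctl status apparmor.service'" >&2`.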
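Review bot: On removal, reloading `apparmor.service` re-parses what is left in `/etc/apparmor.d`; as far as I know the Debian reload path does not unload profiles whose files are now gone, so the apparmor.d policy remains loaded in the kernel (and attached to running processes) until reboot. If that is intended it deserves a comment here; otherwise the removed profiles need an explicit `apparmor_parser --remove` pass in `prerm` while their files still exist, with the reload in `postrm` only cleaning up afterwards.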
diff --git a/debian/control b/debian/control index 3d15800b8..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -6,19 +6,18 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.5.0 +Standards-Version: 4.6.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: - apparmor-profiles, - ${shlibs:Depends} +Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine most Linux based applications and processes. diff --git a/debian/rules b/debian/rules index 6e7d2d6e4..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules @@ -8,3 +8,10 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: + +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d88036..d60841581 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles 
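Review bot: `Depends` drops `${shlibs:Depends}` while the package stays `Architecture: any`; if it now ships only profiles and text (nothing in the `override_dh_auto_install` line suggests a binary) it should be `Architecture: all`, and if it still ships a compiled `aa-log`/`prebuild` binary the substitution should stay so the libc dependency is declared. `Build-Depends: just` is, I believe, satisfiable on Ubuntu 24.04 and Debian trixie but not on bookworm, where only `dpkg-buildpackage -d` in `dists/build.sh` lets the build proceed — worth a note next to the entry. `override_dh_auto_build: just complain` hard-codes a complain-mode package; a one-line comment saying that this is the intended distribution mode would stop packagers from "fixing" it.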
@@ -25,14 +26,14 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE diff --git a/dists/build.sh b/dists/build.sh index 523bf8ca4..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail @@ -16,11 +16,11 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1" + dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" dpkg-buildpackage -b -d --no-sign lintian || true mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" diff --git a/dists/docker.sh b/dists/docker.sh index 4dd958759..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -3,7 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make package dist= +# Usage: +# just package ubuntu24 +# just package archlinux +# just package opensuse set -eu -o pipefail 
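Review bot: `BUILDDIR=/tmp/makepkg` is a fixed, predictable path in world-writable `/tmp`: on a shared build host another local user can pre-create or symlink it and influence what `makepkg --cleanbuild` removes and builds, and a stale tree survives between runs. Prefer `BUILDDIR="$(mktemp -d /tmp/makepkg.XXXXXX)"` and remove it afterwards. `--distribution="$(lsb_release -sc)"` is a clear improvement over the `stable` literal, but `dists/build.sh` can also be run outside the container where `lsb_release` may be absent; under `set -e` the command substitution fails quietly inside `dch`, so a `command -v lsb_release` check with a clear message would help.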
@@ -14,14 +17,15 @@ readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" readonly OUTPUT="$PWD/$OUTDIR" -readonly COMMAND="$1" +readonly DISTRIBUTION="${1:-}" +readonly RELEASE="${2:-}" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -61,6 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg @@ -68,21 +73,24 @@ build_in_docker_makepkg() { } build_in_docker_dpkg() { - local dist="$1" target="$1" - local img="$PREFIX$dist" + local img dist="$1" target="$1" release="$2" [[ "$dist" == whonix ]] && dist=debian + [[ "$release" == "13" ]] && release=trixie + img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then _start "$img" fi else - docker pull "$BASEIMAGE/$dist" + docker pull "$BASEIMAGE/$dist:$release" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ - --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" + --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev rsync - [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) + docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl + if [[ "$dist" == debian && "$release" == "12" ]]; then + aptopt=(-t bookworm-backports) + fi docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi 
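Review bot: `sudo pacman -Sy --noconfirm --noprogressbar` followed by `makepkg --syncdeps` in `dists/build.sh` is the classic Arch partial-upgrade pattern: the sync database is refreshed but installed packages are not, so dependencies pulled by `--syncdeps` link against newer libraries than the container has. Use `pacman -Syu --noconfirm --noprogressbar` here.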
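Review bot: `build_in_docker_dpkg` builds the image reference as `"$BASEIMAGE/$dist:$release"`, but `RELEASE="${2:-}"` may be empty, which yields `image:` and an "invalid reference format" error from `docker pull` rather than a usable message; validate with `[[ -n "$release" ]] || { echo "usage: $0 $dist <release>" >&2; return 1; }` at the top. The image is pulled by mutable tag, so two runs of the same release can build against different base layers; pinning `@sha256:...` digests (or at least logging `docker image inspect --format '{{.Id}}'`) would make the packages reproducible. `"${aptopt[@]}"` is expanded even when `aptopt` was never assigned — fine on bash ≥ 4.4 under `set -u`, an unbound-variable error on older shells, so `local aptopt=()` at the start of the function is cheap insurance.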
@@ -102,7 +110,7 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles + docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm @@ -110,20 +118,19 @@ build_in_docker_rpm() { } main() { - case "$COMMAND" in + case "$DISTRIBUTION" in archlinux) - # build_in_docker_makepkg "$COMMAND" - PKGDEST="$OUTPUT" makepkg -Cf + build_in_docker_makepkg "$DISTRIBUTION" ;; debian | ubuntu | whonix) sync - build_in_docker_dpkg "$COMMAND" + build_in_docker_dpkg "$DISTRIBUTION" "$RELEASE" ;; opensuse) sync - build_in_docker_rpm "$COMMAND" + build_in_docker_rpm "$DISTRIBUTION" ;; *) ;; diff --git a/dists/flags/main.flags b/dists/flags/main.flags index ac4547850..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,15 +1,9 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -28,6 +22,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain 
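Review bot: With `DISTRIBUTION="${1:-}"` the script no longer fails on a missing argument the way `readonly COMMAND="$1"` did under `set -u`; an empty or misspelled distribution now falls through `*) ;;` and exits 0 having built nothing. Replace the catch-all with `*) echo "usage: $0 {archlinux|debian|ubuntu|whonix|opensuse} [release]" >&2; exit 1 ;;`.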
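Review bot: Deleting the `bwrap`, `bwrap-app`, `default`, `default-sudo` and `systemd-service` lines removes their `complain` flag; if those profiles are still built (the `default*` ones appear to belong to the full-system-policy group) they now run enforced, which changes behaviour for every sandboxed or otherwise unmatched program that lands in them. A comment in this file, or a sentence in the commit message, stating whether they moved to another flags file or are intentionally promoted to enforce would make that visible to packagers. `aa-notify complain` is removed as well with no replacement visible here.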
@@ -40,12 +35,9 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -busctl complain calibre complain cc-remote-login-helper complain cctk complain -child-modprobe-nvidia attach_disconnected,complain -child-open attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -54,7 +46,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -78,8 +70,12 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +deb-systemd-helper complain +deb-systemd-invoke complain +debconf-escape complain +decibels complain dino attach_disconnected,complain -discord complain +discord attach_disconnected,complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -87,6 +83,14 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain +dpkg-maintscript-helper complain +dpkg-script-apparmor complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain 
@@ -99,41 +103,31 @@ fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain filezilla complain +finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -fstrim complain fuse-overlayfs complain -fusermount complain +gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -163,12 +157,11 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain 
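Review bot: This hunk silently promotes a batch of profiles from complain to enforce (or drops profiles that no longer exist): `firewalld`, `flatpak-portal`, `fstrim`, `fusermount`, `gimp`, `gnome-disks`, `gnome-music`, `gnome-photos-thumbnailer`, `gnome-software`, `gnome-system-monitor`, `gnome-terminal-server`, `gnome-tweaks`, `gsettings`. For entries like `firewalld` and `fusermount` the difference between "deleted profile" and "now enforced" matters to anyone bisecting a regression, so a short commit-message list of which is which, or keeping removed-but-existing profiles under a `# promoted to enforce` comment block, would help.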
@@ -178,7 +171,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -193,13 +185,20 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain +kdump_mem_estimator complain +kdump-config attach_disconnected,complain +kdump-tools-init complain,attach_disconnected +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kgx complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -217,8 +216,14 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain +lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain +localsearch complain +localsearch-control complain +localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain @@ -228,14 +233,16 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain +mdadm attach_disconnected,complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -netplan.script attach_disconnected,complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain 
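Review bot: `kdump-tools-init complain,attach_disconnected` reverses the `attach_disconnected,complain` order used by every other entry in this file; harmless if the consumer treats the list as a set, but normalising it to `kdump-tools-init attach_disconnected,complain` keeps the file greppable and avoids a surprise if ordering ever becomes significant. The new `kernel complain` entry names a profile called `kernel`; a comment on what that profile attaches to would save the next reader a lookup.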
@@ -247,9 +254,10 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain -pidof complain +pkla-admin-identities complain +pkla-check-authorization complain pkttyagent complain plank complain plasma_waitforname complain @@ -260,6 +268,10 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain +ptyxis complain +ptyxis-agent complain +pycompile complain qdbus complain remmina complain run-parts complain @@ -269,23 +281,19 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain -signal-desktop attach_disconnected,complain -signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain -snap complain -snap-bootstrap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-repair complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain -snapd-core-fixup complain snapshot complain speech-dispatcher complain +sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain @@ -304,12 +312,14 @@ swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain +sysstat-sa complain +sysstat-sadc complain systemd-analyze complain systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup complain +systemd-cryptsetup attach_disconnected,complain systemd-dissect attach_disconnected,complain systemd-escape complain systemd-generator-bless-boot attach_disconnected,complain 
@@ -319,42 +329,66 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain +systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain +systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain +systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-user-autostart complain -systemd-generator-user-environment complain +systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain +systemd-generator-user-autostart attach_disconnected,complain +systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain +systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain +systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain 
-systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions complain +systemd-user-sessions attach_disconnected,complain systemd-userwork attach_disconnected,complain systemsettings complain telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain +ucf complain +ucfq complain +ucfr complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain -userdbctl complain +update-shells complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain @@ -366,18 +400,21 @@ virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain waybar attach_disconnected,complain -wg complain +wechat attach_disconnected,complain +wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain +xdg-desktop-portal-validate-icon attach_disconnected,complain xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc85..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
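Review bot: `systemd-journald attach_disconnected,mediate_deleted` is the only new entry here without `complain`, and `systemd-remount-fs complain` / `systemd-resolve complain` are dropped; if those profiles still exist they go straight to enforce. journald and remount-fs run before any log sink or admin tooling can record a denial, so an enforce regression there surfaces as a boot failure rather than an audit line — consider leaving them in complain in this file until an enforce run has been validated on each supported release, or record in a comment that this was done.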
@@ -1,12 +1,15 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +21,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain diff --git a/dists/ignore/arch.ignore b/dists/ignore/arch.ignore index f291b36c9..3b98aa3e0 100644 --- a/dists/ignore/arch.ignore +++ b/dists/ignore/arch.ignore @@ -4,6 +4,9 @@ apparmor.d/groups/apt # Ubuntu specific definition apparmor.d/groups/ubuntu +# OpenSUSE specific definition +apparmor.d/groups/suse + # Whonix specific definition apparmor.d/groups/whonix apparmor.d/tunables/home.d/whonix diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index f963dbc51..bfd8998ae 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore @@ -5,6 +5,9 @@ share/libalpm # Ubuntu specific definition apparmor.d/groups/ubuntu +# OpenSUSE specific definition +apparmor.d/groups/suse + # Whonix specific definition apparmor.d/groups/whonix apparmor.d/abstractions/base.anondist diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 917b117f1..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore 
@@ -2,21 +2,13 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages man # Work in progress profiles +apparmor.d/groups/steam dunst plasma-discover -steam -steam-fossilize -steam-game-native -steam-game-proton -steam-gameoverlayui -steam-launch -steam-launcher -steam-runtime -steamerrorreporter diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 297f3c6ae..eb0df718f 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -2,6 +2,9 @@ apparmor.d/groups/pacman share/libalpm +# OpenSUSE specific definition +apparmor.d/groups/suse + # Whonix specific definition apparmor.d/groups/whonix apparmor.d/tunables/home.d/whonix diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore index 3e9ba54d3..959f8ce6e 100644 --- a/dists/ignore/whonix.ignore +++ b/dists/ignore/whonix.ignore @@ -2,6 +2,9 @@ apparmor.d/groups/pacman share/libalpm +# OpenSUSE specific definition +apparmor.d/groups/suse + # Whonix does not have them apparmor.d/groups/pacman apparmor.d/groups/ubuntu diff --git a/dists/overwrite b/dists/overwrite index 767c07312..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,11 +1,12 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome chromium +cockpit-desktop element-desktop epiphany firefox 
@@ -13,13 +14,31 @@ flatpak foliate loupe msedge +mullvad nautilus opera +os-prober plasmashell signal-desktop slirp4netns systemd-coredump thunderbird -transmission -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission +wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/dists/packages/base.conf b/dists/packages/base.conf deleted file mode 100644 index 8138f7a7d..000000000 --- a/dists/packages/base.conf +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal core with tunables, abstractions, and dependencies of other profiles - -mode=enforce - -tunables - -abstractions -!abstractions/app/chromium -!abstractions/app/firefox - -groups/children -!groups/children/user_confined -!groups/children/user_default -!groups/children/user_unconfined - -groups/bus -profiles-s-z/unix-chkpwd -profiles-m-r/pam-tmpdir-helper diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png new file mode 100644 index 000000000..80170da1e Binary files /dev/null and b/docs/assets/avatar-icon.png differ diff --git a/docs/configuration.md b/docs/configuration.md index e3fbba5ea..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
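Review bot: The two new entries carry trailing comments (`systemd-detect-virt # Missing integration with @{p_systemd}` and `hostname # Has @{bin} denied in header, ...`) in a file whose stated format is "one profile name by line"; unless the reader of `dists/overwrite` strips `#` after the first field, these lines will never match an upstream profile and the overwrite silently does nothing — move the explanations to full-line comments above the entries. The new comment block also has wording errors: `They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones` should read `There can be multiple justifications for keeping our profiles, or on the contrary for using the upstream ones`. `unix-chkpwd` is the PAM password-check helper, so a one-line note on why the local profile is preferred over the upstream one would help future rebases.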
@@ -32,7 +32,7 @@ The profiles heavily use the **largely extended** [XDG directory variables](#xdg ``` 3. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### Profile Additions @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh @@ -55,7 +55,7 @@ By default, `nautilus` (and any file browser) only allows access to user files. ``` 2. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### XDG variables 
@@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -152,7 +152,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | - | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | @@ -189,7 +189,7 @@ Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: ```sh -@{MOUNT}+=/ssd/ +@{MOUNTS}+=/ssd/ ``` + -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org +
+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index 91b0b4ae6..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -36,7 +36,8 @@ The following desktop environments are supported: **Build dependency** -* Go >= 1.21 +* Go >= 1.23 +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -84,12 +85,21 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg + ``` + + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just ``` !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. 
@@ -110,22 +120,29 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. 
@@ -144,20 +161,20 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, - @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{python_path} rPx -> pass-import, # pass-import @{pager_path} rPx -> child-pager, '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` diff --git a/docs/issues.md b/docs/issues.md index 1db3b195a..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -6,6 +6,19 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +## Ubuntu + +### Dbus + +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. + +### Snap + +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. + + ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: @@ -14,20 +27,3 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. -## Pacman "could not get current working directory" - -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` - -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. - -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. - -This provides a basic protection against some packages (on the AUR) that may have rogue install script. - -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..20a5a454f --- /dev/null +++ b/docs/overview.md 
@@ -0,0 +1,52 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/usage.md b/docs/usage.md index e73439efc..372762998 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -116,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,4 +132,5 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. + -S, --since DATE Show entries not older than the specified date. ``` diff --git a/docs/variables.md b/docs/variables.md index ef2533c0f..1bcee8f93 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -29,7 +29,7 @@ title: Variables References | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` | -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | +| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | 
@@ -85,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -94,7 +94,7 @@ title: Variables References | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | @@ -168,7 +168,8 @@ title: Variables References | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | | Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | | Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}{s,}bin` | +| Bin | `@{bin}` | `/{usr/,}bin` | +| Sbin | `@{sbin}` | `/{usr/,}sbin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | 
diff --git a/go.mod b/go.mod index f98df5c19..3bea9f548 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/roddhjav/apparmor.d -go 1.22 +go 1.23.0 diff --git a/mkdocs.yml b/mkdocs.yml index 9390b3dde..e5244a529 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md @@ -152,6 +153,7 @@ nav: - recovery.md - Development: - development/index.md + - development/roadmap.md - Profiles: - development/workflow.md - development/guidelines.md @@ -160,6 +162,9 @@ nav: - development/directives.md - development/dbus.md - development/recommendations.md + - Packages: + - development/build.md - Tests: - development/tests.md + - development/vm.md - development/integration.md diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index a887d4b98..94e232c81 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go 
@@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Default Apparmor magic directory: /etc/apparmor.d/. +// MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile @@ -33,8 +60,9 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, + &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, 
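Review bot: `KindFromPath` decides the kind by `strings.Contains` on the whole parent directory string, so a checkout or install path that merely contains one of the words anywhere (a repository under `/usr/local/src/`, a user named `tunables`) is classified as abstraction or tunable instead of profile, whatever the leaf directory is; testing the directory components (the last one or two elements of `file.Parent()`) would avoid that. The mapping of `local` and `mappings` onto `AbstractionKind` is not obvious and the exported type and function have no doc comment; suggested: `// KindFromPath guesses the kind of an AppArmor file from its parent directory: abstractions, tunables, local and mappings files are handled as abstractions, anything else as a profile.` In the second hunk `@{bin}` loses `{,s}` but no `sbin` variable is visible in `DefaultTunables`; if it is not added in the lines between the two hunks, the `@{sbin}` paths the updated test in apparmor_test.go expects will not resolve.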
@@ -48,7 +76,9 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, + &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, + &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, }, } } diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 0cc74d438..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -211,7 +211,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, + Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, }, }, Profiles: []*Profile{{ 
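Review bot: The `user` tunable is written as a hand-unrolled literal of what appears to be 31 `{@{w},}` repetitions after `[a-zA-Z_]`, which is hard to verify or adjust by eye. With `strings` now imported in this file, `"[a-zA-Z_]" + strings.Repeat("{@{w},}", 31)` states the intended length once, and a short comment explaining the limit (presumably the 32-character maximum of a Linux user name) would help the next reader.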
@@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"},
 &Capability{Names: []string{"dac_read_search"}},
 &File{Path: "@{exec_path}", Access: []string{"m", "r"}},
- &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}},
+ &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}},
 &File{Path: "@{PROC}/", Access: []string{"r"}},
 &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}},
 &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}},
- &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}},
+ &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}},
 &Include{IsMagic: true, Path: "abstractions/consoles"},
 &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}},
 &Include{IsMagic: true, Path: "abstractions/base"},
@@ -237,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 },
 }},
 },
- want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")),
+ want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")),
 },
 }
 for _, tt := range tests {
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index 609525111..a712a5899 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -99,19 +99,20 @@ func (r Base) addLine(other Rule) bool {
 }
 
 type Qualifier struct {
+ Priority string
 Audit bool
 AccessType string
 }
 
 func newQualifierFromLog(log map[string]string) Qualifier {
- audit := false
- if log["apparmor"] == "AUDIT" {
- audit = true
- }
+ audit := log["apparmor"] == "AUDIT"
 return Qualifier{Audit: audit}
 }
 
 func (r Qualifier) Compare(o Qualifier) int {
+ if r := compare(r.Priority, o.Priority); r != 0 {
+ return r
+ }
 if r := compare(r.Audit, o.Audit); r != 0 {
 return r
 }
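Review bot: `Priority` is declared as a string in `Qualifier`, so the new first step of `Qualifier.Compare` orders priorities by their spelling if `compare` falls back to plain string ordering: `10` would sort before `2`, and a negative value before `0` only by accident of the `-` character. Since the field holds what the parser reads from `priority=N` (the `tokPRIORITY` case in parse.go, which does not check that the value is an integer either), storing it as an int, or converting before comparing, would keep rule ordering meaningful and reject malformed input early. `newQualifierFromLog` leaving `Priority` empty looks intentional, presumably because log lines carry no priority field; a one-line comment saying so would save the next reader the question.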
@@ -119,7 +120,7 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType } func (r Qualifier) getLenAudit() int { diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index 901fdaae8..d0826dfa2 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -27,21 +27,21 @@ func (p *Hat) String() string { return renderTemplate(p.Kind(), p) } -func (r *Hat) Validate() error { +func (p *Hat) Validate() error { return nil } -func (r *Hat) Compare(other Rule) int { +func (p *Hat) Compare(other Rule) int { o, _ := other.(*Hat) - return compare(r.Name, o.Name) + return compare(p.Name, o.Name) } -func (r *Hat) Merge(other Rule) bool { +func (p *Hat) Merge(other Rule) bool { return false // Never merge hat blocks } -func (r *Hat) Lengths() []int { +func (p *Hat) Lengths() []int { return []int{} // No len for hat } -func (r *Hat) setPaddings(max []int) {} // No paddings for hat +func (p *Hat) setPaddings(max []int) {} // No paddings for hat diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index b1ba27c6a..a55f8bc9b 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -84,8 +84,8 @@ func (r *Capability) Merge(other Rule) bool { func (r *Capability) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Names), } } diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index 769427024..5334b343c 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -106,8 +106,8 @@ func (r *ChangeProfile) Merge(other Rule) bool { func (r *ChangeProfile) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.ExecMode), length("", r.Exec), length("", r.ProfileName), 
diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b96fd865f..28aa703d6 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index 79072925f..fa4ec7ec4 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -125,7 +125,7 @@ func (r *Dbus) Compare(other Rule) int { func (r *Dbus) Merge(other Rule) bool { o, _ := other.(*Dbus) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Bus == o.Bus && r.Name == o.Name && r.Path == o.Path && diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 36c7101a4..091f9436f 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -168,7 +168,7 @@ func (r *File) Compare(other Rule) int { func (r *File) Merge(other Rule) bool { o, _ := other.(*File) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Owner == o.Owner && r.Path == o.Path && r.Target == o.Target { 
@@ -189,8 +189,8 @@ func (r *File) Lengths() []int { lenPath = length("", r.Path) } return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("owner", r.Owner), lenPath, } @@ -212,7 +212,7 @@ func (r *File) addLine(other Rule) bool { letterJ := getLetterIn(fileAlphabet, other.(*File).Path) groupI, ok1 := fileAlphabetGroups[letterI] groupJ, ok2 := fileAlphabetGroups[letterJ] - return letterI != letterJ && !(ok1 && ok2 && groupI == groupJ) + return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ) } type Link struct { @@ -314,8 +314,8 @@ func (r *Link) Merge(other Rule) bool { func (r *Link) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("owner", r.Owner), length("subset", r.Subset), length("", r.Path), diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 3346ed4c6..76e9e172d 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -78,7 +78,7 @@ func (r *IOUring) Compare(other Rule) int { func (r *IOUring) Merge(other Rule) bool { o, _ := other.(*IOUring) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Label == o.Label { @@ -91,8 +91,8 @@ func (r *IOUring) Merge(other Rule) bool { func (r *IOUring) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("label=", r.Label), } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index a9d8dbeaf..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go 
@@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", @@ -181,7 +181,7 @@ func (r *Mount) Merge(other Rule) bool { o, _ := other.(*Mount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Source == o.Source && r.MountPoint == o.MountPoint && @@ -194,10 +194,10 @@ func (r *Mount) Merge(other Rule) bool { func (r *Mount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.Source), length("", r.MountPoint), } @@ -278,7 +278,7 @@ func (r *Umount) Merge(other Rule) bool { o, _ := other.(*Umount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -290,10 +290,10 @@ func (r *Umount) Merge(other Rule) bool { func (r *Umount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.MountPoint), } } 
@@ -374,7 +374,7 @@ func (r *Remount) Merge(other Rule) bool { o, _ := other.(*Remount) mc := &r.MountConditions - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -386,10 +386,10 @@ func (r *Remount) Merge(other Rule) bool { func (r *Remount) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), - r.MountConditions.getLenFsType(), - r.MountConditions.getLenOptions(), + r.getLenAudit(), + r.getLenAccess(), + r.getLenFsType(), + r.getLenOptions(), length("", r.MountPoint), } } diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 82106ec79..12ae4bd59 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -112,7 +112,7 @@ func (r *Mqueue) Compare(other Rule) int { func (r *Mqueue) Merge(other Rule) bool { o, _ := other.(*Mqueue) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Label == o.Label && r.Name == o.Name { @@ -125,8 +125,8 @@ func (r *Mqueue) Merge(other Rule) bool { func (r *Mqueue) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("type=", r.Type), length("label=", r.Label), diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 69bd01c83..15dd4385e 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go 
@@ -33,34 +33,54 @@ func init() {
 }
 }
 
-type AddressExpr struct {
- Source string
- Destination string
- Port string
+type LocalAddress struct {
+ IP string
+ Port string
 }
 
-func newAddressExprFromLog(log map[string]string) AddressExpr {
- return AddressExpr{
- Source: log["laddr"],
- Destination: log["faddr"],
- Port: log["lport"],
+func newLocalAddressFromLog(log map[string]string) LocalAddress {
+ return LocalAddress{
+ IP: log["laddr"],
+ Port: log["lport"],
 }
 }
 
-func (r AddressExpr) Compare(other AddressExpr) int {
- if res := compare(r.Source, other.Source); res != 0 {
- return res
- }
- if res := compare(r.Destination, other.Destination); res != 0 {
+func (r LocalAddress) Compare(other LocalAddress) int {
+ if res := compare(r.IP, other.IP); res != 0 {
 return res
 }
 return compare(r.Port, other.Port)
 }
 
+type PeerAddress struct {
+ IP string
+ Port string
+ Src string
+}
+
+func newPeerAddressFromLog(log map[string]string) PeerAddress {
+ return PeerAddress{
+ IP: log["faddr"],
+ Port: log["fport"],
+ Src: log["saddr"],
+ }
+}
+
+func (r PeerAddress) Compare(other PeerAddress) int {
+ if res := compare(r.IP, other.IP); res != 0 {
+ return res
+ }
+ if res := compare(r.Port, other.Port); res != 0 {
+ return res
+ }
+ return compare(r.Src, other.Src)
+}
+
 type Network struct {
 Base
 Qualifier
- AddressExpr
+ LocalAddress
+ PeerAddress
 Domain string
 Type string
 Protocol string
@@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) {
 
 func newNetworkFromLog(log map[string]string) Rule {
 return &Network{
- Base: newBaseFromLog(log),
- Qualifier: newQualifierFromLog(log),
- AddressExpr: newAddressExprFromLog(log),
- Domain: log["family"],
- Type: log["sock_type"],
- Protocol: log["protocol"],
+ Base: newBaseFromLog(log),
+ Qualifier: newQualifierFromLog(log),
+ LocalAddress: newLocalAddressFromLog(log),
+ PeerAddress: newPeerAddressFromLog(log),
+ Domain: log["family"],
+ Type: log["sock_type"],
+ Protocol: log["protocol"],
 }
 }
 
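Review bot: `Network` now embeds both `LocalAddress` and `PeerAddress`, which declare the same field names `IP` and `Port`; Go does not promote a name that is ambiguous at the same depth, so `r.IP` or `r.Port` on a `*Network` will not compile and each use must spell `r.LocalAddress.IP` or `r.PeerAddress.Port`. Any consumer of the old promoted `Source`, `Destination` and `Port` names — in particular the text template that renders the `network` rule, which is outside this diff — needs the same update, and the rendered output of a rule with addresses is worth checking, since a template field lookup failing at run time is not caught by the compiler. The new exported types and constructors also have no doc comments, e.g. `// LocalAddress holds the local endpoint of a network rule, read from the laddr/lport log fields.`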
@@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) @@ -147,8 +171,8 @@ func (r *Network) Merge(other Rule) bool { func (r *Network) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Domain), length("", r.Type), length("", r.Protocol), diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index ef8a7acd9..3b737abfd 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,6 +15,8 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokPROMPT = "prompt" + tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -286,10 +288,7 @@ func parseRule(str string) rule { res := make(rule, 0, len(str)/2) tokens := tokenizeRule(str) - inAare := false - if len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) { - inAare = true - } + inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) for idx, token := range tokens { switch { case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit @@ -514,7 +513,7 @@ func newRules(rules []rule) (Rules, error) { for _, rule := range rules { if len(rule) == 0 { - return nil, fmt.Errorf("Empty rule") + return nil, fmt.Errorf("empty rule") } owner := false @@ -527,7 +526,11 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokALLOW, tokDENY: + case tokPRIORITY: + q.Priority = rule.GetValues(tokPRIORITY).GetString() + rule = rule[1:] + goto qualifier + case tokALLOW, tokDENY, tokPROMPT: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier 
@@ -563,7 +566,7 @@ func newRules(rules []rule) (Rules, error) { // return nil, fmt.Errorf("Unknown rule: %s", rule) } } else { - return nil, fmt.Errorf("Unrecognized rule: %s", rule) + return nil, fmt.Errorf("unrecognized rule: %s", rule) } } } @@ -657,7 +660,7 @@ done: return nb, nil } -// Parse apparmor profile rules by paragraphs +// ParseRules parses apparmor profile rules by paragraphs func ParseRules(input string) (ParaRules, []string, error) { paragraphRules := ParaRules{} paragraphs := []string{} diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index 2341f4458..8632b4490 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go @@ -86,8 +86,8 @@ func (r *PivotRoot) Merge(other Rule) bool { func (r *PivotRoot) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("oldroot=", r.OldRoot), length("", r.NewRoot), length("", r.TargetProfile), diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 4b54954a9..50e7dbef7 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -72,10 +72,10 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { } path := rule.Get(0) - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) @@ -198,10 +198,10 @@ func newInclude(rule rule) (Rule, error) { } path := r[0] - switch { - case path[0] == '"': + switch path[0] { + case '"': magic = false - case path[0] == '<': + case '<': magic = true default: return nil, fmt.Errorf("invalid path format: %v", path) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 30e8b106f..5d097cad9 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go 
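Review bot: `switch path[0]` indexes the string with no emptiness check, so an `include` whose first token is empty (if `r[0]` can be `""`) panics with an index-out-of-range instead of returning a parse error; the same pattern appears in the `newAbi` hunk above. The previous `case path[0] == '"'` had the same hazard, but since this hunk rewrites the switch it is the moment to guard it: `if path == "" { return nil, fmt.Errorf("empty include path in rule: %v", r) }` before the switch. `newInclude` begins outside the hunk, so the source of `r` is not visible here.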
@@ -81,19 +81,19 @@ func (p *Profile) String() string { return renderTemplate(p.Kind(), p) } -func (r *Profile) Validate() error { - if err := validateValues(r.Kind(), tokFLAGS, r.Flags); err != nil { - return fmt.Errorf("profile %s: %w", r.Name, err) +func (p *Profile) Validate() error { + if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { + return fmt.Errorf("profile %s: %w", p.Name, err) } - return r.Rules.Validate() + return p.Rules.Validate() } -func (r *Profile) Compare(other Rule) int { +func (p *Profile) Compare(other Rule) int { o, _ := other.(*Profile) - if res := compare(r.Name, o.Name); res != 0 { + if res := compare(p.Name, o.Name); res != 0 { return res } - return compare(r.Attachments, o.Attachments) + return compare(p.Attachments, o.Attachments) } func (p *Profile) Merge(other Rule) bool { @@ -103,11 +103,11 @@ func (p *Profile) Merge(other Rule) bool { return false } -func (r *Profile) Lengths() []int { +func (p *Profile) Lengths() []int { return []int{} // No len for profile } -func (r *Profile) setPaddings(max []int) {} // No paddings for profile +func (p *Profile) setPaddings(max []int) {} // No paddings for profile func (p *Profile) Sort() { p.Rules = p.Rules.Sort() @@ -140,10 +140,16 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ // class - "rlimits": newRlimitFromLog, - "namespace": newUsernsFromLog, - "cap": newCapabilityFromLog, - "net": newNetworkFromLog, + "rlimits": newRlimitFromLog, + "namespace": newUsernsFromLog, + "cap": newCapabilityFromLog, + "net": func(log map[string]string) Rule { + if log["family"] == "unix" { + return newUnixFromLog(log) + } else { + return newNetworkFromLog(log) + } + }, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, "signal": newSignalFromLog, 
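Review bot: In the new `"net"` closure the `else` after a `return` is redundant (revive's indent-error-flow); write `if log["family"] == "unix" { return newUnixFromLog(log) }` followed by `return newNetworkFromLog(log)`. The dispatch keys on the literal `"unix"` family string only, so a comment such as `// unix-domain socket events become unix rules; every other family becomes a network rule` would make the intent explicit for the next reader.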
@@ -176,6 +182,7 @@ var ( "open": newFileFromLog, "rename_dest": newFileFromLog, "rename_src": newFileFromLog, + "rmdir": newFileFromLog, "truncate": newFileFromLog, "unlink": newFileFromLog, } @@ -219,7 +226,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s\n", log["operation"]) + fmt.Printf("unknown log type: %s:%v\n", log["operation"], log) } } } diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 91547087c..7e0990fe8 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -80,7 +80,7 @@ func (r *Ptrace) Compare(other Rule) int { func (r *Ptrace) Merge(other Rule) bool { o, _ := other.(*Ptrace) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Peer == o.Peer { @@ -93,8 +93,8 @@ func (r *Ptrace) Merge(other Rule) bool { func (r *Ptrace) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("peer=", r.Peer), } diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 6ce768bc0..8dc09b2c6 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go @@ -80,7 +80,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { values := []string{} match := regVariableReference.FindStringSubmatch(input) if len(match) == 0 { - return nil, fmt.Errorf("Invalid variable reference: %s", input) + return nil, fmt.Errorf("invalid variable reference: %s", input) } variable := match[0] @@ -105,7 +105,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { } if !found { - return nil, fmt.Errorf("Variable %s not defined", varname) + return nil, fmt.Errorf("variable %s not defined", varname) } return values, nil } 
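Review bot: The `default` branch of `AddRule` now dumps the entire log record to stdout with `fmt.Printf`, whereas the rest of the tree routes diagnostics through `pkg/logging` (the `logging.Warning`/`logging.Error` helpers are touched later in this diff). Writing to stdout risks interleaving a raw audit record with whatever the caller emits on stdout, and the `%v` map dump is noisy; suggest `logging.Warning("unknown log type: %s: %v", log["operation"], log)` if that package is importable here, or at least `fmt.Fprintf(os.Stderr, ...)`. `AddRule` begins outside the hunk.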
@@ -113,7 +113,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { // resolveInclude resolves all includes defined in the profile preamble func (f *AppArmorProfileFile) resolveInclude(include *Include) error { if include == nil || include.Path == "" { - return fmt.Errorf("Invalid include: %v", include) + return fmt.Errorf("invalid include: %v", include) } _, isCached := includeCache[include] diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 5c9c9026f..1e4a54fe5 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}{,s}bin/foo"}, + want: []string{"/{,usr/}bin/foo"}, }, { name: "double", diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index d7b9a0518..29c617ff1 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -45,8 +45,8 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { func newRlimitFromLog(log map[string]string) Rule { return &Rlimit{ Base: newBaseFromLog(log), - Key: log["key"], - Op: log["op"], + Key: log["rlimit"], + Op: "<=", Value: log["value"], } } diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ee50532a9..ed6e7043d 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,6 +216,17 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index c0fa4e1be..319e16584 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go 
@@ -106,7 +106,7 @@ func (r *Signal) Compare(other Rule) int { func (r *Signal) Merge(other Rule) bool { o, _ := other.(*Signal) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } switch { @@ -124,8 +124,8 @@ func (r *Signal) Merge(other Rule) bool { func (r *Signal) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("set=", r.Set), length("peer=", r.Peer), diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b..3694442be 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index a0ff554ec..69181051a 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,6 +3,9 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} + {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 3b14c2984..1e8a99298 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go 
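Review bot: The template renders `LocalAddress.IP/Port` and `PeerAddress.IP/Port` but never `PeerAddress.Src`, even though `Src` takes part in `PeerAddress.Compare` earlier in this diff; two rules that differ only in `saddr` therefore survive deduplication and print as two identical lines. Either render the field or drop it from `Compare`; if it is informational only, a template comment `{{- /* Src (saddr) is intentionally not rendered */ -}}` would at least make the asymmetry deliberate. The `{{- else -}}` branch can also emit `peer=(port=N)` with no IP — confirm apparmor_parser accepts that form.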
@@ -124,7 +124,7 @@ func (r *Unix) Compare(other Rule) int { func (r *Unix) Merge(other Rule) bool { o, _ := other.(*Unix) - if !r.Qualifier.Equal(o.Qualifier) { + if !r.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Protocol == o.Protocol && r.Address == o.Address && @@ -139,8 +139,8 @@ func (r *Unix) Merge(other Rule) bool { func (r *Unix) Lengths() []int { return []int{ - r.Qualifier.getLenAudit(), - r.Qualifier.getLenAccess(), + r.getLenAudit(), + r.getLenAccess(), length("", r.Access), length("type=", r.Type), length("protocol=", r.Protocol), diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..523eb99fe 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," @@ -182,7 +183,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 7f5af2e08..642dc8273 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -81,7 +81,7 @@ func Warning(msg string, a ...interface{}) int { return Print("%s", Warningf(msg, a...)) } -// Fatalf returns a formatted error message +// Error returns a formatted error message func Error(msg string, a ...interface{}) int { return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 194e6dc03..b0ae58702 100644 --- a/pkg/logs/logs.go 
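Review bot: `strings.ReplaceAll(token, "  ", " ")` collapses only one pair per match, so a run of three or more spaces (`"a   b"`) still contains a double space and, when the separator ends up being `" "`, the later split yields empty tokens. If the separator is whitespace, `strings.Fields(token)` handles runs of any length; otherwise collapse with `regexp.MustCompile(" +").ReplaceAllString(token, " ")`. `tokenToSlice` continues outside the hunk, so the split itself is not visible here.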
+++ b/pkg/logs/logs.go @@ -64,10 +64,11 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/@]+`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, - `/usr/(bin|sbin)`, `@{bin}`, + `/usr/sbin`, `@{sbin}`, + `/usr/bin`, `@{bin}`, `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, @@ -85,7 +86,6 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, - `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 6ddd5ac9e..376b23f42 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{bin}/httpd2-prefork//vhost_foo", + "profile": "@{sbin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index feb1e21c4..357b9c2f7 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -388,6 +388,16 @@ func CopyTo(src *Path, dst *Path) error { return nil } +// CopyFS copies the file system fsys into the directory dir, +// creating dir if necessary. It is the exivalent of os.CopyFS with Path. +func (p *Path) CopyFS(dst *Path) error { + err := os.CopyFS(dst.String(), os.DirFS(p.String())) + if err != nil { + return fmt.Errorf("copying %s to %s: %s", p, dst, err) + } + return nil +} + // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). 
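Review bot: `CopyFS` wraps the error with `%s`, which discards the error chain; use `%w` so callers can still inspect it: `return fmt.Errorf("copying %s to %s: %w", p, dst, err)`. The doc comment has a typo (`exivalent`) and refers to `fsys`/`dir`, which are not this method's parameters; suggest `// CopyFS copies the tree rooted at p into dst, creating dst if needed; it is os.CopyFS for Path values.` Be aware that `os.CopyFS` rejects symbolic links in the source tree in the Go release that introduced it, so a profile tree containing symlinks may fail here — worth a sentence in the comment once confirmed against the project's Go version.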
@@ -515,7 +525,7 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return nil, err } txt := string(data) - txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = strings.ReplaceAll(txt, "\r\n", "\n") return strings.Split(txt, "\n"), nil } @@ -536,7 +546,7 @@ func (p *Path) MustReadFilteredFileAsLines() []string { panic(err) } txt := string(data) - txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = strings.ReplaceAll(txt, "\r\n", "\n") txt = util.Filter(txt) res := strings.Split(txt, "\n") if slices.Contains(res, "") { @@ -630,7 +640,9 @@ func (p *Path) String() string { func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - canonical.FollowSymLink() + if err := canonical.FollowSymLink(); err != nil { + return nil + } if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..b0052d13f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,8 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, + ` deny mqueue`, ` # deny mqueue`, }) ) @@ -25,7 +27,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 6fd700291..1ec5e06b1 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -5,16 +5,11 @@ package builder import ( - "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var ( - regProfile = regexp.MustCompile(`profile ([^ ]+)`) -) - type ReAttach struct { prebuild.Base } 
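Review bot: `Canonical` now returns a nil `*Path` when `FollowSymLink` fails, where it previously always returned a value; any caller doing `p.Canonical().String()` will dereference nil (callers are outside this hunk, so please grep them). If a fallback is acceptable, returning the unresolved clone (`return canonical`) keeps the old contract; otherwise document the new one: `// Canonical returns nil when the symlink target cannot be resolved.`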
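Review bot: The two new replacement pairs are unanchored regexes applied in listing order, which has two effects. ` mqueue` → ` # mqueue` runs before ` deny mqueue`, so a `deny mqueue` line has already become `deny # mqueue` by the time the second pair is tried and it never matches; move ` deny mqueue` above ` mqueue`. And ` all` with no terminator also matches the start of ` allow ...` and ` all_...` tokens and any comment containing ` all`, so it should carry the rule terminator like the `userns` entry: `` ` all,`, ` # all,` ``.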
@@ -23,42 +18,45 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnect path", + Msg: "Feat: re-attach disconnected path", }, }) } // Apply will re-attach the disconnected path // - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag -// - Add the attached/base abstraction in the profile +// - Replace the base abstraction by attached/base +// - Replace the consoles abstraction by attached/consoles // - For compatibility, non disconnected profile will have the @{att} variable set to / func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" - profile = strings.Replace(profile, + profile = strings.ReplaceAll(profile, "attach_disconnected", - "attach_disconnected,attach_disconnected.path=@{att}", -1, + "attach_disconnected,attach_disconnected.path=@{att}", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", ) - old := "include if exists " - new := "include \n " + old - profile = strings.Replace(profile, old, new, 1) - - for _, match := range regProfile.FindAllStringSubmatch(profile, -1) { - name := match[1] - if name == opt.Name { - continue - } - old = "include if exists " - new = "include \n " + old - profile = strings.Replace(profile, old, new, 1) - } - } else { - insert = "@{att} = /\n" + insert = "@{att} = \"\"\n" + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null 
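Review bot: The comment above `Apply` still says non-disconnected profiles get `@{att}` set to `/`, but the code now inserts `@{att} = ""` (the attach-2 test later in this diff pins that); update it to `// - For compatibility, non disconnected profiles get @{att} = "" so @{att}/path resolves to /path` and fix `frofile`. `strings.Contains(profile, "attach_disconnected")` also matches a pre-existing `attach_disconnected.path=` clause (or a mention in a comment), in which case `ReplaceAll` appends a second `.path=` clause; the new `HasSuffix("attached/base")` guard only covers the abstraction itself, so consider returning early when `attach_disconnected.path` is already present.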
+++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index dbd9b3478..0d6a48f37 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } @@ -38,6 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index cce8c94ba..bfc1aa025 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -6,7 +6,6 @@ package builder import ( "fmt" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" @@ -21,13 +20,13 @@ var ( Builders = map[string]Builder{} ) -// Main directive interface +// Builder main directive interface type Builder interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } -// Builder options +// Option for a builder type Option struct { Name string File *paths.Path 
@@ -43,26 +42,13 @@ func NewOption(file *paths.Path) *Option { func Register(names ...string) { for _, name := range names { if b, present := Builders[name]; present { - if !slices.Contains(Builds, b) { - Builds = append(Builds, b) - } + Builds = append(Builds, b) } else { panic(fmt.Sprintf("Unknown builder: %s", name)) } } } -func Unregister(names ...string) { - for _, name := range names { - for i, b := range Builds { - if b.Name() == name { - Builds = slices.Delete(Builds, i, i+1) - break - } - } - } -} - func RegisterBuilder(d Builder) { Builders[d.Name()] = d } diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 5a1a39da0..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, 
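Review bot: Dropping the `slices.Contains` guard makes `Register` non-idempotent: a builder keyword registered twice (the CLI and a prepare task can both call `builder.Register`) now runs twice over every profile. `complain` and `enforce` are idempotent, but `attach` is not — its `ReplaceAll("attach_disconnected", ...)` would add a second `.path=` clause on the second pass. Either restore the guard (`if !slices.Contains(Builds, b) { Builds = append(Builds, b) }`, re-importing `slices`) or document on `Register` that a keyword must never be registered more than once.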
@@ -231,10 +231,80 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, + want: ` +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include +}`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) 
diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index a7ce90a7a..3d3d218c6 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index ed2285de5..12dab15cd 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index f7e6143b1..be8750f26 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Temporary fix for #74, #80 & #235", + Msg: "Fix: temporary solution for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 000000000..eca8122c6 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go 
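Review bot: `(PU|U)x,` → `Px,` only rewrites the upper-case exec modes; the lower-case `ux,` and `pux,` forms are also unconfined transitions (without environment scrubbing) and would pass through a full-system-policy build untouched. If any profile uses them, add a second pair `` `(pu|u)x,`, `px,` `` so those transitions become confined too; if the project forbids lower-case modes, say so in a comment next to the regex. The pattern is also unanchored, so a literal `Ux,` inside a comment or path would be rewritten — probably harmless, but `\b` at the front costs nothing.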
@@ -0,0 +1,104 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) 
+ return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index d62cad522..70dff8ec9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go 
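Review bot: `Apply` rebuilds `toResolve` on every call and then does a `slices.Contains` followed by a second map lookup; a direct lookup is simpler and drops the slice entirely: `if labels, ok := resolve[rule.PeerLabel]; ok { ... }`. The paragraph is replaced with `newRules.String()+"\n"`, which — judging by the `stacked-dbus-1` expectation in `core_test.go`, where `dbus send` ends up at column 0 — loses the paragraph's indentation inside the profile; re-indenting the rendered rules to the original leading whitespace would keep the output readable. The match is exact on the quoted form `"@{p_dbus_session}"`, so an unquoted `label=@{p_dbus_session}` is not rewritten — confirm profiles always quote it. Note also that `newRule := *rule` is a shallow copy, so if `aa.Dbus` holds slices both generated rules share them.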
@@ -27,20 +27,29 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Resolve variable in profile attachments", + Msg: "Fix: resolve variable in profile attachments", }, }) } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { - return profile, nil - } - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { - return profile, nil + for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { + return profile, nil + } } f := aa.DefaultTunables() + if prebuild.Distribution == "arch" { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, + }) + } else { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, + }) + } + if _, err := f.Parse(profile); err != nil { return "", err } @@ -55,7 +64,7 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { att := f.GetDefaultProfile().GetAttachments() - strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1) + strheader := strings.ReplaceAll(matches[0], tokATTACHMENT, att) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 2ae440afc..afed5aedf 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" 
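Review bot: `@{sbin}` is resolved to `/{,usr/}{,s}bin` only when `prebuild.Distribution == "arch"`; any other distribution that has merged `/usr/sbin` into `/usr/bin` gets `/{,usr/}sbin`, so a profile whose attachment is `@{sbin}/foo` would not attach to `/usr/bin/foo` and the program would run unconfined. Because an attachment miss is a silent loss of confinement, the merged-sbin decision deserves one named place (a tunable or a `prebuild` constant shared with the log resolver) rather than a string compare in this builder, with a comment such as `// merged-sbin distributions must list /bin as well, or the attachment silently misses`. The remainder of `Apply` is outside the hunk.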
@@ -15,25 +17,28 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" - "github.com/roddhjav/apparmor.d/pkg/util" ) const ( - nilABI uint = 0 - usage = `aa-prebuild [-h] [-s] [--complain|--enforce] [--packages] [--full] [--abi 3|4] + nilABI = 0 + nilVer = 0.0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] - Prebuild apparmor.d profiles for a given distribution, apply - internal built-in directives and build sub-packages structure. + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on ALL profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -p, --packages Build all split packages. - -s, --status Show build configuration. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --test Enable test mode. + --debug Enable debug mode. ` ) @@ -42,9 +47,13 @@ var ( complain bool enforce bool full bool - packages bool - abi uint + server bool + debug bool + test bool + abi int + version float64 file string + buildir string ) func init() { 
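Review bot: The short flag `-s` changes meaning from `--status` to `--server` in this usage text (and in the flag table below); an existing invocation of `aa-prebuild -s` now switches the build into server mode instead of printing configuration. If the old flag is gone on purpose, reject it explicitly or pick a different letter such as `-S` rather than reusing `-s`, and mention the change in the usage text. The synopsis still advertises `[--file FILE]` while the option table says `-F, --file` without the argument name — minor, but worth aligning.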
@@ -52,19 +61,25 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.") - flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.") - flag.BoolVar(&packages, "p", false, "Build all split packages.") - flag.BoolVar(&packages, "packages", false, "Build all split packages.") + flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") + flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } -func Prebuild() { +func Configure() { flag.Usage = func() { fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), 
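Review bot: `--version` is declared with `flag.Float64Var`, so a three-component AppArmor version such as `4.0.1` fails flag parsing, and `4.10` compares equal to `4.1`; the `>= 4.1` comparison later in this file relies on that float. Parsing the flag as a string and comparing `major, minor` components split with `strconv` avoids both problems and keeps the help text honest about accepted forms. `Configure` continues outside the hunk.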
@@ -75,16 +90,44 @@ func Prebuild() { flag.Parse() if help { flag.Usage() - return + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } } if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } + if complain { + builder.Register("complain") + if debug { + builder.Register("debug") + } + if test { + prebuild.Test = true + } + } else if enforce { + builder.Register("enforce") + } + if abi != nilABI { prebuild.ABI = abi } 
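Review bot: `--complain` and `--enforce` are documented as mutually exclusive (`[--complain | --enforce]`), but the `if complain {...} else if enforce {...}` chain silently ignores `--enforce` when both are passed, so a caller asking for an enforced build could unknowingly ship a complain-only one. Add `if complain && enforce { logging.Fatal("--complain and --enforce are mutually exclusive") }` before the chain. `Configure` continues outside the hunk.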
@@ -92,44 +135,56 @@ func Prebuild() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnect path + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { + if !prebuild.DownStream { + prepare.Register("attach") + } + builder.Register("attach") + + } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } + if version != nilVer { + prebuild.Version = version + } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Path = file + sync.Paths = []string{file} overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.OneFile = true + overwrite.Optional = true } +} - // Prepare the build directories - logging.Step("Building apparmor.d profiles for %s (abi%d).", prebuild.Distribution, prebuild.ABI) - prebuild.RootApparmord = prebuild.Root.Join(prebuild.Src) +func Prebuild() { + logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } + if prebuild.Version != nilVer { + logging.Success("AppArmor version targeted: %.1f", prebuild.Version) + } if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) } - - // Generate the packages - if packages { - if err := Packages(); err != nil { - logging.Fatal("%s", err.Error()) - } - } - - // Build the apparmor.d profiles if err := Build(); err != nil { logging.Fatal("%s", err.Error()) } - - if packages { - // Move all 
other profiles to apparmor.d.other - prebuild.RootApparmord = prebuild.Root.Join(prebuild.Src) - if err := prebuild.RootApparmord.Rename(prebuild.Root.Join("other")); err != nil { - logging.Fatal("%s", err.Error()) - } - } } func Prepare() error { 
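Review bot: `prebuild.Version = version` is assigned only after the `switch` on `prebuild.ABI`, but the `case 4:` branch has already evaluated `prebuild.Version >= 4.1` to choose between `stacked-dbus` and `attach`, so `--version` never influences that decision and the default value is what gets compared. Move the `if version != nilVer { prebuild.Version = version }` block up beside the `prebuild.ABI = abi` assignment that precedes the switch, whose header sits between this hunk and the previous one. With that ordering the `logging.Success("AppArmor version targeted: %.1f", ...)` line in `Prebuild` also reports the value that was actually used. Configure starts in an earlier hunk.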
@@ -155,64 +210,26 @@ func Prepare() error { return nil } -func Packages() error { - logging.Success("Building apparmor.d.* packages structure:") - - for _, name := range prebuild.Packages { - pkg := prebuild.NewPackage(name) - msg, err := pkg.Generate() +func Build() error { + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() if err != nil { return err } - if err = pkg.Validate(); err != nil { + profile, err = builder.Run(file, profile) + if err != nil { return err } - logging.Indent = " " - logging.Bullet("apparmor.d.%s", name) - logging.Indent += " " - for _, line := range util.RemoveDuplicate(msg) { - logging.Warning("%s", line) + profile, err = directive.Run(file, profile) + if err != nil { + return err } - logging.Indent = "" - } - return nil -} - -func Build() error { - sources := []string{prebuild.Src} - if packages { - sources = append(sources, prebuild.Packages...) - } - - for _, src := range sources { - prebuild.RootApparmord = prebuild.Root.Join(src) - if src == prebuild.Src { - setMode("") - } else { - pkg := prebuild.NewPackage(src) - setMode(pkg.Mode) - } - - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } + if err := file.WriteFile([]byte(profile)); err != nil { + return err } } 
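Review bot: `files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(...)` discards the error, so an unreadable or missing build directory yields an empty slice and `Build()` returns nil after building nothing; the old loop had the same blind spot, but this rewrite is the moment to close it. Use `files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()); if err != nil { return err }`. The body of `Build` continues into the next hunk.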
@@ -230,20 +247,3 @@ func Build() error { logging.Indent = "" return nil } - -func setMode(mode string) { - if mode == "" { - if complain { - mode = "complain" - } else if enforce { - mode = "enforce" - } - } - switch mode { - case "complain": - builder.Register("complain") - builder.Unregister("enforce") - case "enforce": - builder.Unregister("complain") - } -} diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index aadf9294e..cde9470dc 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -23,7 +23,7 @@ var ( regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) -// Main directive interface +// Directive main interface type Directive interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) @@ -39,7 +39,7 @@ func Usage() string { return res } -// Directive options +// Option for the directive type Option struct { Name string ArgMap map[string]string @@ -83,7 +83,7 @@ func (o *Option) cleanKeyword(input string) string { return reg.ReplaceAllString(input, "") } -// Check if the directive is inline or if it is a paragraph +// IsInline checks if either the directive is in one line or if it is a paragraph func (o *Option) IsInline() bool { inline := true tmp := strings.Split(o.Raw, Keyword) @@ -106,7 +106,10 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { - return "", fmt.Errorf("Unknown directive '%s' in %s", opt.Name, opt.File) + if opt.Name == "lint" { + continue + } + return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) if err != nil { diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index faf39df4b..229dda630 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go 
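Review bot: The `if opt.Name == "lint" { continue }` special case in `Run` hard-codes knowledge of one directive into the generic dispatcher, so `lint` is neither listed by `Usage()` nor validated for arguments, and a second ignorable directive would need another branch here. Registering a no-op `Lint` directive whose `Apply` returns the profile unchanged keeps the lookup uniform and documents the keyword; if the skip must stay, a one-line comment such as `// #aa:lint is consumed by the external linter only; leave it in place` explains why it is exempt from the unknown-directive error. The rest of `Run` lies outside the hunk.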
@@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: nil, + file: paths.New("dbus"), match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", @@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: nil, + File: paths.New("dbus"), Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: nil, + file: paths.New("only"), match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: nil, + File: paths.New("only"), Raw: " #aa:only opensuse", }, }, @@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: nil, + file: paths.New("dummy"), profile: ` `, want: ` `, }, { name: "present", - file: nil, + file: paths.New("fake-own"), profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index a1135d675..4862597bb 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -21,11 +21,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var defaultInterfaces = []string{ - "org.freedesktop.DBus.Properties", - "org.freedesktop.DBus.ObjectManager", -} - type Dbus struct { prebuild.Base } 
@@ -38,20 +33,12 @@ func init() { Help: []string{ "own bus= name= [interface=AARE] [path=AARE]", "talk bus= name= label= [interface=AARE] [path=AARE]", + "common bus= name= label=", }, }}, ) } -func setInterfaces(rules map[string]string) []string { - interfaces := []string{rules["name"]} - if _, present := rules["interface"]; present { - interfaces = append(interfaces, rules["interface"]) - } - interfaces = append(interfaces, defaultInterfaces...) - return interfaces -} - func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules @@ -64,6 +51,8 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) + case "common": + r = d.common(opt.ArgMap) } aa.IndentationLevel = strings.Count( 
@@ -72,94 +61,213 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { generatedDbus := r.String() lenDbus := len(generatedDbus) generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.Replace(profile, opt.Raw, generatedDbus, -1) + profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) return profile, nil } func (d Dbus) sanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" { - return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) + if action != "own" && action != "talk" && action != "common" { + return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) } if _, present := opt.ArgMap["name"]; !present { - return "", fmt.Errorf("Missing name for 'dbus: %s' in %s", action, opt.File) + return "", fmt.Errorf("missing name for 'dbus: %s' in %s", action, opt.File) } if _, present := opt.ArgMap["bus"]; !present { - return "", fmt.Errorf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) } if _, present := opt.ArgMap["label"]; !present && action == "talk" { - return "", fmt.Errorf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("missing label for '%s' in %s", opt.ArgMap["name"], opt.File) } // Set default values if _, present := opt.ArgMap["path"]; !present { - opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}" + opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" } opt.ArgMap["name"] += "{,.*}" return action, nil } +func getInterfaces(rules map[string]string) []string { + var interfaces []string + if _, present := rules["interface"]; present { + interfaces = 
[]string{rules["interface"]} + } else { + interfaces = []string{rules["name"]} + } + + if _, present := rules["interface+"]; present { + interfaces = append(interfaces, rules["interface+"]) + } + return interfaces +} + func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} - res = append(res, &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }) - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `":1.@{int}"`, - }) + interfaces := getInterfaces(rules) + + res := aa.Rules{ + &aa.Include{ + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", + }, + &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }, } + + // Interfaces for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, - }) + res = append(res, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"@{busname}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: iface, + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) } - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `":1.@{int}"`, - }) + + res = append(res, + // DBus.Properties: reply to properties request from anyone + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + + // DBus.Introspectable: allow clients to 
introspect the service + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"@{busname}"`, + }, + + // DBus.ObjectManager: allow clients to enumerate sources + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},org.freedesktop.DBus}"`, + }, + ) return res } func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := setInterfaces(rules) - res := aa.Rules{} + interfaces := getInterfaces(rules) + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } + + // Interfaces for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send"}, - Bus: rules["bus"], - Path: rules["path"], + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }) } - for _, iface := range interfaces { - res = append(res, &aa.Dbus{ - Access: []string{"receive"}, - Bus: rules["bus"], - Path: rules["path"], - Interface: iface, - PeerName: `"{:1.@{int},` + rules["name"] + `}"`, - PeerLabel: rules["label"], - }) + + res = append(res, + // DBus.Properties + &aa.Dbus{ + Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll,Set,PropertiesChanged}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + 
}, + + // DBus.Introspectable + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + + // DBus.ObjectManager: allow clients to enumerate sources + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "GetManagedObjects", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.ObjectManager", + Member: "{InterfacesAdded,InterfacesRemoved}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + ) + return res +} + +func (d Dbus) common(rules map[string]string) aa.Rules { + res := aa.Rules{ + + // DBus.Properties: read all properties from the interface + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: read all properties from the interface", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "{Get,GetAll}", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Properties: receive property changed events + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Properties: receive property changed events", + IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Properties", + Member: "PropertiesChanged", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, + nil, + + // DBus.Introspectable: allow clients to introspect the service + &aa.Comment{ + Base: aa.Base{ + Comment: " DBus.Introspectable: allow clients to introspect the service", + 
IsLineRule: true, + }, + }, + &aa.Dbus{ + Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + }, } return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 65e55e785..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
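Review bot: `sanityCheck` only enforces `label=` for `talk` (`!present && action == "talk"`), but the new `common` action is documented as `common bus= name= label=` and `common()` interpolates `rules["label"]` into every `peer=(... label=...)`, so a `#aa:dbus common` line without a label produces rules with an empty label instead of a build error. Change the guard to `if _, present := opt.ArgMap["label"]; !present && action != "own" {`. Separately, `talk()` now prepends `unix type=stream addr=none peer=(label=..., addr=none)` to every talk directive; if that socket access is deliberately part of the talk contract it deserves a mention in the `Help` entry for `talk`, since profile authors will otherwise not expect a non-D-Bus rule from it.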
@@ -8,29 +8,31 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` include + + dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), + peer=(name="@{busname}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),` + peer=(name="@{busname}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { 
@@ -61,45 +63,47 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.dingextension", - "interface": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.ding", + "interface+": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, + ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", - want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + want: ` include + + dbus bind bus=session name=com.rastersoft.ding{,.*}, + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=com.rastersoft.ding{,.*} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name=":1.@{int}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name=":1.@{int}"), - dbus send bus=session 
path=/com/rastersoft/dingextension{,/**} - interface=com.rastersoft.dingextension{,.*} - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="@{busname}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} interface=org.gtk.Actions - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus send bus=session path=/com/rastersoft/dingextension{,/**} - interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=":1.@{int}"),`, + peer=(name="@{busname}"), + dbus receive bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), + dbus send bus=session path=/com/rastersoft/ding{,/**} + interface=org.freedesktop.DBus.ObjectManager + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.DBus}"),`, }, { name: "talk", 
@@ -116,24 +120,60 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus send bus=system path=/org/freedesktop/Accounts{,/**} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member={Get,GetAll,Set,PropertiesChanged} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus send bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.Accounts{,.*} - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus receive bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + member=GetManagedObjects + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} 
interface=org.freedesktop.DBus.ObjectManager - peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + member={InterfacesAdded,InterfacesRemoved} + peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, + }, + { + name: "common", + opt: &Option{ + Name: "dbus", + ArgMap: map[string]string{ + "bus": "system", + "name": "net.hadess.PowerProfiles", + "label": "power-profiles-daemon", + "talk": "", + }, + ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, + File: nil, + Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + }, + profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", + want: ` # DBus.Properties: read all properties from the interface + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Properties: receive property changed events + dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), + + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/net/hadess/PowerProfiles{,/**} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, }, } for _, tt := range tests { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index 26722349a..b348fb46b 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
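Review bot: The `common` fixture's `ArgMap` carries the key `"talk": ""` and its `ArgList` ends with the bare token `"power-profiles-daemon"`, which does not match what `NewOption` would produce from the `Raw` line `#aa:dbus common ... label=power-profiles-daemon`; the test still passes because `sanityCheck` only reads `ArgList[0]` and `ArgMap["label"]`, so the inconsistency would mask a regression in argument handling. Use `"common": ""` and `"label=power-profiles-daemon"` so the fixture mirrors the real directive.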
@@ -8,12 +8,10 @@ package directive import ( "fmt" - "path/filepath" "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -33,7 +31,7 @@ func init() { func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("No profile to exec") + return "", fmt.Errorf("no profile to exec") } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} @@ -45,14 +43,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} for name := range opt.ArgMap { - match, err := filepath.Glob(prebuild.Root.String() + "/*/" + name) - if err != nil { - return "", err - } - if len(match) != 1 { - return "", fmt.Errorf("No profile found for %s", name) - } - profiletoTransition := paths.New(match[0]).MustReadFileAsString() + profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString() dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err @@ -79,5 +70,5 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules = rules.Sort() new := rules.String() new = new[:len(new)-1] - return strings.Replace(profileRaw, opt.Raw, new, -1), nil + return strings.ReplaceAll(profileRaw, opt.Raw, new), nil } diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 5581d7f2b..255d9a237 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), + rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, 
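Review bot: `prebuild.RootApparmord.Join(name).MustReadFileAsString()` panics when the profile named in `#aa:exec` does not exist, whereas the removed glob code returned `No profile found for %s` and the sibling change in `stack.go` wraps the read error; a typo in a directive now aborts the prebuild with a stack trace instead of naming the file. Replace it with `profiletoTransition, err := prebuild.RootApparmord.Join(name).ReadFileAsString(); if err != nil { return "", fmt.Errorf("%s need to exec: %w", name, err) }`. The loop body continues outside this hunk.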
diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 2fe46e6f2..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,10 +39,22 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true } + versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) + if slices.Contains(opt.ArgList, versionStr) { + return true + } return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } @@ -55,7 +67,7 @@ func filter(only bool, opt *Option, profile string) (string, error) { } if opt.IsInline() { - profile = strings.Replace(profile, opt.Raw, "", -1) + profile = strings.ReplaceAll(profile, opt.Raw, "") } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) profile = regRemoveParagraph.ReplaceAllString(profile, "") diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index 631c6f00f..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -6,12 +6,10 @@ package directive import ( "fmt" - "path/filepath" "regexp" "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -42,7 +40,7 @@ func init() { func (s Stack) Apply(opt *Option, profile string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("No profile to stack") + return "", fmt.Errorf("no profile to stack") } t := opt.ArgList[0] if t != "X" { 
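Review bot: `fmt.Sprintf("apparmor%.1f", prebuild.Version)` makes `#aa:only apparmor4.1` match only the exact targeted version, so a rule gated that way is dropped again when building for 4.2 or 5.0; if the tag is meant as "this version and newer", `filterRuleForUs` needs a numeric comparison rather than a token lookup, and if exact match is intended that should be stated in the directive help. The `%.1f` formatting also collapses a version such as 4.10 to `apparmor4.1`, the same limitation as the float64 flag that feeds it.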
@@ -57,17 +55,13 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - match, err := filepath.Glob(prebuild.Root.String() + "/*/" + name) + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() if err != nil { - return "", err + return "", fmt.Errorf("%s need to stack: %w", name, err) } - if len(match) != 1 { - return "", fmt.Errorf("No profile found for %s", name) - } - stackedProfile := paths.New(match[0]).MustReadFileAsString() m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { - return "", fmt.Errorf("No profile found in %s", name) + return "", fmt.Errorf("no profile found in %s", name) } stackedRules := m[1] stackedRules = regCleanStakedRules.Replace(stackedRules) @@ -77,9 +71,9 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { // Insert the stacked profile at the end of the current profile, remove the stack directive m := regEndOfRules.FindStringSubmatch(profile) if len(m) <= 1 { - return "", fmt.Errorf("No end of rules found in %s", opt.File) + return "", fmt.Errorf("no end of rules found in %s", opt.File) } - profile = strings.Replace(profile, m[0], res+m[0], -1) - profile = strings.Replace(profile, opt.Raw, "", -1) + profile = strings.ReplaceAll(profile, m[0], res+m[0]) + profile = strings.ReplaceAll(profile, opt.Raw, "") return profile, nil } diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 7859fa89d..486a45d14 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go 
@@ -4,28 +4,32 @@ package prebuild -import ( - "os" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) +import "github.com/roddhjav/apparmor.d/pkg/paths" var ( // AppArmor ABI version - ABI uint = 0 + ABI = 0 - // Root is the root directory for the build (default: ./.build) - Root *paths.Path = getRootBuild() + // AppArmor version + Version = 4.0 + + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + + // Either or not RBAC is enabled + RBAC = false + + // Either or not we are in test mode + Test = false + + // Pkgname is the name of the package + Pkgname = "apparmor.d" + + // Root is the root directory for the build (default: .build) + Root *paths.Path = paths.New(".build") // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) - RootApparmord *paths.Path = Root.Join(Src) - - // src is the basename of the source directory (default: apparmor.d) - Src = "apparmor.d" - - // SrcApparmord is the source apparmor.d directory (default: ./apparmor.d) - SrcApparmord *paths.Path = paths.New(Src) + RootApparmord *paths.Path = Root.Join("apparmor.d") // DistDir is the directory where the distribution specific files are stored DistDir *paths.Path = paths.New("dists") @@ -36,9 +40,6 @@ var ( // IgnoreDir is the directory where the ignore files are stored IgnoreDir *paths.Path = DistDir.Join("ignore") - // PkgDir is the directory where the packages files are stored - PkgDir *paths.Path = DistDir.Join("packages") - // SystemdDir is the directory where the systemd drop-in files are stored SystemdDir *paths.Path = paths.New("systemd") 
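Review bot: The two new comments `// Either or not RBAC is enabled` and `// Either or not we are in test mode` should read `// Whether or not RBAC is enabled` and `// Whether or not we are in test mode`. The hunk also drops `getRootBuild()`, so the `BUILD` environment variable no longer selects the build root and callers must switch to the `--buildir` flag; that is worth stating in the `Root` comment, e.g. `// Root is the root directory for the build (default: .build, override with --buildir)`, and in the changelog. `Version = 4.0` as a float64 cannot distinguish 4.10 from 4.1; an integer major/minor pair would be safer if such releases are expected.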
@@ -48,29 +49,6 @@ var ( // DebianHide is the path to the debian/apparmor.d.hide file DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} - // Packages are the packages to build - Packages = getPackages() - Ignore = Ignorer{} Flags = Flagger{} ) - -func getRootBuild() *paths.Path { - root, present := os.LookupEnv("BUILD") - if !present { - root = ".build" - } - return paths.New(root) -} - -func getPackages() []string { - files, err := PkgDir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - if err != nil { - return []string{} - } - packages := make([]string, 0, len(files)) - for _, file := range files { - packages = append(packages, strings.TrimSuffix(file.Base(), ".conf")) - } - return packages -} diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index c14730960..d9879570b 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -10,10 +10,13 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. +// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. +var Hide = `# This file is generated by "just", all edit will be lost. /etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd @@ -55,7 +58,7 @@ type DebianHider struct { path *paths.Path } -// Initialize the file with content from Hide +// Init initializes the file with content from Hide func (d DebianHider) Init() error { return d.path.WriteFile([]byte(Hide)) } diff --git a/pkg/prebuild/os.go b/pkg/prebuild/os.go index 352f4e185..8ef8fb79e 100644 --- a/pkg/prebuild/os.go +++ b/pkg/prebuild/os.go 
@@ -67,13 +67,13 @@ func getDistribution() string {
 if id == "ubuntu" {
 return id
 }
- id_like := Release["ID_LIKE"]
+ idLike := Release["ID_LIKE"]
 for main, based := range supportedDists {
- if main == id || main == id_like {
+ if main == id || main == idLike {
 return main
 } else if slices.Contains(based, id) {
 return main
- } else if slices.Contains(based, id_like) {
+ } else if slices.Contains(based, idLike) {
 return main
 }
 }
diff --git a/pkg/prebuild/packages.go b/pkg/prebuild/packages.go
deleted file mode 100644
index 56d30c04c..000000000
--- a/pkg/prebuild/packages.go
+++ /dev/null
@@ -1,231 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "fmt" - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -type Package struct { - Name string - Mode string - Required []string - Profiles []string - Ignores []string - Ignored []string - builddir *paths.Path -} - -func NewPackage(name string) *Package { - path := PkgDir.Join(name + ".conf") - if !path.Exist() { - panic(fmt.Sprintf("Unknown package: %s", name)) - } - lines := path.MustReadFilteredFileAsLines() - mode := "" - profiles := make([]string, 0, len(lines)) - ignores := []string{} - dependencies := []string{} - ignored := getFilesIgnoredByDistribution() - for _, line := range lines { - switch { - case strings.HasPrefix(line, "mode="): - mode = strings.TrimPrefix(line, "mode=") - case strings.HasPrefix(line, "require="): - dependencies = strings.Split(strings.TrimPrefix(line, "require="), ",") - case strings.HasPrefix(line, "!"): - ignores = append(ignores, strings.TrimPrefix(line, "!")) - default: - profiles = append(profiles, line) - } - } - return &Package{ - Name: name, - Mode: mode, - Required: dependencies, - Profiles: profiles, - Ignores: ignores, - Ignored: ignored, - builddir: Root.Join(name), - } -} - -func getFilesIgnoredByDistribution() []string { - res := []string{} - for _, iname := range []string{"main", Distribution} { - for _, ignore := range Ignore.Read(iname) { - if !strings.HasPrefix(ignore, Src) { - continue - } - profile := strings.TrimPrefix(ignore, Src+"/") - path := SrcApparmord.Join(profile) - if path.IsDir() { - files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - if err != nil { - panic(err) - } - for _, file := range files { - res = append(res, file.Base()) - } - } else if path.Exist() { - res = append(res, path.Base()) - } else { - panic(fmt.Errorf("%s.ignore: no files found for '%s'", iname, 
profile)) - } - } - } - return res -} - -func (p *Package) Generate() ([]string, error) { - var res []string - - if err := p.builddir.RemoveAll(); err != nil { - return res, err - } - if err := p.builddir.MkdirAll(); err != nil { - return res, err - } - - explode := paths.PathList{ - paths.New("groups"), paths.New("profiles-a-f"), - paths.New("profiles-m-r"), paths.New("profiles-s-z"), - } - for _, name := range p.Profiles { - originalPath := SrcApparmord.Join(name) - - if originalPath.IsDir() { - originFiles, err := originalPath.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - if err != nil { - return res, err - } - for _, originFile := range originFiles { - file, err := originFile.RelFrom(SrcApparmord) - if err != nil { - return res, err - } - - if slices.Contains(p.Ignores, file.String()) { - continue - } - - done := false - for _, e := range explode { - if ok, _ := file.IsInsideDir(e); ok { - base := file.Base() - msg, err := p.move(base) - if err != nil { - return res, err - } - res = append(res, msg) - done = true - break - } - } - - if !done { - msg, err := p.move(file) - if err != nil { - return res, err - } - res = append(res, msg) - } - } - - } else if originalPath.Exist() { - base := originalPath.Base() - if slices.Contains(p.Ignores, base) { - continue - } - msg, err := p.move(base) - if err != nil { - return res, err - } - res = append(res, msg) - - } else { - return res, fmt.Errorf("No %s", originalPath) - } - } - return res, nil -} - -func (p *Package) move(origin any) (string, error) { - var src *paths.Path - var dst *paths.Path - var srcOverridden *paths.Path - var dstOverridden *paths.Path - var srcSymlink *paths.Path - var dstSymlink *paths.Path - const ext = ".apparmor.d" - - switch value := any(origin).(type) { - case string: - src = RootApparmord.Join(value) - dst = p.builddir.Join(value) - srcOverridden = RootApparmord.Join(value + ext) - dstOverridden = p.builddir.Join(value + ext) - srcSymlink = RootApparmord.Join("disable", 
value) - dstSymlink = p.builddir.Join("disable", value) - - case *paths.Path: - src = RootApparmord.JoinPath(value) - dst = p.builddir.JoinPath(value) - srcOverridden = RootApparmord.JoinPath(value.Parent()).Join(value.Base() + ext) - dstOverridden = p.builddir.JoinPath(value.Parent()).Join(value.Base() + ext) - srcSymlink = RootApparmord.Join("disable").JoinPath(value) - dstSymlink = p.builddir.Join("disable").JoinPath(value) - - default: - panic("Package.move: unsupported type") - } - - if src.Exist() { - if err := dst.Parent().MkdirAll(); err != nil { - return "", nil - } - if err := src.Rename(dst); err != nil { - return "", nil - } - // fmt.Printf("%s -> %s\n", src, dst) - - } else if srcOverridden.Exist() { - if err := dstOverridden.Parent().MkdirAll(); err != nil { - return "", nil - } - if err := dstSymlink.Parent().MkdirAll(); err != nil { - return "", nil - } - if err := srcOverridden.Rename(dstOverridden); err != nil { - return "", nil - } - if err := srcSymlink.Rename(dstSymlink); err != nil { - return "", nil - } - // fmt.Printf("%s -> %s\n", srcOverridden, dstOverridden) - - } else { - srcRltv, err := src.RelFrom(RootApparmord) - if err != nil { - return "", nil - } - if !slices.Contains(p.Ignored, srcRltv.String()) { - fmt.Printf("Warning: No %s\n", src) - // return "", fmt.Errorf("No %s", src) - } - - } - return "", nil -} - -// Validate ensures a package has its required dependencies -func (p *Package) Validate() error { - return nil -} - diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 000000000..4523382d8 --- /dev/null +++ b/pkg/prebuild/prepare/attach.go 
@@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) + return res, path.WriteFile([]byte(out)) +} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 4b8e11ec5..9ca3b14d3 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,8 +6,8 @@ package prepare import ( "fmt" + "strings" - "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -24,6 +24,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -35,8 +44,8 @@ func (p Configure) Apply() ([]string, error) { return res, err } - if prebuild.ABI == 3 { - if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { + if prebuild.Version < 3.0 { + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { return res, err } } 
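Review bot: `ReAttach.Apply` reports success even when `@{att}=""` is absent from `tunables/multiarch.d/system`, because `strings.ReplaceAll` returns the input unchanged; the task then silently does nothing, and a later definition of `@{att}` in a profile header — the situation the comment says this step prepares for — would go unprepared. Checking `strings.Contains(out, `@{att}=""`)` first and returning an error (or at least appending a message to `res`, as sibling tasks do) makes that visible at build time. The type has no doc comment; `// ReAttach comments out the @{att} tunable so that profiles can define it in their header.` covers it.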
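Review bot: `prebuild.Version < 3.0` is not the condition `prebuild.ABI == 3` expressed in another unit: ABI 3 policy only exists from AppArmor 3.0 onward, so as far as I can tell the old branch fired on current builds targeting that ABI, while the new one fires only below 3.0 and, with `Version` defaulting to `4.0`, is effectively dead unless a caller lowers it. If the intent is "before the 4.x abstractions landed", the comparison should say `< 4.0` and a comment should name what the Ubuntu abstractions copy compensates for. The `removeFiles` helper in the previous hunk relies on `RemoveAll` treating a missing path as success (true if it wraps `os.RemoveAll`); a doc comment stating that, `// removeFiles deletes the given paths under RootApparmord; a missing path is not an error.`, saves the next reader a lookup. Configure.Apply continues outside the hunk.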
@@ -46,14 +55,53 @@ func (p Configure) Apply() ([]string, error) { return res, err } - // Copy Debian specific abstractions - if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { - return res, err + if prebuild.Version < 4.1 { + // Copy Debian specific abstractions + if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { + return res, err + } } default: return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } + + if prebuild.Version >= 4.1 { + remove := []string{ + // Remove files upstreamed in 4.1 + "abstractions/devices-usb-read", + "abstractions/devices-usb", + "abstractions/nameservice-strict", + "tunables/multiarch.d/base", + + // Direct upstream contributed profiles, similar to ours + "wg", + } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err + } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) + } return res, nil } diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index d96e21043..74d7778ed 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -18,7 +18,7 @@ var ( Tasks = map[string]Task{} ) -// Main directive interface +// Task main directive interface type Task interface { prebuild.BaseInterface Apply() ([]string, error) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 1d38ca294..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
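Review bot: The `>= 5.0` branch ends with `return res, path.WriteFile([]byte(out))`, while every other write in this function uses the `if err := ...; err != nil { return res, err }` form; matching it keeps `return res, nil` as the single exit and stops a reader wondering whether the early return is meant to skip something. The `@{pci_bus}` edit is a silent no-op when the line in `tunables/multiarch.d/system` differs from the exact literal, so a `strings.Contains` check returning an error would catch drift in that file. The comment `// Direct upstrem contributed profiles` has a typo (`upstream`). The 4.1 and 5.0 removal lists assume the upstream package ships replacements at the same include paths; a comment per entry naming where it was upstreamed (the `abstractions/*` ones especially, since profiles include them by name) would make future edits of these lists reviewable.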
@@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { 
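Review bot: The comment `// With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they` ends mid-sentence, and it is the only place explaining why `dbus_system`/`dbus_session` get a plain profile name while the entries below get `""`; please finish it. The `""` value is a convention consumed in the following `Apply` hunk (keep the current name, rewrite it to the stacked form), but `// Update name of stacked profiles` does not say so; a line such as `// "" keeps the existing profile name and rewrites it to the stacked form` would make the table self-explanatory. A short note that key order is irrelevant, because each key rewrites its own `@{p_<name>}=` line, would also pre-empt questions about iterating a map here.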
@@ -29,30 +78,24 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { + if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { return res, err } - // Set systemd profile name - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + // Set profile name for FSP + path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.Replace(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1) - out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1) - if err := path.WriteFile([]byte(out)); err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err - } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/prebuild/prepare/ignore.go index 4a7eb929a..2aece5174 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/prebuild/prepare/ignore.go @@ -5,9 +5,6 @@ package prepare import ( - "fmt" - "strings" - "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) 
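Review bot: `regexp.MustCompile` runs inside the loop, compiling one pattern per map entry on every `Apply` call; building the patterns once next to the map, or using a single pattern that captures the variable name, keeps the loop body to the replacement itself. Capture group 1 already holds `@{p_<name>}=`, so `${1}`+profile (and `${1}{$2,sd//&$2,$2//&sd}`) avoids restating the name in both branches. The replacement `@{p_X}={$2,sd//&$2,$2//&sd}` encodes the relationship with the `sd` profile but nothing in the hunk says what it means; a comment such as `// accept the profile on its own or stacked with systemd in either order` would help. Iterating a map is safe here only because every pattern anchors on the closing `}`, so no two keys can match the same line; that is worth one comment so an overlapping key is not added later.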
@@ -29,39 +26,21 @@ func (p Ignore) Apply() ([]string, error) { res := []string{} for _, name := range []string{"main", prebuild.Distribution} { for _, ignore := range prebuild.Ignore.Read(name) { - // Ignore file from share/ - path := prebuild.Root.Join(ignore) - if path.Exist() { - if err := path.RemoveAll(); err != nil { - return res, err - } - continue - } - - // Ignore file from apparmor.d/ - profile := strings.TrimPrefix(ignore, prebuild.Src+"/") - if strings.HasPrefix(ignore, prebuild.Src) { - path = prebuild.RootApparmord.Join(profile) - } - if path.Exist() { - if err := path.RemoveAll(); err != nil { - return res, err - } - - } else { - files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(profile)) + profile := prebuild.Root.Join(ignore) + if profile.NotExist() { + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) if err != nil { return res, err } - if len(files) == 0 { - return res, fmt.Errorf("%s.ignore: no files found for '%s'", name, profile) - } for _, path := range files { if err := path.RemoveAll(); err != nil { return res, err } } - + } else { + if err := profile.RemoveAll(); err != nil { + return res, err + } } } res = append(res, prebuild.IgnoreDir.Join(name+".ignore").String()) diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index bc8be9062..d2c720003 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -48,7 +48,7 @@ func (p Merge) Apply() ([]string, error) { files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) if err != nil { - return res, err + return []string{}, err } for _, file := range files { if err := paths.New(file).RemoveAll(); err != nil { diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 4f31fee70..d974b26e4 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go 
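Review bot: The error for an ignore entry that matches nothing (`%s.ignore: no files found for '%s'`) was dropped, so a misspelled or stale line in an ignore file now passes silently and the profile it was meant to exclude ships anyway. Keeping the `len(files) == 0` check, or at least appending a warning to `res`, preserves that safety net. The lookup also changed from the `Src`-prefix-stripped name to the raw `ignore` string handed to `paths.FilterNames`; if entries still carry an `apparmor.d/` prefix, confirm that the filter matches relative paths rather than base names. Ignore.Apply starts and ends outside the hunk.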
@@ -11,11 +11,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -const ext = ".apparmor.d" +var ext = "." + prebuild.Pkgname type Overwrite struct { prebuild.Base - OneFile bool + Optional bool } func init() { @@ -24,7 +24,7 @@ func init() { Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - OneFile: false, + Optional: false, }) } @@ -46,11 +46,13 @@ func (p Overwrite) Apply() ([]string, error) { for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.OneFile { + if !dest.Exist() && p.Optional { continue } - if err := origin.Rename(dest); err != nil { - return res, err + if origin.Exist() { + if err := origin.Rename(dest); err != nil { + return res, err + } } originRel, err := origin.RelFrom(dest) if err != nil { diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 000000000..fb9a1f602 --- /dev/null +++ b/pkg/prebuild/prepare/server.go 
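Review bot: With the new `if origin.Exist()` guard, a listed profile missing from `RootApparmord` while `dest` is also missing and `Optional` is false no longer fails the rename; the loop then reaches `origin.RelFrom(dest)`, which looks like the start of creating a link at `origin` pointing at `dest` (the rest of the loop is outside the hunk), so the build would emit a dangling link instead of an error. If that case is meant to be tolerated, `continue` when neither path exists; otherwise return an error naming `name`. `ext` also moved from `const` to a package-level `var` built from `prebuild.Pkgname`; a comment like `// ext is the suffix given to an overwritten upstream profile` would explain the indirection.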
@@ -0,0 +1,108 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles 
ignored", fileNb)) + return res, nil +} diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index 6dbfd8bb8..b6c2dbf5b 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -11,7 +11,7 @@ import ( type Synchronise struct { prebuild.Base - Path string + Paths []string // File or directory to sync into the build directory. } func init() { 
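Review bot: `files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(...)` discards the error, so a read failure leaves `files` empty and the task reports `0 profiles ignored` as if the tree had been scanned; the sibling tasks in this package return such errors, and this one should too. The `Server` type and the `serverIgnorePatterns`/`serverIgnoreGroups` tables have no doc comments; since removing a profile leaves the matching program unconfined on a server build, that trade-off belongs on the type (`// Server drops desktop-only groups and every profile that includes a desktop abstraction; the affected programs are left unconfined.`). As rendered here every entry of `serverIgnorePatterns` reads `include ` — presumably the `<abstractions/...>` names were lost in rendering, but if the source really held bare `include ` strings the substring test would remove every profile.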
@@ -20,39 +20,39 @@ func init() { Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Path: "", + Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { - return res, err - } + if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { + return res, err } - if p.Path == "" { - if err := paths.CopyTo(paths.New("share"), prebuild.Root.Join("share")); err != nil { + if err := prebuild.RootApparmord.RemoveAll(); err != nil { + return res, err + } + + for _, name := range p.Paths { + src := paths.New(name) + dst := prebuild.Root.Join(name) + if err := dst.RemoveAll(); err != nil { return res, err } - if err := paths.CopyTo(prebuild.SrcApparmord, prebuild.RootApparmord); err != nil { - return res, err + + if src.IsDir() { + if err := src.CopyFS(dst); err != nil { + return res, err + } + } else { + if err := dst.Parent().MkdirAll(); err != nil { + return res, err + } + if err := src.CopyTo(dst); err != nil { + return res, err + } } - } else { - file := paths.New(p.Path) - destination, err := file.RelFrom(prebuild.SrcApparmord) - if err != nil { - return res, err - } - destination = prebuild.RootApparmord.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return res, err - } - if err := file.CopyTo(destination); err != nil { - return res, err - } - res = append(res, destination.String()) + res = append(res, dst.String()) } return res, nil } diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 42c9a3560..62f40966e 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 
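Review bot: `prebuild.RootApparmord.RemoveAll()` before the loop is redundant with `dst.RemoveAll()` inside it when `Paths` keeps its default `{"apparmor.d", "share"}`, and surprising when a caller passes a single file under `apparmor.d/` — the whole built tree is wiped although only one entry is re-copied. If the per-call wipe is intended, keep the `systemd` and `apparmor.d` removals together under a comment (`// always start from a clean build tree`); if not, drop the second `RemoveAll`. The `Paths` field comment in the previous hunk, `// File or directory to sync into the build directory.`, should be plural and say that entries are relative to the repository root and mirrored under `prebuild.Root`. Note that `src.IsDir()` is false for a missing path, so a typo in `Paths` only surfaces as a `CopyTo` error.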
@@ -1,10 +1,10 @@ -.\" Automatically generated by Pandoc 3.1.9 +.\" Automatically generated by Pandoc 3.1.12.1 .\" -.TH "aa-log" "8" "September 2024" "" "" +.TH "aa\-log" "8" "September 2024" "" "" .SH NAME -aa-log \[em] Review AppArmor generated messages in a colorful way. +aa\-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] 
@@ -13,48 +13,48 @@ as well as \f[I]dbus session\f[R] events. It can be given an optional profile name to filter the output with. .PP It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa-logprof(8)\f[R]. +an alternative to \f[CR]aa\-logprof(8)\f[R]. The generated rules should be manually reviewed and inserted into the profile. .PP Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] .SH OPTIONS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP [\f[I]profile\f[R]] Optional profile name to filter the output with. .TP -\f[CR]--file\f[R], \f[CR]-f\f[R] +\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] Set a logfile or a suffix to the default log file. .TP -\f[CR]--systemd\f[R], \f[CR]-s\f[R] +\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP -\f[CR]--rules\f[R], \f[CR]-r\f[R] +\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] Convert the log into AppArmor rules. .TP -\f[CR]--raw\f[R], \f[CR]-R\f[R] +\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] Print the raw log without any formatting. Useful for reporting logs. .TP -\f[CR]--help\f[R], \f[CR]-h\f[R] +\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] Print the program usage. 
.SH USAGE To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: .IP .EX -aa-log +aa\-log .EE .PP To optionally filter a given profile name: -\f[CR]aa-log \f[R] (your shell will autocomplete the +\f[CR]aa\-log \f[R] (your shell will autocomplete the profile name): .IP .EX -$ aa-log dnsmasq +$ aa\-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r @@ -63,7 +63,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r To generate AppArmor rule: .IP .EX -$ aa-log -r dnsmasq +$ aa\-log \-r dnsmasq profile dnsmasq { \[at]{PROC}/\[at]{pid}/environ r, \[at]{PROC}/cmdline r, @@ -71,9 +71,9 @@ profile dnsmasq { } .EE .SH SEE ALSO -\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], -\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], -\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], +\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], +\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. .SH AUTHORS -aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). +aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 
--- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=ibus-daemon
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
index 03d352890..2d1593f19 100644
--- a/systemd/full/system/ModemManager.service
+++ b/systemd/full/system/ModemManager.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&ModemManager
diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service
new file mode 100644
index 000000000..73bbc99d8
--- /dev/null
+++ b/systemd/full/system/apport-coredump-hook@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&apport
\ No newline at end of file
diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service
new file mode 100644
index 000000000..d7bf885dd
--- /dev/null
+++ b/systemd/full/system/apt-news.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&apt_news
diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service
index 03d352890..b88768556 100644
--- a/systemd/full/system/archlinux-keyring-wkd-sync.service
+++ b/systemd/full/system/archlinux-keyring-wkd-sync.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&archlinux-keyring-wkd-sync
diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service
index 03d352890..5cccff422 100644
--- a/systemd/full/system/bluetooth.service
+++ b/systemd/full/system/bluetooth.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&bluetoothd
\ No newline at end of file
diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service
new file mode 100644
index 000000000..a2a121fc3
--- /dev/null
+++ b/systemd/full/system/cloud-init-hotplugd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&cloud-init-hotplugd.service
diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service
new file mode 100644
index 000000000..9a64fbc26
--- /dev/null
+++ b/systemd/full/system/colord.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&colord
diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service
index 03d352890..6d078aea9 100644
--- a/systemd/full/system/dbus-org.freedesktop.hostname1.service
+++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service
index 03d352890..0ab519541 100644
--- a/systemd/full/system/dbus-org.freedesktop.import1.service
+++ b/systemd/full/system/dbus-org.freedesktop.import1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-importd
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service
index 03d352890..276595080 100644
--- a/systemd/full/system/dbus-org.freedesktop.locale1.service
+++ b/systemd/full/system/dbus-org.freedesktop.locale1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-localed
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service
index 03d352890..c5728915c 100644
--- a/systemd/full/system/dbus-org.freedesktop.login1.service
+++ b/systemd/full/system/dbus-org.freedesktop.login1.service
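Review bot: `AppArmorProfile=&cloud-init-hotplugd.service` combines the `&` stacking prefix with a `.service`-suffixed profile name, whereas the other drop-ins in this commit use either `&<profile>` (`&colord`, `&systemd-hostnamed`) or a bare unit-style name with no `&` (`debug-shell.service`, `dmesg.service` in the following hunks). If the three forms are deliberate — stacked named profile, stacked per-unit profile, plain per-unit profile — a README line in this directory or a sentence in the commit message saying which profile each form expects would stop the next drop-in from copying the wrong one; if not, one of them is a typo. Without a leading `-`, systemd treats a profile that cannot be applied as a start failure, so these names should be checked against the built profile set.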
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-logind
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service
index 03d352890..315b1b230 100644
--- a/systemd/full/system/dbus-org.freedesktop.machine1.service
+++ b/systemd/full/system/dbus-org.freedesktop.machine1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-machined
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service
index 03d352890..ab04c5a45 100644
--- a/systemd/full/system/dbus-org.freedesktop.timedate1.service
+++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-timedated
\ No newline at end of file
diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service
new file mode 100644
index 000000000..f895f7941
--- /dev/null
+++ b/systemd/full/system/debug-shell.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=debug-shell.service
\ No newline at end of file
diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service
new file mode 100644
index 000000000..d4647117b
--- /dev/null
+++ b/systemd/full/system/dmesg.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=dmesg.service
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service
index 03d352890..7340b7610 100644
--- a/systemd/full/system/e2scrub@.service
+++ b/systemd/full/system/e2scrub@.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&e2scrub
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
index 03d352890..b903d2f0a 100644
--- a/systemd/full/system/e2scrub_reap.service
+++ b/systemd/full/system/e2scrub_reap.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&e2scrub_all
\ No newline at end of file
diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service
index 03d352890..5f1f063fa 100644
--- a/systemd/full/system/fprintd.service
+++ b/systemd/full/system/fprintd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&fprintd
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
index fa215b3f0..acd28a5a4 100644
--- a/systemd/full/system/fwupd-refresh.service
+++ b/systemd/full/system/fwupd-refresh.service
@@ -1,4 +1,2 @@
 [Service]
-ProtectKernelModules=no
-RestrictRealtime=no
-ProtectKernelModules=no
+AppArmorProfile=&fwupdmgr
\ No newline at end of file
diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service
new file mode 100644
index 000000000..5054a73d6
--- /dev/null
+++ b/systemd/full/system/fwupd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&fwupd
\ No newline at end of file
diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service
index 4ba897659..2c10e32f5 100644
--- a/systemd/full/system/geoclue.service
+++ b/systemd/full/system/geoclue.service
@@ -1,6 +1,2 @@
 [Service]
-NoNewPrivileges=no
-MemoryDenyWriteExecute=no
-ProtectKernelTunables=no
-ProtectKernelModules=no
-RestrictRealtime=no
+AppArmorProfile=&geoclue
\ No newline at end of file
diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service
new file mode 100644
index 000000000..8520aea76
--- /dev/null
+++ b/systemd/full/system/grub-common.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=grub-common.service
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
index 03d352890..eab67fa44 100644
--- a/systemd/full/system/irqbalance.service
+++ b/systemd/full/system/irqbalance.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&irqbalance
\ No newline at end of file
diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service
new file mode 100644
index 000000000..1b2a9c287
--- /dev/null
+++ b/systemd/full/system/ldconfig.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=ldconfig.service
\ No newline at end of file
diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service
new file mode 100644
index 000000000..bc984e025
--- /dev/null
+++ b/systemd/full/system/logrotate.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&logrotate
\ No newline at end of file
diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service
deleted file mode 100644
index dabf76f3a..000000000
--- a/systemd/full/system/low-memory-monitor.service
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-NoNewPrivileges=no
-
diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service
new file mode 100644
index 000000000..d3a78dd80
--- /dev/null
+++ b/systemd/full/system/man-db.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=man-db.service
\ No newline at end of file
diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service
index 03d352890..53f99edd0 100644
--- a/systemd/full/system/nm-priv-helper.service
+++ b/systemd/full/system/nm-priv-helper.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&nm-priv-helper
diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/paccache.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/passim.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service
new file mode 100644
index 000000000..8d39f3f26
--- /dev/null
+++ b/systemd/full/system/pcscd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pcscd
diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service
index 03d352890..b21a28baa 100644
--- a/systemd/full/system/polkit.service
+++ b/systemd/full/system/polkit.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&polkitd
diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service
new file mode 100644
index 000000000..45c5ed93b
--- /dev/null
+++ b/systemd/full/system/power-profiles-daemon.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&power-profiles-daemon
\ No newline at end of file
diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service
deleted file mode 100644
index 03d352890..000000000
--- a/systemd/full/system/reflector.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
index 03d352890..c52a85d0c 100644
--- a/systemd/full/system/rngd.service
+++ b/systemd/full/system/rngd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&rngd
diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service
new file mode 100644
index 000000000..6b49a73f0
--- /dev/null
+++ b/systemd/full/system/rsyslog.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&rsyslogd
diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service
new file mode 100644
index 000000000..722781b8a
--- /dev/null
+++ b/systemd/full/system/secureboot-db.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=secureboot-db.service
diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service
index dabf76f3a..52d2f644c 100644
--- a/systemd/full/system/shadow.service
+++ b/systemd/full/system/shadow.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-
+AppArmorProfile=&shadow.service
diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service
new file mode 100644
index 000000000..7953d522a
--- /dev/null
+++ b/systemd/full/system/snapd.system-shutdown.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=snapd.system-shutdown.service
\ No newline at end of file
diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service
new file mode 100644
index 000000000..24c914f77
--- /dev/null
+++ b/systemd/full/system/system-update-cleanup.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=system-update-cleanup.service
\ No newline at end of file
diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service
new file mode 100644
index 000000000..d13624709
--- /dev/null
+++ b/systemd/full/system/systemd-coredump@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-coredump
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
index 03d352890..65d4ae62e 100644
--- a/systemd/full/system/systemd-homed.service
+++ b/systemd/full/system/systemd-homed.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-homed
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
index 03d352890..6d078aea9 100644
--- a/systemd/full/system/systemd-hostnamed.service
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service
new file mode 100644
index 000000000..e44c8767f
--- /dev/null
+++ b/systemd/full/system/systemd-initctl.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-initctl
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service
new file mode 100644
index 000000000..e08cf75a9
--- /dev/null
+++ b/systemd/full/system/systemd-journal-remote.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-journal-remote
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
index 0316a67c8..48f5a0156 100644
--- a/systemd/full/system/systemd-journald.service
+++ b/systemd/full/system/systemd-journald.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
\ No newline at end of file
+AppArmorProfile=&systemd-journald
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service
index 0316a67c8..48f5a0156 100644
--- a/systemd/full/system/systemd-journald@.service
+++ b/systemd/full/system/systemd-journald@.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
\ No newline at end of file
+AppArmorProfile=&systemd-journald
\ No newline at end of file
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service
index 03d352890..276595080 100644
--- a/systemd/full/system/systemd-localed.service
+++ b/systemd/full/system/systemd-localed.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-localed
\ No newline at end of file
diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service
index 0316a67c8..c5728915c 100644
--- a/systemd/full/system/systemd-logind.service
+++ b/systemd/full/system/systemd-logind.service
@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
-ProtectClock=no
\ No newline at end of file
+AppArmorProfile=&systemd-logind
\ No newline at end of file
diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service
index 03d352890..315b1b230 100644
--- a/systemd/full/system/systemd-machined.service
+++ b/systemd/full/system/systemd-machined.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-machined
\ No newline at end of file
diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service
index 03d352890..3f4b60849 100644
--- a/systemd/full/system/systemd-networkd.service
+++ b/systemd/full/system/systemd-networkd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-networkd
diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service
new file mode 100644
index 000000000..2dc668b80
--- /dev/null
+++ b/systemd/full/system/systemd-nsresourced.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-nsresourced
diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service
new file mode 100644
index 000000000..c384626ee
--- /dev/null
+++ b/systemd/full/system/systemd-oomd.service
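Review bot: Dropping `NoNewPrivileges=no` from the systemd-logind drop-in leaves nothing to counter the `NoNewPrivileges=yes` that, as far as I recall, the upstream logind unit sets, and the hostnamed, localed, machined, timedated, networkd, resolved and userdbd drop-ins changed the same way are in the same position. AppArmor refuses a domain transition under no_new_privs unless the calling task is unconfined or the target label is a subset of the one it already has, so in the full-system-policy mode these `systemd/full/` drop-ins target, where PID 1 is itself confined, the exec into `systemd-logind` would be denied with EPERM and the unit would fail to start instead of starting confined. If that override was what made the transition succeed before, keep it next to the new line, `NoNewPrivileges=no` / `AppArmorProfile=&systemd-logind`, or at least verify in the new CI "Restart some services" step that these units come back up under the expected label. This is inferred from the removed lines and the AppArmor nnp check; the upstream unit files are not part of this diff.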
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-oomd
diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service
index 03d352890..fd36871e4 100644
--- a/systemd/full/system/systemd-resolved.service
+++ b/systemd/full/system/systemd-resolved.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-resolved
diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service
new file mode 100644
index 000000000..4abf222d5
--- /dev/null
+++ b/systemd/full/system/systemd-rfkill.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-rfkill
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
index 03d352890..78dd0193d 100644
--- a/systemd/full/system/systemd-timedated.service
+++ b/systemd/full/system/systemd-timedated.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-timedated
diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service
new file mode 100644
index 000000000..0cd6fefbf
--- /dev/null
+++ b/systemd/full/system/systemd-timesyncd.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&systemd-timesyncd
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
index 03d352890..d3771658d 100644
--- a/systemd/full/system/systemd-userdbd.service
+++ b/systemd/full/system/systemd-userdbd.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&systemd-userdbd
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
index 03d352890..082e8f0fa 100644
--- a/systemd/full/system/upower.service
+++ b/systemd/full/system/upower.service
@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
\ No newline at end of file
+AppArmorProfile=&upowerd
diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service
new file mode 100644
index 000000000..0eca1db25
--- /dev/null
+++ b/systemd/full/system/usb_modeswitch@.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=usb_modeswitch.service
\ No newline at end of file
diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service
new file mode 100644
index 000000000..4dd212f51
--- /dev/null
+++ b/systemd/full/user/filter-chain.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service
deleted file mode 100644
index c392e82fe..000000000
--- a/systemd/full/user/pipewire-media-session.service
+++ /dev/null
@@ -1,5 +0,0 @@
-[Service]
-NoNewPrivileges=no
-MemoryDenyWriteExecute=no
-LockPersonality=no
-RestrictNamespaces=no
diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service
new file mode 100644
index 000000000..1d35a493e
--- /dev/null
+++ b/systemd/full/user/pipewire-pulse.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire-pulse
\ No newline at end of file
diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service
new file mode 100644
index 000000000..4dd212f51
--- /dev/null
+++ b/systemd/full/user/pipewire.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service
new file mode 100644
index 000000000..c47175f40
--- /dev/null
+++ b/systemd/full/user/wireplumber.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service
new file mode 100644
index 000000000..c47175f40
--- /dev/null
+++ b/systemd/full/user/wireplumber@.service
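Review bot: The new pipewire.service user drop-in carries only `AppArmorProfile=&pipewire`, while the pipewire-media-session drop-in deleted in the same hunk group shows the relaxations these user units previously needed (`NoNewPrivileges=no`, `MemoryDenyWriteExecute=no`, `LockPersonality=no`, `RestrictNamespaces=no`); the same applies to the pipewire-pulse, filter-chain and wireplumber drop-ins. A user manager runs without CAP_SYS_ADMIN, and in that case systemd turns `LockPersonality=`, `MemoryDenyWriteExecute=`, `RestrictNamespaces=` or `SystemCallFilter=` into an implied no_new_privs; the upstream pipewire and wireplumber units set several of these as far as I recall. If the user instance of systemd is itself confined under full system policy, AppArmor would then refuse the exec transition into `&pipewire` rather than confine the daemon. Worth checking with `ps auxZ` in a desktop session, and re-adding the relaxations beside the profile line if the service fails to start; the upstream units are not in this diff, so this is inferred from the deleted drop-in.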
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/tests/Makefile b/tests/Makefile
deleted file mode 100644
index 8bf5f6182..000000000
--- a/tests/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: -# make archlinux flavor=gnome -# vagrant up arch-gnome -# vagrant ssh archl-gnome - -# Build variables -flavor ?= -disk ?= 10G - -VERSION := 0.$(shell git rev-list --count HEAD) -BASE = archlinux debian ubuntu opensuse fedora - -.PHONY: ${BASE} lint - -$(BASE): - @make --directory=../ package dist=${@} - @packer build -force -var version=${VERSION} \ - -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@} packer/ - -lint: - @packer fmt --check packer/ - @packer validate --syntax-only packer/
diff --git a/tests/Vagrantfile b/tests/Vagrantfile
deleted file mode 100644
index 4bdaac985..000000000
--- a/tests/Vagrantfile
+++ /dev/null
@@ -1,62 +0,0 @@ -# -*- mode: ruby -*- -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -require 'yaml' - -machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml')) -default = machines['defaults'] - -Vagrant.require_version '>= 2.0.0' - -Vagrant.configure("2") do |config| - - config.ssh.keys_only = true - config.ssh.insert_key = false - config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ] - config.ssh.username = 'user' - - machines['boxes'].each do |instance| - - # Configure the VMs per details in boxes.yml - config.vm.define instance['name'] do |srv| - srv.vm.box = instance['box'] - srv.vm.box_check_update = false - srv.vm.post_up_message = instance.to_yaml - srv.vm.synced_folder '.', '/vagrant', disabled: true - if !ENV['AA_INTEGRATION'] - srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false - end - - # Configure Libvirt provider - srv.vm.provider 'libvirt' do |libvirt| - libvirt.driver = 'kvm' - libvirt.default_prefix = 'aa-' - libvirt.connect_via_ssh = false - libvirt.storage_pool_name = 'ssd' - libvirt.memory = instance.fetch('ram', default['ram']) - libvirt.cpus = instance.fetch('cpu', default['cpu']) - libvirt.cpu_mode = 'host-passthrough' - libvirt.machine_type = 'q35' - libvirt.video_type = 'virtio' - libvirt.graphics_type = 'spice' - libvirt.sound_type = 'ich9' - libvirt.tpm_model = 'tpm-crb' - libvirt.tpm_type = 'emulator' - libvirt.tpm_version = '2.0' - libvirt.random model: 'random' - libvirt.memorybacking 'source', type: 'memfd' - libvirt.memorybacking 'access', mode: 'shared' - libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio' - (1..2).each do - libvirt.redirdev :type => "spicevmc" - end - if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' - end - end - - end - end -end 
diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats deleted file mode 100644 index 23647c932..000000000 --- a/tests/bats/flatpak.bats +++ /dev/null @@ -1,52 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -setup_file() { - aa_setup -} - -# bats test_tags=flatpak -@test "flatpak: List installed applications, ignoring runtimes" { - flatpak list --app - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Install an application from a remote source" { - flatpak install --noninteractive org.vim.Vim - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Show information about an installed application" { - flatpak info org.vim.Vim - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Run an installed application" { - flatpak run org.vim.Vim - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Update all installed applications and runtimes" { - flatpak update --noninteractive - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Remove an installed application" { - flatpak remove --noninteractive org.vim.Vim - aa_check -} - -# bats test_tags=flatpak -@test "flatpak: Remove all unused applications" { - flatpak remove --unused - aa_check -} diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats deleted file mode 100644 index 980495d2d..000000000 --- a/tests/bats/ip.bats +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -setup_file() { - aa_setup -} - -# bats test_tags=ip -@test "ip: List interfaces with detailed info" { - ip address - aa_check -} - -# bats test_tags=ip -@test "ip: List interfaces with brief network layer info" { - ip -brief address - aa_check -} - -# bats test_tags=ip -@test "ip: List interfaces with brief link layer info" { - ip -brief link - aa_check -} - -# bats test_tags=ip -@test "ip: Display the routing table" { - ip route - aa_check -} - -# bats test_tags=ip -@test "ip: Show neighbors (ARP table)" { - ip neighbour - aa_check -} - diff --git a/tests/boxes.yml b/tests/boxes.yml deleted file mode 100644 index ef037e07f..000000000 --- a/tests/boxes.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -defaults: - uefi: true - ram: '4096' - cpu: '6' - -boxes: - - name: arch-gnome - box: aa-archlinux-gnome - uefi: false - - - name: arch-kde - box: aa-archlinux-kde - uefi: false - - - name: arch-xfce - box: aa-archlinux-xfce - uefi: false - - - name: arch-cosmic - box: aa-archlinux-cosmic - uefi: false - - - name: arch-server - box: aa-archlinux-server - uefi: false - - - name: ubuntu-desktop - box: aa-ubuntu-desktop - - - name: ubuntu-desktop24 - box: aa-ubuntu-desktop24 - - - name: ubuntu-server - box: aa-ubuntu-server - - - name: ubuntu-server24 - box: aa-ubuntu-server24 - - - name: debian-server - box: aa-debian-server - - - name: debian-gnome - box: aa-debian-gnome - - - name: debian-kde - box: aa-debian-kde - - - name: opensuse-kde - box: aa-opensuse-kde diff --git a/tests/check.sh b/tests/check.sh index 3ddda9827..b54bc157a 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -1,174 +1,633 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail -readonly APPARMORD="apparmor.d" +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} +declare WITH_CHECK +declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false +readonly APPARMORD SBIN_LIST RES MAX_JOBS +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local name="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local name="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" +} + +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 + fi + done + return 1 +} + +_is_enabled() { + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 +} + +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_IGNORE_LINT_BLOCK=false +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local checks line="$1" + + if [[ "$line" =~ 
^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block (or file-wide if in header) + checks="${line#*"$_IGNORE_LINT="}" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block/paragraph + return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore (or file-wide if in header) + checks="${line#*"$_IGNORE_LINT="}" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") + + else + # Do not clear if file-wide ignore is set + if ! 
$_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi + fi +} + +_check() { + local file="$1" + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() + + while IFS= read -r line; do + line_number=$((line_number + 1)) + _ignore_lint "$line" + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + _check_udev + + # The following checks do not apply to commented lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi + + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + _check_transition + _check_useless + _check_tunables + + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + done <"$file" + + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} + +# Rules checks: security, compatibility, and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done + 
if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory-mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname "* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too-wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot who +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) +_check_transition() { + _is_enabled transition || return 0 + 
for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn transition "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + 'ptrace readby' + '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + +declare -A TUNABLES=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + 
["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + fi + done +} + +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ + +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" == *"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err abi "$file" "missing 'abi ,'" + fi +} + +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" == *"${include}"* ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! 
$RES_INCLUDE; then + _err include "$file" "missing '$include'" + fi +} + +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err profile "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + readonly HEADERS=( "# apparmor.d - Full set of apparmor profiles" "# Copyright (C) " "# SPDX-License-Identifier: GPL-2.0-only" ) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 -} - -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break fi done } - -_ensure_indentation() { - local file="$1" - local in_profile=false - local first_line_after_profile=true - local line_number=0 - - while IFS= read -r line; do - line_number=$((line_number + 1)) - - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue fi + _err header "$file" "missing header: '${HEADERS[$idx]}'" + done +} - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err tabs "$file:$line_number" "tabs are not allowed" + fi +} - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." 
+_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err trailing "$file:$line_number" "line has trailing whitespace" + fi +} - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err indentation "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} - if ! $ok; then - _die "$file:$line_number: invalid indentation." + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _err indentation "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" -} - -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" fi } -_ensure_abi() { - local file="$1" - if ! 
grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + fi + fi +} +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err subprofiles "$file" "$msg" + done +} + +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true + fi +} +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } -_ensure_vim() { - local file="$1" - if ! 
grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi fi } +check_sbin() { + local file name jobs + mapfile -t sbin <"$SBIN_LIST" + _msg "Ensuring '@{bin} and '@{sbin}' are correctly used in profiles" + + jobs=0 + for name in "${sbin[@]}"; do + ( + mapfile -t files < <( + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" "$APPARMORD" | + cut -d: -f1,2 + ) + for file in "${files[@]}"; do + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + done + ) & + _wait jobs + done + wait + + local pattern='[[:alnum:]_.-]+' # Pattern for valid file names + jobs=0 + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" "$APPARMORD" | cut -d: -f1,2) + for file in "${files[@]}"; do + ( + while read -r match; do + name="${match/\@\{sbin\}\//}" + if ! 
_in_array "$name" "${sbin[@]}"; then + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + fi + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") + ) & + _wait jobs + done + wait +} + check_profiles() { - echo -e "\033[1m â‹… \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide useless transition tunables + abi include profile header tabs trailing indentation subprofiles vim udev + ) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! 
grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + abi include header tabs trailing indentation vim udev ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=( + abstractions directory-mark equivalent too-wide tunables + header tabs trailing indentation vim udev + ) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } +check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi 
diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml
new file mode 100644
index 000000000..9ed6c1d92
--- /dev/null
+++ b/tests/cloud-init/archlinux-cosmic.user-data.yml
@@ -0,0 +1,57 @@
+#cloud-config
+
+packages:
+ # Install core packages
+ - apparmor
+ - base-devel
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+
+ # Install usefull core packages
+ - bash-completion
+ - just
+ - git
+ - htop
+ - man
+ - pass
+ - python-notify2
+ - vim
+ - wget
+
+ # Install basic services
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+
+ # Install Applications
+ - firefox
+ - chromium
+ - terminator
+
+ # Install Graphical Interface
+ - cosmic
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable cosmic-greeter
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml
new file mode 100644
index 000000000..d33f685b6
--- /dev/null
+++ b/tests/cloud-init/archlinux-gnome.user-data.yml
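Review bot: The `write_files` entries `*grub-enable-apparmor`, `*setup-bash-aliases` and `*shared-directory` alias anchors that this file never defines; YAML aliases do not resolve across files, so this only works if the build step concatenates archlinux.yml and common.yml in front of this document before cloud-init parses it, and a one-line comment at the top such as `# Anchors come from archlinux.yml and common.yml (concatenated at build time)` would save the next reader from checking. The same applies to every other `*.user-data.yml` file added in this commit. Unlike the sibling archlinux-*.user-data.yml files that take `packages: *gnome-packages` and friends, this file repeats its package list inline; a `cosmic-packages` anchor in archlinux.yml would keep the two in step. Minor: `# Install usefull core packages` should read `useful`.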
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable gdm
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml
new file mode 100644
index 000000000..cb4c4d3b0
--- /dev/null
+++ b/tests/cloud-init/archlinux-kde.user-data.yml
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *kde-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable sddm
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml
new file mode 100644
index 000000000..208f7dab5
--- /dev/null
+++ b/tests/cloud-init/archlinux-lxqt.user-data.yml
@@ -0,0 +1,28 @@
+#cloud-config
+
+packages: *lxqt-packages
+
+# lxqt-wayland-session kwin
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable sddm
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml
new file mode 100644
index 000000000..2b3567171
--- /dev/null
+++ b/tests/cloud-init/archlinux-server.user-data.yml
@@ -0,0 +1,24 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable rngd
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml
new file mode 100644
index 000000000..afba57519
--- /dev/null
+++ b/tests/cloud-init/archlinux-xfce.user-data.yml
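Review bot: The anchor name `systemd-netword`, used here in archlinux-server.user-data.yml and defined in common.yml, then aliased again from the debian, opensuse and ubuntu user-data files, reads as a typo for `systemd-network`; it resolves today only because the typo is repeated consistently, so renaming the anchor and every alias to `&systemd-network` / `*systemd-network` would avoid a confusing search miss later. In the archlinux-lxqt hunk just above, the bare line `# lxqt-wayland-session kwin` between `packages:` and `runcmd:` looks like a leftover note; either make it an explicit one, `# TODO: evaluate lxqt-wayland-session and kwin as alternatives`, or drop it.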
@@ -0,0 +1,26 @@
+#cloud-config
+
+packages: *xfce-packages
+
+runcmd:
+ # Regenerate grub.cfg
+ - grub-mkconfig -o /boot/grub/grub.cfg
+
+ # Remove swapfile
+ - swapoff -a
+ - rm -rf /swap/
+ - sed -e "/swap/d" -i /etc/fstab
+
+ # Enable core services
+ - systemctl enable apparmor
+ - systemctl enable auditd
+ - systemctl enable lightdm.service
+ - systemctl enable NetworkManager
+ - systemctl enable rngd
+ - systemctl enable avahi-daemon
+ - systemctl enable systemd-timesyncd.service
+
+write_files:
+ - *grub-enable-apparmor # Enable AppArmor in kernel parameters
+ - *setup-bash-aliases # Set some bash aliases
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml
new file mode 100644
index 000000000..629de7d02
--- /dev/null
+++ b/tests/cloud-init/archlinux.yml
@@ -0,0 +1,170 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+gnome-packages: &gnome-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - alacarte
+ - gnome
+ - gnome-extra
+ - ptyxis
+ - seahorse
+
+kde-packages: &kde-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - plasma-meta
+ - sddm
+ - ark
+ - dolphin
+ - konsole
+ - okular
+
+lxqt-packages: &lxqt-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - lxqt
+ - breeze-icons
+ - sddm
+
+xfce-packages: &xfce-packages
+ # Core packages for Archlinux
+ - apparmor
+ - base-devel
+ - bash-completion
+ - docker
+ - git
+ - htop
+ - just
+ - man
+ - pass
+ - python-notify2
+ - qemu-guest-agent
+ - rng-tools
+ - spice-vdagent
+ - vim
+ - wget
+
+ # Desktop packages for Archlinux
+ - networkmanager
+ - cups
+ - cups-pdf
+ - system-config-printer
+ - chromium
+ - firefox
+ - spice-vdagent
+ - terminator
+
+ # Install Graphical Interface
+ - xfce4
+ - xfce4-goodies
+ - lightdm
+ - lightdm-gtk-greeter
+
+# Enable AppArmor in kernel parameters
+grub-enable-apparmor: &grub-enable-apparmor
+ path: /etc/default/grub
+ append: true
+ content: |
+ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
+
+# Set some bash aliases
+setup-bash-aliases: &setup-bash-aliases
+ path: /etc/skel/.bashrc
+ append: true
+ content: |
+ [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml
new file mode 100644
index 000000000..2048e5368
--- /dev/null
+++ b/tests/cloud-init/common.yml
@@ -0,0 +1,39 @@
+#cloud-config
+
+hostname: ${hostname}
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+
+# Mount shared directory
+shared-directory: &shared-directory
+ path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+# Network configuration for server
+systemd-netword: &systemd-netword
+ path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml
new file mode 100644
index 000000000..b96bb5880
--- /dev/null
+++ b/tests/cloud-init/debian.yml
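Review bot: `spice-vdagent` is listed twice in each of `gnome-packages`, `kde-packages`, `lxqt-packages` and `xfce-packages`, once in the copied core block and once under "Desktop packages for Archlinux"; the package manager will most likely dedupe it, but it is noise in a list maintained by hand and should be dropped from the desktop block. The desktop lists copy the fifteen `core-packages` entries instead of referencing the anchor because YAML cannot merge sequences; a `# keep in sync with core-packages above` comment at the top of each copied block would make that constraint explicit for whoever edits one list and not the others. The `grub-enable-apparmor` entry appends a new `GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=..."` assignment that expands the previous value; that relies on the variable already being defined earlier in `/etc/default/grub`, which is worth stating in the comment above it.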
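Review bot: `hostname: ${hostname}`, `plain_text_passwd: ${password}` and the `- ${ssh_key}` item are unquoted template substitutions; if the substituted value is empty, looks numeric or boolean, or contains `: ` or ` #`, YAML retypes or splits it, so write them as `hostname: "${hostname}"`, `plain_text_passwd: "${password}"` and `- "${ssh_key}"`. In `shared-directory` the fstab entry ends in `defaults 0 1`, which requests a filesystem check at boot; virtiofs has no fsck helper, so the pass number should be `0`. The same entry hardcodes `/home/user/Projects/apparmor.d` while the account is templated as `${username}`; either template the path too or add a comment stating that the guest user is expected to be `user`, otherwise the mount fails silently when the two diverge.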
@@ -0,0 +1,97 @@
+#cloud-config
+
+# Core packages for Debian
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+gnome-packages: &gnome-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Gnome packages for Debian
+ - spice-vdagent
+ - task-gnome-desktop
+ - terminator
+ - loupe
+ - ptyxis
+
+kde-packages: &kde-packages
+ # Core packages for Debian
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # KDE packages for Debian
+ - spice-vdagent
+ - task-kde-desktop
+ - plasma-workspace-wayland
+ - terminator
+
+debian12-runcmd: &debian12-runcmd
+ - apt-get update -y
+ - apt-get install -y -t bookworm-backports golang-go
+
+debian13-runcmd: &debian13-runcmd
+ - apt-get update -y
+ - apt-get install -y golang-go
+
+# Add backports repository
+debian12-backports: &debian12-backports
+ path: /etc/apt/sources.list
+ append: true
+ content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml
new file mode 100644
index 000000000..fbb3d1232
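Review bot: `debian12-backports` gives `content:` as a plain scalar, so the text appended to `/etc/apt/sources.list` carries no trailing newline and, if the existing file does not end in one, is glued onto its last line; use a block scalar, `content: |` with the `deb http://deb.debian.org/debian bookworm-backports main contrib non-free` line beneath it, so the entry lands on its own line and the file stays newline-terminated. As in archlinux.yml, `gnome-packages` and `kde-packages` repeat the twenty `core-packages` entries verbatim; a `# keep in sync with core-packages above` comment on each copied block would flag the coupling.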
--- /dev/null
+++ b/tests/cloud-init/debian12-gnome.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/packer/init/debian-kde.user-data.yml b/tests/cloud-init/debian12-kde.user-data.yml
similarity index 65%
rename from tests/packer/init/debian-kde.user-data.yml
rename to tests/cloud-init/debian12-kde.user-data.yml
index a608e9b0b..451068db1 100644
--- a/tests/packer/init/debian-kde.user-data.yml
+++ b/tests/cloud-init/debian12-kde.user-data.yml
@@ -1,23 +1,5 @@ #cloud-config -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false packages: - apparmor-profiles - auditd
@@ -27,8 +9,8 @@ packages: - devscripts - htop - qemu-guest-agent - - spice-vdagent - rsync + - spice-vdagent - vim - task-kde-desktop
diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml
new file mode 100644
index 000000000..cec721285
--- /dev/null
+++ b/tests/cloud-init/debian12-server.user-data.yml
@@ -0,0 +1,10 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian12-runcmd
+
+write_files:
+ - *debian12-backports # Add backports repository
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml
new file mode 100644
index 000000000..0d5adfe17
--- /dev/null
+++ b/tests/cloud-init/debian13-gnome.user-data.yml
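Review bot: After the rename, debian12-kde.user-data.yml still carries an inline `packages:` list (`apparmor-profiles`, `auditd`, ..., `task-kde-desktop`) and only loses the user/hostname block, whereas the sibling debian12-gnome and debian12-server files added in this commit take `packages: *kde-packages` / `*core-packages`, `runcmd: *debian12-runcmd` and the `write_files` aliases; unless the rest of the file outside these two hunks adds them, the KDE image will not get the backports repository, `golang-go` or the shared directory. Switching this file to `packages: *kde-packages` would also make its list identical to the one in debian.yml instead of a second copy to maintain.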
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml
new file mode 100644
index 000000000..5a4d33bf5
--- /dev/null
+++ b/tests/cloud-init/debian13-kde.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kde-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml
new file mode 100644
index 000000000..692548770
--- /dev/null
+++ b/tests/cloud-init/debian13-server.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd: *debian13-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml
new file mode 100644
index 000000000..b59d66af3
--- /dev/null
+++ b/tests/cloud-init/opensuse-gnome.user-data.yml
@@ -0,0 +1,22 @@
+#cloud-config
+
+packages: *gnome-packages
+
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+ # Ensure auditd is enabled
+ - systemctl enable systemd-journald-audit.socket
+
+write_files:
+ - *shared-directory # Setup shared directory
+
+ - path: /etc/sysconfig/displaymanager
+ append: true
+ content: |
+ DISPLAYMANAGER="gdm"
+
diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml
new file mode 100644
index 000000000..2058846dd
--- /dev/null
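Review bot: The `sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub` step does nothing, without any error, when the stock command line does not contain that exact string, and the VM then regenerates grub.cfg and boots with SELinux still selected; a follow-up line such as `- grep -q 'apparmor=1' /etc/default/grub` before `grub2-mkconfig` makes the miss visible in the cloud-init log. The comment `# Ensure auditd is enabled` sits on `systemctl enable systemd-journald-audit.socket`, which makes audit messages available through the journal rather than enabling auditd; rephrase it as `# Forward kernel audit messages to the journal`. The same sed appears in opensuse-kde and opensuse-server on the next line.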
+++ b/tests/cloud-init/opensuse-kde.user-data.yml
@@ -0,0 +1,18 @@
+#cloud-config
+
+packages: *kde-packages
+
+# apparmor.debug=1
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - path: /etc/sysconfig/displaymanager
+ append: true
+ content: |
+ DISPLAYMANAGER="sddm"
diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml
new file mode 100644
index 000000000..b6d35cd68
--- /dev/null
+++ b/tests/cloud-init/opensuse-server.user-data.yml
@@ -0,0 +1,14 @@
+#cloud-config
+
+packages: *core-packages
+
+runcmd:
+ # Replace SELinux by AppArmor in kernel parameters
+ - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
+
+ # Regenerate grub.cfg
+ - grub2-mkconfig -o /boot/grub2/grub.cfg
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml
new file mode 100644
index 000000000..ab0954c6a
--- /dev/null
+++ b/tests/cloud-init/opensuse.yml
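Review bot: The grub substitution in opensuse-kde writes only `apparmor=1`, while opensuse-gnome and opensuse-server add `apparmor.debug=1` and also enable `systemd-journald-audit.socket`; the stray `# apparmor.debug=1` comment above `runcmd:` suggests the omission is unintentional. Either align the sed with the other two files, `- sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub`, or replace the stray comment with one stating why the KDE image runs without AppArmor debug logging.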
@@ -0,0 +1,70 @@
+#cloud-config
+
+# Core packages for OpenSUSE
+core-packages: &core-packages
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+gnome-packages: &gnome-packages
+ # Core packages for OpenSUSE
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+ # Gnome packages for OpenSUSE
+ - pattern:gnome
+ - gdm
+ - spice-vdagent
+ - terminator
+ - loupe
+ - ptyxis
+
+kde-packages: &kde-packages
+ # Core packages for OpenSUSE
+ - pattern:apparmor
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - docker
+ - git
+ - go
+ - golang-packaging
+ - htop
+ - just
+ - rpmbuild
+ - rsync
+ - systemd-container
+ - systemd-homed
+ - vim
+
+ # KDE packages for OpenSUSE
+ - pattern:kde_plasma
+ - pattern:kde
+ - sddm
+ - spice-vdagent
+ - terminator
diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml
new file mode 100644
index 000000000..1f3563750
--- /dev/null
+++ b/tests/cloud-init/ubuntu.yml
@@ -0,0 +1,114 @@
+#cloud-config
+
+core-packages: &core-packages
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+desktop-packages: &desktop-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - ubuntu-desktop
+ - loupe
+ - ptyxis
+
+kubuntu-packages: &kubuntu-packages
+ # Core packages for Ubuntu
+ - apparmor-profiles
+ - apparmor-utils
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - docker.io
+ - golang-go
+ - htop
+ - just
+ - libpam-apparmor
+ - lintian
+ - qemu-guest-agent
+ - rsync
+ - systemd-container
+ - systemd-coredump
+ - systemd-homed
+ - systemd-oomd
+ - unattended-upgrades
+ - vim
+
+ # Desktop packages for Ubuntu
+ - spice-vdagent
+ - terminator
+ - kubuntu-desktop
+ - plasma-workspace-wayland
+
+desktop-runcmd: &desktop-runcmd
+ # Add missing snap packages
+ - snap install snap-store
+ - snap install snapd-desktop-integration
+ - snap install --edge desktop-security-center
+
+ # Remove default filesystem and related tools not used with the suggested
+ # storage layout. These may yet be required if different partitioning schemes
+ # are used.
+ - apt-get -y purge btrfs-progs xfsprogs
+
+ # Remove other packages present by default in Ubuntu Server but not
+ # normally present in Ubuntu Desktop.
+ - >-
+ apt-get -y purge
+ byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader
+ mdadm motd-news-config ncurses-term open-iscsi open-vm-tools
+ screen sg3-utils sosreport ssh-import-id sssd tmux
+
+ # Finally, remove things only installed as dependencies of other things
+ # we have already removed.
+ - apt-get -y autoremove
+
+ # Ensure systemd-networkd is disabled
+ - systemctl disable systemd-networkd-wait-online.service
+
+ # Ensure auditd is enabled
+ - systemctl enable systemd-journald-audit.socket
diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
new file mode 100644
index 000000000..bea74af3a
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kubuntu-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu24-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml
new file mode 100644
index 000000000..7f4183d49
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml
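Review bot: `snap install --edge desktop-security-center` in `desktop-runcmd` pulls whatever build currently sits on the edge channel, so two runs of the image build can install different code and the test results stop being comparable; pin a channel if a stable one is published, or add a comment stating why edge is required (the rest of `desktop-runcmd` starts on the previous line). The `# Ensure auditd is enabled` comment sits on `systemctl enable systemd-journald-audit.socket`, which forwards audit messages to the journal rather than enabling auditd; `# Forward kernel audit messages to the journal` describes what the line does. As in the other distro files, `desktop-packages` and `kubuntu-packages` repeat the `core-packages` list verbatim; a `# keep in sync with core-packages above` comment would flag the coupling.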
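Review bot: ubuntu24-kubuntu.user-data.yml includes `*systemd-netword`, whose anchor in common.yml is described as "Network configuration for server", while ubuntu24-desktop.user-data.yml does not; both are desktop images, so one of the two is probably wrong — either add the alias to the desktop file or keep it for ubuntu24-server only. ubuntu24-server has no `runcmd`, so unlike the desktop images it never runs `systemctl enable systemd-journald-audit.socket`; if audit messages matter for the server tests as well, a small `server-runcmd` anchor in ubuntu.yml would cover it. The ubuntu25-* files on the next line are byte-identical copies (same blob ids) and inherit the same inconsistency.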
@@ -0,0 +1,8 @@
+#cloud-config
+
+packages: *desktop-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
new file mode 100644
index 000000000..bea74af3a
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
@@ -0,0 +1,9 @@
+#cloud-config
+
+packages: *kubuntu-packages
+
+runcmd: *desktop-runcmd
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml
new file mode 100644
index 000000000..98b78ec80
--- /dev/null
+++ b/tests/cloud-init/ubuntu25-server.user-data.yml
@@ -0,0 +1,7 @@
+#cloud-config
+
+packages: *core-packages
+
+write_files:
+ - *shared-directory # Setup shared directory
+ - *systemd-netword # Network configuration for server
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index 5ca948196..e7e620b00 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -68,7 +68,6 @@ func run() error {
 if err != nil {
 return err
 }
- tests = tests.Filter()
 if err := cfg.BatsDir.RemoveAll(); err != nil {
 return err
@@ -76,6 +75,12 @@ func run() error {
 if err := cfg.BatsDir.MkdirAll(); err != nil {
 return err
 }
+ if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil {
+ return err
+ }
+ if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil {
+ return err
+ }
 for _, test := range tests {
 if err := test.Write(cfg.BatsDir); err != nil {
 return err
@@ -83,7 +88,8 @@ func run() error {
 }
 logging.Bullet("Bats tests directory: %s", cfg.BatsDir)
- logging.Bullet("Number of tests found %d", len(tests))
+ logging.Bullet("Number of profiles with tests found %d", len(tests))
+ logging.Bullet("Number of programs without profile found %d", len(tests))
 return nil
 }
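Review bot: Both new counters in the last hunk print `len(tests)`, so "Number of programs without profile found" always equals "Number of profiles with tests found" and neither is the number its label names, now that `tests.Filter()` is gone and unprofiled tests remain in the slice. Counting `test.HasProfile()` (the method is visible in the tests.go `Write` hunk) while iterating in the previous hunk's loop yields both numbers without a second pass. `run` starts outside these hunks.
```go
	// … unchanged: BatsDir setup …
	profiled, unprofiled := 0, 0
	for _, test := range tests {
		if test.HasProfile() {
			profiled++
		} else {
			unprofiled++
		}
		if err := test.Write(cfg.BatsDir); err != nil {
			return err
		}
	}
	logging.Bullet("Bats tests directory: %s", cfg.BatsDir)
	logging.Bullet("Number of profiles with tests found %d", profiled)
	logging.Bullet("Number of programs without profile found %d", unprofiled)
	return nil
```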
diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go
index 2d37324ea..1c5f55aee 100644
--- a/tests/cmd/tests.go
+++ b/tests/cmd/tests.go
@@ -20,16 +20,10 @@ const tmplTest = `#!/usr/bin/env bats
 # SPDX-License-Identifier: GPL-2.0-only
 load common
-
-setup_file() {
- aa_setup
-}
 {{ $name := .Name -}}
 {{ range .Commands }}
-# bats test_tags={{ $name }}
 @test "{{ $name }}: {{ .Description }}" {
 {{ .Cmd }}
- aa_check
 }
 {{ end }}
 `
@@ -77,13 +71,14 @@ func (t Test) IsInstalled() bool {
 }
 func (t Test) Write(dir *paths.Path) error {
+ dstDir := dir.Join("profiled")
 if !t.HasProfile() {
- return nil
+ dstDir = dir.Join("unprofiled")
 }
+ path := dstDir.Join(t.Name + ".bats")
- path := dir.Join(t.Name + ".bats")
 if paths.New("tests/bats").Join(t.Name + ".bats").Exist() {
- path = dir.Join("00." + t.Name + ".bats")
+ path = dstDir.Join("00." + t.Name + ".bats")
 }
 content := renderBatsFile(t)
 if err := path.WriteFile([]byte(content)); err != nil {
diff --git a/tests/cmd/tldr.go b/tests/cmd/tldr.go
index d86c80565..ec98fa8b4 100644
--- a/tests/cmd/tldr.go
+++ b/tests/cmd/tldr.go
@@ -17,14 +17,14 @@ import (
 )
 type Tldr struct {
- Url string // Tldr download url
+ URL string // Tldr download url
 Dir *paths.Path // Tldr cache directory
 Ignore []string // List of ignored software
 }
 func NewTldr(dir *paths.Path) Tldr {
 return Tldr{
- Url: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
+ URL: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
 Dir: dir,
 }
 }
@@ -33,9 +33,9 @@ func NewTldr(dir *paths.Path) Tldr {
 func (t Tldr) Download() error {
 gzPath := t.Dir.Parent().Join("tldr.tar.gz")
 if !gzPath.Exist() {
- resp, err := http.Get(t.Url)
+ resp, err := http.Get(t.URL)
 if err != nil {
- return fmt.Errorf("downloading %s: %w", t.Url, err)
+ return fmt.Errorf("downloading %s: %w", t.URL, err)
 }
 defer resp.Body.Close()
diff --git a/tests/github.local b/tests/github.local
new file mode 100644
index 000000000..b4119bc56
--- /dev/null
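Review bot: `paths.New("tests/bats")` in `Write` still points at the old directory while this same commit renames every hand-written test into `tests/integration/` (with subdirectories such as `apparmor/`, `apt/`, `procps/` and `shadow/`), so unless another hunk outside this chunk updates it, `Exist()` is always false and the `00.` prefix that orders hand-written files before generated ones is never applied. The minimal change is `if paths.New("tests/integration").Join(t.Name + ".bats").Exist() {`, though the nested layout suggests a recursive lookup is needed. The rest of `Write` continues outside the hunk.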
+++ b/tests/github.local @@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Local tunables addition for bats integration tests on Github Action + +@{p_dbus_system}+=unconfined +@{p_dbus_session}+=unconfined +@{p_dbus_accessibility}+=unconfined diff --git a/tests/bats/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats similarity index 70% rename from tests/bats/aa-enforce.bats rename to tests/integration/apparmor/aa-enforce.bats index 05f311ca1..7bc0e740b 100644 --- a/tests/bats/aa-enforce.bats +++ b/tests/integration/apparmor/aa-enforce.bats @@ -3,33 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common setup_file() { - aa_setup skip } -# bats test_tags=aa-enforce @test "aa-enforce: Disable profile" { sudo aa-disable pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Enforce a profile" { sudo aa-enforce pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Complain a profile" { sudo aa-complain pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Audit a profile" { sudo aa-audit pass - aa_check } diff --git a/tests/bats/aa-status.bats b/tests/integration/apparmor/aa-status.bats similarity index 72% rename from tests/bats/aa-status.bats rename to tests/integration/apparmor/aa-status.bats index 8adcd1580..e7e0fc3d5 100644 --- a/tests/bats/aa-status.bats +++ b/tests/integration/apparmor/aa-status.bats 
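Review bot: The three `+=unconfined` additions widen every `@{p_dbus_*}` peer match to unconfined processes for the whole test run, but the header only says the file is for GitHub Actions, not why that widening is needed. A one-line reason lets a future reader know when the file can be dropped, e.g. `# The dbus daemons are not confined on the runner, so dbus rules must accept an unconfined peer`, with the actual cause confirmed since it is not shown in this diff.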
@@ -3,38 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=aa-status @test "aa-status: Check status" { sudo aa-status - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded policies" { sudo aa-status --profiled - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforicing policies" { sudo aa-status --enforced - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded non-enforcing policies" { sudo aa-status --complaining - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforcing policies that kill tasks" { sudo aa-status --kill - aa_check } diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats new file mode 100644 index 000000000..3f13d4ea4 --- /dev/null +++ b/tests/integration/apt/apt.bats 
@@ -0,0 +1,54 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "apt: Update the list of available packages and versions" { + sudo apt update +} + +@test "apt: Search for a given package" { + apt search apparmor +} + +@test "apt: Show information for a package" { + apt show apparmor +} + +@test "apt: Install a package, or update it to the latest available version" { + sudo apt install -y pass +} + +@test "apt: Remove a package and its configuration files" { + sudo apt purge -y pass +} + +@test "apt: Upgrade all installed packages to their newest available versions" { + sudo apt upgrade -y +} + +@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { + sudo apt dist-upgrade -y +} + +@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { + sudo apt autoclean -y +} + +@test "apt: Remove all packages that are no longer needed" { + sudo apt autoremove -y +} + +@test "apt: List all packages" { + apt list +} + +@test "apt: List installed packages" { + apt list --installed +} + +@test "apt: Print a cow easter egg" { + apt moo +} diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats new file mode 100644 index 000000000..39259e0a0 --- /dev/null +++ b/tests/integration/apt/dpkg-query.bats 
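Review bot: `sudo apt upgrade -y` and `sudo apt dist-upgrade -y` upgrade every package on the test machine in the middle of the integration run, so later tests may run against a different apparmor, kernel or dbus stack than the one the package under test was built against, and the run time depends on the age of the image. If the goal is only to exercise the profile's upgrade path, `sudo apt install --only-upgrade -y pass` after the install test keeps the operation bounded. `apt` also prints its unstable-CLI warning on stderr when scripted, which is harmless here since the profile, not the output, is under test.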
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-query: List all installed packages" { + dpkg-query --list +} + +@test "dpkg-query: List installed packages matching a pattern" { + dpkg-query --list 'libc6*' +} + +@test "dpkg-query: List all files installed by a package" { + dpkg-query --listfiles libc6 +} + +@test "dpkg-query: Show information about a package" { + dpkg-query --status libc6 +} + +@test "dpkg-query: Search for packages that own files matching a pattern" { + dpkg-query --search /etc/ld.so.conf.d +} + diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats new file mode 100644 index 000000000..f6aec98ea --- /dev/null +++ b/tests/integration/apt/dpkg-reconfigure.bats @@ -0,0 +1,12 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-reconfigure: Reconfigure one or more packages" { + sudo apt install -y pass + sudo dpkg-reconfigure pass +} + diff --git a/tests/integration/apt/dpkg.bats b/tests/integration/apt/dpkg.bats new file mode 100644 index 000000000..6a0e735b4 --- /dev/null +++ b/tests/integration/apt/dpkg.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg: Remove a package" { + sudo apt install -y pass + sudo dpkg -r pass +} + +@test "dpkg: List installed packages" { + dpkg -l apparmor +} + +@test "dpkg: List a package's contents" { + dpkg -L apparmor.d +} + +@test "dpkg: Find out which package owns a file" { + dpkg -S /etc/apparmor/parser.conf +} + +@test "dpkg: Purge an installed or already removed package, including configuration" { + sudo dpkg -P pass +} 
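Review bot: `sudo dpkg-reconfigure pass` in dpkg-reconfigure.bats has no terminal under bats, so if pass or one of its dependencies carries debconf questions the default frontend will try to prompt; `sudo dpkg-reconfigure --frontend=noninteractive pass` makes the intent explicit. dpkg-query.bats and dpkg-reconfigure.bats also end with an extra blank line (the lone `+` before the next `diff` header), unlike the other new files.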
diff --git a/tests/bats/common.bash b/tests/integration/common.bash
similarity index 86%
rename from tests/bats/common.bash
rename to tests/integration/common.bash
index c08d13758..7a012191b 100644
--- a/tests/bats/common.bash
+++ b/tests/integration/common.bash
@@ -6,6 +6,14 @@
 export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats}
 load "$BATS_LIB_PATH/bats-support/load"
+export SYSTEMD_PAGER=
+
+# Ignore the profile not managed by apparmor.d
+IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd)
+
+# User password for sudo commands
+export PASSWORD=${PASSWORD:-user}
+
 export XDG_CACHE_DIR=".cache"
 export XDG_CONFIG_DIR=".config"
 export XDG_DATA_DIR=".local/share"
@@ -100,10 +108,29 @@ aa_check() {
 local now duration logs
 now=$(date +%s)
- duration=$((now - _START + 2))
+ duration=$((now - _START + 1))
 logs=$(aa-log --raw --systemd --since "-${duration}s")
+ for profile in "${IGNORE[@]}"; do
+ logs=$(echo "$logs" | grep -v "$profile")
+ done
+
+ aa_start
 if [[ -n "$logs" ]]; then
 fail "profile $PROGRAM raised logs: $logs"
 fi
- aa_start
+}
+
+_timeout() {
+ local duration="2s"
+ timeout --preserve-status --kill-after="$duration" "$duration" "$@"
+}
+
+# Bats setup and teardown hooks
+
+setup_file() {
+ aa_setup
+}
+
+teardown() {
+ aa_check
 }
diff --git a/tests/integration/cpuid.bats b/tests/integration/cpuid.bats
new file mode 100644
index 000000000..0fe2da6ac
--- /dev/null
+++ b/tests/integration/cpuid.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "cpuid: Display information for all CPUs" {
+ cpuid
+}
+
+@test "cpuid: Display information only for the current CPU" {
+ cpuid -1
+}
+
+@test "cpuid: Display raw hex information with no decoding" {
+ cpuid -r
+}
diff --git a/tests/integration/dfc.bats b/tests/integration/dfc.bats
new file mode 100644
index 000000000..56871f16c
--- /dev/null
+++ b/tests/integration/dfc.bats
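Review bot: In `aa_check`, `logs=$(echo "$logs" | grep -v "$profile")` treats each `IGNORE` entry as an unanchored regex, so `snap.vault.vaultd` matches any character where the dots are and `php-fpm` drops every line that merely contains that text, which can hide denials raised by other profiles; and when every remaining line is filtered, `grep -v` exits 1, which under bats' errexit fails the new `teardown` instead of reporting a clean run. `logs=$(grep -vF -- "$profile" <<<"$logs" || true)` addresses both, though anchoring on the profile field of the `aa-log --raw` output would be more precise if its format is fixed. `aa_check` starts at the hunk header, outside the hunk.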
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" {
+ dfc
+}
+
+@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" {
+ dfc -a
+}
+
+@test "dfc: Display filesystems without color" {
+ dfc -c never
+}
+
+@test "dfc: Display filesystems containing "ext" in the filesystem type" {
+ dfc -t ext
+}
diff --git a/tests/bats/fc-cache.bats b/tests/integration/fc-cache.bats
similarity index 75%
rename from tests/bats/fc-cache.bats
rename to tests/integration/fc-cache.bats
index 7ad92d94c..05b8f1930 100644
--- a/tests/bats/fc-cache.bats
+++ b/tests/integration/fc-cache.bats
@@ -5,25 +5,14 @@
 load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=fc-cache
 @test "fc-cache: Generate font cache files" {
 fc-cache
- aa_check
 }
-# bats test_tags=fc-cache
 @test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" {
 fc-cache -f
- aa_check
 }
-# bats test_tags=fc-cache
 @test "fc-cache: Erase font cache files, then generate new font cache files" {
 fc-cache -r
- aa_check
 }
-
diff --git a/tests/integration/fc-list.bats b/tests/integration/fc-list.bats
new file mode 100644
index 000000000..12b1df2ca
--- /dev/null
+++ b/tests/integration/fc-list.bats
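Review bot: The last test name `"dfc: Display filesystems containing "ext" in the filesystem type"` nests unescaped double quotes, so bash parses it as three concatenated words and the quotes around ext silently disappear from the description, and the bats preprocessor may not recognise the line as a test. Use `@test "dfc: Display filesystems containing 'ext' in the filesystem type" {`.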
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fc-list: Return a list of installed fonts in your system" { + fc-list +} + +@test "fc-match: Return a sorted list of best matching fonts" { + fc-match -s 'DejaVu Serif' +} + +@test "fc-pattern: Display default information about a font" { + fc-pattern --default 'DejaVu Serif' +} + +@test "fc-pattern: Display configuration information about a font" { + fc-pattern --config 'DejaVu Serif' +} diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats new file mode 100644 index 000000000..b61024d06 --- /dev/null +++ b/tests/integration/flatpak.bats 
@@ -0,0 +1,47 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "flatpak: Add a new remote repository (by URL)" { + sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +} + +@test "flatpak: List all remote repositories" { + flatpak remotes +} + +@test "flatpak: Search for an application in a remote repository" { + sudo flatpak search vim + sudo flatpak search org.freedesktop.Platform +} + +@test "flatpak: Install an application from a remote source" { + sudo flatpak install --noninteractive org.vim.Vim +} + +@test "flatpak: List installed applications, ignoring runtimes" { + flatpak list --app +} + +@test "flatpak: Show information about an installed application" { + flatpak info org.vim.Vim +} + +# @test "flatpak: Run an installed application" { +# _timeout flatpak run org.vim.Vim +# } + +@test "flatpak: Update all installed applications and runtimes" { + sudo flatpak update --noninteractive +} + +@test "flatpak: Remove an installed application" { + sudo flatpak remove --noninteractive org.vim.Vim +} + +@test "flatpak: Remove all unused applications" { + sudo flatpak remove --noninteractive --unused +} diff --git a/tests/integration/fwupdmgr.bats b/tests/integration/fwupdmgr.bats new file mode 100644 index 000000000..332a63743 --- /dev/null +++ b/tests/integration/fwupdmgr.bats 
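Review bot: The commented-out `flatpak run` test gives no reason for being disabled, so nobody can tell when it may be re-enabled; a comment such as `# disabled: org.vim.Vim needs a display and does not exit on its own` (with the real cause confirmed) should accompany it. `sudo flatpak search vim`, `sudo flatpak search org.freedesktop.Platform` and the `remote-add` test also need network access, and `search`, `remotes`, `list` and `info` work without root, so running the read-only commands as the unprivileged user exercises that path too.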
@@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fwupdmgr: Display all devices detected by fwupd" { + fwupdmgr get-devices +} + +@test "fwupdmgr: Download the latest firmware metadata from LVFS" { + fwupdmgr refresh || true +} + +@test "fwupdmgr: List the updates available for devices on your system" { + fwupdmgr get-updates || true +} + +@test "fwupdmgr: Install firmware updates" { + fwupdmgr update || true +} + diff --git a/tests/bats/gpgconf.bats b/tests/integration/gpg/gpgconf.bats similarity index 78% rename from tests/bats/gpgconf.bats rename to tests/integration/gpg/gpgconf.bats index 7d522d859..41627dc67 100644 --- a/tests/bats/gpgconf.bats +++ b/tests/integration/gpg/gpgconf.bats @@ -3,46 +3,32 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=gpgconf @test "gpgconf: List all components" { gpgconf --list-components - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List the directories used by gpgconf" { gpgconf --list-dirs - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List all options of a component" { gpgconf --list-options gpg gpgconf --list-options gpgsm gpgconf --list-options gpg-agent gpgconf --list-options scdaemon || true gpgconf --list-options dirmngr - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List programs and test whether they are runnable" { gpgconf --check-programs || true - aa_check } -# bats test_tags=gpgconf @test "gpgconf: Reload a component" { gpgconf --reload gpg gpgconf --reload gpgsm gpgconf --reload gpg-agent gpgconf --reload scdaemon || true gpgconf --reload dirmngr - aa_check } diff --git a/tests/integration/hostname.bats b/tests/integration/hostname.bats new file mode 100644 index 000000000..35008bd79 --- /dev/null +++ b/tests/integration/hostname.bats 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "hostname: Show current host name" { + hostname +} + +@test "hostname: Show the network address of the host name" { + hostname -i +} + +@test "hostname: Show all network addresses of the host" { + hostname -I +} + +@test "hostname: Show the FQDN (Fully Qualified Domain Name)" { + hostname --fqdn +} + +@test "hostname: Set current host name" { + name=$(hostname) + sudo hostname "new-$(hostname)" + sudo hostname "$name" +} + diff --git a/tests/bats/id.bats b/tests/integration/id.bats similarity index 76% rename from tests/bats/id.bats rename to tests/integration/id.bats index 5a7b58c50..a09def4a9 100644 --- a/tests/bats/id.bats +++ b/tests/integration/id.bats @@ -5,41 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=id @test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { id - aa_check } -# bats test_tags=id @test "id: Display the current user identity" { id -un - aa_check } -# bats test_tags=id @test "id: Display the current user identity as a number" { id -u - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity" { id -gn - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity as a number" { id -g - aa_check } -# bats test_tags=id @test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { id root } diff --git a/tests/integration/ip.bats b/tests/integration/ip.bats new file mode 100644 index 000000000..585d11b2d --- /dev/null +++ b/tests/integration/ip.bats 
@@ -0,0 +1,42 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "ip-address: List network interfaces and their associated IP addresses" { + ip address +} + +@test "ip-address: Filter to show only active network interfaces" { + ip address show up +} + +@test "ip-route: Display the routing table" { + ip route +} + +@test "ip-route-get: Print route to a destination" { + ip route get 1.1.1.1 +} + +@test "ip link: Show information about all network interfaces" { + ip link +} + +@test "ip neighbour: Display the neighbour/ARP table entries" { + ip neighbour +} + +@test "ip rule: Display the routing policy" { + ip rule show + ip rule list +} + +@test "ip: Manage network namespace" { + sudo ip netns add foo + sudo ip netns list + sudo ip netns exec foo bash -c "pwd" + sudo ip netns delete foo +} diff --git a/tests/integration/needrestart.bats b/tests/integration/needrestart.bats new file mode 100644 index 000000000..4676b36af --- /dev/null +++ b/tests/integration/needrestart.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "needrestart: List outdated processes" { + needrestart +} + +@test "needrestart: Interactively restart services" { + sudo needrestart +} + +@test "needrestart: List outdated processes in verbose mode" { + needrestart -v +} + +@test "needrestart: Check if the kernel is outdated" { + needrestart -k +} + +@test "needrestart: Check if the CPU microcode is outdated" { + needrestart -w +} + +@test "needrestart: List outdated processes in batch mode" { + needrestart -b +} + +@test "needrestart: Display help" { + needrestart --help +} diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats new file mode 100644 index 000000000..b2e1369e2 --- /dev/null 
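Review bot: `sudo needrestart` in the "Interactively restart services" test has no terminal under bats, and needrestart may then fall back to restarting outdated services on its own, bouncing daemons that other tests and the `aa_check` teardown rely on mid-run. `sudo needrestart -r l` lists what would be restarted without acting, and `-r a` is the explicit choice if restarting is intended. Either way the test name should match the mode chosen.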
+++ b/tests/integration/pacman/paccache.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" {
+ sudo paccache -d
+}
+
+@test "paccache: Move candidate packages to a directory instead of deleting them" {
+ sudo paccache -m "$USER_BUILD_DIRS"
+}
+
+@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" {
+ sudo paccache -r
+}
+
+@test "paccache: Set the number of package versions to keep" {
+ sudo paccache -rk 3
+}
diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats
new file mode 100644
index 000000000..82e34a379
--- /dev/null
+++ b/tests/integration/pacman/pacman-key.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "pacman-key: Initialize the 'pacman' keyring" {
+ sudo pacman-key --init
+}
+
+@test "pacman-key: Add the default Arch Linux keys" {
+ sudo pacman-key --populate
+}
+
+@test "pacman-key: List keys from the public keyring" {
+ pacman-key --list-keys
+}
+
+@test "pacman-key: Receive a key from a key server" {
+ sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Print the fingerprint of a specific key" {
+ pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Sign an imported key locally" {
+ sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC
+}
+
+@test "pacman-key: Remove a specific key" {
+ sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC
+}
diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats
new file mode 100644
index 000000000..575a65bc1
--- /dev/null
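Review bot: The name `"paccache: Remove all but the 3 most recent package versions from the `pacman` cache"` has backticks inside double quotes, which bash treats as a command substitution: `pacman` is executed while the test name is built and its output or usage error becomes part of the description. Write `'pacman'` instead. `"$USER_BUILD_DIRS"` in the `-m` test is not set in the common.bash hunk of this diff; if it is not exported elsewhere, paccache receives an empty directory argument.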
+++ b/tests/integration/pacman/pacman.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman: Synchronize and update all packages" { + sudo pacman -Syu --noconfirm +} + +@test "pacman: Install a new package" { + sudo pacman -S --noconfirm pass pass-otp +} + +@test "pacman: Remove a package and its dependencies" { + sudo pacman -Rs --noconfirm pass-otp +} + +@test "pacman: List installed packages and versions" { + pacman -Q +} + +@test "pacman: List only the explicitly installed packages and versions" { + pacman -Qe +} + +@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { + pacman -Qtdq +} + +@test "pacman: Empty the entire 'pacman' cache" { + sudo pacman -Scc --noconfirm +} diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 000000000..dcc216bfa --- /dev/null +++ b/tests/integration/procps/free.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "free: Display system memory" { + free +} + +@test "free: Display memory in GB" { + free -g +} + +@test "free: Display memory in human-readable units" { + free -h +} diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats new file mode 100644 index 000000000..9fd6b92f8 --- /dev/null +++ b/tests/integration/procps/pgrep.bats 
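Review bot: `pacman -Qtdq` exits non-zero when there are no orphan packages, which is the normal state of a fresh test VM, so the "List orphan packages" test fails on a healthy system; `pacman -Qtdq || true` keeps the profile exercised without failing on an empty result. `sudo pacman -Syu --noconfirm` also performs a full system upgrade in the middle of the run, the same concern as the apt upgrade tests.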
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pgrep: Return PIDs of any running processes with a matching command string" { + pgrep systemd +} + +@test "pgrep: Search for processes including their command-line options" { + pgrep --full 'systemd' +} + +@test "pgrep: Search for processes run by a specific user" { + pgrep --euid root systemd-udevd +} + diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats new file mode 100644 index 000000000..ec20cbe86 --- /dev/null +++ b/tests/integration/procps/pidof.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pidof: List all process IDs with given name" { + pidof systemd + pidof bash +} + +@test "pidof: List a single process ID with given name" { + pidof -s bash +} + +@test "pidof: List process IDs including scripts with given name" { + pidof -x bash +} diff --git a/tests/bats/ps.bats b/tests/integration/procps/ps.bats similarity index 73% rename from tests/bats/ps.bats rename to tests/integration/procps/ps.bats index 4be301f7b..a27bdf98d 100644 --- a/tests/bats/ps.bats +++ b/tests/integration/procps/ps.bats 
@@ -3,44 +3,28 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=ps @test "ps: List all running processes" { ps aux - aa_check } -# bats test_tags=ps @test "ps: List all running processes including the full command string" { ps auxww - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user in extra full format" { ps --user "$(id -u)" -F - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user as a tree" { ps --user "$(id -u)" -f - aa_check } -# bats test_tags=ps @test "ps: Get the parent PID of a process" { ps -o ppid= -p 1 - aa_check } -# bats test_tags=ps @test "ps: Sort processes by memory consumption" { ps auxww --sort size - aa_check } diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats new file mode 100644 index 000000000..66720c434 --- /dev/null +++ b/tests/integration/procps/sysctl.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "sysctl: Show all available variables and their values" { + sysctl -a +} + +@test "sysctl: Set a changeable kernel state variable" { + sudo sysctl -w vm.panic_on_oom=0 +} + +@test "sysctl: Get currently open file handlers" { + sysctl fs.file-nr +} + +@test "sysctl: Get limit for simultaneous open files" { + sysctl fs.file-max +} + +@test "sysctl: Apply changes from '/etc/sysctl.conf'" { + sudo sysctl -p +} diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats new file mode 100644 index 000000000..7d9361d5a --- /dev/null +++ b/tests/integration/procps/uptime.bats 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 000000000..e5900a324 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} diff --git a/tests/integration/procps/w.bats b/tests/integration/procps/w.bats new file mode 100644 index 000000000..3ee1fe218 --- /dev/null +++ b/tests/integration/procps/w.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "w: Display information about all users who are currently logged in" { + w +} + +@test "w: Display information about a specific user" { + w root +} + +@test "w: Display information without including the header, the login, JCPU and PCPU columns" { + w --no-header + w --short +} 
diff --git a/tests/bats/groupadd.bats b/tests/integration/shadow/groupadd.bats similarity index 70% rename from tests/bats/groupadd.bats rename to tests/integration/shadow/groupadd.bats index f55579591..3d07619b2 100644 --- a/tests/bats/groupadd.bats +++ b/tests/integration/shadow/groupadd.bats @@ -3,34 +3,30 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=groupadd @test "groupadd: Create a new group" { sudo groupadd user2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new system group" { sudo groupadd --system system2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new group with the specific groupid" { sudo groupadd --gid 3000 user3 - aa_check } -# bats test_tags=groupadd +@test "groupmod: Change the group name" { + sudo groupmod --new-name user22 user2 +} + +@test "groupmod: Change the group ID" { + sudo groupmod --gid 2222 user22 +} + @test "groupdel: Delete newly created group" { - sudo groupdel user2 + sudo groupdel user22 sudo groupdel system2 sudo groupdel user3 - aa_check } diff --git a/tests/bats/groups.bats b/tests/integration/shadow/groups.bats similarity index 73% rename from tests/bats/groups.bats rename to tests/integration/shadow/groups.bats index 829e2393f..f932e9129 100644 --- a/tests/bats/groups.bats +++ b/tests/integration/shadow/groups.bats @@ -3,21 +3,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=groups @test "groups: Print group memberships for the current user" { groups - aa_check } -# bats test_tags=groups @test "groups: Print group memberships for a list of users" { groups root - aa_check } diff --git a/tests/bats/snap.bats b/tests/integration/snap.bats similarity index 52% rename from tests/bats/snap.bats rename to tests/integration/snap.bats index a54dda828..a670a9ece 100644 
--- a/tests/bats/snap.bats +++ b/tests/integration/snap.bats @@ -5,49 +5,51 @@ load common -setup_file() { - aa_setup - skip -} - -# bats test_tags=snap @test "snap: Search for a package" { snap find vim - aa_check } -# bats test_tags=snap @test "snap: Install a package" { - sudo snap install nano-strict - aa_check + sudo snap install vault } -# bats test_tags=snap @test "snap: Update a package to another channel (track, risk, or branch)" { - sudo snap refresh nano-strict --channel=edge - aa_check + sudo snap refresh vault --channel=edge } -# bats test_tags=snap @test "snap: Update all packages" { sudo snap refresh - aa_check } -# bats test_tags=snap @test "snap: Display basic information about installed snap software" { sudo snap list - aa_check } -# bats test_tags=snap +@test "snap: lists information about the services" { + sudo snap services + sudo snap services vault +} + +@test "snap: starts, and optionally enables, the given services" { + sudo snap start --enable vault +} + +@test "snap: logs of the given services" { + sudo snap logs vault || true +} + +@test "snap: restarts the given services" { + sudo snap restart vault +} + +@test "snap: stops, and optionally disables, the given services" { + sudo snap stop --disable vault +} + +@test "snap: Uninstall a package" { + sudo snap remove vault +} + @test "snap: Check for recent snap changes in the system" { sudo snap changes - aa_check -} - -# bats test_tags=snap -@test "snap: Uninstall a package" { - sudo snap remove nano-strict - aa_check } diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats new file mode 100644 index 000000000..2dfb39a7f --- /dev/null +++ b/tests/integration/systemd/bootctl.bats 
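Review bot: `sudo snap refresh vault --channel=edge` moves the vault snap to the edge channel, so the following `sudo snap refresh` and the service tests run against whatever edge build exists at that moment rather than a fixed revision, and the `snap.vault.vaultd` entry in `IGNORE` in common.bash then hides any denials that service raises. A comment saying why vault replaced nano-strict and whether the edge build is intended would help; `--channel=stable` would make the run reproducible if edge is not the point.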
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "bootctl: Show information about the system firmware and the bootloaders" {
+ sudo bootctl status
+}
+
+@test "bootctl: Show all available bootloader entries" {
+ sudo bootctl list
+}
+
+@test "bootctl: Install 'systemd-boot' into the EFI system partition" {
+ sudo bootctl install
+}
+
+@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" {
+ sudo bootctl remove
+}
diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats
new file mode 100644
index 000000000..ef3e973e9
--- /dev/null
+++ b/tests/integration/systemd/busctl.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "busctl: Show all peers on the bus, by their service names" {
+ busctl list
+}
+
+@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" {
+ busctl status 1
+ busctl status org.freedesktop.DBus
+}
+
+@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" {
+ busctl tree org.freedesktop.DBus
+}
+
+@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" {
+ busctl introspect org.freedesktop.login1 /org/freedesktop/login1
+}
+
+@test "busctl: Retrieve the current value of one or more object properties" {
+ busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked
+}
diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats
new file mode 100644
index 000000000..bb3b38227
--- /dev/null
+++ b/tests/integration/systemd/homectl.bats
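Review bot: `sudo bootctl install` and `sudo bootctl remove` modify the EFI system partition of whatever host runs the suite: on a non-EFI CI VM both fail, and since neither carries `|| true` the file fails with them, while on a real EFI machine `bootctl remove` deletes the installed boot loader. A guard that skips the file where it cannot run safely, `setup_file() { [ -d /sys/firmware/efi ] || skip "not an EFI system"; }`, keeps the profile coverage for `bootctl status`/`list` without the destructive pair running blind. The busctl hunk on this line raises nothing.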
@@ -0,0 +1,44 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+setup_file() {
+ sudo systemctl start systemd-homed
+ skip
+ aa_setup
+}
+
+@test "homectl: Display help" {
+ homectl --no-pager --help
+}
+
+@test "homectl: Create a user account and their associated home directory" {
+ printf "user2\nuser2" | sudo homectl create user2
+}
+
+@test "homectl: List user accounts and their associated home directories" {
+ homectl list
+}
+
+@test "homectl: Change the password for a specific user" {
+ sudo homectl passwd user2
+}
+
+@test "homectl: Run a shell or a command with access to a specific home directory" {
+ sudo homectl with user2 -- ls -al /home/user2
+}
+
+@test "homectl: Lock or unlock a specific home directory" {
+ sudo homectl lock user2
+}
+
+@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" {
+ sudo homectl resize user2 1G
+}
+
+@test "homectl: Remove a specific user and the associated home directory" {
+ sudo homectl remove user2
+}
diff --git a/tests/integration/systemd/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats
new file mode 100644
index 000000000..38924920a
--- /dev/null
+++ b/tests/integration/systemd/hostnamectl.bats
@@ -0,0 +1,20 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "hostnamectl: Get the hostname of the computer" {
+ hostnamectl
+}
+
+@test "hostnamectl: Get the location of the computer" {
+ hostnamectl location
+}
+
+@test "hostnamectl: Set the hostname of the computer" {
+ name=$(hostnamectl hostname)
+ sudo hostnamectl set-hostname "new"
+ sudo hostnamectl set-hostname "$name"
+}
diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats
new file mode 100644
index 000000000..9eeb7c9fe
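Review bot: In homectl's `setup_file`, `aa_setup` comes after `skip` and therefore never runs, and the unconditional `skip` means every test in the file is skipped on every run; if the intent is to disable the file until systemd-homed works in CI, drop the dead line and say so, or make the skip conditional, `systemctl is-active --quiet systemd-homed || skip "systemd-homed not running"`. The resize test's title promises 100 GiB while the command is `sudo homectl resize user2 1G`; align one with the other. In the hostnamectl hunk, a failure of `set-hostname "new"` aborts the test before the restore line, so the host's name is left untouched only on the happy path — acceptable, but worth a comment such as `# restore the original name even when the set fails`.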
--- /dev/null
+++ b/tests/integration/systemd/journalctl.bats
@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "journalctl: Show all messages with priority level 3 (errors) from this boot" {
+ sudo journalctl -b --priority=3
+}
+
+@test "journalctl: Show only the last N lines of the journal" {
+ sudo journalctl --lines 100
+}
+
+@test "journalctl: Show all messages by a specific [u]nit" {
+ sudo journalctl --unit apparmor.service
+}
+
+@test "journalctl: Show all messages by a specific process" {
+ sudo journalctl _PID=1
+}
+
+@test "journalctl: Show all messages by a specific executable" {
+ sudo journalctl /usr/bin/bootctl
+}
+
+@test "journalctl: Delete journal logs which are older than 10 seconds" {
+ sudo journalctl --vacuum-time=10s
+}
diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats
new file mode 100644
index 000000000..71dfd2e06
--- /dev/null
+++ b/tests/integration/systemd/localectl.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "localectl: Show the current settings of the system locale and keyboard mapping" {
+ localectl
+}
+
+@test "localectl: List available locales" {
+ localectl list-locales
+}
+
+@test "localectl: Set a system locale variable" {
+ sudo localectl set-locale LANG=en_US.UTF-8
+}
+
+@test "localectl: List available keymaps" {
+ localectl list-keymaps || true
+}
+
+@test "localectl: Set the system keyboard mapping for the console and X11" {
+ sudo localectl set-keymap uk || true
+}
+
diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats
new file mode 100644
index 000000000..18771ae72
--- /dev/null
+++ b/tests/integration/systemd/machinectl.bats
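Review bot: `sudo journalctl --vacuum-time=10s` deletes every journal entry older than ten seconds on the host, which includes the AppArmor audit messages that the workflow's final `sudo aa-log -s --raw` step and any journal-based denial check in `../common` would read for the tests that ran before it. Either run this file last, or replace the destructive call with a read-only one that still exercises the same profile path, e.g. `sudo journalctl --disk-usage`, and keep the vacuum behind a comment explaining why it must not run in CI. The localectl hunk's `set-locale LANG=en_US.UTF-8` persists on the host as well, but is harmless on a throwaway runner.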
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "importctl: Import an image as a machine" {
+ sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true
+}
+
+@test "machinectl: Display a list of available images" {
+ sudo machinectl list-images
+}
+
+@test "machinectl: Start a machine as a service using systemd-nspawn" {
+ sudo machinectl start noble || true
+}
+
+@test "machinectl: Display a list of running machines" {
+ sudo machinectl list
+}
+
+@test "machinectl: Stop a running machine" {
+ sudo machinectl stop noble || true
+}
diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats
new file mode 100644
index 000000000..81418ba01
--- /dev/null
+++ b/tests/integration/systemd/networkctl.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "networkctl: List existing links with their status" {
+ sudo networkctl list
+}
+
+@test "networkctl: Show an overall network status" {
+ sudo networkctl status
+}
+
+@test "networkctl: Reload configuration files (.netdev and .network)" {
+ sudo networkctl reload
+}
diff --git a/tests/integration/systemd/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats
new file mode 100644
index 000000000..65779b617
--- /dev/null
+++ b/tests/integration/systemd/systemd-ac-power.bats
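Review bot: The importctl test pulls an unpinned `noble/current` root tarball from the network with `--force` and `-N`; check what `-N` maps to on the installed importctl, because if it disables verification the machine that `machinectl start noble` later boots is unverified content fetched at test time. Every step in the file ends in `|| true`, so a profile denial during the pull, the start or the stop never fails a test, and the start/stop tests pass vacuously whenever the import failed. If best-effort is the intent, say so in the file, `# best-effort: the image download may be unavailable or blocked in CI`, and prefer a pinned release path over `current` so a future image change cannot silently alter what the profiles are exercised against.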
@@ -0,0 +1,15 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-ac-power: Report whether we are connected to an external power source." {
+ systemd-ac-power || true
+}
+
+@test "systemd-ac-power: Check if battery is discharging and low" {
+ systemd-ac-power --low || true
+}
+
diff --git a/tests/integration/systemd/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats
new file mode 100644
index 000000000..b36abb62d
--- /dev/null
+++ b/tests/integration/systemd/systemd-analyze.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-analyze: List all running units, ordered by the time they took to initialize" {
+ systemd-analyze --no-pager blame
+}
+
+@test "systemd-analyze: Print a tree of the time-critical chain of units" {
+ systemd-analyze --no-pager critical-chain
+}
+
+@test "systemd-analyze: Show security scores of running units" {
+ systemd-analyze --no-pager security
+}
diff --git a/tests/integration/systemd/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats
new file mode 100644
index 000000000..9d796ff07
--- /dev/null
+++ b/tests/integration/systemd/systemd-cat.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" {
+ systemd-cat pwd
+}
+
+@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" {
+ echo apparmor.d-test-suite | systemd-cat
+}
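Review bot: The second systemd-cat test's description contains backticks inside a double-quoted string, `(`stderr` stays connected to the terminal)`, which bash treats as command substitution when the file is loaded: `stderr` is executed as a command, fails with "command not found" on the real stderr, and the word vanishes from the test name. Drop the backticks: `@test "systemd-cat: Write the output of a pipeline to the journal (stderr stays connected to the terminal)" {`. The systemd-ac-power and systemd-analyze hunks on this line raise nothing.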
diff --git a/tests/integration/systemd/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats
new file mode 100644
index 000000000..a0822a516
--- /dev/null
+++ b/tests/integration/systemd/systemd-cgls.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-cgls: Display the whole control group hierarchy on your system" {
+ systemd-cgls --no-pager
+}
+
+@test "systemd-cgls: Display a control group tree of a specific resource controller" {
+ systemd-cgls --no-pager io
+}
+
+@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" {
+ systemd-cgls --no-pager --unit systemd-logind
+}
diff --git a/tests/bats/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats
similarity index 71%
rename from tests/bats/systemd-detect-virt.bats
rename to tests/integration/systemd/systemd-detect-virt.bats
index 0ea5fae35..bb2b2a659 100644
--- a/tests/bats/systemd-detect-virt.bats
+++ b/tests/integration/systemd/systemd-detect-virt.bats
@@ -3,23 +3,21 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# bats test_tags=systemd-detect-virt +load ../common + @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { - systemd-detect-virt + systemd-detect-virt || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { - systemd-detect-virt --quiet + systemd-detect-virt --quiet || true } -# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { - systemd-detect-virt --vm + systemd-detect-virt --vm || true } diff --git a/tests/integration/systemd/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats new file mode 100644 index 000000000..68e48d9a4 --- /dev/null +++ b/tests/integration/systemd/systemd-id128.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "systemd-id128: Generate a new random identifier" { + systemd-id128 new +} + +@test "systemd-id128: Print the identifier of the current machine" { + systemd-id128 machine-id +} + +@test "systemd-id128: Print the identifier of the current boot" { + systemd-id128 boot-id +} + +@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { + systemd-id128 new --uuid +} + diff --git a/tests/integration/systemd/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats new file mode 100644 index 000000000..7fff472ee --- /dev/null +++ b/tests/integration/systemd/systemd-sysusers.bats 
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" {
+ systemd-sysusers --cat-config
+}
+
+@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" {
+ systemd-sysusers --dry-run
+}
+
+@test "systemd-sysusers: Create users and groups from all configuration file" {
+ sudo systemd-sysusers
+}
diff --git a/tests/integration/systemd/userdbctl.bats b/tests/integration/systemd/userdbctl.bats
new file mode 100644
index 000000000..eda5f5b09
--- /dev/null
+++ b/tests/integration/systemd/userdbctl.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "userdbctl: List all known user records" {
+ userdbctl --no-pager user
+}
+
+@test "userdbctl: Show details of a specific user" {
+ userdbctl --no-pager user "$USER"
+}
+
+@test "userdbctl: List all known groups" {
+ userdbctl --no-pager group
+}
+
+@test "userdbctl: Show details of a specific group" {
+ sudo userdbctl --no-pager group "$USER"
+}
+
+@test "userdbctl: List all services currently providing user/group definitions to the system" {
+ userdbctl --no-pager services
+}
+
diff --git a/tests/integration/tlp.bats b/tests/integration/tlp.bats
new file mode 100644
index 000000000..b9a9530fc
--- /dev/null
+++ b/tests/integration/tlp.bats
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "tlp: Apply settings (according to the actual power source)" { + sudo tlp start +} + +@test "tlp: Apply battery settings (ignoring the actual power source)" { + sudo tlp bat +} + +@test "tlp: Apply AC settings (ignoring the actual power source)" { + sudo tlp ac +} + +@test "tlp: Apply Disk settings" { + sudo tlp diskid +} diff --git a/tests/bats/uname.bats b/tests/integration/uname.bats similarity index 71% rename from tests/bats/uname.bats rename to tests/integration/uname.bats index 683cef111..8723b9fe8 100644 --- a/tests/bats/uname.bats +++ b/tests/integration/uname.bats @@ -5,55 +5,35 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uname @test "uname: Print all information" { uname --all - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel name" { uname --kernel-name - aa_check } -# bats test_tags=uname @test "uname: Print the current network node host name" { uname --nodename - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel release" { uname --kernel-release - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel version" { uname --kernel-version - aa_check } -# bats test_tags=uname @test "uname: Print the current machine hardware name" { uname --machine - aa_check } -# bats test_tags=uname @test "uname: Print the current processor type" { uname --processor - aa_check } -# bats test_tags=uname @test "uname: Print the current operating system name" { uname --operating-system - aa_check } diff --git a/tests/integration/upower.bats b/tests/integration/upower.bats new file mode 100644 index 000000000..3917621b8 --- /dev/null +++ b/tests/integration/upower.bats 
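Review bot: The fourth tlp test is titled "Apply Disk settings" but runs `sudo tlp diskid`, which only prints disk identifiers; either rename it, `@test "tlp: Print the IDs of the installed disks" {`, or run the command that actually applies settings. `tlp bat` and `tlp ac` switch the host into the battery and AC profiles and nothing in the file returns it to automatic mode afterwards; a closing `sudo tlp start` would leave the runner as found. The uname hunk on this line only removes `aa_check` calls (see the groupadd note).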
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "upower: Display power and battery information" { + upower --dump +} + +@test "upower: List all power devices" { + upower --enumerate +} + +@test "upower: Display version" { + upower --version +} + diff --git a/tests/bats/uptime.bats b/tests/integration/uptime.bats similarity index 74% rename from tests/bats/uptime.bats rename to tests/integration/uptime.bats index 846342f47..7b64e8d2c 100644 --- a/tests/bats/uptime.bats +++ b/tests/integration/uptime.bats @@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uptime @test "uptime: Print current time, uptime, number of logged-in users and other information" { uptime - aa_check } -# bats test_tags=uptime @test "uptime: Show only the amount of time the system has been booted for" { uptime --pretty - aa_check } -# bats test_tags=uptime @test "uptime: Print the date and time the system booted up at" { uptime --since - aa_check } -# bats test_tags=uptime @test "uptime: Display version" { uptime --version - aa_check } diff --git a/tests/integration/usb/lsusb.bats b/tests/integration/usb/lsusb.bats new file mode 100644 index 000000000..85bee2fd6 --- /dev/null +++ b/tests/integration/usb/lsusb.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsusb: List all the USB devices available" { + lsusb || true +} + +@test "lsusb: List the USB hierarchy as a tree" { + lsusb -t || true +} + +@test "lsusb: List verbose information about USB devices" { + lsusb --verbose || true +} diff --git a/tests/integration/useradd.bats b/tests/integration/useradd.bats new file mode 100644 index 000000000..5ac024f15 --- /dev/null +++ b/tests/integration/useradd.bats 
@@ -0,0 +1,32 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "useradd: Create a new user with the specified shell" { + sudo useradd --shell /bin/bash --create-home user2 +} + +@test "useradd: Create a new user with the specified user ID" { + sudo useradd --uid 3000 user3 +} + +@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { + sudo useradd --groups adm user4 +} + +@test "useradd: Create a new system user without the home directory" { + sudo useradd --system sys2 +} + +@test "userdel: Remove a user" { + sudo userdel user3 + sudo userdel user4 + sudo userdel sys2 +} + +@test "userdel: Remove a user along with the home directory and mail spool" { + sudo userdel --remove user2 +} diff --git a/tests/bats/blkid.bats b/tests/integration/utils/blkid.bats similarity index 73% rename from tests/bats/blkid.bats rename to tests/integration/utils/blkid.bats index 65160f188..625f5f9bb 100644 --- a/tests/bats/blkid.bats +++ b/tests/integration/utils/blkid.bats @@ -3,20 +3,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=blkid @test "blkid: List all partitions" { sudo blkid - aa_check } -# bats test_tags=blkid @test "blkid: List all partitions in a table, including current mountpoints" { sudo blkid -o list - aa_check } diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats new file mode 100644 index 000000000..a23799def --- /dev/null +++ b/tests/integration/utils/chsh.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "chsh: list available shells" { + chsh --list-shells || true +} + +@test "chsh: Set a specific login shell for the current user" { + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true +} + +# bats test_tags=chsh +@test "chsh: Set a login shell for a specific user" { + sudo chsh --shell /usr/bin/sh root || true +} diff --git a/tests/bats/df.bats b/tests/integration/utils/df.bats similarity index 73% rename from tests/bats/df.bats rename to tests/integration/utils/df.bats index be2843213..c15a32d5f 100644 --- a/tests/bats/df.bats +++ b/tests/integration/utils/df.bats @@ -3,32 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=df @test "df: Display all filesystems and their disk usage" { df - aa_check } -# bats test_tags=df @test "df: Display all filesystems and their disk usage in human-readable form" { df -h - aa_check } -# bats test_tags=df +@test "df: Display the filesystem and its disk usage containing the given file or directory" { + df /etc/apparmor.d/ +} + @test "df: Include statistics on the number of free inodes" { df --inodes - aa_check } -# bats test_tags=df @test "df: Display filesystem types" { df --print-type - aa_check } diff --git a/tests/integration/utils/dmesg.bats b/tests/integration/utils/dmesg.bats new file mode 100644 index 000000000..f2880666d --- /dev/null +++ b/tests/integration/utils/dmesg.bats 
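Review bot: `sudo chsh --shell /usr/bin/sh root || true` changes root's login shell on the test host and nothing restores it; capture it first, `shell=$(getent passwd root | cut -d: -f7)`, and end the test with `sudo chsh --shell "$shell" root`. The second test pipes `$PASSWORD`, which is not defined in this file (presumably exported by `../common` — confirm), and the `|| true` on all three tests means a denial on the `chsh` profile never fails anything, which is worth a one-line comment. The leftover `# bats test_tags=chsh` line is inconsistent with the other files in this commit, where those tags were removed.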
@@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dmesg: Show kernel messages" { + sudo dmesg +} + +@test "dmesg: Show kernel error messages" { + sudo dmesg --level err +} + +@test "dmesg: Show how much physical memory is available on this system" { + sudo dmesg | grep -i memory +} + +@test "dmesg: Show kernel messages with a timestamp (available in kernels 3.5.0 and newer)" { + sudo dmesg -T +} + +@test "dmesg: Show kernel messages in human-readable form (available in kernels 3.5.0 and newer)" { + sudo dmesg -H +} + +@test "dmesg: Colorize output (available in kernels 3.5.0 and newer)" { + sudo dmesg -L +} diff --git a/tests/bats/fc-list.bats b/tests/integration/utils/eject.bats similarity index 51% rename from tests/bats/fc-list.bats rename to tests/integration/utils/eject.bats index b85b1037e..c4c2a3e0d 100644 --- a/tests/bats/fc-list.bats +++ b/tests/integration/utils/eject.bats @@ -3,14 +3,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup +@test "eject: Display the default device" { + eject -d || true } -# bats test_tags=fc-list -@test "fc-list: Return a list of installed fonts in your system" { - fc-list - aa_check +@test "eject: Eject the default device" { + eject || true } diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 000000000..dff1083e2 --- /dev/null +++ b/tests/integration/utils/fstrim.bats 
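Review bot: Git recorded the eject file as a 51% rename of `tests/bats/fc-list.bats`, and the result drops the `fc-list` test entirely, so the fontconfig profile loses its only coverage unless it was re-added elsewhere in this commit; if the removal is intentional, a plain deletion plus a new `eject.bats` reads more honestly in history. In the dmesg hunk, `sudo dmesg | grep -i memory` fails the test whenever the ring buffer has rotated past the boot-time memory line, for a reason unrelated to the profile; `sudo dmesg | grep -i memory || true` or a test on `sudo dmesg --level info` avoids the flake. Both hunks on this line are complete.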
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "fstrim: Trim unused blocks on all mounted partitions that support it" {
+ sudo fstrim --all
+}
+
+@test "fstrim: Trim unused blocks on a specified partition" {
+ sudo fstrim --verbose /
+}
diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats
new file mode 100644
index 000000000..a3dcdc31a
--- /dev/null
+++ b/tests/integration/utils/hwclock.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "hwclock: Display the current time as reported by the hardware clock" {
+ sudo hwclock || true
+}
+
+@test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" {
+ sudo hwclock --systohc || true
+}
+
+@test "hwclock: Write the current hardware clock time to the software clock" {
+ sudo hwclock --hctosys || true
+}
+
diff --git a/tests/bats/lsblk.bats b/tests/integration/utils/lsblk.bats
similarity index 72%
rename from tests/bats/lsblk.bats
rename to tests/integration/utils/lsblk.bats
index 4fecf42a5..4093526a9 100644
--- a/tests/bats/lsblk.bats
+++ b/tests/integration/utils/lsblk.bats
@@ -3,56 +3,36 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=lsblk @test "lsblk: List all storage devices in a tree-like format" { lsblk - aa_check } -# bats test_tags=lsblk @test "lsblk: Also list empty devices" { lsblk -a - aa_check } -# bats test_tags=lsblk @test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { lsblk -b - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about filesystems" { lsblk -f - aa_check } -# bats test_tags=lsblk @test "lsblk: Use ASCII characters for tree formatting" { lsblk -i - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about block-device topology" { lsblk -t - aa_check } -# bats test_tags=lsblk @test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { lsblk -e 1 - aa_check } -# bats test_tags=lsblk @test "lsblk: Display a customized summary using a comma-separated list of columns" { lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT - aa_check } diff --git a/tests/bats/lscpu.bats b/tests/integration/utils/lscpu.bats similarity index 72% rename from tests/bats/lscpu.bats rename to tests/integration/utils/lscpu.bats index ef09cfbb7..eb60d890d 100644 --- a/tests/bats/lscpu.bats +++ b/tests/integration/utils/lscpu.bats @@ -3,26 +3,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=lscpu @test "lscpu: Display information about all CPUs" { lscpu - aa_check } -# bats test_tags=lscpu @test "lscpu: Display information in a table" { lscpu --extended - aa_check } -# bats test_tags=lscpu @test "lscpu: Display only information about offline CPUs in a table" { lscpu --extended --offline - aa_check } 
diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats
new file mode 100644
index 000000000..bf0c4de0c
--- /dev/null
+++ b/tests/integration/utils/lsfd.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "lsfd: List all open file descriptors" {
+ lsfd
+}
+
+@test "lsfd: List all files kept open by a specific program" {
+ sudo lsfd --filter 'PID == 1'
+}
+
+@test "lsfd: List open IPv4 or IPv6 sockets" {
+ sudo lsfd -i4
+ sudo lsfd -i6
+}
diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats
new file mode 100644
index 000000000..a18126982
--- /dev/null
+++ b/tests/integration/utils/lsipc.bats
@@ -0,0 +1,16 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "lsipc: Show information about all active IPC facilities" {
+ lsipc
+}
+
+@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" {
+ lsipc --shmems
+ lsipc --queues
+ lsipc --semaphores
+}
diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats
new file mode 100644
index 000000000..042834cae
--- /dev/null
+++ b/tests/integration/utils/lslocks.bats
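Review bot: Typo in the second lsipc test title, `sempahore`; the line should read `@test "lsipc: Show information about active shared memory segments, message queues or semaphore sets" {`. The lsfd hunk on this line raises nothing.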
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "lslocks: List all local system locks" {
+ sudo lslocks
+}
+
+@test "lslocks: List locks producing a raw output (no columns), and without column headers" {
+ sudo lslocks --raw --noheadings
+}
+
+@test "lslocks: List locks by PID input" {
+ sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)"
+}
+
+@test "lslocks: List locks with JSON output to stdout" {
+ lslocks --json
+}
diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats
new file mode 100644
index 000000000..aa2df69b4
--- /dev/null
+++ b/tests/integration/utils/lslogins.bats
@@ -0,0 +1,27 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "lslogins: Display users in the system" {
+ lslogins
+ sudo lslogins
+}
+
+@test "lslogins: Display user accounts" {
+ lslogins --user-accs
+}
+
+@test "lslogins: Display last logins" {
+ lslogins --last
+}
+
+@test "lslogins: Display system accounts" {
+ lslogins --system-accs
+}
+
+@test "lslogins: Display supplementary groups" {
+ lslogins --supp-groups
+}
diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats
new file mode 100644
index 000000000..c7e6563e2
--- /dev/null
+++ b/tests/integration/utils/lsns.bats
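Review bot: The "List locks by PID input" test passes an empty `--pid` argument whenever no process on the host holds a lock, so it fails for a reason unrelated to the lslocks profile; guard the substitution: `pid=$(sudo lslocks --raw --noheadings --output PID | head -1)`, `[ -n "$pid" ] || skip "no locks held"`, `sudo lslocks --pid "$pid"`. The lslogins hunk on this line raises nothing.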
@@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + diff --git a/tests/bats/lspci.bats b/tests/integration/utils/lspci.bats similarity index 69% rename from tests/bats/lspci.bats rename to tests/integration/utils/lspci.bats index bc6ea2013..facf379a9 100644 --- a/tests/bats/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -3,38 +3,29 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=lspci @test "lspci: Show a brief list of devices" { lspci - aa_check + sudo lspci } -# bats test_tags=lspci @test "lspci: Display additional info" { lspci -v - aa_check } -# bats test_tags=lspci @test "lspci: Display drivers and modules handling each device" { lspci -k - aa_check } -# bats test_tags=lspci @test "lspci: Show a specific device" { lspci -s 00:00.0 - aa_check } -# bats test_tags=lspci +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm - aa_check } diff --git a/tests/bats/pstree.bats b/tests/integration/utils/pstree.bats similarity index 72% rename from tests/bats/pstree.bats rename to tests/integration/utils/pstree.bats index e3ed5fa80..1fc43c76c 100644 --- a/tests/bats/pstree.bats +++ b/tests/integration/utils/pstree.bats 
@@ -3,27 +3,17 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=pstree @test "pstree: Display a tree of processes" { pstree - aa_check } -# bats test_tags=pstree @test "pstree: Display a tree of processes with PIDs" { pstree -p - aa_check } -# bats test_tags=pstree @test "pstree: Display all process trees rooted at processes owned by specified user" { pstree root - aa_check } diff --git a/tests/integration/utils/sync.bats b/tests/integration/utils/sync.bats new file mode 100644 index 000000000..03cc4730f --- /dev/null +++ b/tests/integration/utils/sync.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "sync: Flush all pending write operations on all disks" { + sync +} + +@test "sync: Flush all pending write operations on a single file to disk" { + sudo sync / +} diff --git a/tests/bats/users.bats b/tests/integration/utils/users.bats similarity index 73% rename from tests/bats/users.bats rename to tests/integration/utils/users.bats index 097870abf..885121a58 100644 --- a/tests/bats/users.bats +++ b/tests/integration/utils/users.bats @@ -3,21 +3,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load common +load ../common -setup_file() { - aa_setup -} - -# bats test_tags=users @test "users: Print logged in usernames" { users - aa_check } -# bats test_tags=users @test "users: Print logged in usernames according to a given file" { users /var/log/wmtp - aa_check } diff --git a/tests/integration/utils/uuidd.bats b/tests/integration/utils/uuidd.bats new file mode 100644 index 000000000..d3ab28cc0 --- /dev/null +++ b/tests/integration/utils/uuidd.bats 
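Review bot: The context line `users /var/log/wmtp` in the users hunk looks like a typo for `/var/log/wtmp`; as written, `users` is handed a non-existent file and presumably exits non-zero, so the test exercises an error path rather than a read of the login records. The line predates this commit, but since the file is being moved anyway the fix is one token: `users /var/log/wtmp`. The pstree and sync hunks on this line raise nothing.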
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "uuidd: Generate a random UUID" {
+ uuidd --random
+}
+
+@test "uuidd: Generate a bulk number of random UUIDs" {
+ uuidd --random --uuids 10
+}
+
+@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" {
+ uuidd --time
+}
diff --git a/tests/bats/uuidgen.bats b/tests/integration/utils/uuidgen.bats
similarity index 72%
rename from tests/bats/uuidgen.bats
rename to tests/integration/utils/uuidgen.bats
index 8caa41862..838be5cbc 100644
--- a/tests/bats/uuidgen.bats
+++ b/tests/integration/utils/uuidgen.bats
@@ -3,21 +3,12 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=uuidgen
 @test "uuidgen: Create a random UUIDv4" {
 uuidgen --random
- aa_check
 }
-# bats test_tags=uuidgen
 @test "uuidgen: Create a UUIDv1 based on the current time" {
 uuidgen --time
- aa_check
 }
-
diff --git a/tests/bats/who.bats b/tests/integration/utils/who.bats
similarity index 73%
rename from tests/bats/who.bats
rename to tests/integration/utils/who.bats
index f8aaf5a17..b69fc2dd1 100644
--- a/tests/bats/who.bats
+++ b/tests/integration/utils/who.bats
@@ -3,27 +3,17 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-load common
+load ../common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=who
 @test "who: Display the username, line, and time of all currently logged-in sessions" {
 who
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information" {
 who -a
- aa_check
 }
-# bats test_tags=who
 @test "who: Display all available information with table headers" {
 who -a -H
- aa_check
 }
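Review bot: The three uuidd tests call the `uuidd` client as an unprivileged user, which talks to the uuidd daemon over its request socket; nothing in this file ensures the daemon package is installed and socket-activated on the runner, so a missing daemon shows up as command-not-found or a connection error rather than as a profile problem. A first-line guard such as `command -v uuidd >/dev/null || skip "uuidd not installed"` makes that failure mode explicit and keeps the suite's pass/fail signal tied to the profile under test.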
diff --git a/tests/integration/utils/zramctl.bats b/tests/integration/utils/zramctl.bats
new file mode 100644
index 000000000..41a3c1f51
--- /dev/null
+++ b/tests/integration/utils/zramctl.bats
@@ -0,0 +1,18 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load ../common
+
+@test "zramctl: Check if zram is enabled; enable it if needed" {
+ lsmod | grep -i zram || sudo modprobe zram || true
+}
+
+@test "zramctl: Find and initialize the next free zram device to a 1 GB virtual drive using LZ4 compression" {
+ sudo zramctl --find --size 1GB --algorithm lz4 || true
+}
+
+@test "zramctl: List currently initialized devices" {
+ sudo zramctl || true
+}
diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats
new file mode 100644
index 000000000..fd1cba5fa
--- /dev/null
+++ b/tests/integration/whois.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "whois: Get information about a domain name" {
+ whois google.fr
+}
+
+@test "whois: Get information about an IP address" {
+ whois 8.8.8.8
+}
+
+@test "whois: Get abuse contact for an IP address" {
+ whois -b 8.8.8.8
+}
+
diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl
deleted file mode 100644
index 41a2627d5..000000000
--- a/tests/packer/archlinux.pkr.hcl
+++ /dev/null
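Review bot: Every command in zramctl.bats ends in `|| true`, so none of the three tests can ever fail: a denied `modprobe zram`, a `zramctl --find` rejected by the profile, or a missing binary all pass silently, which leaves the zramctl profile effectively untested. Use a bats `skip` for the one genuinely optional precondition and let the real calls fail: in the first test `lsmod | grep -qi zram || sudo modprobe zram || skip "zram module not available"`, and drop `|| true` from the two `sudo zramctl` invocations. The device created by `--find --size 1GB` is also never released; capturing the device path that `--find` prints and running `sudo zramctl --reset` on it in a `teardown_file` would keep the runner clean between suites.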
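Review bot: whois.bats queries live registries for `google.fr` and `8.8.8.8`, so each test needs outbound TCP to third-party WHOIS servers and is subject to their rate limiting; on a runner without network all three fail for reasons unrelated to the whois profile, and in the bats output a plain connect failure looks the same as a denied network rule. The file is placed at `tests/integration/` rather than under `utils/` like the other new tests; if that placement is meant to mark network-dependent tests, a one-line comment at the top of the file saying so would help, and a reachability check ending in `skip "no network access"` before the first `whois` call would make the dependency explicit in the test itself.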
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "archlinux" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}-${var.flavor}" - } - ) - } -} diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 1c16a6b84..98e923fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl 
@@ -2,70 +2,91 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +locals { + name = "${var.prefix}${var.dist}-${var.flavor}" +} + +source "qemu" "default" { + disk_image = true + iso_url = var.DM[var.dist].img_url + iso_checksum = "file:${var.DM[var.dist].img_checksum}" + iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") + cpu_model = "host" + cpus = var.cpus + memory = var.ram + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = pathexpand(var.output_dir) + vm_name = "${local.name}.qcow2" + boot_wait = "10s" + firmware = pathexpand(var.firmware) + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = format("%s\n%s\n%s", + templatefile("${path.cwd}/tests/cloud-init/common.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${local.name}" + } + ), + file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), + file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") + ) + } +} + build { sources = [ - "source.qemu.archlinux", - "source.qemu.debian", - "source.qemu.fedora", - "source.qemu.opensuse", - "source.qemu.ubuntu22", - "source.qemu.ubuntu24", + "source.qemu.default", ] - # Upload local files + # Upload artifacts provisioner "file" { - destination = "/tmp" - sources = ["${path.cwd}/packer/src"] - } - - provisioner "file" { - only = ["qemu.archlinux"] - destination = "/tmp/src/" + destination = "/tmp/" sources = [ - "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + "${path.cwd}/tests/packer/src/", + "${path.cwd}/tests/packer/init.sh", + 
"${path.cwd}/tests/packer/clean.sh", + "${path.cwd}/.pkg/", ] } - provisioner "file" { - only = ["qemu.opensuse"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"] - } - - provisioner "file" { - only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] - destination = "/tmp/src/" - sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"] - } - - # Wait for cloud-init to finish + # Full system provisioning provisioner "shell" { execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ + # Wait for cloud-init to finish "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run + + # Ensure cloud-init is successful + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", + + # Remove logs and artifacts so cloud-init can re-run + "cloud-init clean || true", + + # Install local files and config + "bash /tmp/init.sh", + + # Minimize the image + "bash /tmp/clean.sh", ] } - # Install local files and config - provisioner "shell" { - script = "${path.cwd}/packer/init/init.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - - # Minimize the image - provisioner "shell" { - script = "${path.cwd}/packer/init/clean.sh" - execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - } - - post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" - } - post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" + "mv ${var.output_dir}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", ] } 
diff --git a/tests/packer/init/clean.sh b/tests/packer/clean.sh
similarity index 83%
rename from tests/packer/init/clean.sh
rename to tests/packer/clean.sh
index 2e1e7b551..23c587d4f 100644
--- a/tests/packer/init/clean.sh
+++ b/tests/packer/clean.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-set -u
+set -eu -o pipefail
 # shellcheck source=/dev/null
 _lsb_release() {
@@ -46,40 +46,26 @@ _sshdgenkeys() {
 _EOF
 }
-clean_debian() {
- _msg "Apt clean configuration"
-
- _msg "Full system upgrade"
- apt-get update -y
- apt-get -qq -y --no-install-recommends upgrade
- apt-get -qq -y --no-install-recommends dist-upgrade
-
- _msg "Clean the apt cache"
+clean_apt() {
+ _msg "Cleaning the apt cache"
 apt-get -y autoremove --purge
 apt-get -y autoclean
 apt-get -y clean
 }
-clean_arch() {
- _msg "Pacman clean configuration"
-
- pacman -Syu --noconfirm
- pacman -Qdtq | while IFS='' read -r pkg; do
- pacman -Rsccn --noconfirm "$pkg"
- done
+clean_pacman() {
+ _msg "Cleaning pacman cache"
 pacman -Scc --noconfirm
 }
-clean_opensuse() {
- _msg "zypper clean configuration"
-
- zypper update -y
- zypper clean -y
+clean_zypper() {
+ _msg "Cleaning zypper cache"
+ zypper clean --all
 }
 # Make the image as impersonal as possible.
 impersonalize() {
- _msg "Make the image as impersonal as possible."
+ _msg "Making the image as impersonal as possible."
 # Remove remaining pkg file, docs and caches
 dirs=(
@@ -145,10 +131,6 @@ trim() {
 truncate --size=0 /swap/swapfile
 fi
- # _msg "Fill root filesystem with 0 to reduce box size"
- # dd if=/dev/zero of=/EMPTY bs=1M || true
- # rm -f /EMPTY
-
 # Block until the empty file has been removed, otherwise, Packer will
 # try to kill the box while the disk is still full and that is bad.
 sync
@@ -159,16 +141,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_debian + clean_apt _sshdgenkeys ;; opensuse*) - clean_opensuse + clean_zypper ;; arch) - clean_arch + clean_pacman ;; esac impersonalize diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl deleted file mode 100644 index 7fd176b6e..000000000 --- a/tests/packer/debian.pkr.hcl +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "debian" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/init/init.sh b/tests/packer/init.sh similarity index 54% rename from tests/packer/init/init.sh rename to tests/packer/init.sh index df300c0c4..44a86220f 100644 --- a/tests/packer/init/init.sh 
+++ b/tests/packer/init.sh 
@@ -3,45 +3,39 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-set -eu
+set -eux -o pipefail
-_lsb_release() {
- # shellcheck source=/dev/null
- . /etc/os-release
- echo "$ID"
-}
-DISTRIBUTION="$(_lsb_release)"
-readonly SRC=/tmp/src
-readonly DISTRIBUTION
+# shellcheck source=/dev/null
+source /etc/os-release || exit 1
+readonly SRC=/tmp/
 main() {
 install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/"
 install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases"
- install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml"
 install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc"
+ install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf
 install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local
 install -Dm0755 $SRC/aa-update /usr/bin/aa-update
- install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean
- cat $SRC/parser.conf >>/etc/apparmor/parser.conf
+ install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean
 chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/"
- case "$DISTRIBUTION" in
+ case "$ID" in
 arch)
- pacman --noconfirm -U $SRC/*.pkg.tar.zst
- systemctl start apparmor.service
+ rm -f $SRC/*.sig # Ignore signature files
+ rm -f $SRC/*enforced* # Ignore enforced package
+ pacman --noconfirm -U $SRC/*.pkg.tar.zst || true
 ;;
 debian | ubuntu)
- apt-get update -y
- apt-get install -y apparmor-profiles build-essential config-package-dev \
- debhelper devscripts htop rsync vim
- dpkg -i $SRC/*.deb
+ # Do not install apparmor.d on the current development version
+ if [[ $VERSION_ID != "25.10" ]]; then
+ dpkg -i $SRC/*.deb || true
+ fi
 ;;
 opensuse*)
 mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias"
- zypper install -y bash-completion git go htop make rsync vim
- rpm -i $SRC/*.rpm
+
rpm -i $SRC/*.rpm || true
 ;;
 esac
diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/packer/init/archlinux-cosmic.user-data.yml
deleted file mode 100644
index 442c32470..000000000
--- a/tests/packer/init/archlinux-cosmic.user-data.yml
+++ /dev/null
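Review bot: All three package installs now end in `|| true` (`pacman --noconfirm -U ... || true`, `dpkg -i ... || true`, `rpm -i ... || true`), which cancels the `set -e` added at the top for the one step this image exists for: a build where apparmor.d failed to install (dependency or conffile conflict, corrupt archive) still succeeds and ships an unconfined image to the integration tests. Drop the `|| true` and keep deliberate exclusions explicit, as the `VERSION_ID != "25.10"` guard already does, or at least assert after the `case` that the package is installed. `rm -f $SRC/*.sig` before `pacman -U` deletes the detached signature so the package is installed unverified, and with `SRC=/tmp/` that glob (and `rm -f $SRC/*enforced*`) also removes any other matching file in `/tmp`; if the motivation is an untrusted signing key in the VM, importing the key or passing the intended package file by name is preferable to discarding the signature. `install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf` now replaces the distribution's parser.conf rather than appending to it as the removed `cat >>` did, which discards any distro defaults that file carried — worth a comment if intended. `main` closes outside this hunk.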
@@ -1,90 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - audit - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - cosmic - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable cosmic-greeter - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml deleted file mode 100644 index c65dfc4dd..000000000 
--- a/tests/packer/init/archlinux-gnome.user-data.yml +++ /dev/null @@ -1,92 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable gdm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml deleted file mode 100644 index 97e8ffa7b..000000000 --- a/tests/packer/init/archlinux-kde.user-data.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable sddm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml deleted file mode 100644 index 93fd254a5..000000000 --- a/tests/packer/init/archlinux-server.user-data.yml +++ /dev/null @@ -1,85 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable rngd - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/packer/init/archlinux-xfce.user-data.yml deleted file mode 100644 index 1cc18f556..000000000 --- a/tests/packer/init/archlinux-xfce.user-data.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - # Install core packages - - apparmor - - base-devel - - firewalld - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter - - # Install Applications - - firefox - - chromium - - terminator - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable lightdm.service - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml deleted file mode 100644 index 0e2571883..000000000 --- a/tests/packer/init/debian-gnome.user-data.yml +++ /dev/null @@ -1,63 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - spice-vdagent - - rsync - - vim - - task-gnome-desktop - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml deleted file mode 100644 index 5f4fe526e..000000000 --- a/tests/packer/init/debian-server.user-data.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - vim - -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/packer/init/opensuse-gnome.user-data.yml deleted file mode 100644 index b54bb458e..000000000 --- a/tests/packer/init/opensuse-gnome.user-data.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - golang-packaging - - htop - - make - - rpmbuild - - vim - -write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml deleted file mode 100644 index b54bb458e..000000000 --- a/tests/packer/init/opensuse-kde.user-data.yml +++ /dev/null @@ -1,43 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - golang-packaging - - htop - - make - - rpmbuild - - vim - -write_files: - # Set some bash aliases - - path: /home/${username}/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/ubuntu22-desktop.user-data.yml b/tests/packer/init/ubuntu22-desktop.user-data.yml deleted file mode 100644 index 30a82279a..000000000 --- a/tests/packer/init/ubuntu22-desktop.user-data.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-22.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 
diff --git a/tests/packer/init/ubuntu24-desktop.user-data.yml b/tests/packer/init/ubuntu24-desktop.user-data.yml deleted file mode 100644 index 3c3807e29..000000000 --- a/tests/packer/init/ubuntu24-desktop.user-data.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -#cloud-config - -# Based on https://github.com/canonical/autoinstall-desktop - -# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - ubuntu-desktop - - linux-generic-hwe-24.04 - - qemu-guest-agent - - spice-vdagent - - terminator - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - rsync - -snap: - commands: - - install firefox - - install gtk-common-themes - - install snap-store - - install snapd-desktop-integration - -runcmd: - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - # - >- - # apt-get -y purge - # ubuntu-server ubuntu-server-minimal netplan.io cloud-init - # binutils byobu curl dmeventd finalrd gawk - # kpartx mdadm ncurses-term needrestart open-iscsi - # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - # sosreport screen open-vm-tools motd-news-config lxd-agent-loader - # landscape-common fonts-ubuntu-console ethtool - - # Finally, remove things only installed as dependencies of other things - # we have already removed. 
- - apt-get -y autoremove - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/init/ubuntu24-server.user-data.yml b/tests/packer/init/ubuntu24-server.user-data.yml deleted file mode 100644 index 5e6d853ba..000000000 --- a/tests/packer/init/ubuntu24-server.user-data.yml +++ /dev/null @@ -1,53 +0,0 @@ -#cloud-config - -hostname: ${hostname} -locale: en_IE -keyboard: - layout: ie - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim - -write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index ee13e8f92..d2b1a6dbf 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,9 +8,5 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } - vagrant = { - source = "github.com/hashicorp/vagrant" - version = "~> 1" - } } } 
diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl deleted file mode 100644 index 49ba09f70..000000000 --- a/tests/packer/opensuse.pkr.hcl +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: Fully automate the creation of the base image - -source "qemu" "opensuse" { - disk_image = true - iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" - iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean new file mode 100644 index 000000000..a01b9d77e --- /dev/null +++ b/tests/packer/src/aa-clean 
@@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu -o pipefail +rm -vf /var/log/audit/* /var/log/syslog* +touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean deleted file mode 100644 index 9f3ebd818..000000000 --- a/tests/packer/src/aa-log-clean +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -rm -rf /var/log/audit/* -touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 9a326305d..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eu +set -eu -o pipefail export BUILDDIR=/tmp/build/ @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml deleted file mode 100644 index b17136584..000000000 --- a/tests/packer/src/monitors.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - 0 - 0 - 1 - yes - - - Virtual-1 - RHT - QEMU Monitor - 0x00000000 - - - 1920 - 1080 - 60 - - - - - diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index be8c42560..8651efad1 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,4 +1,9 @@ - +# Turn creating/updating of the cache on by default write-cache -cache-loc /etc/apparmor/earlypolicy/ + +# Enable early policy loads to confine systemd, and services that can not depend +# on the apparmor unit. +cache-loc=/etc/apparmor/earlypolicy/ + +# Adjust compression Optimize=compress-fast diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl deleted file mode 100644 index 052b460da..000000000 --- a/tests/packer/ubuntu.pkr.hcl +++ /dev/null 
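Review bot: Removing the log files with `rm -vf` does not hand auditd or the syslog daemon a fresh file: a daemon that already has the file open keeps writing to the unlinked inode, so the `audit.log` and `syslog` created by the `touch` on the last line stay empty until the daemon reopens its log. Truncating in place instead (`: > /var/log/audit/audit.log`, `: > /var/log/syslog`) keeps the open descriptors pointing at the file the tests read, or else ask for a reopen after the `touch` (`systemctl kill -s USR1 auditd` makes auditd rotate its log, `systemctl kill -s HUP rsyslog` makes rsyslog reopen); which applies depends on the image's logging stack, which this file does not show. A header comment saying the script is meant for throwaway test VMs and must run as root would make the intent explicit, since the removal of `aa-log-clean` in the same diff drops the only other hint.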
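Review bot: The new comment above `cache-loc=/etc/apparmor/earlypolicy/` says early policy loads confine systemd, but this file only sets where `apparmor_parser` writes its cache; whether that directory is read at boot depends on the early-load unit or initramfs hook installed in the image, which is outside this hunk. Naming that consumer in the comment would save the next reader a search, e.g. `# Read at boot by the early policy load (see <early-load unit or hook used by this image>); without it the cache is written but never used.` The `Optimize=compress-fast` line would likewise benefit from one clause saying why it was set, as "Adjust compression" only restates the option.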
@@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -source "qemu" "ubuntu22" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu24" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = 
"unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a37c89bf0..a44f98412 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,10 +16,16 @@ variable "password" { default = "user" } -variable "ssh_publickey" { - description = "Path to the ssh public key" +variable "cpus" { + description = "Default CPU of the VM" type = string - default = "~/.ssh/id_ed25519.pub" + default = "6" +} + +variable "ram" { + description = "Default RAM of the VM" + type = string + default = "4096" } variable "disk_size" { 
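Review bot: `cpus` and `ram` are declared as `type = string` with quoted numeric defaults, although the qemu builder settings they presumably feed (`cpus`, `memory`) are numbers; Packer's HCL evaluation usually converts a numeric string on assignment, but the declaration then accepts any string and a bad override only fails inside the builder. Declaring them `type = number` with `default = 6` and `default = 4096` states the intent and rejects a non-numeric value at variable validation. The `ssh_publickey` block removed here reappears unchanged in the next hunk, so that part is a pure move.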
@@ -28,28 +34,34 @@ variable "disk_size" { default = "40G" } +variable "ssh_publickey" { + description = "Path to the ssh public key" + type = string + default = "~/.ssh/id_ed25519.pub" +} + variable "iso_dir" { description = "Original ISO file directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/iso" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "/var/lib/libvirt/images" + default = "~/.libvirt/base" +} + +variable "output_dir" { + description = "Output build directory" + type = string + default = "~/.libvirt/base/packer" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF_CODE.fd" -} - -variable "output" { - description = "Output build directory" - type = string - default = "/tmp/packer" + default = "/usr/share/edk2/x64/OVMF.4m.fd" } variable "prefix" { @@ -58,10 +70,10 @@ variable "prefix" { default = "aa-" } -variable "version" { - description = "apparmor.d version" +variable "dist" { + description = "Distribution to target" type = string - default = "0.001" + default = "ubuntu24" } variable "flavor" { 
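Review bot: The new defaults for `iso_dir`, `base_dir` and `output_dir` start with `~`, and Packer does not expand a tilde in an ordinary string value; unless every use of them wraps the value in `pathexpand()`, the builder will create or look for a directory literally named `~` under the working directory. Either apply `pathexpand()` where the variables are consumed or state the expectation on the variable, e.g. `description = "Original ISO file directory (tilde must be expanded with pathexpand() by the source)"`. Renaming `output` to `output_dir` also breaks any source still reading `var.output`; the sources deleted in this diff used that name, so the replacement source, which is outside this chunk, presumably already uses the new one.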
@@ -70,32 +82,40 @@ variable "flavor" { default = "" } -variable "release" { - description = "Distribution metadata to use" +variable "DM" { + description = "Distribution Metadata to use" type = map(object({ - codename = string - version = string + img_url = string + img_checksum = string })) default = { + "archlinux" : { + img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + }, + "debian12" : { + img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" + } + "debian13" : { + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" + } "ubuntu22" : { - codename = "jammy", - version = "22.04.2", + img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" }, "ubuntu24" : { - codename = "noble", - version = "24.04", + img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" + }, + "ubuntu25" : { + img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" + img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" }, - "debian" : { - codename = "bookworm", - version = "12", - } "opensuse" : { - codename = "tumbleweed", - version = "", - } - "fedora" : { - codename = "40", - version = "1.14", + img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" + img_checksum = 
"https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" } } } diff --git a/tests/profile_check.py b/tests/profile_check.py new file mode 100644 index 000000000..9b61e6367 --- /dev/null +++ b/tests/profile_check.py 
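Review bot: Every `img_checksum` entry is a plain URL to a checksum file served by the same origin as the image, so it can only catch a corrupted download — a compromised or stale mirror serves a matching checksum just as readily. Where upstream publishes a detached signature (Ubuntu's `SHA256SUMS.gpg`, Debian's `SHA512SUMS.sign`), verifying it in the build step is what would pin the image to its publisher; at minimum the `DM` description should say that the checksum guards integrity of the transfer only. Packer's `iso_checksum` also needs the `file:` prefix to treat a URL as a checksum file — the deleted `ubuntu.pkr.hcl` used `file:https://…` — so the source consuming `img_checksum` (not in this chunk) has to add it. A style nit: the map entries are separated inconsistently (`},` after `archlinux`, `ubuntu22`, `ubuntu24` and `ubuntu25`, no comma after `debian12` and `debian13`); HCL accepts both, but one form reads better.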
@@ -0,0 +1,480 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0-only + +# KNOWN ISSUES: +# No guards for file type - expects AppArmor +# Diffirent suggestions for single line are mutually exclusive +# Suggestion could point to changed profile name, based on other suggestion + +import sys +import argparse +import pathlib +import shlex +import json +from copy import deepcopy + +try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ImportError: + from apparmor.aa import separate_vars + + LIBAPPARMOR = True + +except ImportError: + LIBAPPARMOR = False + +def sanitizeProfileName(name): + + if name.startswith('/') or name.startswith('@{'): + name = pathlib.Path(name).stem + + if ' ' in name: + name = re.sub(r'\s+', '-', name) + + return name + +def makeLocalIdentity(nestingStacker_): + + newStacker = [] + for i in nestingStacker_: + i = sanitizeProfileName(i) + newStacker.append(i) + + identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores + + return identity + +def getCurrentProfile(stacker): + + if stacker: + profile = stacker[-1] + else: + profile = None + + return profile + +def handleFileMessages(l, file, profile, lineNum): + + wholeFileAccessProfiles = ( +# '', + ) + suggestOwner = ( # TODO: switch to AARE + r'^@{HOME}/', + r'^/home/\w+/', + r'^@{run}/user/@{uid}/', + r'^/run/user/\d+/', + r'^@{tmp}/', + r'^/tmp/', + r'^/var/tmp/', + r'^/dev/shm/', + ) + + lG = l.groupdict() + reason_ = None + if lG.get('path'): + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + for r in suggestOwner: + if re.match(r, lG.get('path')) and not lG.get('owner'): + indentRe = re.match(r'^\s+', l.group()) + 
if indentRe: + indent = indentRe.group() + else: + indent = '' + + severity_ = 'NOTICE' + reason_ = "'owner' is likely required" + suggestion_ = indent + 'owner ' + l.group().lstrip() + break + + elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + if reason_: # something matched + msg = {'filename': file, + 'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_} + else: + msg = None + + return msg + +def readApparmorFile(fullpath): + '''AA file could contain multiple AA profiles''' + headers = ( + '# apparmor.d - Full set of apparmor profiles', + '# Copyright (C) ', + '# SPDX-License-Identifier: GPL-2.0-only', + ) + + file_data = {} + fileVars = {} + nestingStacker = [] + duplicateProfilesCounter = [] + localExists = {} + localExists_eol = {} + messages = [] + exceptionMsg = None + line = None + gotAbi = False + gotHeaders = {} + gotAttach = False + isAfterProfileStart = False + lastLineNum = None + try: + with open(fullpath, 'r') as f: + for n,line in enumerate(f, start=1): + if isAfterProfileStart: + isAfterProfileStart = False + expectedIndent = len(nestingStacker) * ' ' + indentRe = re.match(r'^\s+', line) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + if indent != expectedIndent: + spacesCount = len(nestingStacker) * 2 + nestingCount = len(nestingStacker) + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", + 'suggestion': f"{expectedIndent}{line.lstrip()}"}) + + if line.endswith(' \n'): + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Redundant trailing whitespace", + 'suggestion': line.rstrip()}) + + if '\t' in line: + 
messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Tabs are not allowed", + 'suggestion': line.replace('\t', ' ')}) + + if len(gotHeaders) < 3 and not nestingStacker: + for nH,i in enumerate(headers): + if line.startswith(i): + gotHeaders[nH] = True + + if RE_ABI.search(line): + gotAbi = line + + elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): + isAfterProfileStart = True + m = parse_profile_start_line(line, fullpath) + if m.get('profile'): + nestingStacker.append(m.get('profile')) # set early + + if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular + gotAttach = True + + profileMsg = {'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "A short named profile must be defined", + 'suggestion': None} + if m.get('plainprofile'): + messages.append(profileMsg) + elif m.get('namedprofile'): + if m.get('namedprofile').startswith('/'): + messages.append(profileMsg) + + if m.get('flags'): + m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) + if 'complain' in m['flags']: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'complain' flag must be defined in 'dists/flags'", + 'suggestion': None}) + else: + m['flags'] = set() + + if m.get('profile'): + duplicateProfilesCounter.append(m.get('profile')) + profileIdentity = '//'.join(nestingStacker) + file_data[profileIdentity] = m + + elif RE_PROFILE_VARIABLE.search(line): + lineV = RE_PROFILE_VARIABLE.search(line).groups() + + name = strip_quotes(lineV[0]) + operation = lineV[1] + val = separate_vars(lineV[2]) + if fileVars.get(name): + fileVars[name].update(set(val)) + if operation == '=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 
'reason': "Tunable must be appended with '+='", + 'suggestion': None}) + else: + fileVars[name] = set(val) + if operation == '+=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Tunable must be defined with '='", + 'suggestion': None}) + + elif RE_INCLUDE.search(line): + if nestingStacker: + profileIdentity = '//'.join(nestingStacker) + localIdentity = makeLocalIdentity(nestingStacker) + localValue = f'include if exists ' # commented out will also match + if localValue in line: + localExists[profileIdentity] = localValue + + # Handle file entries + elif RE_PROFILE_FILE_ENTRY.search(line): + lineF = RE_PROFILE_FILE_ENTRY.search(line) + fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) + if fileMsg: + messages.append(fileMsg) + + elif RE_PROFILE_END.search(line): + if getCurrentProfile(nestingStacker): + if not nestingStacker: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Unbalanced parenthesis?", # not fully covered + 'suggestion': None}) + else: + profileIdentity = '//'.join(nestingStacker) + localExists_eol[profileIdentity] = n + del nestingStacker[-1] # remove last + + lastLineNum = n + + except PermissionError: + exceptionMsg = 'Unable to read the file (PermissionError)' + + except UnicodeDecodeError: + exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' + + except FileNotFoundError: + exceptionMsg = 'No such file or directory (FileNotFoundError)' + + if exceptionMsg: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'NOTICE', + 'line': None, + 'reason': exceptionMsg, + 'suggestion': None}) + + # Ensure proper header is present + if len(gotHeaders) < 3: + combinedHeader = '\n'.join(headers) + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': 1, + 'reason': 'No proper header', + 'suggestion': 
combinedHeader}) + + # Ensure ABI is present + changeAbi = False + abi = 'abi ,' + if gotAbi: + if gotAbi.strip() != abi: + changeAbi = True + else: + changeAbi = True + + if changeAbi: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': 'ABI is required', + 'suggestion': abi}) + + # Ensure singular '@{exec_path}' + if not gotAttach: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + + # Ensure trailing vim syntax + if line: + trailingSyntax = '# vim:syntax=apparmor\n' + if line != trailingSyntax: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': lastLineNum, + 'reason': 'No trailing syntax hint', + 'suggestion': trailingSyntax}) + + # Assign variables to profile attachments as paths and assign filenames + for p,d in deepcopy(file_data).items(): + file_data[p]['filename'] = fullpath + attachment = d.get('attachment') + if attachment: + if attachment.startswith('@{'): + if fileVars.get(attachment): + file_data[p]['attach_paths'] = fileVars[attachment] # incoming set + else: + messages.append({'filename': fullpath, + 'profile': p, + 'severity': 'ERROR', + 'line': None, + 'reason': f"Unknown global variable as profile attachment: {attachment}", + 'suggestion': None}) + + else: + if isinstance(file_data[p].get('attachment'), set): + raise ValueError("Expecting 'str' or 'None', not 'set'") + file_data[p]['attach_paths'] = {file_data[p]['attachment']} + + # Check if profile block does not have corresponding 'local' include + for p,d in file_data.items(): + if not localExists.get(p): # not found previously + if '//' in p: + identity = p.split('//') + else: + identity = [p] + + localIdentity = makeLocalIdentity(identity) + filename = file_data[p]['filename'] + messages.append({'filename': filename, + 'profile': p, + 
'severity': 'WARNING', + 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? + 'reason': "The (sub)profile block does not have expected 'local' include", + 'suggestion': f'include if exists '}) + + # Track multiple definitions inside single file + for profile in duplicateProfilesCounter: + counter = duplicateProfilesCounter.count(profile) + if counter >= 2: + messages.append({'filename': fullpath, + 'profile': profile, + 'severity': 'DEGRADED', + 'line': None, + 'reason': "Profile has been defined {counter} times in the same file", + 'suggestion': None}) + + return (messages, file_data) + +def findAllProfileFilenames(profile_dir): + + profiles = set() + for path in pathlib.Path(profile_dir).iterdir(): + if path.is_file() and not is_skippable_file(path): + profiles.add(path.resolve()) + + # Not default, dig deeper + if not profiles: + nestedDirs = ( + 'groups', + 'profiles-a-f', + 'profiles-g-l', + 'profiles-m-r', + 'profiles-s-z', + ) + for d in nestedDirs: + dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) + for p in dirpath.rglob("*"): + if p.is_file(): + profiles.add(p) + + return profiles + +def handleArgs(): + """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" + + allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] + aaRoot = '/etc/apparmor.d' + + parser = argparse.ArgumentParser() + parser.add_argument('-d', '--aa-root-dir', action='store', + default=aaRoot, + help='Target different AppArmor root directory rather than default') + parser.add_argument('-p', '--profile', action='append', + help='Handle only specified profile') +# parser.add_argument('-s', '--severity', action='append', +# choices=allSeverities, +# help='Handle only specified severity event') + + args = parser.parse_args() + +# if not args.severity: +# args.severity = allSeverities + + return args + +def main(argv): + + args = handleArgs() + + messages = [] + + profile_dir = 
args.aa_root_dir + if not args.profile: + profiles = findAllProfileFilenames(profile_dir) + else: + profiles = set() + for p in args.profile: + absolutePath = pathlib.Path(p).resolve() + profiles.add(absolutePath) + + profile_data = {} + for path in sorted(profiles): + if not is_skippable_file(path): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) + + for m in messages: + if m.get('suggestion'): + if m['suggestion'].endswith('\n'): + m['suggestion'] = m.get('suggestion').removesuffix('\n') + m['filename'] = str(m.get('filename')) + print(json.dumps(m, indent=2)) + + if messages: + sys.exit(1) + + return None + +if __name__ == '__main__': + + if not LIBAPPARMOR: + raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: +$ sudo apt install python3-apparmor""") + + main(sys.argv) diff --git a/tests/requirements.sh b/tests/requirements.sh new file mode 100644 index 000000000..0801ff27d --- /dev/null +++ b/tests/requirements.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Dependencies for the bats integration tests + +set -eu -o pipefail + +# shellcheck source=/dev/null +_lsb_release() { + . /etc/os-release || exit 1 + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" + +case "$DISTRIBUTION" in +arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager + ;; +debian | ubuntu | whonix) + sudo apt update -y + sudo apt install -y \ + bats bats-support \ + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra + ;; +opensuse*) + ;; +*) ;; +esac diff --git a/tests/sbin.list b/tests/sbin.list new file mode 100644 index 000000000..16073f0d2 --- /dev/null +++ b/tests/sbin.list 
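Review bot: In the duplicate-definition loop near the end of `readApparmorFile`, the message `"Profile has been defined {counter} times in the same file"` is missing the `f` prefix, so every such report literally prints `{counter}`; it should read `'reason': f"Profile has been defined {counter} times in the same file",`. The module also calls `re.sub` and `re.match` in `sanitizeProfileName`, `handleFileMessages` and `readApparmorFile` without importing `re` itself — it only works because `from apparmor.regex import *` happens to re-export that module's `re`, which an `__all__` added upstream would silently break; add an explicit `import re` next to the other imports. The hunk holds the whole new file, so nothing of these functions is outside it.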
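Review bot: The `debian | ubuntu | whonix` branch lists `systemd-container` twice in the `apt install` line; apt tolerates it, but it reads like a paste slip, so drop one. The `opensuse*` branch is an empty no-op, which means the bats dependencies the file's header promises are silently absent there — either install the equivalents with `zypper` or make the gap visible, e.g. `echo "opensuse: integration dependencies not handled yet" >&2; exit 1`. The `exit 1` inside `_lsb_release` only leaves the command-substitution subshell; with `set -e` the failing assignment still aborts the script, which looks intended, but a short comment saying so would spare the next reader the doubt.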
@@ -0,0 +1,884 @@ +a2enmod +a2query +aa-audit +aa-autodep +aa-cleanprof +aa-complain +aa-decode +aa-disable +aa-enforce +aa-genprof +aa-load +aa-logprof +aa-mergeprof +aa-notify +aa-remove-unknown +aa-status +aa-teardown +aa-unconfined +aa-update-browser +accessdb +acpi_genl +acpid +acpidump +add-shell +addgnupghome +addpart +adduser +agetty +alsa +alsa-info +alsa-info.sh +alsa-init +alsabat-test +alsactl +anacron +apache2 +apache2ctl +apparmor_parser +apparmor_status +applygnupgdefaults +aptd +argdist-bpfcc +arp +arpd +aspell-autobuildhash +atd +audisp-af_unix +audisp-filter +audisp-syslog +audit +auditctl +auditd +augenrules +aureport +ausearch +autodep +automount +autrace +avahi-daemon +avahi-dnsconfd +badblocks +bashreadline-bpfcc +bashreadline.bt +bcache-super-show +bindsnoop-bpfcc +biolatency-bpfcc +biolatency-kp.bt +biolatency.bt +biolatpcts-bpfcc +biopattern-bpfcc +biosdecode +biosnoop-bpfcc +biosnoop.bt +biostacks.bt +biotop-bpfcc +bitesize-bpfcc +bitesize.bt +blkdeactivate +blkdiscard +blkid +blkmapd +blkpr +blkzone +blockdev +blogctl +blogd +blogger +bpflist-bpfcc +bpftool +brctl +bridge +brltty-setup +btrfs +btrfs-convert +btrfs-find-root +btrfs-image +btrfsdist-bpfcc +btrfsslower-bpfcc +btrfstune +cachestat-bpfcc +cachetop-bpfcc +capable-bpfcc +capable.bt +capsh +cfdisk +cgdisk +chat +chcpu +check_forensic +check_mail_queue +check-bios-nx +checkproc +chgpasswd +chkstat-polkit +chmem +chpasswd +chronyd +chroot +cifs.idmap +cifs.upcall +cobjnew-bpfcc +coldreboot +compactsnoop-bpfcc +complain +config.postfix +cppw +cpudist-bpfcc +cpuunclaimed-bpfcc +cpuwalk.bt +cracklib-check +cracklib-format +cracklib-packer +cracklib-unpacker +cracklib-update +crda +create-cracklib-dict +criticalstat-bpfcc +cron +cryptdisks_start +cryptdisks_stop +cryptsetup +ctrlaltdel +cups-browsed +cups-genppd.5.3 +cups-genppdupdate +cupsaccept +cupsctl +cupsd +cupsfilter +dbslower-bpfcc +dbstat-bpfcc +dcb +dcsnoop-bpfcc +dcsnoop.bt +dcstat-bpfcc +ddns-confgen +deadlock-bpfcc 
+debugfs +decode +delpart +deluser +devlink +dhcpcd +dirtop-bpfcc +disable +dkms +dmevent_tool +dmeventd +dmfilemapd +dmidecode +dmraid +dmsetup +dnsmasq +dockerd +dosfsck +dosfslabel +dpkg-preconfigure +dpkg-reconfigure +drsnoop-bpfcc +dump.exfat +dump.f2fs +dumpe2fs +e2freefrag +e2fsck +e2image +e2label +e2mmpstatus +e2scrub +e2scrub_all +e2undo +e4crypt +e4defrag +eapol_test +ec_access +efibootdump +efibootmgr +enforce +ephemeral-disk-warning +escapesrc +ethtool +eventlogadm +execsnoop-bpfcc +execsnoop.bt +exfat2img +exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm +exitsnoop-bpfcc +exiwhat +ext4dist-bpfcc +ext4slower-bpfcc +f2fsslower-bpfcc +faillock +fanatic +fancontrol +fanctl +fatlabel +fatresize +fbtest +fdformat +fdisk +filefrag +filegone-bpfcc +filelife-bpfcc +fileslower-bpfcc +filetop-bpfcc +findfs +firewalld +fixparts +flushb +fonts-config +fsadm +fsck +fsck. 
+fsck.btrfs +fsck.cramfs +fsck.exfat +fsck.ext2 +fsck.ext3 +fsck.ext4 +fsck.fat +fsck.minix +fsck.msdos +fsck.reiserfs +fsck.vfat +fsck.xfs +fsfreeze +fstab-decode +fstrim +funccount-bpfcc +funcinterval-bpfcc +funclatency-bpfcc +funcslower-bpfcc +g13-syshelp +gdisk +gdm +gdm3 +genccode +gencmn +genl +gennorm2 +genprof +gensprep +getcap +gethostlatency-bpfcc +gethostlatency.bt +getpcaps +getsysinfo +getweb +gnome-menus-blacklist +gpart +gparted +gpartedbin +gpm +groupadd +groupdel +groupmems +groupmod +grpck +grpconv +grpunconv +grub-install +grub-macbless +grub-mkconfig +grub-mkdevicemap +grub-probe +grub-reboot +grub-set-default +grub2-bios-setup +grub2-check-default +grub2-install +grub2-macbless +grub2-mkconfig +grub2-ofpathname +grub2-once +grub2-probe +grub2-reboot +grub2-set-default +grub2-sparc64-setup +grub2-switch-to-blscfg +hardirqs-bpfcc +haveged +hc-ifscan +hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon +hwclock +hwinfo +iconvconfig +icupkg +ifconfig +ifrename +ifstat +import-openSUSE-build-key +inject-bpfcc +inputattach +install_acx100_firmware +install_intersil_firmware +install-sgmlcatalog +installkernel +integritysetup +invoke-rc.d +ip6tables-legacy-batch +ipmaddr +ipp-usb +ippevepcl +ippeveprinter +ippeveps +ipset +iptables-apply +iptables-legacy-batch +iptunnel +irqbalance +irqbalance-ui +isadump +isaset +iscsi_discovery +iscsi-iname +iscsiadm +iscsid +iscsistart +isosize +ispell-autobuildhash +isserial +issue-generator +iucode_tool +iw +iwconfig +iwevent +iwgetid +iwlist +iwpriv +iwspy +javacalls-bpfcc +javaflow-bpfcc +javagc-bpfcc +javaobjnew-bpfcc +javastat-bpfcc +javathreads-bpfcc +kbdrate +kbdsettings +kdump-config +kerneloops +kexec +kexec-bootloader +kexec-load-kernel +key.dns_resolver +killall5 +killproc +killsnoop-bpfcc +killsnoop.bt +klockstat-bpfcc +klogd +kpartx +kvm-ok +kvmexit-bpfcc +ldattach +ldconfig +ldconfig.real +libguestfs-make-fixed-appliance 
+libgvc6-config-update +libvirt-dbus +libvirtd +llcstat-bpfcc +lnstat +loads.bt +locale-gen +logprof +logrotate +logrotate-all +logsave +losetup +lpadmin +lpc +lpinfo +lpmove +lsvmbus +luksformat +lvm +lvm_import_vdo +lvmconfig +lvmdump +lvmpolld +lwepgen +lxc +lxd +make-bcache +make-ssl-cert +mariadbd +mcelog +mdadm +mdflush-bpfcc +mdflush.bt +mdmon +memleak-bpfcc +mii-tool +mk_isdnhwdb +mkdict +mkdosfs +mke2fs +mkfs +mkfs. +mkfs.bfs +mkfs.btrfs +mkfs.cramfs +mkfs.exfat +mkfs.ext2 +mkfs.ext3 +mkfs.ext4 +mkfs.f2fs +mkfs.fat +mkfs.minix +mkfs.xfs +mkhomedir_helper +mkill +mkinitramfs +mklost+found +mkntfs +mkpostfixcert +mkreiserfs +mksubvolume +mkswap +ModemManager +mount.cifs +mount.ddi +mount.fuse +mount.fuse3 +mount.lowntfs-3g +mount.nfs +mount.nfs4 +mount.ntfs +mount.ntfs-3g +mount.smb3 +mountsnoop-bpfcc +mountstats +mpathpersist +multipath +multipathc +multipathd +mysqld +mysqld_qslower-bpfcc +nameif +naptime.bt +needrestart +netqtop-bpfcc +NetworkManager +newusers +nfnl_osf +nfsconf +nfsdcld +nfsdist-bpfcc +nfsidmap +nfsiostat +nfsslower-bpfcc +nfsstat +nft +nginx +nmbd +nodegc-bpfcc +nodestat-bpfcc +nologin +notify +nss-mdns-config +nstat +ntfsclone +ntfscp +ntfslabel +ntfsresize +ntfsundelete +nvme +offcputime-bpfcc +offwaketime-bpfcc +on_ac_power +oomkill-bpfcc +oomkill.bt +openconnect +opensnoop-bpfcc +opensnoop.bt +openvpn +overlayroot-chroot +ownership +pam_extrausers_chkpwd +pam_extrausers_update +pam_getenv +pam_namespace_helper +pam_timestamp_check +pam-auth-update +pam-config +paperconfig +parted +partprobe +partx +pbl +pccardctl +pcscd +pdata_tools +perlcalls-bpfcc +perlflow-bpfcc +perlstat-bpfcc +pg_updatedicts +php-fpm8.3 +phpcalls-bpfcc +phpenmod +phpflow-bpfcc +phpquery +phpstat-bpfcc +pidpersec-bpfcc +pidpersec.bt +pivot_root +plipconfig +pluginviewer +plymouth-set-default-theme +plymouthd +postalias +postcat +postconf +postdrop +postfix +postkick +postlock +postlog +postmap +postmulti +postqueue +postsuper +posttls-finger +ppchcalls-bpfcc 
+pppd +pppdump +pppoe-discovery +pppstats +pptp +pptpsetup +profile-bpfcc +pwck +pwconv +pwhistory_helper +pwmconfig +pwunconv +pythoncalls-bpfcc +pythonflow-bpfcc +pythongc-bpfcc +pythonstat-bpfcc +qemu-ga +qmqp-source +qshape +rarp +rcfirewalld +rcopenvpn +rcpcscd +rcxdm +rcxvnc +rdma +rdmaucma-bpfcc +rdmsr +readahead-bpfcc +readprofile +realm +regdbdump +remove-default-ispell +remove-default-wordlist +remove-shell +request-key +reset-trace-bpfcc +resize2fs +resizepart +resolvconf +rfkill +rmt-tar +rndc +rndc-confgen +rngd +route +routel +rpc.gssd +rpc.idmapd +rpc.statd +rpc.svcgssd +rpcbind +rpcctl +rpcdebug +rpmconfigcheck +rsyncd +rsyslogd +rtacct +rtcwake +rtkitctl +rtmon +rubycalls-bpfcc +rubyflow-bpfcc +rubygc-bpfcc +rubyobjnew-bpfcc +rubystat-bpfcc +runc +runqlat-bpfcc +runqlat.bt +runqlen-bpfcc +runqlen.bt +runqslower-bpfcc +runuser +rvmtab +saned +sasldblistusers2 +saslpasswd2 +save_y2logs +schema2ldif +select-default-ispell +select-default-wordlist +sendmail +sensors-detect +service +set_polkit_default_privs +setcap +setuids.bt +setup-nsssysinit.sh +setvesablank +setvtrgb +sfdisk +sgdisk +shadowconfig +shim-install +shmsnoop-bpfcc +showconsole +showmount +skdump +sktest +slabratetop-bpfcc +slattach +sm-notify +smart_agetty +smartctl +smartd +smbd +smtp-sink +smtp-source +snapperd +snmpd +snmptrapd +sofdsnoop-bpfcc +softirqs-bpfcc +solisten-bpfcc +spice-vdagentd +split-logfile +ss +sshd +sshd-gen-keys-start +sshd.hmac +ssllatency.bt +sslsniff-bpfcc +sslsnoop.bt +sssd +stackcount-bpfcc +start-statd +start-stop-daemon +startproc +statsnoop-bpfcc +statsnoop.bt +status +sudo_logsrvd +sudo_sendlog +sulogin +swapin.bt +swaplabel +swapoff +swapon +switch_root +sync-available +syncsnoop-bpfcc +syncsnoop.bt +sysconf_addword +syscount-bpfcc +syscount.bt +sysctl +syslog2eximlog +sysusers2shadow +tarcat +tc +tclcalls-bpfcc +tclflow-bpfcc +tclobjnew-bpfcc +tclstat-bpfcc +tcpaccept-bpfcc +tcpaccept.bt +tcpcong-bpfcc +tcpconnect-bpfcc +tcpconnect.bt +tcpconnlat-bpfcc 
+tcpdrop-bpfcc +tcpdrop.bt +tcplife-bpfcc +tcplife.bt +tcpretrans-bpfcc +tcpretrans.bt +tcprtt-bpfcc +tcpstates-bpfcc +tcpsubnet-bpfcc +tcpsynbl-bpfcc +tcpsynbl.bt +tcptop-bpfcc +tcptracer-bpfcc +tcptraceroute.db +thermald +threadsnoop-bpfcc +threadsnoop.bt +tipc +tlp +tplist-bpfcc +trace-bpfcc +tsig-keygen +ttysnoop-bpfcc +tune.exfat +tune2fs +tuned +tuned-adm +tunelp +u-d-c-print-pci-ids +ucalls +uflow +ufw +ugc +umount.nfs +umount.nfs4 +umount.udisks2 +unbound +unconfined +undump.bt +unix_chkpwd +unix_update +unix2_chkpwd +uobjnew +update-ca-certificates +update-catalog +update-cracklib +update-default-ispell +update-default-wordlist +update-dictcommon-aspell +update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template +update-fonts-alias +update-fonts-dir +update-fonts-scale +update-grub +update-grub-gfxpayload +update-gsfontmap +update-icon-caches +update-ieee-data +update-inetd +update-info-dir +update-initramfs +update-java-alternatives +update-language +update-locale +update-mime +update-passwd +update-pciids +update-rc.d +update-secureboot-policy +update-shells +update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile +update-xmlcatalog +upgrade-from-grub-legacy +usb_modeswitch +usb_modeswitch_dispatcher +usbmuxd +useradd +userdel +usermod +ustat +uthreads +uuidd +validlocale +vconfig +vcstime +vdpa +veritysetup +vfscount-bpfcc +vfscount.bt +vfsstat-bpfcc +vfsstat.bt +vhangup +vipw +virt-what +virt-what-cvm +virtiostat-bpfcc +virtlockd +virtlogd +visudo +vmcore-dmesg +vncsession +vpddecode +vpnc +vpnc-disconnect +wakeuptime-bpfcc +wipefs +wiper.sh +wpa_action +wpa_cli +wpa_passphrase +wpa_supplicant +wqlat-bpfcc +writeback.bt +wrmsr +xfs_admin +xfs_bmap +xfs_copy +xfs_db +xfs_estimate +xfs_freeze +xfs_fsr +xfs_growfs +xfs_info +xfs_io +xfs_logprint +xfs_mdrestore +xfs_metadump +xfs_mkfile +xfs_ncheck +xfs_property +xfs_protofile +xfs_quota +xfs_repair +xfs_rtcp +xfs_scrub +xfs_scrub_all +xfs_spaceman +xfsdist-bpfcc 
+xfsdist.bt +xfsslower-bpfcc +xkbctrl +xtables-legacy-multi +xtables-nft-multi +yast2 +zdump +zerofree +zfsdist-bpfcc +zfsslower-bpfcc +zic +zramctl +zypp-refresh +zypper-log