diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf88..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d diff --git a/Justfile b/Justfile index e434586c4..64e333079 100644 --- a/Justfile +++ b/Justfile @@ -49,44 +49,52 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -[doc('Show this help message')] +# Show this help message help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." +# Build the go programs [group('build')] -[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +# Prebuild the profiles in enforced mode [group('build')] -[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + +# Prebuild the profiles in complain mode [group('build')] -[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + +# Prebuild the profiles in FSP mode [group('build')] -[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full +# Prebuild the profiles in FSP mode (complain) [group('build')] -[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full +# Prebuild the profiles in FSP mode (debug) [group('build')] -[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Install prebuild profiles [group('install')] -[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -113,8 +121,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +# Locally install prebuild profiles [group('install')] -[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail @@ -135,39 +143,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Prebuild, install, and load a dev profile [group('install')] -[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Build & install apparmor.d on Arch based systems [group('packages')] -[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +# Build & install apparmor.d on Debian based systems [group('packages')] -[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +# Build & install apparmor.d on OpenSUSE based systems [group('packages')] -[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +# Run the unit tests [group('tests')] -[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the linters [group('linter')] -[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ @@ -177,34 +185,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +# Run style checks on the profiles [group('linter')] -[doc('Run style checks on the profiles')] check: @bash tests/check.sh +# Generate the man pages [group('docs')] -[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Build the documentation [group('docs')] -[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +# Serve the documentation [group('docs')] -[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -[doc('Remove all build artifacts')] +# Remove all build artifacts clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +# Build the package in a clean OCI container [group('packages')] -[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -219,8 +227,8 @@ package dist: fi bash dists/docker.sh $dist $version +# Build the VM image [group('vm')] -[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -237,8 +245,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +# Create the machine [group('vm')] -[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ @@ -257,53 +265,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +# Start a machine [group('vm')] -[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +# Stops the machine [group('vm')] -[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +# Reboot the machine [group('vm')] -[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +# Destroy the machine [group('vm')] -[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +# Connect to the machine [group('vm')] -[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +# Mount the shared directory on the machine [group('vm')] -[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' +# Unmout the shared directory on the machine [group('vm')] -[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' +# List the machines [group('vm')] -[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +# List the VM images [group('vm')] -[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -320,8 +328,8 @@ images: } ' +# List the VM images that can be created [group('vm')] -[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail @@ -337,36 +345,36 @@ available: } ' +# Install dependencies for the integration tests [group('tests')] -[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh +# Run the integration tests [group('tests')] -[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} +# Install dependencies for the integration tests (machine) [group('tests')] -[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init +# Synchronize the integration tests (machine) [group('tests')] -[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ +# Re-synchronize the integration tests (machine) [group('tests')] -[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) +# Run the integration tests (machine) [group('tests')] -[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ diff --git a/PKGBUILD b/PKGBUILD index dfbb46735..a68ba817d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,8 +3,15 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgname=apparmor.d -pkgver=0.001 +pkgbase=apparmor.d +pkgname=( + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced +) +pkgver=0.0001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') -conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" echo "0.$(git rev-list --count HEAD)" } @@ -24,17 +30,104 @@ prepare() { } build() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export DISTRIBUTION=arch - just complain + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done } -package() { - cd "$srcdir/$pkgname" - just destdir="$pkgdir" install +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install +} + +package_apparmor.d() { + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9330d2223..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 000000000..894ee467e --- /dev/null +++ b/apparmor.d/abstractions/accessibility @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c230..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -20,32 +25,32 @@ abi , include + include include include - include - include include - include - include - include - include include - include - include - include + include + include + include include include include - include + include + include include include include + include + include + include + include include include include + include include include - include network inet dgram, network inet6 dgram, @@ -103,7 +108,6 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, @@ -151,9 +155,7 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -178,7 +180,6 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 238bf9e8b..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -18,7 +22,6 @@ include include include - include include include include @@ -27,11 +30,13 @@ include include include + include include include include include include + include include include include @@ -75,7 +80,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, @@ -160,7 +164,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d18261..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -29,9 +31,6 @@ # if @{DE} == kde include - include - include - include include include diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 72% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index 5dd8b26bc..25106ad6e 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -6,7 +6,9 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, @@ -18,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -25,11 +30,14 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f55..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 826191309..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,12 +57,18 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb9..d89688b70 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, - ptrace (readby) peer=@{p_systemd_coredump}, + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y new file mode 100644 index 000000000..0145fc494 --- /dev/null +++ b/apparmor.d/abstractions/bus/accessibility/org.a11y @@ -0,0 +1,65 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow the accessibility services in the user session to send us any events + + dbus receive bus=accessibility + peer=(label="@{p_at_spi2_registryd}"), + + # Allow querying for capabilities and registering + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member=NotifyListenersSync + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + # org.a11y.atspi is not designed for application isolation and these rules + # can be used to send change events for other processes. + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Event.Object + member=ChildrenChanged + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Accessible + member=Get* + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.a11y.atspi.Event.Object + member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/cache + interface=org.a11y.atspi.Cache + member={AddAccessible,RemoveAccessible} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index c99f5f8bd..000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Accessibility bus - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - # Session bus - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ec..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index f6cde2030..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd @@ -16,6 +19,14 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 9dfab7481..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -13,17 +15,13 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label="@{p_polkitd}"), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index fe6d52dc6..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} - peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..0816b046f --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + unix type=stream peer=(label=gnome-keyring-daemon), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 000000000..8f517fe99 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..b51c4bdcb --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 000000000..8ded1b6d7 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 000000000..01cf21c46 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 6bfa6114b..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 178139a8d..8a3e7d74e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f..27c456637 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/session/org.gnome.SessionManager index a532b67f2..4c641776b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -1,48 +1,46 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# FIXME: Too large, restrict it. - abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 000000000..93d830828 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 000000000..899f244a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus new file mode 100644 index 000000000..b21c08067 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.gtk.Menus + member={Start,End} + peer=(name=@{busname}), + + dbus send bus=session + interface=org.gtk.Menus + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler new file mode 100644 index 000000000..3fce0d719 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 86% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad..151c642a8 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index 93ad35fe5..edf954ac5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -1,7 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Each daemon (main and for mounts) implement this. + abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -14,6 +16,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index ce6e60082..9f1a77daf 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata @@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation new file mode 100644 index 000000000..54dfc837f --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskPassword,AskQuestion} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index c455d4f18..107c3dc13 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,12 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# The mount tracking interface. - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker @@ -19,11 +16,16 @@ member=ListMounts2 peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner new file mode 100644 index 000000000..7090afe24 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 87fd06727..d017d44e3 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -23,11 +23,6 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace..0afce1cdf 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index d71b7ac1e..b2b934074 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez similarity index 96% rename from apparmor.d/abstractions/bus/org.bluez rename to apparmor.d/abstractions/bus/system/org.bluez index 461ad9f94..acaa7bb36 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -36,6 +36,6 @@ member=RegisterApplication peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver new file mode 100644 index 000000000..f6a1a251c --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Address resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=AddressResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser new file mode 100644 index 000000000..39f5e4496 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 000000000..403a4db0f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 000000000..bff079b13 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 000000000..bfc87b3cc --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 000000000..6a3b1510d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 000000000..d90e9ca14 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 000000000..93affdc51 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager similarity index 67% rename from apparmor.d/abstractions/bus/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index e23092429..4b5dcc746 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager @@ -15,19 +15,19 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=CreateDevice - peer=(name="@{busname}", label="@{p_colord}"), + member={CreateProfile,CreateDevice,DeleteDevice} + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=FindDeviceByProperty - peer=(name="@{busname}", label="@{p_colord}"), + member={FindDeviceByProperty,FindDeviceById} + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 64b400a3e..aa6a61371 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 1348c8a39..e2377a14b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -4,12 +4,11 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 741631f4b..4833b1512 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 000000000..0f5cff363 --- /dev/null +++ b/apparmor.d/abstractions/camera @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5072cadfd..28badc6db 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. @@ -12,31 +13,35 @@ abi , include - include + include include include - include + include include include include + include include include include include include include + include include + include include include + include + include include include - include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, @@ -67,13 +72,10 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -83,6 +85,7 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -94,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, @@ -142,9 +147,6 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index da73b8217..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 78441fe08..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,6 +2,7 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. @@ -16,9 +17,14 @@ userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -32,20 +38,22 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b581c9073..dd4976f5e 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set @@ -15,6 +20,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 6b97b014c..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -17,8 +17,10 @@ include include include + include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -66,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -79,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, @@ -108,11 +106,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581b..6dcb26860 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,8 @@ abi , - include include - include + include include include include diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a10..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa7..c4abbd574 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,14 +9,17 @@ abi , + include include include - include - include + include + include include include include include + include + include include include include diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 000000000..c707d66e0 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 85f8f6b92..3361f10ec 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,13 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , include - /dev/bus/usb/@{int}/@{int} wk, + @{PROC}/tty/drivers r, - @{sys}/devices/**/usb@{int}/{,**} w, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, + + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 836a5f3c7..ea3131d59 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow detection of usb devices. Leaks plugged in USB device info - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} r, + abi , @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, include if exists diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55a..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416..8536470bd 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b..227377f3a 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,14 +4,17 @@ abi , + include include include - include - include + include + include include include include include + include + include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3dece8578..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 79872ceb4..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -13,14 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1e2c97224..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,13 +8,7 @@ include include - @{sys}/devices/@{pci}/numa_node r, - - @{PROC}/devices r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b..21a4d860c 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 000000000..0bf0ab41c --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict @@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d97..0b69d8ee1 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869..79e97b23f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,14 +4,17 @@ abi , + include include include - include - include + include + include include include include include + include + include include include include @@ -45,7 +48,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, + owner @{user_config_dirs}/session/*_* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..913ab3eb3 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,11 +4,13 @@ abi , - include + include include + include include - include + include include + include include include include diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 000000000..1cdcf66f2 --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys new file mode 100644 index 000000000..d9aafa764 --- /dev/null +++ b/apparmor.d/abstractions/mediakeys @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..81d5cc94c --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e805..a14691a9c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, /usr/share/nvidia/nvidia-application-profiles-* r, @@ -24,20 +24,34 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 000000000..33a981279 --- /dev/null +++ b/apparmor.d/abstractions/pcscd @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289..66a80867b 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 000000000..083672cc9 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes new file mode 100644 index 000000000..13fe70bc6 --- /dev/null +++ b/apparmor.d/abstractions/themes @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/themes/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{user_share_dirs}/themes/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 000000000..ef7b30a2b --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 000000000..b97d1eb8a --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 000000000..67478bb6d --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 28d15cf76..145cd763a 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 3046c8f6d..df13363fc 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,9 +4,11 @@ abi , + include include include - include + include + include include include include diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 13864f2dd..ccdbf338b 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -195,25 +195,26 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pid}/attr/apparmor/exec w, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map w, - @{PROC}/@{pid}/limits r, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/oom_score_adj rw, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/setgroups w, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pid}/uid_map w, + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0..1f8368045 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af80..07706d052 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fe..7308a5ef0 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9bdabb1c2..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe449..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c7..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b037..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index beb563f31..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc140acd1..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95b..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c30..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 61be160dc..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 16dc584b3..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 9254be27d..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index b42649d7c..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index d2e9e9260..824d3b4dd 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..0a7706fe1 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 3e3fd2ab9..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 2c1ac1ce5..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,6 +18,9 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 467d0d50e..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 6f54d3967..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,17 +10,22 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include @{exec_path} r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index d83bdbb45..8e99e70c5 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index dfb881e32..aa9232c73 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor deleted file mode 100644 index 38a068ac0..000000000 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ /dev/null @@ -1,67 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/apparmor* -profile dpkg-script-apparmor @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/{,e}grep ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-divert ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/apparmor_parser Px, - - /usr/share/apparmor.d/** rw, - - /etc/apparmor.d/** rw, - - /var/lib/dpkg/diversions rw, - /var/lib/dpkg/diversions-new rw, - /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/format r, - /var/lib/dpkg/status r, - /var/lib/dpkg/triggers/File r, - /var/lib/dpkg/triggers/Unincorp r, - /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - capability dac_override, - capability dac_read_search, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent rix, - - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, - - owner @{run}/systemd/ask-password/ rw, - owner @{run}/systemd/ask-password-block/{,*} rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod deleted file mode 100644 index f900bba17..000000000 --- a/apparmor.d/groups/apt/dpkg-script-kmod +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/kmod* -profile dpkg-script-kmod @{exec_path} { - include - - @{exec_path} mrix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux deleted file mode 100644 index af578be50..000000000 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/linux* -profile dpkg-script-linux @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/stty ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/systemctl Cx -> systemctl, - - /usr/share/{update,reboot}-notifier/notify-reboot-required Px, - /etc/kernel/{,header_}postinst.d/* Px, - /etc/kernel/postrm.d/* Px, - /etc/kernel/preinst.d/* Px, - /etc/kernel/prerm.d/* Px, - - /etc/kernel/*.d/ r, - - @{lib}/linux/triggers/* w, - @{lib}/modules/*/.fresh-install w, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd deleted file mode 100644 index 6c76e6f70..000000000 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/systemd* -profile dpkg-script-systemd @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{coreutils_path} rix, - @{bin}/bootctl Px, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Cx -> dpkg, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/journalctl Px, - @{bin}/kernel-install mrPx, - @{bin}/systemctl Cx -> systemctl, - @{bin}/systemd-machine-id-setup Px, - @{bin}/systemd-sysusers Px, - @{bin}/systemd-tmpfiles Px, - @{lib}/systemd/systemd-sysctl Px, - @{sbin}/pam-auth-update Px, - - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - - /etc/pam.d/sed@{rand6} rw, - /etc/pam.d/common-password rw, - - @{efi}/ r, - - /var/lib/systemd/{,*} rw, - /var/log/journal/ rw, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..2434c9db9 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, @{lib}/ r, - @{lib}/** w, + @{lib}/** wl -> @{lib}/**, /opt/*/** rw, #aa:lint ignore=too-wide @@ -76,9 +78,11 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @@ -113,6 +117,10 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 2a2063d8e..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a814eaaa9..a6584a23d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 36e299a0c..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d501a325f..d2da77bc3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include include - include include include include @@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + @{exec_path} mr, @{bin}/ r, @@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, @@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 1fb667fae..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index f829ab3ff..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3ac729baa..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 1a66b4726..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 469fb24a0..08a553c1d 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124..12c8e2e80 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 86b293e8d..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 26311b575..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include - include - include + include + include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index cc6b33f61..27e228e2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session path=/org/freedesktop/DBus + dbus receive bus=session interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 4dec1d407..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -77,11 +77,12 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +92,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 3fdab031b..b326138d6 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 817d63175..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e900fc3f5..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 5233f8603..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 53edb4b00..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 698eeedb6..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,10 +10,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include - include - include include include include diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 1009a0ef2..877200660 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 6f658b064..21da6bf93 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..ca1dc9630 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,18 +7,19 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} { +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include - include include + include + include + include include include include -# capability net_admin, + capability net_admin, capability net_bind_service, -# capability sys_nice, network inet dgram, network inet6 dgram, @@ -26,20 +27,12 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label="@{p_avahi_daemon}"), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={PrinterDeleted,PrinterStopped} - peer=(name=@{busname}, label=cups-notifier-dbus), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -49,13 +42,15 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index acae9b7a1..ec0bbfd67 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,8 +11,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include @@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=DeleteDevice - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=FindDeviceById - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - @{exec_path} mr, @{sh_path} rix, @@ -62,7 +53,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index c2a944b11..fe4347237 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83b..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d04..bd144b7e2 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index aae80b87d..fcb9d8b6c 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,8 +11,10 @@ profile ufw-init @{exec_path} { include include + capability dac_override, capability dac_read_search, capability net_admin, + capability net_raw, network inet dgram, network inet raw, @@ -27,12 +29,29 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, + @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip_tables_names r, - # @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } profile sysctl { include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..341db555e 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,12 +9,9 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include - include - include - include + include include include include @@ -40,6 +37,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,6 +47,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, @@ -154,6 +164,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb..e6be7ef4f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fd..97f9f4911 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include capability sys_ptrace, @@ -32,11 +34,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +43,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 162e3b448..8a8f5afb7 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483..0bd74bdcb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -27,7 +28,13 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, @@ -42,7 +49,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, @@ -54,7 +60,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b..c069b7afd 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,9 +11,11 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include + include include network inet dgram, @@ -31,11 +33,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e2..04eeba521 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,14 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include - include include include + include + include + include + include include include include @@ -29,8 +31,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 02a370cdc..04b08ecc4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,8 +14,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include + include include - include capability sys_ptrace, @@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index af6f30e9c..83ee32baa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1ca0fd31..bb48d0c5b 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,7 +13,6 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5e7a75a8d..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 05e4c3ec2..206958062 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,17 +14,21 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include + include include include + include include include - include include include + include include ptrace (trace) peer=@{profile_name}, @@ -47,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label="@{p_avahi_daemon}"), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, @@ -105,7 +94,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -113,9 +101,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0f6f9abeb..83652914f 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d58385831..201e49f3c 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -11,7 +11,7 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..90eb46dc4 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -12,13 +12,14 @@ profile wireplumber @{exec_path} { include include include - include include include - include + include + include include + include include - include + include network bluetooth raw, network bluetooth seqpacket, @@ -26,6 +27,7 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -47,8 +49,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -65,27 +67,27 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index be66f7484..031f03ac4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,18 +9,20 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include - include + include include include include network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -68,7 +69,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, @@ -101,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca5f62f82..30b415204 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,14 +9,12 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include - include + include include include include @@ -24,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -36,17 +35,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,6 +80,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2ab..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,23 +9,21 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include - include include include - include include include include - include - include + include include - include + include include include include include include + include + include include include @@ -34,18 +32,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343b..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index cb7edf822..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,14 +8,14 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} r, - @{sh_path} r, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,18 +9,16 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include include - include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c14af6d6e..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,10 +13,13 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include + include + include + include network netlink raw, @@ -38,17 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c9..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,10 +11,11 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include + include include include include @@ -26,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -63,7 +66,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 174cb323f..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,10 @@ profile evolution-calendar-factory @{exec_path} { include include include - include + include + include include + include include include include @@ -65,8 +67,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,11 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include - include + include include + include include include + include include network inet stream, @@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 4c84fe822..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, @@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2..c5e6d4cd5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,11 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,14 +11,15 @@ profile gdm-session @{exec_path} { include include include - include include + include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index a3d285e94..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,8 +19,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include @@ -33,6 +32,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..de9d25a14 --- /dev/null +++ b/apparmor.d/groups/gnome/gjs @@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. +# +# Therefore, by default, some extension are confined under this profile. To fix +# this, the various programs using gjs must never run gjs as module, they need +# to run it as executable with a specific script. +# +# This currently concerns: +# - gnome-extension-ding (used to not be started as a module) +# - org.gnome.ScreenSaver (simple dbus service) +# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) +# - org.gnome.Shell.Notifications (simple dbus service) +# - org.gnome.Shell.Screencast (simple dbus service) + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + # Only needed by org.gnome.Shell.Extensions + include + include + + # Only needed by gnome-extension-ding + include + include + include + include + include + include + include + include + + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm, + + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 6d6d6ea85..000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null @@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/thumbnailers/{,**} r, - - /tmp/ r, - /var/tmp/ r, - - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{HOME}/ r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1447715b7..cd46dd069 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} rw, - /dev/video@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed6..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,9 +7,10 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include + include include # Needed to get currency exchange rates @@ -19,6 +20,8 @@ profile gnome-calculator @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7d6d5246d..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,7 +14,6 @@ profile gnome-calendar @{exec_path} { include include include - include include include include @@ -24,20 +23,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ce936e52..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -12,7 +12,6 @@ profile gnome-characters @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index bdffedb72..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec1..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,18 +10,17 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include - include - include include - include + include include include include include include + include include include include @@ -39,10 +38,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -51,6 +51,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" @@ -61,6 +62,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, @@ -88,7 +94,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, @@ -131,7 +136,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, @@ -191,8 +197,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d7050..8b813d260 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,12 +9,9 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include - include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 51c8f5107..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,7 +11,6 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,15 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 000000000..e13eca832 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,26 +9,23 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include - include include include include - include include - include - include - include - include - include - include - include + include + include + include + include + include include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @@ -58,8 +55,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,22 +13,20 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include - include include include include include - include - include - include - include - include + include + include + include + include include include include + include include include include @@ -75,6 +73,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 40b8bc9b5..7439e0fb6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,13 +9,10 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 6752f54d4..e39ef0dc0 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -15,16 +15,19 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,10 +9,21 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @@ -61,6 +72,8 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6..5359a70df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,18 +9,16 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include - include include - include + include include include include include + include network inet stream, network inet6 stream, @@ -28,8 +26,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +65,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf4..24c069e72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,41 +10,39 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include include include include - include - include include include include include - include - include - include + include include - include include include - include include - include - include + include + include + include + include include include include include include include + include include + include include + include include include - include + include capability sys_nice, capability sys_ptrace, @@ -72,48 +70,45 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # Talk with gnome-shell + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label="@{p_polkitd}"), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label="@{p_polkitd}"), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), - # Session bus dbus send bus=session path=/org/gnome/** @@ -156,7 +151,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -167,7 +162,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, @@ -181,13 +176,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, @@ -279,22 +274,23 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @@ -323,7 +319,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @@ -339,7 +334,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -353,6 +350,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -381,7 +380,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, @@ -434,6 +432,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer @@ -35,8 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,11 +13,10 @@ profile gnome-software @{exec_path} { include include include - include - include include include include + include include include @@ -33,13 +32,19 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,9 +10,8 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include @@ -22,9 +21,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +74,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cda4568c1..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,11 +10,8 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..8aa950e2c 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,8 +10,10 @@ include profile gnome-text-editor @{exec_path} { include include + include include include + include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c2..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1b12a68cd..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,13 +10,10 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include include - include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b3..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,12 +11,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include - include - include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index cbb8ccf71..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,13 +10,10 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include include - include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7f02d8bf4..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,22 +10,19 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include - include include - include - include - include + include + include include include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b814..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,27 +10,24 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include - include include include - include include - include - include - include + include include include include include include + include + include + include network inet stream, network netlink raw, @@ -40,16 +37,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label="@{p_upowerd}"), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 59123f485..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,11 +9,13 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include - include + include + include + include + include + include include include @@ -30,7 +32,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStopped} + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -38,24 +40,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member={CacheExhausted,ItemNew} - peer=(name=@{busname}, label=avahi-daemon), - dbus receive bus=system path=/Client4/RecordBrowser3 - interface=org.freedesktop.Avahi.RecordBrowser - member=ItemNew - peer=(name=@{busname}, label=avahi-daemon), - @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index b85a40f04..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 5f1c13d9d..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 546a252d7..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9..9d432ae13 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -30,11 +31,15 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd00..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,12 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include include + include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,9 +31,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6c..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,9 +12,10 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,13 +10,21 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include + include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - @{exec_path} mr, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 484dda29d..3d4f2cb05 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,11 +10,8 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include include - include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..20151eec0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,16 +9,13 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include - include + include include - include - include + include include include include @@ -43,7 +40,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index a32a3d8c3..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -39,6 +39,7 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 049b3c402..ea1566757 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,10 +11,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include + include + include include include include @@ -24,6 +22,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -47,6 +46,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -57,6 +58,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -68,9 +74,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..ea55ee902 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include @@ -27,6 +25,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ae225aa65..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,10 +10,7 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include include - include - include include include include @@ -29,6 +26,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..c405a3bf8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,16 +9,14 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include - include - include + include + include include include include @@ -35,6 +33,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -65,6 +64,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index f084e7b12..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,14 +10,15 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, @@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..6c4fe6f12 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,20 +16,31 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, + /etc/passwd r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + /tmp/ r, + /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..3195d7f03 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include + include unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f..6418193a6 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,16 +10,18 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include - include + include include - signal send set=hup peer=unconfined, + signal send set=hup peer=@{p_systemd}, ptrace read, + unix type=stream peer=(label=ptyxis), + @{exec_path} mr, @{bin}/podman Px, @@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + + # The shell is not confined on purpose. @{bin}/@{shells} Ux, + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 2f190dfab..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,17 +9,15 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include - include - include include - include - include include include include + include + include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @@ -34,7 +32,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e8612f7b6..e200ecb42 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -20,6 +20,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -73,9 +74,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6b358c8b0..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,17 +11,18 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include + include + include + include include include include include include + include include include + include network netlink raw, @@ -86,8 +87,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 5e65fe835..6ece8a60b 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 7f50d8b45..32136d710 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 3f2fb0138..017a66e84 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index dd03254b1..ece97e688 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 6fbbc6092..fd3b38012 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 4ed214b71..80f7f86a9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c124c5855..e3e3edfae 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,20 +18,22 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac3..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,11 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include + include include capability chown, @@ -18,9 +23,14 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, - @{exec_path} mr, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - /usr/share/mime/mime.cache r, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 68d4b689e..da231f469 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index eeaaec059..db6fe5a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa7110..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc0..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6eebca738..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,9 +11,18 @@ include profile gvfsd-computer @{exec_path} { include include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ab786106c..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,31 +12,14 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include + include + include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 2695a1bf7..f67068f49 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, @@ -20,20 +22,20 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=:*, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27..0544000c0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index f51ef2afe..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,9 +11,11 @@ include profile gvfsd-http @{exec_path} { include include - include + include + include + include include - include + # include include include include @@ -25,25 +27,15 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40..d1af3c60c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37..7874686bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,41 +11,22 @@ include profile gvfsd-network @{exec_path} { include include - include - include + include + include + include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1219c8cbd..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,16 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 76bb55e98..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,34 +11,21 @@ include profile gvfsd-sftp @{exec_path} { include include - include + include + include + include include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=nautilus), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c3..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133..66099563e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,8 +11,11 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include + include include network netlink raw, @@ -22,21 +25,15 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index e13f870c7..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,7 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include - include + include + include + include include include include @@ -21,26 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0dee4e73b..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,31 +11,16 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include + include + include + include include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-network), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -47,6 +32,7 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..b5e1b4ae8 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,10 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include include - include include include include @@ -34,6 +32,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 64372f497..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2d3b099d7..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,7 +25,11 @@ profile dolphin @{exec_path} { network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, @@ -109,10 +113,11 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index b30e39cdc..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,11 +9,8 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include - include include - include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734ed..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,9 +10,7 @@ include profile kaccess @{exec_path} { include include - include include - include include include include @@ -24,15 +22,11 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index ead285e5f..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,7 +11,6 @@ include profile kactivitymanagerd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4f8b10a32..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,7 +11,6 @@ profile kcminit @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ee42fef98..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 01706e649..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,17 +11,15 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include include include - include include include - include include include include include + include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 93c70329e..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,21 +9,18 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include - include include include - include - include include include include - include #aa:only apt + include include include include include - include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index b9c09d0c6..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,9 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 71465df97..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index fa55e177d..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,9 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 00b4c9630..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ddd14b5c2..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f4d54c295..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,7 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e46237c2a..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index ea80e28cd..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f75..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index de175635a..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,13 +11,10 @@ include profile kwalletd @{exec_path} { include include - include include - include include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e2e3ecfe0..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,10 +10,8 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f4f955a4f..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include @@ -41,6 +40,7 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index acd9b7430..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -69,7 +71,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -82,6 +84,7 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb5..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,14 +11,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include - include include include include - include include include include @@ -31,6 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, @@ -77,9 +75,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 08835eaf0..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index c9aca546a..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index a78225b67..9558a6528 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,9 +10,7 @@ include profile systemsettings @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 93259822e..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8729b1abb..a9a75aa90 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include - include include include diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda..5783c1fa0 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..910ea7c5f 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,7 +11,6 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -47,7 +46,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336..3ae907116 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f27449e77..fca80465d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 639d3ce4b..133e4bc00 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,9 +15,6 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include - include - include include network inet stream, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 5855131a8..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,9 +9,12 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + @{run}/netplan/ r, profile udevadm { @@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 74ed20aaf..cea17b81c 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6065a12da..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -16,11 +16,25 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, + /etc/netplan/* r, + owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index b5a6b83ef..2a513b84e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index cab9eed4b..eef992666 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, @@ -20,17 +19,18 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, @@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 427ac0141..41b45c9d0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + # Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rPx, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-* rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{sbin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{sbin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{sbin}/ldconfig rix, - @{sbin}/locale-gen rPx, - @{bin}/limine-install rPUx, - @{bin}/mkinitcpio rPx, - @{sbin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{sbin}/setcap rix, - @{bin}/setfacl rix, - @{sbin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{sbin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, @@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, @@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 0878385c5..860fb34ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,6 +46,8 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b6..fa00311cd 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e5..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,12 +105,14 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 489f55bd7..d10c1e772 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} { +profile pgrep @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da..9530b8594 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { @@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, + capability sys_ptrace, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read peer=snap.*, @@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -59,9 +65,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{lib_dirs}/** mr, + @{bin_dirs}/xdelta3 ix, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include - network unix stream, + capability net_admin, + network unix stream, + network (send receive) netlink raw, + + @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3eb..0ccb3f1c7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8..bed3a2d12 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583..90c1724be 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac3..5d08a4240 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { @@ -34,17 +34,24 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - /usr/share/xml/iso-codes/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b6..87e535b3f 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { @@ -97,9 +97,11 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy* rw, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +149,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -188,6 +191,8 @@ profile snapd @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, @@ -228,6 +233,12 @@ profile snapd @{exec_path} { @{sbin}/runuser mr, + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, + include if exists } diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced7..37730ba6f 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3..99dc98efe 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976..47b939fa0 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bf71a8463..0d6826490 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,6 +12,7 @@ profile ssh @{exec_path} { include include include + include include network inet stream, @@ -43,6 +44,8 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cf..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e58..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,10 +15,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c1370..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, @@ -102,7 +104,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d8930..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d7..e3fcb1931 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 557e4ab6e..9767a2e72 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 04ed76e72..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d1ee1141c..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 0d46dbfed..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025f..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,11 +31,22 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, + @{sys}/hypervisor/type r, + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + deny network (send receive) netlink raw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0381b93b1..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 01d04989b..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d96990..e0a8a2e47 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index e98bef009..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 271354633..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -124,19 +124,22 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, + /dev/dri/card@{int} rw, + @{att}/dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index c791e6375..a2115a926 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index bf983ea7a..34e7255ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 4cbe61755..5b9c51dbe 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{lib}/pm-utils/power.d/*hdparm-apm ix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index 94e2e8daf..e29a41a7a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 4f2cce637..c2c107b1f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index ffed031b5..b65f2b7af 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, @@ -127,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2fa7bb92a..211dda9cc 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,9 +9,9 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e4..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,14 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include - include include - include - include - include include include + include include include include @@ -117,7 +115,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2edc09970..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 9734803e4..91c8b29cc 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 65a19e0e0..2b7b2b4ee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,11 +9,8 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include - include + include include - include - include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 2d3eebbc2..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index d5ad6e06c..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 91bc4876f..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a..fb8eb259e 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include - include include include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 37f7f72a5..1703d27cd 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8d55ec0b7..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include @@ -19,11 +19,16 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,14 +9,11 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include - include - include include include include @@ -44,12 +41,10 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, @@ -64,7 +59,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index e8d847e92..4ede61bc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include @@ -60,9 +60,10 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c0..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,10 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index bcdcf108d..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,23 +9,20 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include - include - include - include include include include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 88967baf8..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd54..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,18 +9,15 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include - include include include - include - include - include include - include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, @@ -28,6 +25,11 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), + @{exec_path} mr, @{sh_path} rix, @@ -49,6 +51,7 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -95,6 +98,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 3620018a7..5366f1403 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 866da3d6a..e5293021c 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include @@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b9..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..378449352 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,10 +19,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include + include include capability audit_write, @@ -92,6 +93,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -136,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, @@ -277,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 2fcd83048..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index fc73a14c9..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 9e74d8046..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index c594b8ed3..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,7 +10,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index b04ed2eb9..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 91be9eede..11ccca455 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,7 +10,6 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 2c0f13bc1..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index beddcce1f..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,7 +11,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 8d2f06a75..0f8836326 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ff36e8459..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,7 +10,6 @@ include profile xfdesktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 22db3f80d..d3f88c196 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 7ecd2c8fe..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index b4cfb56e6..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c35911..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,19 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bba3dfedb..281d15718 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,11 +12,8 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b89fa42f2..33b933be2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,10 +11,12 @@ include profile cheese @{exec_path} { include include + include include include include include + include include include @@ -49,9 +51,6 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..be59811a1 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,57 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {C,c}ider sh.cider.genten +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} + +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055..0991a243e 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,10 +17,9 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include - include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65..59cfa3577 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,12 +16,11 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff400..3e650962f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,11 +10,8 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index e07c91f3d..10b5ad4af 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,15 +9,14 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include - include + include include include include + include include include include @@ -30,7 +29,6 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af..dcd28ddc9 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 5ec394807..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed6..16bafb886 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include - include + include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6..b820f249c 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,11 +17,10 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include include include + include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc..65793364d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,14 +11,16 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include include include + include include include + include capability dac_override, capability dac_read_search, @@ -57,7 +59,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, @@ -134,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 67b625d62..ad324e153 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,6 +11,7 @@ profile gimp @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0538f5da0..01b491b98 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -65,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index ff5e12444..d668fbfd2 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..5717837ec --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + include + + @{exec_path} mr, + + owner @{HOME}/@{int8}_**_grim.png w, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f1..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 000000000..ccc0a2b25 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kdestroy +profile kdestroy @{exec_path} { + include + include + + #Allow root to destroy other users' creds cache + capability dac_override, + + @{exec_path} mr, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2bd8ef6b9..75c536612 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index b5af4dcc9..7767831a8 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index b80a89343..5f85af3fe 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 50606695a..eb17c5355 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/conf.d/{,**} r, - /etc/initramfs-tools/initramfs.conf r, + /etc/initramfs-tools/{,**} r, owner /var/lib/kdump/** rw, @@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} { include include + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 758ead716..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include - include include include diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..706a11c10 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..f21f34295 --- /dev/null +++ b/apparmor.d/profiles-g-l/klist @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + include + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + + #User keytab file + /var/lib/krb5/user/@{uid}/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..7e4feed45 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,22 +11,20 @@ include profile libreoffice @{exec_path} { include include - include + include include include - include - include include - include - include - include - include + include + include + include include include include include include include + include include include include @@ -77,21 +75,24 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, + /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/paperspecs r, /etc/papersize r, + /etc/paperspecs r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 0dee9ed6a..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..89a57310f 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,6 +10,7 @@ include profile initramfs-hooks @{exec_path} { include include + include include @{exec_path} mr, @@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, - /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -68,6 +69,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, @@ -80,8 +82,9 @@ profile initramfs-hooks @{exec_path} { include include - @{bin}/ldd mr, @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..b0397eb8d 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,18 +8,30 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include + capability dac_read_search, capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, + @{sh_path} rix, + @{sbin}/sendmail rPUx, + + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, + @{run}/initctl r, + @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -26,13 +39,17 @@ profile mdadm @{exec_path} { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, + @{PROC}/mdstat rw, /dev/**/ r, + /dev/.tmp.md.* rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,23 +10,14 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include + include include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6caf364f..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/platform/ r, - @{sys}/devices/platform/**/ r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mr, - @{lib}/ld-linux.so* mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } @@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} { include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, - - include if exists - } - profile kmod { include include diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 000000000..f6489a501 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 2f31aea79..3a5dfffb6 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -11,8 +11,7 @@ profile mpris-proxy @{exec_path} { include include include - include - include + include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 2065dd814..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 8c908ddb4..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -56,10 +56,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 771bbb3b6..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,8 +33,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 1d6d62e2b..eb42bd59b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,8 +26,6 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d0553d186..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,7 +54,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 19f6a515e..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b..b60d929e2 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8b..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 178bf28c6..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 0ac23267b..8a6a2982e 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -16,9 +16,8 @@ include @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(attach_disconnected) { include - include - include include + include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index c308dcd91..105264ec2 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 5d9cba087..e0d430443 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5173c50d8..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465..80e58fd7c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,21 +10,19 @@ include profile remmina @{exec_path} { include include - include + include include include - include - include include - include - include - include + include include include include include include include + include + include include include include diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index ebbf0a5ab..2e548d40c 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index ede981f58..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index acdad5640..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc7..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index ef007a32c..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -34,9 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - /dev/tpmrm@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b787..4fd9dff69 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,10 +16,9 @@ include profile session-desktop @{exec_path} { include include - include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf0740919..53f3d20b1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -17,11 +17,13 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include + include include + include include include + include + include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index f79b284fb..a005708db 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..740af9b7b --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + + # often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index 6e5af1288..000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null @@ -1,186 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{sbin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{sbin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - @{efi}/ r, - @{efi}/config r, - @{efi}/System.map-* r, - @{efi}/vmlinuz-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,21 +9,19 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include - include include include - include include include include - include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +36,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..b04432e39 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,20 +17,18 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include - include - include - include + include include - include - include - include - include include - include include + include include include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -38,8 +36,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -49,7 +45,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, @@ -57,6 +52,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -70,6 +67,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672f..f812fc570 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,17 +16,15 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include - include + include include - include - include include include - include - include - include + include + include + include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 59c78396d..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,10 +10,7 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b663865e8..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2..d1e429d45 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include + include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,15 +9,13 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,8 +14,10 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index e398049de..ddb86b9a2 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,14 +9,12 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include + include include - include + include @{exec_path} mr, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..92dc977d9 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,16 +12,18 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include - include + include + include + include include include include include include include + include include include include @@ -51,7 +53,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -102,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,13 +11,10 @@ include profile vlc @{exec_path} { include include - include include - include - include - include - include include + include + include include include include @@ -25,8 +22,11 @@ profile vlc @{exec_path} { include include include + include include include + include + include include include @@ -36,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, @@ -85,7 +82,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> /usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a..d4fefb0b0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..07450efff 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -24,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} @@ -31,5 +34,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202f..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with @@ -48,6 +49,9 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index d3c28f025..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null @@ -1,56 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - main() - }) - } -} diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae0..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae0..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/control b/debian/control index 56ad928ba..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. diff --git a/dists/build.sh b/dists/build.sh index 9b9f9e765..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 2e581883c..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 057c7c298..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -185,6 +185,7 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected @@ -193,9 +194,11 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -230,7 +233,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm complain +mdadm attach_disconnected,complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -327,7 +330,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recover attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 7339702a2..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -8,6 +8,7 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain diff --git a/dists/overwrite b/dists/overwrite index c8769ba54..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,6 +6,7 @@ brave chrome chromium +cockpit-desktop element-desktop epiphany firefox @@ -29,8 +30,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 lsblk lsusb @@ -38,3 +39,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index f1ac6e18e..cd82f5d21 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. +It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: + +!!! note "" + + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) + ``` sh linenums="24" + @{domain} = org.chromium.Chromium + ``` ### **`common/electron`** @@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify + @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/development/build.md b/docs/development/build.md index eaa2487a2..b767e4e4e 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -10,18 +10,22 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. Prepare tasks: configure - Set distribution specificities @@ -31,21 +35,27 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: + server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path Build tasks: - abi3 - Convert all profiles from abi 4.0 to abi 3.0 - attach - Re-attach disconnected path - complain - Set complain flag on all profiles - enforce - All profiles have been enforced - fsp - Prevent unconfined transitions in profile rules - hotfix - Temporary fix for #74, #80 & #235 - userspace - Resolve variable in profile attachments + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... @@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`server`** + +Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 2585208e5..379241a49 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,11 +6,18 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **Play machine** +- [x] **[Play machine](https://github.com/roddhjav/play)** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups such that - - [ ] New simplified build system to generate the packages with profile dependencies check +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups + - [ ] Provide complain/enforced packages version + - [ ] normal/FSP/server packages variants + +- [ ] **Build system** + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) @@ -22,14 +29,26 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [x] The apt/dpkg profiles needs to be reworked -- [ ] Build system - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [ ] Provide complain/enforced packages version - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **Abstractions** + - [ ] Document all abstractions + - [ ] Split and reorganize some big abs into set of smaller abstractions. + Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) + - [ ] Abstraction based profiles: + Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). + - [ ] Test new interface like abstractions + - notifications + - audio-bluetooth + - secrets-service + - media-keys + - ... + - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. + - [ ] Rewrite the DE specific abstraction to be a layer 1 abs + +- [ ] **Security improvements** + - [ ] Limit the use of `abstractions/common/systemd` + - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) + - [ ] Revisit the usae of `systemd-tty-ask-password-agent` ## Next features @@ -45,8 +64,16 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile +- [ ] **Define roles** + - [ ] Unrestricted shell role without FSP enabled + - [ ] Define the roles when FSP is enabled + ## Done +**General improvements** + +- [x] The apt/dpkg profiles has been rewritten + **Abstractions** - [x] New `audio-client` and `audio-server` abstractions diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c93..7cc7c5616 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. diff --git a/docs/issues.md b/docs/issues.md index 1db3b195a..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -6,6 +6,19 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +## Ubuntu + +### Dbus + +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. + +### Snap + +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. + + ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: @@ -14,20 +27,3 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. -## Pacman "could not get current working directory" - -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` - -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. - -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. - -This provides a basic protection against some packages (on the AUR) that may have rogue install script. - -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d27908129..1ec5e06b1 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -31,6 +31,9 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" @@ -42,17 +45,18 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) profile = strings.ReplaceAll(profile, "include ", "include ", ) } else { - insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + insert = "@{att} = \"\"\n" + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 06ceb1d28..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -231,10 +231,80 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, + want: ` +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include +}`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d31..eca8122c6 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { @@ -73,7 +72,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) // + rulesByParagraph, paragraphs, err := parse(kind, profile) if err != nil { return "", err } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 8abfb4323..afed5aedf 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -20,7 +22,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -32,8 +34,10 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -b, --buildir DIR Root build directory. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. + --test Enable test mode. --debug Enable debug mode. ` ) @@ -43,7 +47,9 @@ var ( complain bool enforce bool full bool + server bool debug bool + test bool abi int version float64 file string @@ -55,6 +61,8 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") @@ -68,6 +76,7 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { @@ -81,7 +90,22 @@ func Configure() { flag.Parse() if help { flag.Usage() - return + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } } if full && paths.New("apparmor.d/groups/_full").Exist() { @@ -97,6 +121,9 @@ func Configure() { if debug { builder.Register("debug") } + if test { + prebuild.Test = true + } } else if enforce { builder.Register("enforce") } @@ -118,8 +145,11 @@ func Configure() { builder.Register("stacked-dbus") } else { + if !prebuild.DownStream { + prepare.Register("attach") + } builder.Register("attach") - prepare.Register("attach") + } default: diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 891eb9e1d..4862597bb 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties + // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable + // DBus.Introspectable: allow clients to introspect the service &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,7 +170,14 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{} + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } // Interfaces for _, iface := range interfaces { @@ -198,7 +205,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 0844fd745..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} @@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,7 +120,9 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b6ec56816..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -43,6 +43,10 @@ func filterRuleForUs(opt *Option) bool { return true } + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 37cbc69bc..486a45d14 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,9 +13,15 @@ var ( // AppArmor version Version = 4.0 + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + // Either or not RBAC is enabled RBAC = false + // Either or not we are in test mode + Test = false + // Pkgname is the name of the package Pkgname = "apparmor.d" diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index 504f05c1c..d9879570b 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -11,9 +11,12 @@ import ( ) // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. +var Hide = `# This file is generated by "just", all edit will be lost. /etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc..4523382d8 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index a6e954485..9ca3b14d3 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,6 +6,7 @@ package prepare import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -23,6 +24,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -57,20 +67,41 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version == 4.1 { - // Remove files upstreamed in 4.1 + if prebuild.Version >= 4.1 { remove := []string{ + // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - "wg", // Upstream version is identical + + // Direct upstream contributed profiles, similar to ours + "wg", } - for _, name := range remove { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return res, err - } + if err := removeFiles(remove); err != nil { + return res, err } } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err + } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) + } return res, nil } diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 000000000..fb9a1f602 --- /dev/null +++ b/pkg/prebuild/prepare/server.go @@ -0,0 +1,108 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) + return res, nil +} diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon diff --git a/tests/check.sh b/tests/check.sh index 60e23c694..b54bc157a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -11,9 +11,13 @@ set -eu -o pipefail RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled -readonly RES MAX_JOBS APPARMORD="apparmor.d" +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false +readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -42,6 +46,11 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi @@ -68,10 +77,18 @@ _ignore_lint() { local checks line="$1" if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block - _IGNORE_LINT_BLOCK=true + # Start of an ignore block (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then # New paragraph, end of block @@ -79,22 +96,33 @@ _ignore_lint() { _check_is_disabled=() elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block + # Nothing to do, we are in a block/paragraph return 0 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore + # Inline ignore (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") else - _check_is_disabled=() + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi fi } _check() { local file="$1" - local line_number=0 + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() while IFS= read -r line; do line_number=$((line_number + 1)) @@ -193,6 +221,7 @@ declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" ) _check_equivalent() { @@ -500,14 +529,14 @@ _check_udev() { check_sbin() { local file name jobs - mapfile -t sbin # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,30 +19,26 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear'