diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 90b709a31..8a57149d5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,61 +3,48 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: - check: - runs-on: ubuntu-24.04 - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Install linter dependencies - run: | - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH - - - name: Run basic profile linter check - run: | - just check - build: runs-on: ${{ matrix.os }} - needs: check strategy: matrix: - include: - - os: ubuntu-24.04 - mode: default - - os: ubuntu-24.04 - mode: full-system-policy + os: + # - ubuntu-24.04 + - ubuntu-22.04 + mode: + - default + - full-system-policy steps: + - name: Check out repository code uses: actions/checkout@v4 - - name: Install Build dependencies + - name: Install Build dependencies run: | sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ auditd apparmor-profiles apparmor-utils - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - sed -e "s/just complain/just fsp-complain/" -i debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules fi - bash dists/build.sh dpkg + VERSION="0.$(git rev-list --count HEAD)-1" + dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION" + dpkg-buildpackage -b -d --no-sign - name: Install apparmor.d - run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true + run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true - name: Reload AppArmor - run: | - if ! 
sudo systemctl restart apparmor.service; then - sudo journalctl -xeu apparmor.service - exit 1 - fi + run: | + sudo systemctl restart apparmor.service || true + sudo systemctl status apparmor.service + + - name: Ensure compatibility with some AppArmor userspace tools + run: sudo aa-enforce /etc/apparmor.d/aa-notify - name: Show AppArmor log and rules run: | 
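Review bot: `VERSION="0.$(git rev-list --count HEAD)-1"` in the "Build the apparmor.d package" step counts only the commits present in the checkout, and `actions/checkout@v4` without a `fetch-depth` fetches a single commit, so the value passed to `dch --newversion` will be the same on every run instead of tracking history; add `with:` / `fetch-depth: 0` to the checkout step. The `|| true` appended to `sudo dpkg --install ../apparmor.d_*_amd64.deb` and to `sudo systemctl restart apparmor.service` turns a failed install or a parser error into a passing step (the following `systemctl status` only fails when the unit ended up inactive), whereas the replaced version printed `journalctl -xeu apparmor.service` and exited 1; the failure should stay visible. The commented-out `# - ubuntu-24.04` matrix entry should be removed or given a one-line comment saying why it is parked. The job's remaining steps continue past the end of this hunk.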
@@ -67,83 +54,3 @@ jobs: - name: Show Number of loaded profile run: sudo aa-status --profiled - - - name: Cache the build package - if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' - uses: actions/cache/save@v4 - with: - path: .pkg/apparmor.d_*_amd64.deb - key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - - tests: - runs-on: ubuntu-24.04 - needs: build - if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Restore the cached build package - uses: actions/cache/restore@v4 - with: - fail-on-cache-miss: true - path: .pkg/apparmor.d_*_amd64.deb - key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} - restore-keys: | - ubuntu-24.04-default- - - - name: Install Tests dependencies - run: | - sudo apt-get update -q - sudo apt-get install -y \ - apparmor-profiles apparmor-utils \ - bats bats-support - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH - - - name: Install apparmor.d - run: | - sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true - sudo systemctl restart apparmor.service - sudo systemctl daemon-reload - systemctl --user daemon-reload - - - name: Restart some services to ensure they are confined - run: | - services=( - containerd cron - dbus docker - ModemManager multipathd - networkd-dispatcher - packagekit polkit - snapd - systemd-journald systemd-hostnamed systemd-logind systemd-networkd - systemd-resolved systemd-udevd - udisks2 - ) - sudo systemctl daemon-reload - for service in "${services[@]}"; do - sudo systemctl restart "$service" || systemctl status "$service.service" || true - done - systemctl restart --user dbus || systemctl status --user "dbus.service" || true - sudo ps auxZ | grep -v '\[.*\]' - sudo aa-log -s --raw - - - name: Install integration dependencies - run: | - just init - find /usr/sbin/ -type f - - - name: Run the integration tests - run: | - 
just integration - - - name: Show final AppArmor logs - if: always() - run: | - sudo aa-log -s --raw - - - name: Show final processes security context - if: always() - run: | - sudo ps auxZ | grep -v '\[.*\]' diff --git a/.gitignore b/.gitignore index 077d62cbf..d888d6d5c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ # Build .build .logs -.pkg tests/tldr tests/tldr.tar.gz diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 80dc69c7b..ffc9dded0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,7 +4,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - PKGDEST: $CI_PROJECT_DIR/.pkg + PKGDEST: $CI_PROJECT_DIR/packages PACKAGER: 'Alexandre Pujol ' stages: @@ -23,14 +23,14 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh + PKGBUILD dists/build.sh dists/docker.sh + tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run + - golangci-lint run --skip-dirs pkg/paths packer: stage: lint @@ -54,6 +54,7 @@ tests: image: golang coverage: '/Coverage: \d+.\d+/' script: + - apt update && apt install -y rsync - cp tests/journalctl /usr/bin/journalctl - chmod 755 /usr/bin/journalctl - mkdir -p /var/log/audit/ @@ -62,11 +63,6 @@ tests: - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out - go tool cover -func=coverage.out -check: - stage: test - image: registry.gitlab.com/roddhjav/builders/archlinux - script: - - just check # Package Build # ------------- 
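Review bot: `golangci-lint run --skip-dirs pkg/paths` runs in the untagged `golangci/golangci-lint` image, so it follows whatever major version is currently `latest`; `--skip-dirs` was deprecated in later v1 releases and, as far as I can tell, is not accepted by v2, and the `.golangci.yaml` hunk later in this diff drops `version: "2"` and returns to the v1 `linters-settings:` layout, so whether the lint job passes depends on which image tag resolves on a given day. Pin the image to an explicit tag (`image: golangci/golangci-lint:<pinned version placeholder>`) so the flag set and the config schema agree, or move the exclusion into the config file. The flow sequence `checks: ["all", "-SA1019" ]` in that config hunk also has a stray space before the closing bracket.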
@@ -84,12 +80,13 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:trixie + image: registry.gitlab.com/roddhjav/builders/debian script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl + - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync + - sudo apt-get install -y -t bookworm-backports golang-go - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -98,13 +95,12 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 - variables: - GOFLAGS: "-buildvcs=false" + image: registry.gitlab.com/roddhjav/builders/ubuntu script: + - sudo chown -R ubuntu:ubuntu /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl + - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -116,14 +112,14 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - sed -e "s/just complain/just fsp-complain/" -i debian/rules + - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules opensuse: stage: build image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging apparmor-profiles + - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day @@ -146,7 +142,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian:trixie + image: debian dependencies: - debian script: 
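Review bot: the whonix `before_script` appends `echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules` without `-e`, so when the runner shell is bash (GitLab's default where it is available) the `\n` and `\t` are written literally and `debian/rules` gains a single malformed line rather than a rule with a tab-indented recipe; the GitHub workflow hunk in this same diff uses `echo -e` for the identical text. Use `printf '\noverride_dh_auto_build:\n\tmake full\n' >> debian/rules`, which behaves the same in every POSIX shell. The `debian` and `ubuntu` jobs in the preceding hunks also move from `debian:trixie` and `ubuntu:24.04` to untagged builder images, so their toolchain will drift with the registry's latest tag unless that is intended.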
@@ -166,7 +162,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -.preprocess-whonix: +preprocess-whonix: extends: preprocess-debian dependencies: - whonix @@ -194,7 +190,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt - - mkdocs build --site-dir public + - mkdocs build --strict --site-dir public artifacts: paths: - public diff --git a/.golangci.yaml b/.golangci.yaml index 6861d253d..7718ccda2 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,15 +1,5 @@ --- -version: "2" -linters: - settings: - staticcheck: - checks: - - all - - -SA1019 - - -ST1000 - exclusions: - paths: - - pkg/paths - - tests/cmd/ - +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] diff --git a/Justfile b/Justfile deleted file mode 100644 index 64e333079..000000000 --- a/Justfile +++ /dev/null 
@@ -1,399 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: `just` -# See https://apparmor.pujol.io/development/ for more information. - -# Build settings -destdir := "/" -build := ".build" -pkgdest := `pwd` / ".pkg" -pkgname := "apparmor.d" - -# Admin username -username := "user" - -# Default admin password -password := "user" - -# Disk size of the VM to build -disk_size := "40G" - -# Virtual machine CPU -vcpus := "6" - -# Virtual machine RAM -ram := "4096" - -# Path to the ssh key -ssh_keyname := "id_ed25519" -ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname -ssh_publickey := ssh_privatekey + ".pub" - -# Where the VM are stored -vm := home_dir() / ".vm" - -# Where the VM images are stored -base_dir := home_dir() / ".libvirt/base" - -# Where the packer temporary output is stored -output_dir := base_dir / "packer" - -# SSH options -sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" - -# Libvirt connection address -c := "--connect=qemu:///system" - -# VM prefix -prefix := "aa-" - -# Show this help message -help: - @just --list --unsorted - @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." 
- -# Build the go programs -[group('build')] -build: - @go build -o {{build}}/ ./cmd/aa-log - @go build -o {{build}}/ ./cmd/prebuild - -# Prebuild the profiles in enforced mode -[group('build')] -enforce: build - @./{{build}}/prebuild --buildir {{build}} - -# Prebuild the profiles in enforce mode (test) -enforce-test: build - @./{{build}}/prebuild --buildir {{build}} --test - -# Prebuild the profiles in complain mode -[group('build')] -complain: build - ./{{build}}/prebuild --buildir {{build}} --complain - -# Prebuild the profiles in complain mode (test) -complain-test: build - @./{{build}}/prebuild --buildir {{build}} --complain --test - -# Prebuild the profiles in FSP mode -[group('build')] -fsp: build - @./{{build}}/prebuild --buildir {{build}} --full - -# Prebuild the profiles in FSP mode (complain) -[group('build')] -fsp-complain: build - @./{{build}}/prebuild --buildir {{build}} --complain --full - -# Prebuild the profiles in FSP mode (debug) -[group('build')] -fsp-debug: build - @./{{build}}/prebuild --buildir {{build}} --complain --full --debug - -# Install prebuild profiles -[group('install')] -install: - #!/usr/bin/env bash - set -eu -o pipefail - install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") - for file in "${share[@]}"; do - install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" - done - mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") - for file in "${aa[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done - mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") - for file in "${links[@]}"; do - mkdir -p "{{destdir}}/etc/apparmor.d/disable" - cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done - for file in "{{build}}/systemd/system/"*; do - service="$(basename "$file")" - install -Dm0644 "$file" 
"{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" - done - for file in "{{build}}/systemd/user/"*; do - service="$(basename "$file")" - install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" - done - -# Locally install prebuild profiles -[group('install')] -local +names: - #!/usr/bin/env bash - set -eu -o pipefail - install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") - for file in "${abs[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" - done; - mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") - for file in "${tunables[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" - done; - echo "Warning: profile dependencies fallback to unconfined." - for file in {{names}}; do - grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true - sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" - install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done; - systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -# Prebuild, install, and load a dev profile -[group('install')] -dev name: - go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` - sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} - sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -# Build & install apparmor.d on Arch based systems -[group('packages')] -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -# Build & install apparmor.d on Debian based systems -[group('packages')] -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb - -# Build & install apparmor.d on OpenSUSE based systems -[group('packages')] -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force 
{{pkgdest}}/{{pkgname}}-*.rpm - -# Run the unit tests -[group('tests')] -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... -v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - -# Run the linters -[group('linter')] -lint: - golangci-lint run - packer fmt tests/packer/ - packer validate --syntax-only tests/packer/ - shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ - debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm - -# Run style checks on the profiles -[group('linter')] -check: - @bash tests/check.sh - -# Generate the man pages -[group('docs')] -man: - @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md - -# Build the documentation -[group('docs')] -docs: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict - -# Serve the documentation -[group('docs')] -serve: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve - -# Remove all build artifacts -clean: - @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - {{pkgdest}}/{{pkgname}}* {{build}} coverage.out - -# Build the package in a clean OCI container -[group('packages')] -package dist: - #!/usr/bin/env bash - set -eu -o pipefail - dist="{{dist}}" - version="" - if [[ $dist =~ ubuntu([0-9]+) ]]; then - version="${BASH_REMATCH[1]}.04" - dist="ubuntu" - elif [[ $dist == debian* ]]; then - version="trixie" - dist="debian" - fi - bash dists/docker.sh $dist $version - -# Build the VM image -[group('vm')] -img dist flavor: (package dist) - @mkdir -p {{base_dir}} - packer build -force \ - -var dist={{dist}} \ - -var flavor={{flavor}} \ - -var prefix={{prefix}} \ - -var username={{username}} \ - -var password={{password}} \ - -var ssh_publickey={{ssh_publickey}} \ - -var disk_size={{disk_size}} \ - -var cpus={{vcpus}} \ - -var ram={{ram}} \ - -var 
base_dir={{base_dir}} \ - -var output_dir={{output_dir}} \ - tests/packer/ - -# Create the machine -[group('vm')] -create dist flavor: - @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 - @virt-install {{c}} \ - --import \ - --name {{prefix}}{{dist}}-{{flavor}} \ - --vcpus {{vcpus}} \ - --ram {{ram}} \ - --machine q35 \ - {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ - --memorybacking source.type=memfd,access.mode=shared \ - --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ - --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just _get_osinfo {{dist}}`" \ - --graphics spice \ - --audio id=1,type=spice \ - --sound model=ich9 \ - --noautoconsole - -# Start a machine -[group('vm')] -up dist flavor: - @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} - -# Stops the machine -[group('vm')] -halt dist flavor: - @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} - -# Reboot the machine -[group('vm')] -reboot dist flavor: - @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} - -# Destroy the machine -[group('vm')] -destroy dist flavor: - @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true - @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram - @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 - -# Connect to the machine -[group('vm')] -ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` - -# Mount the shared directory on the machine -[group('vm')] -mount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' - -# Unmout the shared directory on the machine -[group('vm')] -umount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' - -# List the 
machines -[group('vm')] -list: - @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" - @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' - -# List the VM images -[group('vm')] -images: - #!/usr/bin/env bash - set -eu -o pipefail - mkdir -p {{base_dir}} - ls -lh {{base_dir}} | awk ' - BEGIN { - printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") - } - { - if ($9 ~ /^{{prefix}}.*\.qcow2$/) { - split($9, arr, "-|\\.") - printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) - } - } - ' - -# List the VM images that can be created -[group('vm')] -available: - #!/usr/bin/env bash - set -eu -o pipefail - ls -lh tests/cloud-init | awk ' - BEGIN { - printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") - } - { - if ($9 ~ /^.*\.user-data.yml$/) { - split($9, arr, "-|\\.") - printf("%-18s %s\n", arr[1], arr[2]) - } - } - ' - -# Install dependencies for the integration tests -[group('tests')] -init: - @bash tests/requirements.sh - -# Run the integration tests -[group('tests')] -integration name="": - bats --recursive --timing --print-output-on-failure tests/integration/{{name}} - -# Install dependencies for the integration tests (machine) -[group('tests')] -tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init - -# Synchronize the integration tests (machine) -[group('tests')] -tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ - -# Re-synchronize the integration tests (machine) -[group('tests')] -tests-resync dist flavor: (mount dist flavor) \ - (tests-sync dist flavor) \ - (umount dist flavor) - -# Run the integration tests (machine) -[group('tests')] -tests-run dist flavor name="": (tests-resync dist flavor) - ssh 
{{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - bats --recursive --pretty --timing --print-output-on-failure \ - /home/{{username}}/Projects/tests/integration/{{name}} - -_get_ip dist flavor: - @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ - head -1 | \ - grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' - -_get_osinfo dist: - #!/usr/bin/env python3 - osinfo = { - "archlinux": "archlinux", - "debian12": "debian12", - "debian13": "debian13", - "ubuntu22": "ubuntu22.04", - "ubuntu24": "ubuntu24.04", - "ubuntu25": "ubuntu25.04", - "opensuse": "opensusetumbleweed", - } - print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..85a4a7190 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,106 @@
+#!/usr/bin/make -f
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+DESTDIR ?= /
+BUILD := .build
+PKGDEST := /tmp/pkg
+PKGNAME := apparmor.d
+P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
+
+.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
+
+all: build
+ @./${BUILD}/prebuild --complain
+
+build:
+ @go build -o ${BUILD}/ ./cmd/aa-log
+ @go build -o ${BUILD}/ ./cmd/prebuild
+
+enforce: build
+ @./${BUILD}/prebuild
+
+full: build
+ @./${BUILD}/prebuild --complain --full
+
+ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
+PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
+DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
+install:
+ @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
+ @for file in ${ROOT}; do \
+ install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \
+ done;
+ @for file in ${PROFILES}; do \
+ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @for file in ${DISABLES}; do \
+ mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
+ cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @for file in ${BUILD}/systemd/system/*; do \
+ service="$$(basename "$$file")"; \
+ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
+ done;
+ @for file in ${BUILD}/systemd/user/*; do \
+ service="$$(basename "$$file")"; \
+ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
+ done
+
+local:
+ @make
+ @sudo make install
+ @sudo systemctl restart apparmor || sudo systemctl status apparmor
+
+ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
+TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
+$(P):
+ @[ -f ${BUILD}/aa-log ] || exit 
0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log + @for file in ${ABSTRACTIONS}; do \ + install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ + done; + @for file in ${TUNABLES}; do \ + install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ + done; + @echo "Warning: profile dependencies fallback to unconfined." + @for file in ${@}; do \ + grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ + sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ + install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ + done; + @systemctl restart apparmor || systemctl status apparmor + +dist ?= archlinux +package: + @bash dists/docker.sh ${dist} + +pkg: + @makepkg --syncdeps --install --cleanbuild --force --noconfirm + +dpkg: + @bash dists/build.sh dpkg + @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb + +rpm: + @bash dists/build.sh rpm + @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm + +tests: + @go test ./cmd/... -v -cover -coverprofile=coverage.out + @go test ./pkg/... -v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out + +lint: + @golangci-lint run + @make --directory=tests lint + @shellcheck --shell=bash \ + PKGBUILD dists/build.sh dists/docker.sh \ + tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ + debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm + +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ + ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \ + ${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD} diff --git a/PKGBUILD b/PKGBUILD index a68ba817d..5bac14835 100644 --- a/PKGBUILD +++ b/PKGBUILD 
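Review bot: `PKGDEST := /tmp/pkg` combined with the `dpkg` and `rpm` targets' `sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb` and `sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm` installs, as root, whatever matches a glob in a fixed world-writable location that any local user can pre-create or populate; the `:=` also means the `PKGDEST` that `.gitlab-ci.yml` exports (`$CI_PROJECT_DIR/packages`) is ignored by make while `dists/build.sh` may still honour it, so the two can disagree about where the package landed. Prefer a directory inside the checkout that the environment can override, e.g. `PKGDEST ?= $(CURDIR)/packages`. The `local` and `lint` recipes invoke `make` and `make --directory=tests lint` directly; use `$(MAKE)` so flags and the jobserver are inherited. In the `$(P)` recipe `grep 'rPx' "${BUILD}/apparmor.d/$${file}";` has no `|| true`, so a profile without `rPx` makes that loop iteration report failure where the Justfile version it replaces guarded it.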
@@ -3,25 +3,19 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgbase=apparmor.d -pkgname=( - apparmor.d - # apparmor.d.enforced - # apparmor.d.fsp apparmor.d.fsp.enforced - # apparmor.d.server apparmor.d.server.enforced - # apparmor.d.server.fsp apparmor.d.server.fsp.enforced -) -pkgver=0.0001 +pkgname=apparmor.d +pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/apparmor.d" -license=('GPL-2.0-only') -depends=('apparmor>=4.1.0' 'apparmor<5.0.0') -makedepends=('go' 'git' 'rsync' 'just') +arch=("x86_64") +url="https://github.com/roddhjav/$pkgname" +license=('GPL2') +depends=('apparmor') +makedepends=('go' 'git' 'rsync') +conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" echo "0.$(git rev-list --count HEAD)" } 
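Review bot: `depends=('apparmor')` drops the version window the replaced line carried (`'apparmor>=4.1.0' 'apparmor<5.0.0'`), so pacman will install the profiles onto any AppArmor userspace; if the shipped profiles rely on parser features of a particular release, installation succeeds and the parser fails later at reload time instead of the dependency check catching it. Keep a lower bound that matches what the profiles actually need, e.g. `depends=('apparmor>=<minimum version placeholder>')`. `license=('GPL2')` is the legacy spelling — Arch packaging now expects SPDX identifiers, and the source headers in this diff already use `GPL-2.0-only`. The `pkgver()` function at the end of the hunk is complete; `prepare()` and `build()` follow in the next hunk.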
@@ -30,104 +24,16 @@ prepare() { } build() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" - export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - export DISTRIBUTION=arch - local -A modes=( - # Mapping of modes to just build target. - [default]=complain - # [enforced]=enforce - # [fsp]=fsp-complain - # [fsp.enforced]=fsp - # [server]=server-complain - # [server.enforced]=server - # [server.fsp]=server-fsp-complain - # [server.fsp.enforced]=server-fsp - ) - for mode in "${!modes[@]}"; do - just build=".build/$mode" "${modes[$mode]}" - done + make DISTRIBUTION=arch } -_conflicts() { - local mode="$1" - local pattern=".$mode" - if [[ "$mode" == "default" ]]; then - pattern="" - else - echo "$pkgbase" - fi - for pkg in "${pkgname[@]}"; do - if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then - continue - fi - echo "$pkg" - done -} - -_install() { - local mode="${1:?}" - cd "$srcdir/$pkgbase" - just build=".build/$mode" destdir="$pkgdir" install -} - -package_apparmor.d() { - mode=default - pkgdesc="$pkgdesc (complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.enforced() { - mode=enforced - pkgdesc="$pkgdesc (enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp() { - mode="fsp" - pkgdesc="$pkgdesc (FSP mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp.enforced() { - mode="fsp.enforced" - pkgdesc="$pkgdesc (FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server() { - mode="server" - pkgdesc="$pkgdesc (server complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.enforced() { - mode="server.enforced" - 
pkgdesc="$pkgdesc (server enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp() { - mode="server.fsp" - pkgdesc="$pkgdesc (server FSP complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp.enforced() { - mode="server.fsp.enforced" - pkgdesc="$pkgdesc (server FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode +package() { + cd "$srcdir/$pkgname" + make install DESTDIR="$pkgdir" } diff --git a/README.md b/README.md index c1c7726c5..ae9899b70 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] **Full set of AppArmor profiles** 
@@ -27,19 +27,16 @@ - Target both desktops and servers - Support all distributions that support AppArmor: - * [Arch Linux](https://apparmor.pujol.io/install#archlinux) - * [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu) - * [Debian 12](https://apparmor.pujol.io/install#debian) - * [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse) + * Arch Linux + * Ubuntu 22.04 + * Debian 12 + * OpenSUSE Tumbleweed - Support for all major desktop environments: - * Gnome (GDM) - * KDE (SDDM) - * XFCE (Lightdm) *(work in progress)* -- [Fully tested](https://apparmor.pujol.io/development/tests/) + * Gnome + * KDE + * XFCE *(work in progress)* +- Fully tested (Work in progress) -**Demo** - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. 
@@ -62,10 +59,6 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* -Lessons learned while making an AppArmor Play machine: - -- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* - ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) @@ -100,8 +93,6 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org -[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square -[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index a92058206..0998bbb44 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
@@ -2,32 +2,28 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), - unix type=stream addr=@/tmp/.ICE-unix/@{int}, - unix type=stream addr=@/tmp/.X11-unix/X@{int}, + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions - /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/@{int} rw, + /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/X@{int} rw, + /tmp/.X11-unix/* rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility deleted file mode 100644 index 894ee467e..000000000 --- a/apparmor.d/abstractions/accessibility +++ /dev/null 
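Review bot: the new rules `/tmp/.ICE-unix/* rw,` and `/tmp/.X11-unix/* rw,` grant read/write on every entry directly under those directories rather than on the display sockets, and the `addr="@/tmp/.X11-unix/X[0-9]*"` patterns match any name that begins with `X` and a digit because `*` keeps matching after the first digit; the `@{int}` variable is still usable in this abstraction (see the unchanged `/tmp/.X@{int}-lock rw,` and `owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},`), so the sockets can be bounded as `/tmp/.X11-unix/X@{int} rw,` and `/tmp/.ICE-unix/@{int} rw,` and the `peer=(addr=...)` rules written with the same variable, assuming the parser accepts it there as the removed lines suggest. `owner @{HOME}/.ICEauthority rw,` also widens a rule that was read-only, while the `@{run}/user/@{uid}/ICEauthority r,` rule below stays `r`; if writing is intentional, extend the trailing comment to say which client needs it.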
@@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) - - abi , - - include - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu deleted file mode 100644 index 181d86864..000000000 --- a/apparmor.d/abstractions/amdgpu +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Kernel Fusion Driver for AMD GPUs - - abi , - - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, - - @{sys}/devices/virtual/kfd/kfd/dev r, - @{sys}/devices/virtual/kfd/kfd/topology/ r, - @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, - @{sys}/devices/virtual/kfd/kfd/uevent r, - @{sys}/module/amdgpu/initstate r, - - /dev/kfd rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible deleted file mode 100644 index 579783096..000000000 --- a/apparmor.d/abstractions/ansible +++ /dev/null 
@@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 7f7e2a673..c31d328fb 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,13 +3,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + @{bin}/* PUx, + /usr/local/{s,}bin/* PUx, - include - - @{bin}/** PUx, - @{sbin}/** PUx, - /usr/local/{s,}bin/** PUx, + @{bin}/ r, + / r, + /usr/ r, + /usr/local/{s,}bin/ r, include if exists diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 3f35d5882..5e7c50824 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,14 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include - - @{bin}/** PUx, + @{bin}/* PUx, /opt/*/** PUx, - /usr/share/** PUx, - /usr/local/bin/** PUx, + /usr/share/*/* PUx, + /usr/local/bin/* PUx, @{brave_path} Px, @{chrome_path} Px, @@ -20,7 +16,10 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{user_bin_dirs}/** PUx, + @{bin}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, include if exists diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index e0c8d3d59..513924de6 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open 
@@ -8,58 +8,47 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. - abi , - # Sandbox managers - @{bin}/bwrap PUx, - @{bin}/firejail PUx, - @{bin}/flatpak Px, - @{bin}/snap Px, + @{bin}/bwrap rPUx, + @{bin}/firejail rPUx, + @{bin}/flatpak rPUx, + @{bin}/snap rPUx, # Labeled programs - @{archive_viewers_path} PUx, - @{backup_path} PUx, - @{browsers_path} Px, - @{document_viewers_path} PUx, - @{emails_path} PUx, - @{file_explorers_path} Px, - @{help_path} Px, - @{image_viewers_path} PUx, - @{offices_path} PUx, - @{terminal_path} Px, - @{text_editors_path} PUx, + @{archive_viewers_path} rPUx, + @{browsers_path} rPx, + @{document_viewers_path} rPUx, + @{emails_path} rPUx, + @{file_explorers_path} rPx, + @{image_viewers_path} rPUx, + @{offices_path} rPUx, + @{text_editors_path} rPUx, # Others - @{bin}/amule Px, - @{bin}/blueman-tray Px, - @{bin}/discord{,-ptb} Px, - @{bin}/draw.io PUx, - @{bin}/dropbox Px, - @{bin}/ebook-edit PUx, - @{bin}/element-desktop Px, - @{bin}/extension-manager Px, - @{bin}/filezilla Px, - @{bin}/flameshot Px, - @{bin}/gimp{,-3.0} Px, - @{bin}/gnome-calculator Px, - @{bin}/gnome-disk-image-mounter Px, - @{bin}/gnome-disks Px, - @{bin}/gnome-session-quit Px, - @{bin}/gnome-software Px, - @{bin}/gwenview PUx, - @{bin}/keepassxc Px, - @{bin}/qbittorrent Px, - @{bin}/qpdfview Px, - @{bin}/smplayer Px, - @{bin}/steam-runtime PUx, - @{bin}/telegram-desktop Px, - @{bin}/transmission-gtk Px, - @{bin}/viewnior PUx, - @{bin}/vlc Px, - @{bin}/xbrlapi Px, + @{bin}/blueman-tray rPx, + @{bin}/discord{,-ptb} rPx, + @{bin}/draw.io rPUx, + @{bin}/dropbox rPx, + @{bin}/element-desktop rPx, + @{bin}/extension-manager rPx, + @{bin}/filezilla rPx, + @{bin}/flameshot rPx, + @{bin}/gimp* rPUx, + @{bin}/gnome-calculator rPUx, + @{bin}/gnome-disk-image-mounter rPx, + @{bin}/gnome-disks rPx, + @{bin}/gwenview rPUx, + @{bin}/kgx rPx, + @{bin}/qbittorrent rPx, + 
@{bin}/qpdfview rPx, + @{bin}/smplayer rPx, + @{bin}/steam-runtime rPUx, + @{bin}/telegram-desktop rPx, + @{bin}/transmission-gtk rPx, + @{bin}/viewnior rPUx, + @{bin}/vlc rPUx, + @{bin}/xbrlapi rPx, - #aa:only opensuse - @{lib}/YaST2/** PUx, include if exists diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus deleted file mode 100644 index 8c7e6e98b..000000000 --- a/apparmor.d/abstractions/app/bus +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for dbus-send/dbus-launch. - - abi , - - include - include - - @{bin}/dbus-launch mix, - @{bin}/dbus-send mrix, - - @{bin}/dbus-daemon Px -> dbus-session, - - owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dcb29fecb..d7ffd9fa7 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -1,12 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the 
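Review bot: Several transitions in the app-open hunk move from `Px` to `rPUx` rather than to `rPx`: `@{bin}/flatpak`, `@{bin}/snap`, `@{bin}/gnome-calculator` and `@{bin}/vlc` previously failed closed when their profile was not loaded, and with `PUx` they now fall back to running unconfined. For the sandbox managers this is a silent loss of confinement on any system where the flatpak or snap profile is missing; if the intent was only to add the `r` flag, `@{bin}/flatpak rPx,` and `@{bin}/snap rPx,` keep the fail-closed behaviour. A short comment above the `# Others` list saying which entries are deliberately `rPUx` would let a reader tell intended fallbacks from accidental ones.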
@@ -22,35 +16,38 @@ # or abstractions/common/electron instead. # - abi , - include - include include include + include + include include - include - include - include - include - include + include + include + include + include + include + include include include - include - include + include include - include + include include - include - include - include - include include include include - include include include + include + + # userns, + + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -76,7 +73,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -84,11 +81,16 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions, applications, and stacked xdg menus - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{coreutils_path} ix, + # Installing/removing extensions & applications + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 
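Review bot: The capability block introduced in the `@@ -22,35 +16,38 @@` hunk (`capability setgid,` through `capability sys_ptrace,`) grants `sys_admin`, `sys_chroot` and `sys_ptrace` to every chromium-based browser that includes this abstraction, while `userns,` sits commented out directly above it with no explanation. The firefox abstraction carries a rationale for the same rules (`capability sys_admin, # If kernel.unprivileged_userns_clone = 1`); presumably these serve the same sandbox-setup purpose here, so the same inline comments would document why a browser process needs them. If the namespace setup is actually performed by `@{lib_dirs}/chrome-sandbox`, which transitions with `rPx` later in this file, the capabilities may belong in that profile rather than in the browser's own — worth confirming against the audit log before keeping them here.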
@@ -108,14 +110,24 @@ /etc/@{name}/{,**} r, /etc/fstab r, + /etc/{,opensc/}opensc.conf r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, / r, owner @{HOME}/ r, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_share_dirs}/.@{domain}.* rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -123,10 +135,6 @@ owner @{cache_dirs}/{,**} rw, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/*.menu rw, - # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, # owner @{HOME}/.mozilla/firefox/*/ r, @@ -139,8 +147,10 @@ /tmp/ r, /var/tmp/ r, + owner @{tmp}/.@{domain}.* rw, + owner @{tmp}/.@{domain}*/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, @@ -148,6 +158,9 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, + /dev/shm/ r, + owner /dev/shm/.@{domain}* rw, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, 
@@ -155,31 +168,39 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/**/report_descriptor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/smaps_rollup r, - owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/uid_map w, + owner @{PROC}/@{pids}/clear_refs w, + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/environ r, + owner @{PROC}/@{pids}/task/ r, /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index b33dbc7f4..f0972f3e7 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
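Review bot: `owner @{PROC}/@{pids}/environ r,` and `owner @{PROC}/@{pids}/cmdline r,` replace rules that were limited to `@{pid}`, so the browser can now read the environment and command line of every process of the same user rather than only its own. `environ` commonly carries credentials (tokens, agent socket paths), so for a network-facing process this is a meaningful widening; if the wider read answers a specific denial, a comment naming the consumer would justify it, otherwise `owner @{PROC}/@{pid}/environ r,` is the safer form. The new `/dev/hidraw@{int} rw,` is likewise unqualified by `owner` and undocumented; the same rule is added to the firefox abstraction in the `@@ -164,13 +141,18 @@` hunk, and a comment such as `/dev/hidraw@{int} rw, # WebHID — confirm` on both would record why raw HID access is required.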
@@ -1,43 +1,29 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , include - include - @{sh_path} rix, - @{bin}/nvim mrix, - @{bin}/sensible-editor mr, - @{bin}/vim* mrix, - @{bin}/which{,.debianutils} rix, + @{bin}/sensible-editor mr, + @{bin}/vim{,.*} mrix, + @{sh_path} rix, + @{bin}/which{,.debianutils} rix, - /usr/share/doc/{,**} r, - /usr/share/nvim/{,**} r, - /usr/share/terminfo/** r, /usr/share/vim/{,**} r, + /usr/share/terminfo/** r, - /etc/vim/{,**} r, /etc/vimrc r, - /etc/xdg/nvim/* r, + /etc/vim/{,**} r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.vim/{after/,}spell/{,**} rw, - owner @{HOME}/.vim/** r, owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, + # Vim swap file owner @{HOME}/ r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} r, - owner @{user_state_dirs}/nvim/{,**} rw, - owner @{user_config_dirs}/nvim/{,**} rw, - - owner @{run}/user/@{uid}/nvim.* rw, include if exists diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 0648e68d1..bf86f419c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -1,11 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the 
@@ -17,31 +12,25 @@ # @{cache_dirs} = @{user_cache_dirs}/mozilla/ # - abi , - include include include + include include - include - include - include - include include include include - include include include - include + include include include - include include include - include + include + include - userns, + # userns, capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 @@ -57,8 +46,6 @@ signal (send) set=(term, kill) peer=@{profile_name}-*, - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, @@ -67,12 +54,14 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, @{lib_dirs}/crashreporter rPx, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, # Desktop integration - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, @@ -82,9 +71,9 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, + /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, 
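Review bot: `userns,` is turned into `# userns,` on the new side while the compensating `capability sys_admin, # If kernel.unprivileged_userns_clone = 1` and `capability sys_chroot` rules stay, and the `abi` line is dropped in the same hunk. This reads like a compatibility change for a parser that does not accept the `userns` rule, but the disabled line carries no reason; a comment such as `# userns, # disabled: requires a parser/abi that supports userns rules` would record why it is off and when it can be re-enabled. Whether the sandbox's namespace creation is still permitted after this change depends on the abi the profile is compiled under, so it is worth verifying on a kernel with user-namespace mediation rather than assuming the capability rules cover it.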
@@ -99,28 +88,18 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwk, - /tmp/ rw, + /tmp/ r, /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, - owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/remote-settings-startup-bundle- rw, - owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-*.xpi rw, - owner @{tmp}/tmpaddon rw, + owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, - owner /dev/shm/org.chromium.@{rand6} rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @@ -137,10 +116,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, 
@@ -164,13 +141,18 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, + owner /dev/shm/org.chromium.* rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, owner /dev/tty@{int} rw, # File Inherit # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, deny /tmp/MozillaUpdateLock-* w, + deny owner @{HOME}/ r, deny owner @{HOME}/.* r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount deleted file mode 100644 index a394e2528..000000000 --- a/apparmor.d/abstractions/app/fusermount +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should -# be defined in the calling profile. - - abi , - - include - include - - capability dac_override, - capability dac_read_search, - capability sys_admin, # To mount anything - - @{bin}/fusermount{,3} mr, - - @{bin}/mount rix, - @{bin}/umount rix, - - @{etc_ro}/fuse{,3}.conf r, - - @{run}/mount/utab r, - @{run}/mount/utab.* rwk, - - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index b6beeb7f6..ae6b1cd78 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -1,13 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , include - @{bin}/kmod mr, + @{bin}/kmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, 
diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 8dffc39b9..f93a1c444 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -1,46 +1,17 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no -# Full set of rules for desktop generic open-* used in child-open-* profiles. +# Full set of rules for child-open-* profiles. - abi , - - include - include include - # We cannot use `@{open_path} mrix,` here because it includes: - # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` has a wildcard that cannot be merged and that will generate - # "has merged rule with conflicting x modifiers" error when used with other - # wilcard over PUx transition. - @{bin}/exo-open mrix, - @{bin}/xdg-open mrix, - @{bin}/gio mrix, - @{bin}/kde-open mrix, - @{bin}/gio-launch-desktop mrix, - @{lib}/gio-launch-desktop mrix, + @{open_path} mrix, - @{bin}/env rix, @{sh_path} r, /dev/tty rw, - # if @{DE} == kde - - include - include - include - - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - - @{PROC}/sys/kernel/random/boot_id r, - - # fi - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager deleted file mode 100644 index 30acc5612..000000000 --- a/apparmor.d/abstractions/app/pager +++ /dev/null 
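Review bot: `@{open_path} mrix,` is reinstated in the app/open hunk even though the comment the same hunk removes explained why that exact rule was avoided: `@{open_path}` includes a path containing `@{multiarch}`, whose wildcard the parser could not merge with the `PUx` wildcard rules from the app-launcher abstractions, yielding "has merged rule with conflicting x modifiers". If that limitation no longer applies, or `@{open_path}` no longer contains the gio-launch-desktop path, a comment on the new line should say so, e.g. `@{open_path} mrix, # merges cleanly with PUx wildcards — confirmed with parser`; otherwise the explicit per-binary `mrix` list the hunk deletes is the known-good form. The removed KDE block (`kioclient@{rand6}` socket, `boot_id`) is a narrowing, but child-open profiles on KDE may surface new denials and deserve a test.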
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for pagers. - - abi , - - include - - capability dac_override, - capability dac_read_search, - - signal receive set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mrix, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{etc_ro}/lesskey.bin r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index f563712ca..4bab75387 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -1,11 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no -# Minimal set of rules for pgrep/pkill. - - abi , +# Minimal set of rules for pgrep. include @@ -19,13 +16,10 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec deleted file mode 100644 index 87b3ea842..000000000 --- a/apparmor.d/abstractions/app/pkexec +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for pkexec. - - abi , - - include - include - include - include - include - - capability audit_write, - capability dac_override, - capability dac_read_search, - capability net_admin, - capability setgid, - capability setuid, - capability sys_ptrace, - capability sys_resource, - - network netlink raw, # PAM - - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd - - @{bin}/pkexec mr, - - /etc/shells r, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/loginuid r, - - owner /dev/tty@{int} rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1c47490cd..6fba1adfd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -1,18 +1,14 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. - - abi , +# Minimal set of rules for sudo. Interactive sudo need more rules. include include include include include - include capability audit_write, capability dac_override, @@ -24,10 +20,10 @@ network netlink raw, # PAM - unix type=stream addr=@@{udbus}/bus/sudo/system, - - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.logi1.Manager + member=CreateSession + peer=(name=org.freedesktop.login1, label=systemd-logind), dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager 
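Review bot: The interface in the new `dbus send` rule of the sudo abstraction is misspelled: `interface=org.freedesktop.logi1.Manager` should be `interface=org.freedesktop.login1.Manager`, consistent with the `path=/org/freedesktop/login1` and `peer=(name=org.freedesktop.login1, label=systemd-logind)` on the same rule. As written the rule never matches, so the `CreateSession` call it is meant to allow is not covered. The rule also replaces the `#aa:dbus talk` lines for both `org.freedesktop.login1` and `org.freedesktop.home1`; if systemd-homed users are still expected to authenticate through sudo, a corresponding rule for `org.freedesktop.home1` is needed as well.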
@@ -36,6 +32,8 @@ @{bin}/sudo mr, @{lib}/sudo/** mr, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/sudo.conf r, @{etc_ro}/sudoers r, @{etc_ro}/sudoers.d/{,*} r, @@ -43,17 +41,12 @@ / r, /etc/machine-id r, - /var/db/sudo/lectured/ r, - owner /var/lib/sudo/ts/ rw, + owner /var/lib/sudo/ts/ rw, owner /var/lib/sudo/ts/@{uid} rwk, owner /var/log/sudo.log wk, owner @{HOME}/.sudo_as_admin_successful rw, - # yubikey support - @{HOME}/.yubico/ r, - owner @{HOME}/.yubico/challenge-* rw, - @{run}/faillock/ rw, @{run}/faillock/@{user} rwk, owner @{run}/sudo/ rw, @@ -63,6 +56,8 @@ @{PROC}/@{pid}/limits r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/cap_last_cap r, + @{PROC}/sys/kernel/ngroups_max r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index b707add4d..62b4aafdf 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -1,22 +1,16 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , include include - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, - unix bind type=stream addr=@@{udbus}/bus/systemctl/, - unix bind type=stream addr=@@{udbus}/bus/systemctl/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, @{bin}/systemctl mr, - @{att}/@{run}/systemd/private rw, - owner @{run}/systemd/private rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index d659143d6..72fb4c61b 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -1,9 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , ptrace read peer=@{p_systemd}, 
@@ -11,8 +8,7 @@ /etc/udev/udev.conf r, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/** r, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base deleted file mode 100644 index 8741942ff..000000000 --- a/apparmor.d/abstractions/attached/base +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - # Do not use it manually, It automatically replaces the base abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. - - abi , - - include - - @{att}/@{run}/systemd/journal/dev-log w, - @{att}/@{run}/systemd/journal/socket w, - @{att}/@{run}/systemd/journal/stdout rw, - - @{att}/dev/null rw, - - /apparmor/.null rw, - @{att}/apparmor/.null rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles deleted file mode 100644 index f306c2273..000000000 --- a/apparmor.d/abstractions/attached/consoles +++ /dev/null 
@@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - # Do not use it manually, It automatically replaces the consoles abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. - - abi , - - # There are the common ways to refer to consoles - /dev/console rw, - /dev/tty rw, - /dev/tty@{u8} rw, - @{att}/dev/tty rw, - @{att}/dev/tty@{u8} rw, - - # These entries are a bit unfortunate; /dev/tty will always be - # associated with the controlling terminal by the kernel, but if a - # program uses the /dev/pts/ interface, it actually has access to - # -all- xterm, sshd, etc, terminals on the system. - /dev/pts/ r, - owner /dev/pts/@{u16} rw, - @{att}/pts/ r, - owner @{att}/dev/pts/@{u16} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 1ebdf4c76..ca4a8e16c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,13 +5,10 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - abi , - - /usr/share/alsa/{,**} r, + /usr/share/alsa/** r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, - /usr/share/pipewire/jack.conf r, /usr/share/sounds/{,**} r, /etc/alsa/conf.d/{,**} r, @@ -20,8 +17,7 @@ /etc/libao.conf r, /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, - /etc/pipewire/client{,-rt}.conf.d/{,**} r, - /etc/pipewire/jack.conf.d/{,**} r, + /etc/pipewire/client.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, 
@@ -49,7 +45,6 @@ owner @{user_config_dirs}/pipewire/client.conf r, owner @{user_share_dirs}/openal/hrtf/{,**} r, - owner @{user_share_dirs}/sounds/ r, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{run}/user/@{uid}/pipewire-@{int} rw, @@ -57,19 +52,11 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/+sound:card@{int} r, # For sound card - - @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, - /dev/snd/controlC@{int} r, - /dev/snd/pcmC@{int}D@{int}[cp] r, - /dev/snd/timer r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index a7f89b91b..619ba1111 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -3,12 +3,19 @@ # SPDX-License-Identifier: GPL-2.0-only # Provide access to audio devices. It should only be used by audio servers that -# need direct access to them. - - abi , +# need direct access to them. include + /usr/share/alsa/{,**} r, + + /etc/alsa/conf.d/{,**} r, + + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index a4ed65e8c..63819cc1b 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete 
@@ -3,14 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, - @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, - #aa:only abi3 - @{sbin}/unix_chkpwd rPx, + #aa:exclude ubuntu opensuse + @{bin}/unix_chkpwd rPx, #aa:only whonix - @{lib}/security-misc/pam-abort-on-locked-password rPx, - @{lib}/security-misc/pam-info rPx, - @{lib}/security-misc/pam_faillock_not_if_x rPx, + @{lib}/security-misc/pam_faillock_not_if_x rPx, + @{lib}/security-misc/pam-abort-on-locked-password rPx, + @{lib}/security-misc/pam-info rPx, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe deleted file mode 100644 index aac14fa7d..000000000 --- a/apparmor.d/abstractions/avahi-observe +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows domain, record, service, and service type browsing as well as address, -# host and service resolving - - abi , - - include - - include - include - include - include - include - include - include - - @{run}/avahi-daemon/socket rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict deleted file mode 100644 index 22ca5ec5e..000000000 --- a/apparmor.d/abstractions/base-strict +++ /dev/null 
@@ -1,132 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - # Do not use it manually, It automatically replaces the base abstraction in - # profiles when the re-attached mode is enabled. - - # For now, it is only a restructuring of the base abstraction with awareness - # of the apparmor.d architecture. - - abi , - - include - include - include - include - - # Allow us to signal ourselves - signal peer=@{profile_name}, - - # Checking for PID existence is quite common so add it by default for now - signal (receive, send) set=exists, - - #aa:exclude RBAC - # Allow unconfined processes to send us signals by default - signal receive peer=unconfined, - - # Systemd: allow to receive any signal from the systemd profiles stack - signal receive peer=@{p_systemd}, - signal receive peer=@{p_systemd_user}, - - # Htop like programs can send any signal to any process - signal receive peer=btop, - signal receive peer=htop, - signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, - - # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd - signal receive peer=su, - signal receive peer=sudo, - signal receive set=(cont,term,kill,stop) peer=gnome-shell, - signal receive set=(cont,term,kill,stop) peer=login, - signal receive set=(cont,term,kill,stop) peer=openbox, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(cont,term,kill,stop) peer=xinit, - - # Allow other processes to read our /proc entries, futexes, perf tracing and - # kcmp for now (they will need 'read' in the first place). Administrators can - # override with: - # deny ptrace readby ... - ptrace readby, - - # Allow other processes to trace us by default (they will need 'trace' in - # the first place). 
Administrators can override with: - # deny ptrace tracedby ... - ptrace tracedby, - - # Allow us to ptrace read ourselves - ptrace read peer=@{profile_name}, - - # Allow us to create and use abstract and anonymous sockets - unix peer=(label=@{profile_name}), - - # Allow unconfined processes to us via unix sockets - unix receive peer=(label=unconfined), - - # Allow communication to children and stacked profiles - signal peer=@{profile_name}//*, - signal peer=@{profile_name}//&*, - unix type=stream peer=(label=@{profile_name}//*), - - # Allow us to create abstract and anonymous sockets - unix create, - - # Allow us to getattr, getopt, setop and shutdown on unix sockets - unix (getattr, getopt, setopt, shutdown), - - # Allow all programs to use common libraries - @{lib}/** r, - @{lib}/**.so* m, - @{lib}/@{multiarch}/**.so* m, - @{lib}/@{multiarch}/** r, - - # Some applications will display license information - /usr/share/common-licenses/** r, - - # Allow access to the uuidd daemon (this daemon is a thin wrapper around - # time and getrandom()/{,u}random and, when available, runs under an - # unprivilged, dedicated user). - @{run}/uuidd/request r, - - # Transparent hugepage support - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - # Systemd's equivalent of /dev/log - @{run}/systemd/journal/dev-log w, - - # Systemd native journal API (see sd_journal_print(4)) - @{run}/systemd/journal/socket w, - - # Nested containers and anything using systemd-cat need this. 'r' shouldn't - # be required but applications fail without it. journald doesn't leak - # anything when reading so this is ok. 
- @{run}/systemd/journal/stdout rw, - - # Allow determining the highest valid capability of the running kernel - @{PROC}/sys/kernel/cap_last_cap r, - - # Controls how core dump files are named - @{PROC}/sys/kernel/core_pattern r, - - # Sometimes used to determine kernel/user interfaces to use - @{PROC}/sys/kernel/version r, - - # Harmless and frequently used - /dev/null rw, - /dev/random r, - /dev/urandom r, - /dev/zero rw, - - # The __canary_death_handler function writes a time-stamped log - # message to /dev/log for logging by syslogd. So, /dev/log, timezones, - # and localisations of date should be available EVERYWHERE, so - # StackGuard, FormatGuard, etc., alerts can be properly logged. - /dev/log w, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index d89688b70..e9761b843 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -3,25 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Systemd: allow to receive any signal from the systemd profiles stack - signal receive peer=@{p_systemd}, - signal receive peer=@{p_systemd_user}, - # Allow to receive some signals from new well-known profiles - signal receive peer=btop, - signal receive peer=htop, - signal receive peer=pkill, - signal receive peer=sudo, - signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(hup term) peer=login, - signal receive set=(hup) peer=xinit, - signal receive set=(term,kill) peer=gnome-shell, - signal receive set=(term,kill) peer=gnome-system-monitor, - signal receive set=(term,kill) peer=openbox, - signal receive set=(term,kill) peer=su, + signal (receive) peer=btop, + signal (receive) peer=htop, + signal (receive) peer=sudo, + signal (receive) peer=top, + signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, + signal (receive) set=(cont,term) peer=@{p_systemd_user}, + signal (receive) set=(cont,term) peer=@{p_systemd}, + signal (receive) set=(hup) peer=xinit, + signal (receive) set=(term,kill) peer=gnome-shell, + signal (receive) set=(term,kill) peer=gnome-system-monitor, + signal (receive) set=(term,kill) peer=openbox, + signal (receive) set=(term,kill) peer=su, - ptrace readby peer=@{p_systemd_coredump}, + ptrace (readby) peer=systemd-coredump, + + /usr/share/locale/ r, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,6 +28,6 @@ @{PROC}/sys/kernel/core_pattern r, - /apparmor/.null rw, + deny /apparmor/.null rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index cd4a7c8a7..eb4f65230 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict 
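Review bot: `signal (receive) set=(cont,term) peer=@{p_systemd},` narrows what was previously any signal from the systemd stack, yet systemd escalates to SIGKILL after TimeoutStopSec and many units use SIGHUP for reload; whenever @{p_systemd} resolves to a confined systemd profile, those signals will now be denied for every profile that includes base. Consider `set=(cont,term,kill,hup)` or a comment stating why kill/hup are intentionally excluded. Separately, `ptrace (readby) peer=systemd-coredump,` hardcodes the label while the adjacent rules keep the `@{p_systemd}`/`@{p_systemd_user}` variables; if `@{p_systemd_coredump}` still exists, using it keeps the block consistent and preserves whatever indirection the variable provides.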
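Review bot: `deny /apparmor/.null rw,` in the second hunk lands in an abstraction that practically every profile includes, and an explicit deny cannot be overridden by an allow in the including profile. That is a sensible way to quiet the accesses the kernel generates when it hands out /apparmor/.null in place of revoked descriptors, but the rule needs a comment saying so, e.g. `# Revoked fds are redirected to /apparmor/.null; quiet-deny rather than allow`, so nobody later re-adds an allow in a profile and wonders why it has no effect.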
@@ -2,11 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. - abi , - /usr/share/bash-completion/{,**} r, /usr/share/terminfo/{,**} r, @@ -26,7 +24,6 @@ owner @{HOME}/.alias r, owner @{HOME}/.bash_aliases r, - owner @{HOME}/.bash_complete r, owner @{HOME}/.bash_history rw, owner @{HOME}/.bash_profile r, owner @{HOME}/.bashrc r, diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index 70850b2ba..f032f842b 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -2,12 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), + peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-accessibility), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index a1226d8e7..d5ca957e8 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session 
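Review bot: The new `member={RequestName,ReleaseName}` send rule in the bus-accessibility hunk moves the name-ownership calls from the opt-in `bus/accessibility/own` abstraction (deleted later in this same diff) into the abstraction every accessibility-bus client includes; the bus-session and bus-system hunks on the next line do the same for their buses. Real ownership is still gated by a per-profile `dbus bind` rule, so this mostly widens calls to the bus driver, but that is easy to misread, and a comment such as `# Owning a name still requires a dbus bind rule in the including profile` above the rule would make the intent explicit. The deleted `own` abstraction also carried the `GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials` calls; profiles that got those through `aa:dbus own` should be checked to see they still have them.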
@@ -2,14 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + unix (bind, listen) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), - unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - - dbus send bus=session path=/org/freedesktop/{dbus,DBus} + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-session), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index d05c018c7..0148d0711 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + peer=(name=org.freedesktop.DBus, label=dbus-system), - @{run}/dbus/system_bus_socket rw, - @{att}/@{run}/dbus/system_bus_socket rw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label=dbus-system), + + @{run}/dbus/system_bus_socket rw, include if exists 
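Review bot: `unix (bind, listen) type=stream addr="@/tmp/dbus-*",` in the bus-session hunk lets every profile that includes this client abstraction bind and listen on abstract sockets in the namespace the session dbus-daemon uses for its own listener, whereas the removed rule only allowed a per-profile `@{udbus}/bus/@{profile_name}/session` address. Clients need the connect/send/receive rules on the following two lines; bind/listen belongs in the bus daemon's profile, so this rule should be dropped here unless a specific client really listens, in which case name it in a comment. In the bus-system hunk on the same line, `@{att}/@{run}/dbus/system_bus_socket rw,` is removed without replacement; if any including profile uses `attach_disconnected`, confirm the attached path is no longer needed.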
diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y deleted file mode 100644 index 0145fc494..000000000 --- a/apparmor.d/abstractions/bus/accessibility/org.a11y +++ /dev/null 
@@ -1,65 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Allow the accessibility services in the user session to send us any events - - dbus receive bus=accessibility - peer=(label="@{p_at_spi2_registryd}"), - - # Allow querying for capabilities and registering - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member=NotifyListenersSync - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - # org.a11y.atspi is not designed for application isolation and these rules - # can be used to send change events for other processes. 
- - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Event.Object - member=ChildrenChanged - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Accessible - member=Get* - peer=(label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} - interface=org.a11y.atspi.Event.Object - member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/cache - interface=org.a11y.atspi.Cache - member={AddAccessible,RemoveAccessible} - peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own deleted file mode 100644 index d1eab1ce7..000000000 --- a/apparmor.d/abstractions/bus/accessibility/own +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - -# Allow owning a name on DBus public bus - - abi , - - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - - dbus send bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer deleted file mode 100644 index 9bad3655d..000000000 --- a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Change - peer=(name=ca.desrt.dconf), # no peer's labels - - dbus receive bus=session path=/ca/desrt/dconf/Writer/user - interface=ca.desrt.dconf.Writer - member=Notify - peer=(name=@{busname}, label=dconf-service), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 9363bb757..3eceb53ab 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry 
@@ -4,8 +4,6 @@ # Access required for connecting to/communicating with the Unity Launcher - abi , - dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update @@ -14,12 +12,12 @@ dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties} - peer=(name="@{busname}", label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=gnome-shell), + peer=(name=:*, label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index 61ce81111..290a86de8 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -2,12 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - dbus send bus=session path=/com/canonical/unity/launcherentry/** - interface=com.canonical.dbusmenu - member={GetGroupProperties,GetLayout} - peer=(name=@{busname}, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 7989ea4c5..a8e3d52a5 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
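Review bot: After the com.canonical.dbusmenu hunk the abstraction contains only the `include if exists` hook and no rules, while other emptied abstractions in this change (avahi-observe, base-strict) are deleted outright. If the file is kept deliberately as an extension point for its `.d` directory, add a comment such as `# Intentionally empty: dbusmenu rules live in the profiles that need them`; otherwise remove the file and its includers for consistency.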
@@ -2,39 +2,50 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant + dbus send bus=system path=/fi/w1/wpa_supplicant1 + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label=wpa-supplicant), + member={GetAll,Set} + peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=:*, label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface.P2PDevice member=Cancel - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=:*, label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} - peer=(name="@{busname}", label=wpa-supplicant), + peer=(name=:*, label=wpa-supplicant), + + dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=wpa-supplicant), + + dbus 
receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 7e7560992..b4032e033 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -2,9 +2,10 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" + dbus send bus=system path=/net/hadess/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=power-profiles-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index df65417da..55e4f414d 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -2,9 +2,10 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + dbus send bus=system path=/net/hadess/SwitcherooControl + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=switcheroo-control), include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 0241fc889..7e7b21565 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint 
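Review bot: The added `dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged}` rule in the wpa_supplicant1 hunk pairs a method call with a signal: clients call GetAll and receive PropertiesChanged, they never send it. The send rules (this one and the `member={GetAll,Set}` one) should list only the methods, and the two new receive rules on Interfaces/@{int} and BSSs/@{int} only `member=PropertiesChanged`, since a client receiving a GetAll call would be acting as a service. Keeping the member sets honest also makes future denial logs easier to interpret.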
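Review bot: The `#aa:dbus common ...` directive in net.hadess.PowerProfiles is replaced by a single `member=GetAll` send rule, and the net.hadess.SwitcherooControl hunk that follows does the same. If the directive previously expanded to both the property read and the `PropertiesChanged` signal receive, clients that watch for profile or GPU-switch changes lose the receive half; if that signal is still wanted, add `dbus receive bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*, label=power-profiles-daemon),` (and the Switcheroo equivalent).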
@@ -2,14 +2,10 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" - dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label="@{p_fprintd}"), + peer=(name=:*, label=fprintd), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +15,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), + peer=(name=net.reactivated.Fprint, label=fprintd), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y new file mode 100644 index 000000000..5103361c9 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.a11y 
@@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # Accessibility bus + + dbus receive bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=at-spi2-registryd), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + + # Session bus + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=dbus-accessibility), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/org.bluez similarity index 54% rename from apparmor.d/abstractions/bus/system/org.bluez rename to apparmor.d/abstractions/bus/org.bluez index acaa7bb36..7c86817f5 100644 --- a/apparmor.d/abstractions/bus/system/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez 
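Review bot: The last two rules in the new org.a11y file are identical except that the second omits `label=`, so it subsumes the first and the label-restricted `peer=(name=org.a11y.Bus, label=dbus-accessibility)` rule is dead. If the unlabeled form exists because org.a11y.Bus can be owned by something other than dbus-accessibility (an at-spi launcher, or an unconfined process), keep only that rule and add a comment naming the case; otherwise drop it and keep the labeled rule, which is the tighter of the two.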
@@ -2,40 +2,46 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" - dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), + member=InterfacesRemoved + peer=(name="{:*,org.bluez}", label=bluetoothd), + + dbus receive bus=system path=/org/bluez/hci@{int}{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=org.bluez, label=bluetoothd), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=org.bluez, label=bluetoothd), + + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=org.bluez, label=bluetoothd), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label="@{p_bluetoothd}"), + peer=(name=org.bluez, label=bluetoothd), - include if exists + include if exists # vim:syntax=apparmor 
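Review bot: The ObjectManager receive rule on `/` is narrowed from `member={InterfacesAdded,InterfacesRemoved}` to `member=InterfacesRemoved`, so clients of this abstraction may see adapters and devices disappear but not appear. That looks accidental; unless every consumer gets additions from somewhere else (say where in a comment), restore `member={InterfacesAdded,InterfacesRemoved}`. The new `member=Set` send on `/org/bluez/hci@{int}` also lets any including profile change adapter properties such as Powered or Discoverable, which is a broader grant than the rest of the file and deserves a one-line justification.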
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index e77f17b88..10a9e8fc0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -2,29 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers,FindUserById} - peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), + member={FindUserByName,ListCachedUsers} + peer=(name=:*, label=accounts-daemon), + + dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + peer=(name=:*, label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + peer=(name=:*, label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + peer=(name=:*, label=accounts-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 4ddf95af3..8b24700db 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi 
@@ -2,44 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" - dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi), + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,ItemRemove,AllForNow,CacheExhausted} - peer=(name="@{busname}", label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + member={ItemNew,AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager new file mode 100644 index 000000000..3950b77aa --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager 
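Review bot: `member={ItemNew,AllForNow,CacheExhausted}` drops `ItemRemove` from the ServiceBrowser receive rule, and the ServiceResolver `Found`/`Free` and Server `StateChanged` rules are removed, so a client browsing through this abstraction learns about services but not about their removal or resolution and will keep stale entries. Together with the deletion of avahi-observe earlier in this diff this reads as moving resolving into individual profiles; if so, state in the file header that this abstraction covers browsing only, and at minimum keep `ItemRemove` in the set since it is part of the same browse lifecycle as `ItemNew`.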
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=GetDevices + peer=(name=:*, label=colord), + + dbus send bus=system path=/org/freedesktop/ColorManager{,/**} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=colord), + + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=CreateDevice + peer=(name=:*, label=colord), + + dbus receive bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member={DeviceAdded,DeviceRemoved} + peer=(name=:*, label=colord), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index a08c98b26..b4e985b9e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -2,14 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus - dbus send bus=session path=/org/freedesktop/FileManager1 - interface=org.freedesktop.FileManager1 - member=ShowItems - peer=(name=org.freedesktop.FileManager1, label=nautilus), + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=nautilus), + + dbus receive bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 9957c7b67..836e99d94 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 
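Review bot: The FileManager1 hunk replaces the only functional call, `member=ShowItems`, with Properties GetAll/PropertiesChanged rules, so profiles that relied on this abstraction for the "show in file manager" action now need their own rule. If that is intended, the file's header comment should say the abstraction now only covers property introspection of the file manager; otherwise keep `dbus send bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.FileManager1 member=ShowItems peer=(name=org.freedesktop.FileManager1, label=nautilus),` alongside the new rules.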
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -2,28 +2,35 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=geoclue), - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), + peer=(name=org.freedesktop.DBus, label=geoclue), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), - + peer=(name=:*, label=geoclue), + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), + peer=(name=:*, label=geoclue), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label="@{p_geoclue}"), + peer=(name=:*, label=geoclue), + + dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=geoclue), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 4f53ba497..217b588a4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 
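Review bot: The rule added at the top of the GeoClue2 hunk (`dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=geoclue),`) is identical to the existing Manager GetAll rule further down once that rule's peer line is rewritten to `peer=(name=:*, label=geoclue)`, so the file now carries a duplicate. Drop the new copy at the top and keep the original in place.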
@@ -2,19 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" + dbus send bus=system path=/org/freedesktop/ModemManager1 + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=org.freedesktop.ModemManager1, label=ModemManager), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), + peer=(name=:*, label=ModemManager), dbus send bus=system path=/org/freedesktop/ModemManager1 - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="@{busname}", label="@{p_ModemManager}"), + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=ModemManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index a22a235fb..0fa92d3cc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
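Review bot: The two `GetManagedObjects` send rules differ only in the peer name (`org.freedesktop.ModemManager1` in the added rule, `:*` in the modified one); elsewhere in this diff (NetworkManager, UDisks2, login1) the same pair is written as a single rule. Folding them into `peer=(name="{:*,org.freedesktop.ModemManager1}", label=ModemManager)` keeps this file consistent with those abstractions and removes a duplicated four-line rule.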
@@ -2,59 +2,75 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager - dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member={GetManagedObjects,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + member=GetManagedObjects + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={GetDevices,GetPermissions} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + 
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + member=InterfacesAdded + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + + dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=Updated - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus receive bus=system 
path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} - interface=org.freedesktop.NetworkManager.Connection.Active - member=StateChanged - peer=(name=@{busname}, label=NetworkManager), + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications new file mode 100644 index 000000000..90ee1aefc --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gjs-console), + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member={GetCapabilities,GetServerInformation,Notify} + peer=(name=:*, label=gjs-console), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member={GetAll,NotificationClosed,CloseNotification} + peer=(name=:*, label=gjs-console), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.DBus.Properties + member=Notify + peer=(name=org.freedesktop.DBus, label=gjs-console), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index a4f9ba9b9..7cdd9a3ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit 
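Review bot: Three of the four rules in the new Notifications abstraction put Notifications members on the wrong interface: `GetCapabilities`, `GetServerInformation`, `Notify`, `CloseNotification` and the `NotificationClosed` signal belong to `interface=org.freedesktop.Notifications`, not `org.freedesktop.DBus.Properties`, so as written these rules match no real message and every profile including this file will still be denied (or, in complain mode, noisily logged) on the actual calls. Change the interface line of the second, third and fourth rules to `interface=org.freedesktop.Notifications`, and keep `GetAll` in a separate rule on `org.freedesktop.DBus.Properties`. The hard-coded `label=gjs-console` also ties the abstraction to one notification server and deserves a comment saying which server is assumed.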
@@ -2,13 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with PackageKit transactions. Transactions are exported -# with random object paths that currently take the form /@{int}_@{hex8}. - - abi , - - #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=packagekitd), + dbus send bus=system path=/org/freedesktop/PackageKit + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.PackageKit, label=packagekitd), dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -17,15 +19,7 @@ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.PackageKit member=StateHasChanged - peer=(name=org.freedesktop.PackageKit), - - dbus send bus=system path=/@{int}_@{hex8} - interface=org.freedesktop.PackageKit.Transaction - peer=(label=packagekitd), - - dbus receive bus=system path=/@{int}_@{hex8} - interface=org.freedesktop.PackageKit.Transaction - peer=(label=packagekitd), + peer=(name=org.freedesktop.PackageKit, label=packagekitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 2a4e8c1e5..3201e48ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 
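Review bot: The added `Introspect` rule (peer `org.freedesktop.PackageKit, label=packagekitd`) is immediately followed by an existing `Introspect` rule on the same path and interface whose peer line falls outside this hunk; if that peer differs only in name, the two should be one rule with `peer=(name="{:*,org.freedesktop.PackageKit}", label=packagekitd)` as the NetworkManager and UDisks2 abstractions in this diff do. The second hunk removes the transaction-path rules together with the header comment that explained them, leaving the file with no statement of what it covers; a one-line header such as `# Allow querying PackageKit state and properties; transaction objects are not covered.` would document the narrower scope.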
@@ -2,26 +2,34 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Can talk to polkitd's CheckAuthorization API - - abi , - - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label="@{p_polkitd}"), + peer=(name=:*, label=polkitd), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member={CheckAuthorization,CancelCheckAuthorization} - peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1, label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgentWithOptions - peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), + member=CheckAuthorization + peer=(name=:*, label=polkitd), + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=polkitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index f66fdb20a..474c4c625 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 
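Review bot: The new `CheckAuthorization` rule with `peer=(name=org.freedesktop.PolicyKit1)` and no label accepts any process holding the PolicyKit1 name whatever its confinement, which makes the labelled `name=org.freedesktop.PolicyKit1, label=polkitd` rule above it redundant and drops the peer-label check for that call. Unless an unconfined polkitd must be supported (then say so in a comment), drop the unlabelled rule, or fold the three CheckAuthorization rules into one: `peer=(name="{:*,org.freedesktop.PolicyKit1}", label=polkitd)`. The same unlabelled-peer duplication appears in the RealtimeKit1 hunk (`member=MakeThread*` with `peer=(name=org.freedesktop.RealtimeKit1)` beside the labelled copy) and in the new systemd1-session file (`peer=(name=org.freedesktop.systemd1)` beside the `@{p_systemd_user}` rule). The removed header comment was the only description of this file's purpose; `# Can talk to polkitd's CheckAuthorization API` is worth keeping.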
@@ -2,25 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow setting realtime priorities. - - abi , - - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit1), dbus send bus=system path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*, label=rtkit-daemon), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), + member=MakeThread* + peer=(name=:*, label=rtkit-daemon), + + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member=MakeThread* + peer=(name=org.freedesktop.RealtimeKit1), + + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member=MakeThread* + peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..842057a1d --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver 
@@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index c55736c1e..567740a35 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -2,17 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index c97e83d71..79b882e51 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
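Review bot: The `{Inhibit,UnInhibit}` rule in the new ScreenSaver abstraction has no peer label, unlike every other new abstraction in this diff, and nothing says why. If the reason is that the `org.freedesktop.ScreenSaver` name is served by whichever locker or shell the session runs, a comment such as `# No peer label: the ScreenSaver name is owned by the running desktop's locker, which varies.` records that; otherwise add the label of the intended owner.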
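Review bot: Narrowing the peer label from `"{localsearch,tracker-miner}"` to `tracker-miner` in both Tracker3 rules drops the `localsearch` label; if a profile by that name still exists in the tree (the previous rule implies it did), `Ping` and `Query` to an endpoint served under it will now be denied. Either keep the brace list, or add a comment stating that only the tracker-miner profile is supported by this abstraction.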
@@ -2,39 +2,55 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd - dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + + dbus send bus=system path=/org/freedesktop/UDisks2/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Properties member=Get - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + + dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + + dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system 
path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + + dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower new file mode 100644 index 000000000..d8341d33c --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower 
@@ -0,0 +1,46 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=EnumerateDevices
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=org.freedesktop.UPower, label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.DBus.Properties
+ member=GetDisplayDevice
+ peer=(name=org.freedesktop.UPower, label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ dbus receive bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=DeviceAdded
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ dbus receive bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
deleted file mode 100644
index 45e88b103..000000000
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
+++ /dev/null
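Review bot: `GetDisplayDevice` is a method of `interface=org.freedesktop.UPower`, not of `org.freedesktop.DBus.Properties`, so the fourth rule as written never matches the real call; change its interface line to `interface=org.freedesktop.UPower`. The third rule (`{Get,GetAll}` on `/org/freedesktop/UPower{,/**}` with `name=org.freedesktop.UPower, label=upowerd`) is already covered by the second rule's `name="{:*,org.freedesktop.UPower}"`, and the fifth rule's `/org/freedesktop/UPower/devices/*` path is inside the second rule's `{,/**}`, so both can be deleted without changing what is allowed.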
@@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index 0f371f79b..5f951381b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -2,9 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + dbus send bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-desktop-portal), - #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 165e3ae6e..54196d16b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 
@@ -2,13 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=Get + member={Get,GetAll} peer=(name=org.freedesktop.hostname1), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 22886c8a5..6b965a2f5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -2,19 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore member=Lookup - peer=(name="@{busname}", label=xdg-permission-store), - - dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.impl.portal.PermissionStore - member=Lookup - peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + peer=(name=:*, label=xdg-permission-store), include if exists 
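Review bot: In the PermissionStore hunk the removed `Lookup` rule was the one matching calls addressed to the well-known name `org.freedesktop.impl.portal.PermissionStore`; the surviving rule's `peer=(name=:*, ...)` only matches sends addressed to a unique connection name, which is not how most clients address the permission store. Use `peer=(name="{:*,org.freedesktop.impl.portal.PermissionStore}", label=xdg-permission-store)` on both the new `GetAll` rule and the `Lookup` rule, as the NetworkManager and UDisks2 abstractions in this diff do.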
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 similarity index 59% rename from apparmor.d/abstractions/bus/system/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/org.freedesktop.locale1 index e2377a14b..a2865c7c9 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -2,13 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=systemd-localed), dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index ad368ed98..fdceceea4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
@@ -2,24 +2,35 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + peer=(name=org.freedesktop.login1, label=systemd-logind), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index f60c69301..24d5c1452 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -2,24 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label="@{p_systemd_logind}"), + peer=(name=:*, label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*, label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1/seat/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + + dbus receive bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), include if exists 
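Review bot: The new Introspect rule's path `/org/freedesktop/login1{,session/*,seat/*}` is missing the slash before the alternatives: it expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*`, which no logind object path has, so only the bare `/org/freedesktop/login1` matches. Write it as `path=/org/freedesktop/login1{,/session/*,/seat/*}`. The hunk also mixes `name=:*` and `name="{:*,org.freedesktop.login1}"` peers for rules on the same `session/*` path; using the brace form everywhere avoids denying calls addressed to the well-known name.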
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 7583a3e9d..268a21dea 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -2,9 +2,10 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.network1, label=systemd-networkd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4778dd6dc..a2a1a94a0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop 
@@ -2,59 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member=Read - peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), + member={Get,GetAll,Read} + peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name=:*, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name=:*, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name=:*, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.host.portal.Registry - member=Register - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop/** - interface=org.freedesktop.portal.Request - member=Response - peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus 
receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Inhibit - member={StateChanged,CreateMonitor} - peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** - interface=org.freedesktop.impl.portal.Session - member=Close - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name=:*, label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 new file mode 100644 index 000000000..3057282c9 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={SetLink*,ResolveHostname} + peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index e30e7b1c2..01ecf0786 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets 
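Review bot: In the new resolve1 abstraction `member={SetLink*,ResolveHostname}` bundles a lookup call with the whole `SetLink*` family (SetLinkDNS, SetLinkDomains, SetLinkDNSSEC, …), which lets any includer rewrite a link's DNS configuration, and the file has no comment saying which profiles need that; a profile that only resolves names gets the write side for free. Consider splitting `ResolveHostname` into its own rule or abstraction and keeping `SetLink*` for the network-management profiles, with a header comment such as `# SetLink* changes per-link DNS settings; only include this where that is needed.`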
@@ -2,14 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} - peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,ReadAlias} + peer=(name=:*, label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection @@ -19,7 +20,12 @@ dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.Secret.Collection member=ItemCreated - peer=(name="@{busname}", label=gnome-keyring-daemon), + peer=(name=:*, label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets/collection/login + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gnome-keyring-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 167e66d65..49e4b014d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 
@@ -2,18 +2,14 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
- #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
-
 dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
 peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
- dbus send bus=system path=/org/freedesktop/systemd1
+ dbus send bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd1.Manager
- member=ListUnitsByPatterns
+ member={GetUnit,StartUnit,StartTransientUnit}
 peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 dbus send bus=session path=/org/freedesktop/systemd1
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
new file mode 100644
index 000000000..c0e852662
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=org.freedesktop.systemd1),
+
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+
+ dbus send bus=session path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=GetUnit
+ peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
index 8f6118355..883c5c165 100644
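Review bot: The second rule of the org.freedesktop.systemd1 hunk now reads `dbus send bus=session ... member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}")`, a session-bus rule carrying the system manager's label inside the system-bus abstraction. On the session bus the owner of org.freedesktop.systemd1 is the user manager, which the new org.freedesktop.systemd1-session abstraction in this same commit labels `@{p_systemd_user}`, so this looks like either a `bus=system` to `bus=session` slip or a rule that belongs in the -session file with the other label; which one can only be settled against the profiles that include this abstraction, which I cannot see. Independently of the bus, `StartTransientUnit` lets any includer ask the manager to run an arbitrary unit under the manager's own confinement, so a widely included abstraction should carry a why-comment such as `# StartTransientUnit runs caller-supplied units; only for launcher-type profiles` or keep that member out of the shared file. The hunk's last context line `dbus send bus=session path=/org/freedesktop/systemd1` starts a rule that continues outside the hunk.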
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@@ -2,9 +2,21 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
- #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
+ # FIXME: should be under the systemd-timedated label
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.timedate1, label=unconfined),
+
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=systemd-timedated),
 include if exists
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
similarity index 52%
rename from apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1
rename to apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
index f69667e08..9953ee8bf 100644
--- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@@ -2,15 +2,16 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
+ dbus send bus=session path=/org/gnome/ArchiveManager1
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=file-roller),
 dbus send bus=session path=/org/gnome/ArchiveManager1
 interface=org.gnome.ArchiveManager1
 member=GetSupportedTypes
- peer=(name="@{busname}", label="@{p_file_roller}"),
+ peer=(name=:*, label=file-roller),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
new file mode 100644
index 000000000..05945a253
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=system path=/org/gnome/DisplayManager/Manager
+ interface=org.gnome.DisplayManager.Manager
+ member=RegisterDisplay
+ peer=(name=:*, label=gdm),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
index f275850cd..d701792a6 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
@@ -2,24 +2,30 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
-
 dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member={GetResources,GetCrtcGamma}
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
 dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member=GetCurrentState
- peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
+ peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
+
+ dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
 interface=org.gnome.Mutter.DisplayConfig
 member=MonitorsChanged
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
index d1ff350fc..7ada64f05 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
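Review bot: The added Properties rule `dbus send ... member={GetAll,PropertiesChanged} peer=(name=:*, label=gnome-shell)` names a signal on a send rule: PropertiesChanged is emitted by gnome-shell and consumed by the client, and the hunk already adds the matching `dbus receive ... member=PropertiesChanged` rule directly below it. Unless an audit line showed the confined application itself emitting PropertiesChanged on gnome-shell's DisplayConfig path, the send rule should read `member=GetAll`. If the member list was copied from a log entry, check that entry's direction before keeping the signal name on the send side.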
@@ -2,24 +2,20 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
-
 dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
 dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
 interface=org.gnome.Mutter.IdleMonitor
- member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
- peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
+ member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
+ peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
 interface=org.gnome.Mutter.IdleMonitor
 member=WatchFired
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
new file mode 100644
index 000000000..e547ab2c5
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=nautilus),
+
+ dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=nautilus),
+
+ dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=nautilus),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
new file mode 100644
index 000000000..3e228ad1f
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gnome/ScreenSaver
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gjs-console),
+
+ dbus send bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member=GetActive
+ peer=(name=:*, label=gjs-console),
+
+ dbus receive bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member={ActiveChanged,WakeUpScreen}
+ peer=(name=:*, label=gjs-console),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager
new file mode 100644
index 000000000..4197fb4cf
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# FIXME: Too large, restrict it.
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={RegisterClient,IsSessionRunning}
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={Setenv,IsSessionRunning}
+ peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
+ dbus receive bus=session path=/org/gnome/SessionManager
+ interface=org.gnome.SessionManager
+ member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus receive bus=session path=/org/gnome/SessionManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member=EndSessionResponse
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.gnome.SessionManager.ClientPrivate
+ member={CancelEndSession,QueryEndSession,EndSession,Stop}
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus receive bus=session path=/org/gnome/SessionManager/Presence
+ interface=org.gnome.SessionManager.Presence
+ member=StatusChanged
+ peer=(name=:*, label=gnome-session-binary),
+
+ dbus send bus=session path=/org/gnome/SessionManager
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
index b53acf610..72e4525bc 100644
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
@@ -2,19 +2,30 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
+ dbus send bus=session path=/org/gnome/Shell/Introspect
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gnome-shell),
- #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell
+ dbus send bus=session path=/org/gnome/Shell/Introspect
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
 dbus send bus=session path=/org/gnome/Shell/Introspect
 interface=org.gnome.Shell.Introspect
 member=GetRunningApplications
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
 dbus receive bus=session path=/org/gnome/Shell/Introspect
 interface=org.gnome.Shell.Introspect
 member={RunningApplicationsChanged,WindowsChanged}
- peer=(name="@{busname}", label=gnome-shell),
+ peer=(name=:*, label=gnome-shell),
+
+ dbus receive bus=session path=/org/gnome/Shell/Introspect
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=gnome-shell),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
deleted file mode 100644
index ae8b68448..000000000
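Review bot: `member={Setenv,IsSessionRunning}` with `peer=(name=org.gnome.SessionManager, label=gnome-session-binary)` hands Setenv to every profile that includes this abstraction; gnome-session's Setenv is, as far as I know, propagated into the environment of processes the session launches afterwards, so an application confined by one of these profiles could push variables such as LD_PRELOAD or PATH into unconfined ones. Only a few session helpers need Setenv, and the file's own `# FIXME: Too large, restrict it.` suggests this was already felt. I would keep `member=IsSessionRunning` in this rule and move `member=Setenv` into the profiles of the helpers that use it, with the comment `# Setenv writes into the session environment inherited by later-launched processes` wherever it ends up. The propagation claim comes from gnome-session's behaviour rather than from these lines, so confirm it before relying on it.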
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
-
- dbus receive bus=session path=/org/gnome/Characters/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
- peer=(name=@{busname}, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Characters/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- member=*Cancel
- peer=(name=@{busname}, label=gnome-shell),
-
- include if exists
-
-# vim:syntax=apparmor
-
diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
deleted file mode 100644
index 0816b046f..000000000
--- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow accessing the GNOME crypto services prompt APIs as used by
-# applications using libgcr (such as pinentry-gnome3) for secure pin
-# entry to unlock GPG keys etc. See:
-# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
-# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
-# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
-
- abi ,
-
- unix type=stream peer=(label=gnome-keyring-daemon),
-
- dbus send bus=session path=/org/gnome/keyring/Prompter
- interface=org.gnome.keyring.internal.Prompter
- member={BeginPrompting,PerformPrompt,StopPrompting}
- peer=(name=@{busname}, label=pinentry-*),
-
- dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
- interface=org.gnome.keyring.internal.Prompter.Callback
- member={PromptReady,PromptDone}
- peer=(name=@{busname}, label=pinentry-*),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
similarity index 72%
rename from apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor
rename to apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
index b8160dcb2..73d958513 100644
--- a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor
+++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
@@ -2,23 +2,21 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
 dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
- peer=(name="@{busname}", label=gvfs-*-volume-monitor),
+ peer=(name=:*, label=gvfs-*-volume-monitor),
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved}
- peer=(name="@{busname}", label=gvfs-*-volume-monitor),
+ peer=(name=:*, label=gvfs-*-volume-monitor),
 dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor
 interface=org.gtk.Private.RemoteVolumeMonitor
 member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
- peer=(name="@{busname}", label=gvfs-*-volume-monitor),
+ peer=(name=:*, label=gvfs-*-volume-monitor),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
new file mode 100644
index 000000000..35cd640d6
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member={GetConnection,ListMonitorImplementations,ListMountableInfo}
+ peer=(name=:*, label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
new file mode 100644
index 000000000..33d3c1c36
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=:*, label=gvfsd-metadata),
+
+ dbus receive bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member=AttributeChanged
+ peer=(name=:*, label=gvfsd-metadata),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
similarity index 53%
rename from apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
rename to apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
index 107c3dc13..4d59f0afc 100644
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
@@ -2,30 +2,21 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# The mount tracking interface.
-
- abi ,
-
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
- member=LookupMount
- peer=(name="@{busname}", label=gvfsd),
+ member=ListMountableInfo
+ peer=(name=:*, label=gvfsd),
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
 member=ListMounts2
- peer=(name="@{busname}", label=gvfsd),
-
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name="@{busname}", label=gvfsd),
+ peer=(name=:*, label=gvfsd),
 dbus receive bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
- member={Mounted,Unmounted}
- peer=(name="@{busname}", label=gvfsd),
+ member=Mounted
+ peer=(name=:*, label=gvfsd),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
new file mode 100644
index 000000000..4fca40e84
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@@ -0,0 +1,8 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
index 90a78d2ed..67ac1fb6d 100644
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
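Review bot: The new org.kde.StatusNotifierItem abstraction contains no rules at all, only the header, two blank lines and the `include if exists` drop-in line, so including it has no effect. The StatusNotifierWatcher rewrite in this same commit removes the `dbus receive ... path=/StatusNotifierItem` and dbusmenu rules an application needs once it has registered an item, and those look like the rules that were meant to land here. Either add them or leave this file out until it has content, and give it a one-line purpose comment such as `# Allow an application to expose its own StatusNotifierItem and menu to the tray` so the split between the Item and Watcher abstractions is clear.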
@@ -2,52 +2,20 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Allow to display Status Notifier Items in the KDE Plasma systray
-
- abi ,
-
- #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
-
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.freedesktop.DBus.Properties
 member=Get
- peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(label="@{pp_app_indicator}"),
-
-
- dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
- interface=com.canonical.dbusmenu
- member={LayoutUpdated,ItemsPropertiesUpdated}
- peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
- interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
- member={Get*,AboutTo*,Event*}
- peer=(label="@{pp_app_indicator}"),
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.kde.StatusNotifierWatcher
 member=RegisterStatusNotifierItem
- peer=(label="@{pp_app_indicator}"),
+ peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member={ProvideXdgActivationToken,Activate}
- peer=(label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/MenuBar
- interface=com.canonical.dbusmenu
- member={AboutToShow,GetLayout,Event}
- peer=(label="@{pp_app_indicator}"),
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
 include if exists
diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/bus/org.kde.kwalletd
similarity index 59%
rename from apparmor.d/abstractions/glfw
rename to apparmor.d/abstractions/bus/org.kde.kwalletd
index 5dbda197d..c0d2ecba2 100644
--- a/apparmor.d/abstractions/glfw
+++ b/apparmor.d/abstractions/bus/org.kde.kwalletd
@@ -2,10 +2,6 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
- abi ,
-
- owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw,
-
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher
deleted file mode 100644
index ca2bf92c8..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal xdg-open
-
- abi ,
-
- dbus send bus=session path=/
- interface=com.canonical.SafeLauncher
- member=OpenURL
- peer=(name=@{busname}, label=snap),
-
- dbus send bus=session path=/io/snapcraft/Launcher
- interface=io.snapcraft.Launcher
- member={OpenURL,OpenFile}
- peer=(name=@{busname}, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
deleted file mode 100644
index 704d9010d..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
+++ /dev/null
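Review bot: After this hunk the StatusNotifierWatcher abstraction only covers the client-to-watcher direction (`Get`, `RegisterStatusNotifierItem` and `Introspect` towards gnome-shell); the removed `dbus receive` rules for `/StatusNotifierItem`, `/StatusNotifierItem/menu` and `/MenuBar` are what allowed the watcher's GetAll, Activate and dbusmenu calls to reach the confined application once it had registered, and nothing in this commit re-adds them (the new org.kde.StatusNotifierItem file is empty). Unless the including profiles carry those receive rules themselves, a tray icon will register and then be denied when gnome-shell queries it. The old rules also matched `@{pp_app_indicator}`, i.e. watchers other than gnome-shell; narrowing to `label=gnome-shell` is a behaviour change that should be stated at the top of the file, e.g. `# Only the GNOME Shell appindicator watcher is covered; KDE Plasma and ayatana are not`. The hunk ends on `include if exists`; the file continues past it.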
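Review bot: Git reports this hunk as a rename of abstractions/glfw to bus/org.kde.kwalletd, but it deletes the only rule glfw had (`owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw,`) and adds nothing, so the effect is that abstractions/glfw disappears and a kwalletd abstraction with no rules appears. Any profile that still has `include <abstractions/glfw>` will fail to parse once this lands, so grep for that include before merging, and if glfw is meant to go away the removal deserves its own commit rather than a 59%-similarity rename. If the kwalletd rules are still to come, a placeholder such as `# TODO: org.kde.kwalletd D-Bus rules not yet written` in the new file would make the empty abstraction visibly deliberate.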
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Can identify and launch other snaps.
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
- interface=io.snapcraft.PrivilegedDesktopLauncher
- member=OpenDesktopEntry
- peer=(name=io.snapcraft.Launcher, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
deleted file mode 100644
index c50753cd6..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal 'xdg-settings'
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/Settings
- interface=io.snapcraft.Settings
- member={Check,CheckSub,Get,GetSub,Set,SetSub}
- peer=(name=io.snapcraft.Settings, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y
deleted file mode 100644
index 8f517fe99..000000000
--- a/apparmor.d/abstractions/bus/session/org.a11y
+++ /dev/null
@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(name=org.a11y.Bus),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal
deleted file mode 100644
index e7c0f9cef..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal
+++ /dev/null
@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow access to the IBus portal
-
- abi ,
-
- dbus send bus=session path=/org/freedesktop/IBus
- interface=org.freedesktop.IBus.Portal
- member=CreateInputContext
- peer=(name=org.freedesktop.portal.IBus),
-
- dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
- interface=org.freedesktop.IBus.InputContext
- peer=(label=ibus-daemon),
-
- dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
- interface=org.freedesktop.IBus.InputContext
- peer=(label=ibus-daemon),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
deleted file mode 100644
index b51c4bdcb..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
-
- dbus send bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- dbus receive bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={ActionInvoked,NotificationClosed,NotificationReplied}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
deleted file mode 100644
index ee837b886..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
+++ /dev/null
@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow checking status, activating and locking the screensaver
-
- abi ,
-
- dbus send bus=session path=/ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={Inhibit,UnInhibit}
- peer=(name=org.freedesktop.ScreenSaver),
-
- dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={GetActive,GetActiveTime,Lock,SetActive}
- peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
-
- dbus receive bus=session path=/org/freedesktop/ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={ActiveChanged,WakeUpScreen}
- peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
deleted file mode 100644
index 8ded1b6d7..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
+++ /dev/null
@@ -1,49 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2017 Canonical Ltd
-# Copyright (C) 2021-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Provide full access to the secret-service API:
-# - https://standards.freedesktop.org/secret-service/)
-#
-# The secret-service allows managing (add/delete/lock/etc) collections and
-# (add/delete/etc) items within collections. The API also has the concept of
-# aliases for collections which is typically used to access the default
-# collection. While it would be possible for an application developer to use a
-# snap-specific collection and mediate by object path, application developers
-# are meant to instead to treat collections (typically the default collection)
-# as a database of key/value attributes each with an associated secret that
-# applications may query. Because AppArmor does not mediate member data,
-# typical and recommended usage of the API does not allow for application
-# isolation. For details, see:
-# - https://standards.freedesktop.org/secret-service/ch03.html
-#
-
- abi ,
-
- #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
-
- dbus send bus=session path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
- peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
-
- dbus receive bus=session path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
- peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
-
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gnome-keyring-daemon),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member=ReadAlias
- peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member=SearchItems
- peer=(name=@{busname}, label=gnome-keyring-daemon),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
deleted file mode 100644
index 01cf21c46..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
+++ /dev/null
@@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=Read
- peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=ReadAll
- peer=(name=@{busname}, label=xdg-desktop-portal),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
deleted file mode 100644
index 0c8185be6..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1
+++ /dev/null
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 deleted file mode 100644 index 8a3e7d74e..000000000 --- a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 +++ /dev/null @@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver deleted file mode 100644 index 27c456637..000000000 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow checking status, activating and locking the screensaver (GNOME version) - - abi , - - dbus send bus=session path=/{,org/gnome/}ScreenSaver - interface=org.gnome.ScreenSaver - member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name=@{busname}, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager deleted file mode 100644 index 4c641776b..000000000 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ /dev/null 
@@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={Inhibit,Uninhibit} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus send bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), - - dbus receive bus=session path=/org/gnome/SessionManager - interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member=EndSessionResponse - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} - interface=org.gnome.SessionManager.ClientPrivate - member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus receive bus=session path=/org/gnome/SessionManager/Presence - interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys deleted file mode 100644 index 93d830828..000000000 --- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow requesting interest in receiving media key events. This tells Gnome -# settings that our application should be notified when key events we are -# interested in are pressed, and allows us to receive those events. - - abi , - - # DBus.Properties: read all properties from the interface - dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - - dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys - interface=org.gnome.SettingsDaemon.MediaKeys - peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions deleted file mode 100644 index 899f244a8..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Actions +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState}, - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus deleted file mode 100644 index b21c08067..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Menus +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session - interface=org.gtk.Menus - member={Start,End} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Menus - member=Changed, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler deleted file mode 100644 index 3fce0d719..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/MountOperationHandler - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications deleted file mode 100644 index 151c642a8..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell - - dbus send bus=session path=/org/gtk/Notifications - interface=org.gtk.Notifications - member={AddNotification,RemoveNotification} - peer=(name=org.gtk.Notifications, label=gnome-shell), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings deleted file mode 100644 index 9d2dd282a..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.Settings +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon deleted file mode 100644 index edf954ac5..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Each daemon (main and for mounts) implement this. - - abi , - - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name=@{busname}, label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata deleted file mode 100644 index 9f1a77daf..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gvfsd-metadata), - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={Set,Move,GetTreeFromDevice,Remove} - peer=(name=@{busname}, label=gvfsd-metadata), - - dbus receive bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=AttributeChanged - peer=(name=@{busname}, label=gvfsd-metadata), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation deleted file mode 100644 index 54dfc837f..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskPassword,AskQuestion} - peer=(name=@{busname}, label=gvfsd-*), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable deleted file mode 100644 index 603ef709b..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable +++ /dev/null 
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner deleted file mode 100644 index 7090afe24..000000000 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem deleted file mode 100644 index d017d44e3..000000000 --- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - - dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, - - dbus send bus=session path=/StatusNotifierWatcher - interface=org.kde.StatusNotifierWatcher - member=RegisterStatusNotifierItem - peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), - - dbus send bus=session path=/StatusNotifierItem - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - - dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} - interface=org.kde.StatusNotifierItem - member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} - peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd deleted file mode 100644 index 0afce1cdf..000000000 --- a/apparmor.d/abstractions/bus/session/org.kde.kwalletd +++ /dev/null @@ -1,9 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player deleted file mode 100644 index b2b934074..000000000 --- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player +++ /dev/null 
@@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # DBus.Properties: read all properties from the interface - dbus send bus=system path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=@{busname}), - - # DBus.Properties: receive property changed events - dbus receive bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}), - - # DBus.Introspectable: allow clients to introspect the service - dbus send bus=system path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}), - - dbus receive bus=session path=/org/mpris/MediaPlayer2 - interface=org.mpris.MediaPlayer2.Player - member={Seeked,Next,PlayPause} - peer=(name=@{busname}), - - # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.mpris.MediaPlayer2.Player - member=Seeked - peer=(name=org.freedesktop.DBus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own deleted file mode 100644 index d975ebb48..000000000 --- a/apparmor.d/abstractions/bus/session/own +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - -# Allow owning a name on DBus public bus - - abi , - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver deleted file mode 100644 index f6a1a251c..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Address resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=AddressResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser deleted file mode 100644 index 39f5e4496..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Domain browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=DomainBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver deleted file mode 100644 index 403a4db0f..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Hostname resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=HostNameResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/HostNameResolver@{int} - interface=org.freedesktop.Avahi.HostNameResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} - interface=org.freedesktop.Avahi.HostNameResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser deleted file mode 100644 index bff079b13..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Record browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server deleted file mode 100644 index bfc87b3cc..000000000 
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow service introspection - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - # Allow accessing DBus properties and resolving - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={Get*,Resolve*,IsNSSSupportAvailable} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow receiving anything from the Avahi server - dbus receive bus=system - interface=org.freedesktop.Avahi.Server - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser deleted file mode 100644 index 6a3b1510d..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver deleted file mode 100644 index d90e9ca14..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser deleted file mode 100644 index 93affdc51..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service type browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceTypeBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager deleted file mode 100644 index 4b5dcc746..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow for color managed applications to communicate with colord - - abi , - - #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=GetDevices - peer=(name="@{busname}", label="@{p_colord}"), - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={CreateProfile,CreateDevice,DeleteDevice} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - dbus receive bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - dbus (receive, send) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={FindDeviceByProperty,FindDeviceById} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower deleted file mode 100644 index aa6a61371..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Can query UPower for power devices, history and statistics. - - abi , - - #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" - - # Find all devices monitored by UPower - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member={GetDisplayDevice,GetCriticalAction} - peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), - - dbus send bus=system path=/org/freedesktop/UPower/devices/** - interface=org.freedesktop.UPower.Device - member={GetHistory,Refresh} - peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), - - dbus receive bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager deleted file mode 100644 index 4833b1512..000000000 --- a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm - - dbus send bus=system path=/org/gnome/DisplayManager/Manager - interface=org.gnome.DisplayManager.Manager - member=RegisterDisplay - peer=(name="@{busname}", label=gdm), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own deleted file mode 100644 index 2b1130b32..000000000 --- a/apparmor.d/abstractions/bus/system/own +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - -# Allow owning a name on DBus public bus - - abi , - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera deleted file mode 100644 index 0f5cff363..000000000 --- a/apparmor.d/abstractions/camera +++ /dev/null 
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to all cameras - - abi , - - # Allow detection of cameras. Leaks plugged in USB device info - @{sys}/bus/usb/devices/ r, - @{sys}/devices/@{pci}/usb@{int}/**/busnum r, - @{sys}/devices/@{pci}/usb@{int}/**/devnum r, - @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, - @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, - @{sys}/devices/@{pci}/usb@{int}/**/interface r, - @{sys}/devices/@{pci}/usb@{int}/**/modalias r, - @{sys}/devices/@{pci}/usb@{int}/**/speed r, - - @{sys}/class/video4linux/ r, - @{sys}/devices/**/video4linux/** r, - @{sys}/devices/**/video4linux/video@{int}/ r, - @{sys}/devices/**/video4linux/video@{int}/uevent r, - - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux - - # VideoCore cameras (shared device with VideoCore/EGL) - /dev/vchiq rw, - - # Access to video /dev devices - /dev/video@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 28badc6db..e44d8509c 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,7 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. 
@@ -10,44 +9,41 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. - abi , - include - include + include include include - include + include include include include - include include include include - include + include include include - include include - include include - include - include - include - include include + include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/** rk, + /usr/cache/** r, + /usr/local/** r, /usr/share/** rk, /etc/{,**} r, + / r, /.* r, + /*/ r, + @{bin}/ r, @{lib}/ r, + /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, @@ -58,20 +54,17 @@ @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rwl, - owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwmlk -> @{HOME}/**, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide - owner @{user_games_dirs}/** rmix, + owner @{HOME}/{,**} rwlk, + owner @{run}/user/@{uid}/{,**} rw, + owner @{user_config_dirs}/** rwkl, + owner @{user_share_dirs}/** rwkl, + owner @{user_games_dirs}/{,**} rm, - #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, @@ -80,12 +73,8 @@ @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, - @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, - @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, - @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, 
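Review bot: The added rule `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` in the @@ -58,20 hunk has a typo in the path: the daemon's runtime directory is `avahi-daemon`, so the rule as written never matches the socket its comment says it allows and the access will presumably still be denied at runtime. Change it to `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. In the same file's @@ -10,44 hunk, `/usr/cache/** r,` names a directory that does not exist on a standard FHS layout; if `/var/cache/` was meant, fix the path, otherwise a short comment saying what populates `/usr/cache` would stop the next reader from "correcting" it.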
@@ -95,19 +84,16 @@ @{PROC}/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm rk, + @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, - @{PROC}/cmdline r, @{PROC}/driver/** r, @{PROC}/locks r, @{PROC}/pressure/cpu r, @@ -118,8 +104,6 @@ @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/net/core/bpf_jit_enable r, - @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -130,27 +114,20 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, - owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - @{att}/dev/dri/card@{int} rw, - @{att}/dev/dri/renderD128 rw, - @{att}/dev/dri/renderD129 rw, - owner @{att}/dev/shm/@{uuid} r, - + /dev/hidraw@{int} rw, + /dev/input/ r, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, - /dev/udmabuf rw, include if exists diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/common/apt similarity index 71% rename from apparmor.d/abstractions/apt rename to apparmor.d/abstractions/common/apt index 25106ad6e..77c5a0b7e 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/common/apt 
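Review bot: `/dev/hidraw@{int} rw,` in the @@ -130,27 hunk gives every application that includes this common bwrap abstraction raw read/write access to all HID devices (keyboards, security keys and the like), and nothing on the new side says which application needs it. Raw HID is not something a generic sandboxed application requires, so it belongs in the specific profile that uses it; if it has to stay here, annotate it, e.g. `/dev/hidraw@{int} rw, # TODO: move to the profiles that actually need raw HID access`. The `/dev/input/ r,` on the next line is directory listing only and is unproblematic.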
@@ -3,12 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - /usr/share/dpkg/cputable r, - /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, @@ -20,9 +16,6 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, - /etc/apt/trusted.gpg r, - /etc/apt/trusted.gpg.d/{,*} r, - /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -30,14 +23,11 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu + /var/lib/ubuntu-advantage/apt-esm/{,**} r, owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 2d3ab179f..a73626bb1 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,16 +1,13 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: att -# A minimal set of rules for sandboxed programs using bwrap. +# A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' - abi , - - userns, + # userns, capability net_admin, capability setpcap, 
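Review bot: `# userns,` in the bwrap hunk @@ -1,16 comments the rule out without saying why, and the same commented-out rule appears in common/chromium (hunk @@ -2,29) and common/electron (hunk @@ -1,35). A reader cannot tell whether user-namespace creation is meant to be refused or whether the rule was disabled for parser compatibility; the workflow change in this commit also drops the ubuntu-24.04 runner, which hints at the latter, but that is inference. Record the reason once per file, e.g. `# userns, # disabled: not accepted by the parser on the targeted release; re-enable once it is`. On hosts where unprivileged user namespaces are mediated by AppArmor, the absent rule can surface as bwrap denials, and the comment is what lets the next person restore it safely.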
@@ -39,27 +36,21 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, + owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, - @{att}/ r, - @{att}/@{run}/.userns r, - @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, - @{PROC}/sys/user/max_user_namespaces r, - @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/sys/user/max_user_namespaces rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - - @{att}/@{PROC}/sys/user/max_user_namespaces rw, - owner @{att}/@{PROC}/@{pid}/cgroup r, - owner @{att}/@{PROC}/@{pid}/fd/ r, - owner @{att}/@{PROC}/@{pid}/gid_map rw, - owner @{att}/@{PROC}/@{pid}/mountinfo r, - owner @{att}/@{PROC}/@{pid}/setgroups rw, - owner @{att}/@{PROC}/@{pid}/uid_map rw, + owner @{PROC}/@{pid}/gid_map rw, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/setgroups rw, + owner @{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23f4544a3..2e98c515a 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
@@ -2,29 +2,15 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/app/chromium instead. +# need to use abstractions/chromium instead. -# It works as a *function* and requires a variable to be provided as *arguments* -# and set in the header of the calling profile. Example: -# -# @{domain} = org.chromium.Chromium -# + # userns, - abi , - - userns, - - # Required for dropping into PID namespace. Keep in mind that until the - # process drops this capability it can escape confinement, but once it - # drops CAP_SYS_ADMIN we are ok. - capability sys_admin, - - # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 + capability sys_admin, capability sys_chroot, capability sys_ptrace, 
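Review bot: `capability sys_admin,` in the chromium hunk @@ -2,29 now sits unexplained between the two `# If kernel.unprivileged_userns_clone = 1` lines; it is the most powerful grant in this abstraction and the new side carries no comment on why a browser sandbox needs it, whereas the old side explained it with the PID-namespace note. Add a why-comment, e.g. `capability sys_admin, # Required to enter the sandbox PID namespace; the process drops it afterwards` — wording to be confirmed against the sandbox setup. The same uncommented `capability sys_admin,` is added to common/electron in its @@ -1,35 hunk and needs the same treatment.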
@@ -34,26 +20,19 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, - owner @{tmp}/scoped_dir@{rand6}/SS rw, + /tmp/ r, + /var/tmp/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/scoped_dir*/ rw, + owner @{tmp}/scoped_dir*/SingletonCookie w, + owner @{tmp}/scoped_dir*/SingletonSocket w, + owner @{tmp}/scoped_dir*/SS w, /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - # Allow getting the manufacturer and model of the computer where chromium is currently running. - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf deleted file mode 100644 index 1d9a6d145..000000000 --- a/apparmor.d/abstractions/common/debconf +++ /dev/null 
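Review bot: `owner @{tmp}/scoped_dir*/ rw,` and the three `scoped_dir*/...` rules in hunk @@ -34,26 use a bare `*` where the rest of this file, and the matching `owner @{tmp}/scoped_dir@{rand6}/...` rules added to common/electron (hunk @@ -48,31), use `@{rand6}`. The wider glob also matches any `scoped_dir`-prefixed directory the owner can create, so the two abstractions now grant different things for the same Chromium behaviour. Pick one form; `@{rand6}` is the narrower and is what electron uses, e.g. `owner @{tmp}/scoped_dir@{rand6}/ rw,`. The electron hunk has the mirror-image inconsistency in `owner @{user_share_dirs}/.org.chromium.Chromium.* rw,`, where this file uses `@{rand6}`.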
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , - - include - include - include - - @{sh_path} rix, - @{bin}/locale ix, - @{bin}/whiptail Px, - - /usr/share/debconf/frontend rix, - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - - /var/ r, - /var/cache/ r, - /var/cache/debconf/ r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index dd4976f5e..732129c26 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron 
@@ -1,35 +1,31 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs -# Minimal set of rules for all electron based UI application. It works as a -# *function* and requires some variables to be provided as *arguments* and set +# Minimal set of rules for all electron based UI application. It works as a +# *function* and requires some variables to be provided as *arguments* and set # in the header of the calling profile. Example: # # @{name} = spotify -# @{domain} = org.chromium.chromium -# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ +# @{lib_dirs} = /opt/@{name} # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # - abi , - - include - include include include - include include include include - @{bin}/electron rix, + # userns, + + capability setgid, # If kernel.unprivileged_userns_clone = 1 + capability setuid, # If kernel.unprivileged_userns_clone = 1 + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, 
@@ -48,31 +44,47 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{user_config_dirs}/electron-flags.conf r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, + + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner 
@{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - - deny @{user_share_dirs}/gvfs-metadata/* r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 include if exists diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game deleted file mode 100644 index 2198c8537..000000000 --- a/apparmor.d/abstractions/common/game +++ /dev/null 
@@ -1,113 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Core set of resources for any games on Linux. Runtimes such as sandboxing, -# wine, proton, game launchers should use this abstraction. - -# This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories -# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) - - abi , - - include - include - include - include - include - include - include - include - include - - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, - - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, - - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/** rwlk, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/AsyncGPUReadbackPlugin_*.log w, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/tmp@{rand6}.tmp rw, - owner @{tmp}/tmp@{rand6}@{h}.tmp rw, - owner @{tmp}/tmp@{rand8}.tmp rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - 
@{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/tty rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 6dcb26860..c93f9bc05 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome 
@@ -4,35 +4,25 @@ # Minimal set of rules for all gnome based UI application. - abi , - include - include include include include + @{open_path} rPx -> child-open-help, + /usr/share/@{profile_name}/{,**} r, - / r, - owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, + owner @{user_cache_dirs}/@{profile_name}/** rwlk, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, + owner @{user_config_dirs}/@{profile_name}/** rwlk, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{user_share_dirs}/@{profile_name}/** rwlk, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 851588220..9c1df7d51 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game 
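Review bot: In the gnome hunk the three `rwlk -> <same dir>/**` rules lost their link-target qualifier and became plain `rwlk`, e.g. `owner @{user_cache_dirs}/@{profile_name}/** rwlk,`. The `-> target` form is what confined hard links created at these paths to the application's own directory; an unqualified `l` is only bounded by the subset test against whatever else the including profile allows, so this is a widening rather than a cleanup. If that is intended, say so in a one-line comment, otherwise restore the qualifier on the three rules. The added `@{open_path} rPx -> child-open-help,` also changes what every profile including this abstraction may execute and is worth a comment naming why it lives here rather than in the individual profiles.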
@@ -1,21 +1,46 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: app_dirs -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: share_dirs - abi , + include + include + include + include + include + include + include - include + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + @{bin}/env r, + + @{app_dirs}/ r, @{lib_dirs}/ r, + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{app_dirs}/ r, - owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{share_dirs}/ r, owner @{share_dirs}/* r, 
@@ -26,9 +51,23 @@ owner @{share_dirs}/logs/* rwk, owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw, owner @{share_dirs}/steamapps/ r, - owner @{share_dirs}/steamapps/appmanifest_* rw, + owner @{share_dirs}/steamapps/common/ r, + owner @{share_dirs}/steamapps/common/[^S]*/** rwlk, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
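Review bot: `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,` in hunk @@ -26,9 encodes an exclusion with a character class and no explanation; the old side carried `# No access to "SteamLinuxRuntime_sniper"` for the same idiom, and the new rule needs it too because `[^S]` also excludes any game directory that happens to start with a capital S. Suggest `owner @{share_dirs}/steamapps/common/[^S]*/** rwlk, # Excludes SteamLinuxRuntime_* (and any other dir starting with S)`. In this file's first hunk (@@ -1,21), `owner @{user_games_dirs}/*/ r,` is fully covered by the following `owner @{user_games_dirs}/*/{,**} rwkl,` and can be dropped.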
@@ -36,6 +75,53 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index f4a10076e..0ed3a824b 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
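Review bot: `/dev/uinput rw,` in hunk @@ -36,6 lets any program confined with this abstraction create virtual input devices and inject keyboard or mouse events into the whole session, and `/dev/input/event@{int} rw,` together with `/dev/hidraw@{int} rw,` gives raw read/write on every input and HID device. For a shared abstraction that every Steam game inherits that is a large grant; if it exists for controller emulation it belongs in the launcher profile that performs it, or at minimum needs a comment naming the consumer, e.g. `/dev/uinput rw, # TODO: confirm which component needs virtual input devices; move there if it is not the game itself`. If games only read controllers, `r` on `/dev/input/event@{int}` is enough, with `w` presumably only needed for force feedback.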
@@ -3,12 +3,9 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete deleted file mode 100644 index b8b7ad90f..000000000 --- a/apparmor.d/abstractions/consoles.d/complete +++ /dev/null @@ -1,8 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - # There are the common ways to refer to consoles - /dev/tty@{u8} rw, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index 8fb84d261..a163af66d 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,15 +4,7 @@ include - # FIPS-140-2 versions of some crypto libraries need to access their - # associated integrity verification file, or they will abort. - @{lib}/.lib*.so*.hmac r, - @{lib}/@{multiarch}/.lib*.so*.hmac r, - @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, - # Used to determine if Linux is running in FIPS mode - @{PROC}/sys/crypto/fips_enabled r, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete deleted file mode 100644 index f71f7d869..000000000 --- a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete deleted file mode 100644 index 8d82bd277..000000000 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete deleted file mode 100644 index d35c7822a..000000000 --- a/apparmor.d/abstractions/dbus-strict.d/complete +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - @{run}/dbus/system_bus_socket rw, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 72a943527..f25e1c3e6 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write 
@@ -5,15 +5,24 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. - abi , + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels - include - include + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=:*, label=dconf-service), - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile + /usr/share/dconf/profile/gdm r, - owner @{run}/user/@{uid}/dconf/ w, - owner @{run}/user/@{uid}/dconf/user w, + /etc/dconf/** r, + + owner @{user_config_dirs}/dconf/user r, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, include if exists diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete deleted file mode 100644 index 1796c7ca0..000000000 --- a/apparmor.d/abstractions/dconf.d/complete +++ /dev/null @@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - /usr/share/dconf/profile/gdm r, - - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile - - owner @{run}/user/@{uid}/dconf/ r, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 68c013a51..d8e1fdfb8 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
@@ -11,58 +11,42 @@ # The only legitimate use in this project is for file browser and search engine. - abi , - - # User defined private directories - deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, - deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, - deny @{user_private_dirs}/{,**} mrxwlk, - - # Files with secret paswords and tokens + deny @{HOME}/.*.bak mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*~1~ mrwkl, deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl, + deny @{HOME}/.*history mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl, - deny @{HOME}/.aws/{,**} mrwkl, - deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, - deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, - deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, - deny @{run}/user/@{uid}/keyring** mrwkl, - deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_passwordstore_dirs}/{,**} mrwkl, - deny @{user_share_dirs}/kwalletd/{,**} mrwkl, - - # Privacy violations - deny @{HOME}/.*.bak mrwkl, - deny @{HOME}/.*.swp mrwkl, - deny @{HOME}/.*~ mrwkl, - deny @{HOME}/.*~1~ mrwkl, - deny @{HOME}/.*history mrwkl, - deny @{HOME}/.evolution/{,**} mrwkl, deny @{HOME}/.fetchmail* mrwkl, - deny @{HOME}/.gnome2_private/{,**} mrwkl, - deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, deny @{HOME}/.lesshst* mrwkl, deny @{HOME}/.mozilla/{,**} mrwkl, - deny @{HOME}/.mutt** mrwkl, + deny @{HOME}/.mutt* mrwkl, deny @{HOME}/.thunderbird/{,**} mrwkl, deny @{HOME}/.viminfo* mrwkl, deny @{HOME}/.wget-hsts mrwkl, + deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, + deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, + deny @{user_config_dirs}/*-store/{,**} mrwkl, deny @{user_config_dirs}/chromium/{,**} mrwkl, - deny @{user_config_dirs}/evolution/{,**} mrwkl, + deny 
@{user_password_store_dirs}/{,**} mrwkl, + deny @{user_share_dirs}/kwalletd/{,**} mrwkl, + + # User defined private directories + deny @{user_private_dirs}/{,**} mrxwlk, + deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, # Deny executable mapping in writable space as allowed in abstractions/fonts - deny @{HOME}/.{,cache/}fontconfig/ rw, - deny @{HOME}/.{,cache/}fontconfig/** mrwl, - - # special attention to (potentially) executable files - deny @{HOME}/bin wl, - deny @{HOME}/bin/{,**} wl, + deny @{HOME}/.{,cache/}fontconfig/ rw, + deny @{HOME}/.{,cache/}fontconfig/** mrwl, include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index c4abbd574..befea8bcb 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,37 +7,28 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. - abi , - - include - include include - include - include - include - include + include + include include - include - include - include include include - include # if @{DE} == gnome dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + /usr/{local/,}share/ r, + /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, + /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, + /etc/xdg/{,*-}mimeapps.list r, - / r, - - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, # else if @{DE} == kde 
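Review bot: The reorganised deny list in hunk @@ -11,58 no longer covers the login keyring and kwallet stores: `@{HOME}/.gnome2/keyrings/{,**}`, `@{HOME}/.gnome2_private/{,**}`, `@{HOME}/.kde{,4}/share/apps/kwallet/{,**}` and `@{run}/user/@{uid}/keyring**` are matched by no remaining pattern, because `*` in `@{HOME}/.*key*{,/{,**}}` does not cross a `/` and nothing left in the list points under `@{run}`. If dropping them is intentional it deserves a comment, since the file's stated purpose is to deny exactly this class of data. Two smaller points: `deny @{HOME}/.mutt* mrwkl,` (was `.mutt**`) no longer matches files inside `@{HOME}/.mutt/`, and `@{user_password_store_dirs}` is a renamed tunable — confirm it is defined in the tunables shipped with this commit, as an undefined variable should make the parser reject the file.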
@@ -45,44 +36,32 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, - /usr/share/knotifications{5,6}/*.notifyrc r, - - /etc/xdg/baloofilerc r, - /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, - - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce - /usr/share/xfce{,4}/ r, + /usr/share/xfce4/ r, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, # end - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, # FIXME: a bit too wide + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + owner @{HOME}/.local/ rw, + owner @{user_cache_dirs}/ rw, + owner @{user_config_dirs}/ rw, + owner @{user_share_dirs}/ rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files deleted file mode 100644 index 9c0a8b941..000000000 --- a/apparmor.d/abstractions/desktop-files +++ /dev/null 
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2009 Canonical Ltd.
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- @{system_share_dirs}/applications/{,**} r,
- @{system_share_dirs}/*ubuntu/applications/{,**} r,
- @{system_share_dirs}/gnome/applications/{,**} r,
- @{system_share_dirs}/xfce4/applications/{,**} r,
-
- /etc/gnome/defaults.list r,
- /etc/xfce4/defaults.list r,
- /etc/xdg/menus/ r,
- /etc/xdg/menus/applications-merged/{,**} r,
-
- /var/lib/snapd/desktop/applications/{,**} r,
-
- owner @{user_share_dirs}/applications/{,**} r,
-
- owner @{user_config_dirs}/menus/ r,
- owner @{user_config_dirs}/menus/applications-merged/{,**} r,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f
deleted file mode 100644
index c707d66e0..000000000
--- a/apparmor.d/abstractions/devices-u2f
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019 Canonical Ltd
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allows access to Universal 2nd Factor (U2F) devices
-
- abi ,
-
- @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
-
- # Needed for dynamic assignment of U2F devices
- @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
-
- @{sys}/devices/**/i2c*/**/report_descriptor r,
- @{sys}/devices/**/usb@{int}/**/report_descriptor r,
-
- # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed
- /dev/hidraw@{int} rw,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 3361f10ec..5a2a8b742 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -3,22 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow raw access to all connected USB devices + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{int}/@{int} rwk, - abi , + @{sys}/class/ r, + @{sys}/class/usbmisc/ r, - include + @{sys}/bus/ r, + @{sys}/bus/usb/ r, + @{sys}/bus/usb/devices/{,**} r, - @{PROC}/tty/drivers r, + @{sys}/devices/**/usb@{int}/{,**} rw, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, - - # Allow access to all ttyUSB devices too - /dev/ttyACM@{int} wk, - /dev/ttyUSB@{int} wk, - - # Allow raw access to USB printers (i.e. for receipt printers in POS systems). - /dev/usb/lp@{int} wk, + # Udev data about usb devices (~equal to content of lsusb -v) + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read deleted file mode 100644 index ea3131d59..000000000 --- a/apparmor.d/abstractions/devices-usb-read +++ /dev/null 
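Review bot: `@{run}/udev/data/c16[6,7]:@{int} r,` and `@{run}/udev/data/c18[0,8,9]:@{int} r,` use a character class, so the comma is matched as a literal character rather than separating alternatives; the alternation form the removed devices-usb-read used, `c16{6,7}` and `c18{0,8,9}`, is what is intended. Separately, `@{sys}/devices/**/usb@{int}/{,**} rw,` grants write on the whole sysfs USB device tree (attributes such as `authorized`, power control and driver bind/unbind), which raw access to `/dev/bus/usb/**` does not need; the removed devices-usb-read kept that tree read-only, so `r` is the safer default unless a consuming profile requires a specific writable attribute, in which case that attribute should be listed on its own. The header comment `# Allow raw access to all connected USB devices` is removed without replacement, leaving the abstraction undocumented; a one-line purpose comment should be restored.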
@@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow detection of usb devices. Leaks plugged in USB device info - - abi , - - @{sys}/class/ r, - @{sys}/class/usbmisc/ r, - - @{sys}/bus/ r, - @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/devices/**/usb@{int}/ r, - @{sys}/devices/**/usb@{int}/** r, - - # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/b180:@{int} r, # USB block devices - @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems - @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices - - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e33ec2c3f..10beb258d 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,8 +5,6 @@ # The /sys/ entries probably should be tightened - abi , - /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, @@ -20,7 +18,6 @@ @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, - @{sys}/devices/**/host@{int}/** r, # SSD Nvme devices /dev/nvme[0-9]* rk, @@ -44,12 +41,6 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, - # Xen PVH devices - @{sys}/devices/vbd-@{int}/block/** r, - - # Channel subsystem for IBM Z - @{sys}/devices/css@{int}/** r, - # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, 
@@ -81,13 +72,8 @@ # CD-ROM /dev/sr@{int} rk, - # MD RAID devices - /dev/md@{int} rk, - @{sys}/devices/virtual/block/md@{int}/ r, - @{sys}/devices/virtual/block/md@{int}/** r, - # Lookup block device by major:minor numbers - # See: https://apparmor.pujol.io/development/internal/#udev-rules + # See: https://apparmor.pujol.io/development/structure/#udev-rules @{sys}/block/ r, @{sys}/class/block/ r, @@ -96,18 +82,17 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 - @{run}/udev/data/b25[0-4]:@{int} r, # to 254 - @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 + @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b259:@{int} r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index a52518042..361b60d82 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write 
@@ -3,46 +3,96 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , + # The /sys/ entries probably should be tightened - include + /dev/ r, + /dev/block/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices - /dev/{s,v}d[a-z]* w, - /dev/{s,v}d[a-z]*@{int} w, + /dev/{s,v}d[a-z]* rwk, + /dev/{s,v}d[a-z]*@{int} rwk, + @{sys}/devices/@{pci}/ata@{int}/** r, + @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, + @{sys}/devices/@{pci}/block/{s,v}d[a-z]/** r, + @{sys}/devices/@{pci}/host@{int}/** r, + @{sys}/devices/@{pci}/usb@{int}/** r, + @{sys}/devices/@{pci}/virtio@{int}/** r, # SSD Nvme devices - /dev/nvme[0-9]* w, + /dev/nvme[0-9]* rwk, + @{sys}/devices/@{pci}/nvme/nvme@{int}/{,**} r, # SD card devices - /dev/mmcblk[0-9]* w, - /dev/mmcblk[0-9]*p@{int} w, + /dev/mmcblk[0-9]* rwk, + /dev/mmcblk[0-9]*p@{int} rwk, + @{sys}/devices/@{pci}/block/mmcblk@{int}/ r, + @{sys}/devices/@{pci}/block/mmcblk@{int}/** r, + @{sys}/devices/@{pci}/mmc@{int}/mmc*/ r, + @{sys}/devices/@{pci}/mmc@{int}/mmc*/** r, + @{sys}/devices/platform/**/block/mmcblk@{int}/ r, + @{sys}/devices/platform/**/block/mmcblk@{int}/** r, + @{sys}/devices/platform/**/mmc@{int}/ r, + @{sys}/devices/platform/**/mmc@{int}/** r, # Loop devices - /dev/loop[0-9]* w, - /dev/loop[0-9]*p@{int} w, + /dev/loop[0-9]* rwk, + /dev/loop[0-9]*p@{int} rwk, + @{sys}/devices/virtual/block/loop@{int}/ r, + @{sys}/devices/virtual/block/loop@{int}/** r, # LUKS/LVM (device-mapper) devices - /dev/dm-@{int} w, - /dev/mapper/{,*} w, + /dev/dm-@{int} rwk, + /dev/mapper/{,*} rw, + @{sys}/devices/virtual/block/dm-@{int}/ r, + @{sys}/devices/virtual/block/dm-@{int}/** r, # ZFS devices - /dev/zd@{int} w, + /dev/zd@{int} rwk, + /dev/*pool/ r, + /dev/zvol/{,*/} r, + @{sys}/devices/virtual/block/zd@{int}/ r, + @{sys}/devices/virtual/block/zd@{int}/** r, # ZRAM devices - /dev/zram@{int} w, + /dev/zram@{int} rwk, + @{sys}/devices/virtual/block/zram@{int}/ r, + @{sys}/devices/virtual/block/zram@{int}/** r, # 
NBD devices - /dev/nbd* w, + /dev/nbd* rwk, + @{sys}/devices/virtual/block/nbd@{int}/ r, + @{sys}/devices/virtual/block/nbd@{int}/** r, # Floppy disks - /dev/fd@{int} w, + /dev/fd@{int} rwk, + @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/ r, + @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/** r, # CD-ROM - /dev/sr@{int} w, + /dev/sr@{int} rwk, - # MD RAID devices - /dev/md@{int} w, + # Lookup block device by major:minor numbers + # See: https://apparmor.pujol.io/development/structure/#udev-rules + + @{sys}/block/ r, + @{sys}/class/block/ r, + @{sys}/dev/block/ r, + + @{run}/udev/data/b2:@{int} r, # for /dev/fd* + @{run}/udev/data/b7:@{int} r, # for /dev/loop* + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b11:@{int} r, # for /dev/sr* + @{run}/udev/data/b43:@{int} r, # for /dev/nbd* + @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* + @{run}/udev/data/b230:@{int} r, # for /dev/zvol* + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 + @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b259:@{int} r, + + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + + @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 128da00d0..a1eb1cd41 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -3,11 +3,9 @@ # SPDX-License-Identifier: GPL-2.0-only # The Direct Rendering Infrastructure (DRI) is the framework comprising the modern -# Linux graphics stack which allows unprivileged user-space programs to issue +# Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. - abi , - @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, 
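Review bot: The hunk reproduces the read-side rules inline (the `/dev/`, `/dev/block/`, `/dev/disk/{,*/}` reads, the per-device `@{sys}/devices/...` trees and the whole `# Lookup block device by major:minor numbers` section) instead of keeping the removed `include` line, presumably of disks-read, whose hunk in this same diff carries the identical section; the two copies will drift on the next edit, so `include <abstractions/disks-read>` followed by only the write rules is the more maintainable shape. Within the new lines, `/dev/mapper/{,*} rw,` is the only device rule without `k` while `/dev/dm-@{int} rwk,` and every other block device get `rwk`; if the asymmetry is deliberate, a comment should say so. The carried-over `# The /sys/ entries probably should be tightened` now applies to a file that grants read on every sysfs block tree, so it is worth keeping but also worth a pointer to what "tightened" would mean here.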
@@ -28,11 +26,8 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, - # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, - - # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 65f97f9f2..fe3cab891 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,11 +2,9 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when zshrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. - abi , - /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 306787378..216075648 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,8 +9,6 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. - abi , - owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 922a15a6a..19fa7c53a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,8 +3,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index df445cef5..3e669f4dc 100644 
--- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,19 +13,14 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, - /opt/*/**.{desktop,png} r, + /usr/share/mime/ r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, - owner @{user_share_dirs}/#@{int} rw, - owner @{user_share_dirs}/recently-used.xbel rw, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, - owner @{user_share_dirs}/recently-used.xbel.lock rwk, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc deleted file mode 100644 index 8536470bd..000000000 --- a/apparmor.d/abstractions/glibc +++ /dev/null 
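Review bot: The added `/usr/share/mime/ r,` sits directly under the `@{system_share_dirs}/mime/ r,` context line; if `@{system_share_dirs}` expands to include `/usr/share`, as its use next to literal `/usr/share` paths elsewhere in this diff suggests, the new rule is redundant and should be dropped or the tunable reference used instead. `/etc/xfce4/defaults.list r,` is changed in whitespace only, which adds noise to the hunk.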
@@ -1,47 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2009-2011 Canonical Ltd.
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- # Used by Glibc when binding to ephemeral ports
- @{etc_ro}/bindresvport.blacklist r,
-
- # Depending on which Glibc routine uses this file, base may not be the
- # best place -- but many profiles require it, and it is quite harmless.
- @{PROC}/sys/kernel/ngroups_max r,
-
- # Glibc's sysconf(3) routine to determine free memory, etc
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/online r,
- @{sys}/devices/system/cpu/possible r,
- @{PROC}/cpuinfo r,
- @{PROC}/meminfo r,
- @{PROC}/stat r,
-
- # Glibc's *printf protections read the maps file
- owner @{PROC}/@{pid}/auxv r,
- owner @{PROC}/@{pid}/maps r,
- owner @{PROC}/@{pid}/status r,
-
- # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
- # but in a format that is simpler to manage, because it doesn't require to
- # parse the text data inside a file, but just reading the contents of
- # a directory.
- owner @{PROC}/@{pid}/map_files/ r,
-
- # Glibc statvfs
- @{PROC}/filesystems r,
-
- # Glibc malloc (man 5 proc)
- @{PROC}/sys/vm/overcommit_memory r,
-
- # Recent glibc uses /dev/full in preference to /dev/null for programs
- # that don't have open fds at exec()
- /dev/full rw,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 227377f3a..891e5a573 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -2,39 +2,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include - include include - include - include - include - include - include - include - include - include + include + include include include - include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + /usr/{local/,}share/ r, + /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, + /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, + /etc/xdg/{,*-}mimeapps.list r, - / r, + /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + owner @{HOME}/.local/ rw, + owner @{user_cache_dirs}/ rw, + owner @{user_config_dirs}/ rw, + owner @{user_share_dirs}/ rw, include if exists diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d4b47f9f..90f705ac7 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index c4edd09b4..9b7954f0d 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics 
@@ -2,33 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - include include include include - /etc/igfx_user_feature{,_next,_report}.txt w, + /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, - @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, - @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{sys}/devices/system/cpu/cpu@{int}/topology/* r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index de5f865b5..fe2d2001c 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,13 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include include - include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gschemas b/apparmor.d/abstractions/gschemas deleted file mode 100644 index 21a4d860c..000000000 --- a/apparmor.d/abstractions/gschemas +++ /dev/null 
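Review bot: The replacement rules `@{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,`, `@{sys}/devices/system/cpu/cpu@{int}/topology/* r,` and `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,` widen the previous attribute-by-attribute list to every attribute in those directories. Read-only sysfs is low risk, but the explicit list also documented which attributes the graphics stack reads; a comment naming the consumer that needs the whole directory would preserve that. `/etc/igfx_user_feature{,_next}.txt w,` remains a write into `/etc` from a widely included abstraction and deserves a one-line comment on which driver writes it.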
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/ r, - @{system_share_dirs}/glib-2.0/schemas/ r, - @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 5a14b6f7a..60bac614e 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -3,18 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, - @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr, + @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, + # FIXME: not compatible with FSP mode due conflicting x modifiers @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/gstreamer-1.0/gst-plugin-scanner rix, - /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, - /etc/openni2/OpenNI.ini r, /tmp/ r, @@ -32,14 +29,14 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - owner @{tmp}/orcexec.@{rand6} mrw, + #owner /tmp/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c189:@{int} r, # For USB serial converters + @{run}/udev/data/c189:@{int} r, # For USB serial converters @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, 
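Review bot: The new comment `# FIXME: not compatible with FSP mode due conflicting x modifiers` is missing a word and should read `due to conflicting x modifiers`. It also sits above three `gst-plugin-scanner rix,` rules without saying which profile the `x` modifier clashes with, so the FIXME cannot be acted on; a pointer to the conflicting profile or the tracking issue would make it useful.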
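Review bot: `@{run}/udev/data/c189:@{int} r, # For USB serial converters` is touched (whitespace only) but keeps a comment that contradicts the disks-read hunk in this same diff, which annotates the same major as `# for /dev/bus/usb/**`; character major 189 is the USB device node major, so the comment here should read `# For /dev/bus/usb/**` as well. The `#owner /tmp/orcexec.* mrw,` line replaces an active `owner @{tmp}/orcexec.@{rand6} mrw,` rule with a disabled one while the comment above still describes the `/tmp` location as a fallback that is tried next; either re-enable the rule or update the comment so it matches the rules beneath it.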
@@ -48,23 +45,13 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/@{pci}/busnum r, - @{sys}/devices/@{pci}/config r, - @{sys}/devices/@{pci}/descriptors r, - @{sys}/devices/@{pci}/devnum r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/speed r, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/devices r, - /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, - /dev/nvidia-uvm rw, include if exists diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict deleted file mode 100644 index 0bf0ab41c..000000000 --- a/apparmor.d/abstractions/gtk-strict +++ /dev/null 
@@ -1,74 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- include
- include
- include
- include
-
- @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr,
- @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr,
- @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr,
-
- /usr/share/gtksourceview-2.0/{,**} r,
- /usr/share/gtksourceview-3.0/{,**} r,
- /usr/share/gtksourceview-4/{,**} r,
- /usr/share/gtksourceview-5/{,**} r,
-
- /usr/share/gtk-2.0/ r,
- /usr/share/gtk-2.0/gtkrc r,
-
- /usr/share/gtk-3.0/ r,
- /usr/share/gtk-3.0/settings.ini r,
-
- /usr/share/gtk-4.0/ r,
- /usr/share/gtk-4.0/settings.ini r,
-
- /etc/gtk/gtkrc r,
-
- /etc/gtk-2.0/ r,
- /etc/gtk-2.0/gtkrc r,
-
- /etc/gtk-3.0/ r,
- /etc/gtk-3.0/*.conf r,
- /etc/gtk-3.0/settings.ini r,
-
- /etc/gtk-4.0/ r,
- /etc/gtk-4.0/*.conf r,
- /etc/gtk-4.0/settings.ini r,
-
- owner @{HOME}/.gtk r,
- owner @{HOME}/.gtkrc r,
- owner @{HOME}/.gtkrc-2.0 r,
- owner @{HOME}/.gtk-bookmarks r,
-
- owner @{user_cache_dirs}/gtk-4.0/ rw,
- owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw,
- owner @{user_cache_dirs}/gtkrc r,
- owner @{user_cache_dirs}/gtkrc-2.0 r,
-
- owner @{user_config_dirs}/gtk-2.0/ rw,
- owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw,
-
- owner @{user_config_dirs}/gtk-3.0/ rw,
- owner @{user_config_dirs}/gtk-3.0/bookmarks r,
- owner @{user_config_dirs}/gtk-3.0/colors.css r,
- owner @{user_config_dirs}/gtk-3.0/gtk.css r,
- owner @{user_config_dirs}/gtk-3.0/servers r,
- owner @{user_config_dirs}/gtk-3.0/settings.ini r,
- owner @{user_config_dirs}/gtk-3.0/window_decorations.css r,
-
- owner @{user_config_dirs}/gtk-4.0/ rw,
- owner @{user_config_dirs}/gtk-4.0/bookmarks r,
- owner @{user_config_dirs}/gtk-4.0/colors.css r,
- owner @{user_config_dirs}/gtk-4.0/gtk.css r,
- owner @{user_config_dirs}/gtk-4.0/servers r,
- owner @{user_config_dirs}/gtk-4.0/settings.ini r,
- owner @{user_config_dirs}/gtk-4.0/window_decorations.css r,
-
- include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0b69d8ee1..ac702a70f 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,9 +2,32 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*), + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(name=:*), + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-xsettings), @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 3ecd8c36d..33d034b5a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,7 +8,6 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), - #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) 
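Review bot: `dbus send bus=session interface=org.gtk.Actions member=DescribeAll peer=(name=:*),` and the matching `dbus receive ... member=Changed peer=(name=:*),` carry no `label=`, so they admit any confined or unconfined peer that holds a unique connection name; the sibling rules in the same hunk, `peer=(label=gnome-shell)` and `peer=(name=:*, label=gsd-xsettings)`, show that the intended peers are known. If the unlabeled rules exist because the shell is not the only consumer of exported actions, a comment naming the other peer would justify them; otherwise restrict them to a label the way the `/org/gtk/Settings` rules do.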
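Review bot: `#aa:lint ignore=tunables` is removed while the literal `@/home/*/.cache/ibus/dbus-????????` address it covered stays two lines below, and the neighbouring comment still explains that the path cannot use `@{user_cache_dirs}` because of LP: #1856738. If the project's linter still flags hard-coded home paths in unix addresses, this hunk reintroduces the warning the directive suppressed; keep the directive, or add a comment stating why it is no longer needed.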
@@ -17,15 +16,11 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????", - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=@{busname}, label=ibus-daemon), - owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons deleted file mode 100644 index 6a721b837..000000000 --- a/apparmor.d/abstractions/icons +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/icons/{,**} r, - @{system_share_dirs}/pixmaps/{,**} r, - - /opt/**/share/icons/{,**} r, - /opt/*/**.desktop r, - /opt/*/**/*.png r, - - /var/lib/snapd/desktop/icons/{,**} r, - - owner @{HOME}/.icons/{,**} r, - - owner @{user_share_dirs}/icons/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input deleted file mode 100644 index 57905fd0c..000000000 --- a/apparmor.d/abstractions/input +++ /dev/null 
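Review bot: The new `unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????",` adds the server-side `bind`, `listen` and `accept` on the daemon's abstract socket address to an abstraction that, judging by the surrounding `peer=(addr=...)` connect rules, is included by IBus clients. Every profile pulling in this abstraction is then allowed to own that address if the daemon is not already listening, which is more than a client needs; the server verbs belong in the ibus-daemon profile, leaving clients with `connect, send, receive`. If a client genuinely has to bind here (the `accept` suggests one exists), a comment naming it would justify the rule.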
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2022-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow reading and writing to raw input devices - - abi , - - # network netlink raw, - - # Allow reading for supported event reports for all input devices. See - # https://www.kernel.org/doc/Documentation/input/event-codes.txt - @{sys}/devices/**/input@{int}/capabilities/* r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/mice rw, - /dev/input/mouse@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java deleted file mode 100644 index 91472d21e..000000000 --- a/apparmor.d/abstractions/java +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /usr/share/java/{,**} r, - - /etc/java/{,**} r, - /etc/java-*/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index adeb9a4bb..37038b129 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 79e97b23f..c164bd434 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -2,44 +2,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include - include include - include - include - include - include + include include - include - include - include include include - include @{lib}/kde{,3,4}/*.so mr, @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, - /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/pnp.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/*.notifyrc r, - /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu + /usr/share/desktop-base/kf{5,6}-settings/kdeglobals r, - /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + owner @{HOME}/.local/ rw, + owner @{user_cache_dirs}/ rw, + owner @{user_config_dirs}/ rw, + owner @{user_share_dirs}/ rw, - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, @@ -47,12 +32,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, - - owner @{user_share_dirs}/#@{int} rw, include if exists diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld deleted file mode 100644 index 21ac745e2..000000000 --- a/apparmor.d/abstractions/ld +++ /dev/null 
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2009-2011 Canonical Ltd.
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- # ld.so.cache and ld are used to load shared libraries.
- # As such, they can be used everywhere
-
- abi ,
-
- /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
-
- @{etc_ro}/ld.so.cache mr,
- @{etc_ro}/ld.so.conf r,
- @{etc_ro}/ld.so.conf.d/ r,
- @{etc_ro}/ld.so.conf.d/*.conf r,
- @{etc_ro}/ld.so.preload r,
- @{etc_ro}/ld-musl-*.path r,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale
deleted file mode 100644
index 873c303f5..000000000
--- a/apparmor.d/abstractions/locale
+++ /dev/null
@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2002-2009 Novell/SUSE
-# Copyright (C) 2009-2011 Canonical Ltd.
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- @{etc_ro}/locale.alias r,
- @{etc_ro}/locale.conf r,
- @{etc_ro}/locale/** r,
- @{etc_ro}/localtime r,
- @{etc_rw}/localtime r,
-
- /usr/share/**/locale/** r,
- /usr/share/locale-bundle/** r,
- /usr/share/locale-langpack/** r,
- /usr/share/locale/ r,
- /usr/share/locale/** r,
- /usr/share/X11/locale/** r,
- /usr/share/zoneinfo{,-icu}/ r,
- /usr/share/zoneinfo{,-icu}/** r,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
deleted file mode 100644
index 913ab3eb3..000000000
--- a/apparmor.d/abstractions/lxqt
+++ /dev/null
@@ -1,32 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- signal (receive) set=(kill, term) peer=lxqt-session,
-
- /usr/share/hwdata/pnp.ids r,
- /usr/share/icu/@{int}.@{int}/*.dat r,
- /usr/share/lxqt/** r,
-
- owner @{HOME}/.Xdefaults r,
-
- owner @{user_cache_dirs}/lxqt-notificationd/* r,
-
- owner @{user_config_dirs}/lxqt/*.conf rw,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login
deleted file mode 100644
index 7ccc2d678..000000000
--- a/apparmor.d/abstractions/mapping/login
+++ /dev/null
@@ -1,41 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Minimal set of rules for login based hat mapping.
-
- abi ,
-
- include
- include
- include
- include
-
- capability audit_write,
- capability chown,
- capability fowner,
- capability setgid,
- capability setuid,
- capability fsetid,
-
- deny capability net_admin,
-
- network netlink raw,
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=ReleaseSession
- peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
-
- @{etc_ro}/security/group.conf r,
- @{etc_ro}/security/limits.conf r,
- @{etc_ro}/security/limits.d/{,*} r,
- @{etc_ro}/security/pam_env.conf r,
-
- @{etc_ro}/login.defs r,
- @{etc_ro}/login.defs.d/{,*} r,
- @{etc_ro}/security/capability.conf r,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow
deleted file mode 100644
index 5bf542c17..000000000
--- a/apparmor.d/abstractions/mapping/shadow
+++ /dev/null
@@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for shadow based hat mapping. - - abi , - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd deleted file mode 100644 index 0f7512710..000000000 --- a/apparmor.d/abstractions/mapping/sshd +++ /dev/null @@ -1,58 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for sshd based hat mapping. Similar to sshd-session - - abi , - - include - include - include - include - include - - capability audit_write, - capability chown, - capability dac_read_search, - capability fowner, - capability fsetid, - capability kill, - capability setgid, - capability setuid, - capability sys_resource, - - # sshd doesn't require net_admin. libpam-systemd tries to - # use it if available to set the send/receive buffers size, - # but will fall back to a non-privileged version if it fails. - deny capability net_admin, - - network inet stream, - network inet6 stream, - network netlink raw, - - signal receive set=exists peer=@{p_systemd_journald}, - signal receive set=hup peer=@{p_systemd}, - - unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, - unix bind type=stream addr=@@{udbus}/bus/sshd/system, - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - /etc/motd r, - /etc/locale.conf r, - - @{run}/motd.dynamic rw, - @{run}/motd.dynamic.new rw, - - @{PROC}/1/limits r, - - /dev/ptmx rw, - /dev/pts/@{int} k, - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo deleted file mode 100644 index 3347a91af..000000000 --- a/apparmor.d/abstractions/mapping/sudo +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for su/sudo based hat mapping. - - abi , - - capability audit_write, - capability setgid, - capability setuid, - - network netlink raw, - - @{etc_ro}/login.defs r, - /etc/passwd r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control deleted file mode 100644 index 1cdcf66f2..000000000 --- a/apparmor.d/abstractions/media-control +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to media controller such as microphones, and video capture hardware. -# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst - - abi , - - # Control of media devices - /dev/media@{int} rwk, - - # Access to V4L subnodes configuration - # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html - /dev/v4l-subdev@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys deleted file mode 100644 index d9aafa764..000000000 --- a/apparmor.d/abstractions/mediakeys +++ /dev/null 
@@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow requesting interest in receiving media key events. This tells Gnome -# settings that our application should be notified when key events we are -# interested in are pressed, and allows us to receive those events. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 02a48114c..ed3306e42 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete 
@@ -2,28 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Fallback location when @{user_cache_dirs} is not available - /var/cache/mesa_shader_cache_db/ rw, - /var/cache/mesa_shader_cache_db/index rw, - /var/cache/mesa_shader_cache_db/marker rw, - /var/cache/mesa_shader_cache_db/part@{int}/ rw, - /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, - /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, - /var/cache/mesa_shader_cache/ rw, - /var/cache/mesa_shader_cache/@{hex2}/ rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, - /var/cache/mesa_shader_cache/index rw, - /var/cache/mesa_shader_cache/marker rw, - # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, - owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, 
@@ -31,17 +11,4 @@ owner @{desktop_cache_dirs}/mesa_shader_cache/index rw, owner @{desktop_cache_dirs}/mesa_shader_cache/marker rw, - owner @{user_cache_dirs}/mesa_shader_cache/marker rw, - - owner @{user_cache_dirs}/mesa_shader_cache_db/ w, - owner @{user_cache_dirs}/mesa_shader_cache_db/index rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/marker rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, - owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, - - @{PROC}/sys/dev/xe/observation_paranoid r, - - /dev/udmabuf rw, # In upstream, but not released yet - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime deleted file mode 100644 index 9a70edaf8..000000000 --- a/apparmor.d/abstractions/mime +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/ r, - @{system_share_dirs}/mime/{,**} r, - - /etc/mime.types r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{version}/{,*-}-mimeapps.list r, - - owner @{user_config_dirs}/mimeapps.list r, - - owner @{user_share_dirs}/mime/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris deleted file mode 100644 index f06c8560e..000000000 --- a/apparmor.d/abstractions/mpris +++ /dev/null 
@@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow operating as an MPRIS player. - - abi , - - include - - # Allow binding to the well-known DBus mpris interface based on the app's name - # See: https://specifications.freedesktop.org/mpris-spec/latest/ - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 5f49a63d9..b1d474717 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,10 +6,6 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. - abi , - - include - @{etc_ro}/default/nss r, @{etc_ro}/gai.conf r, @{etc_ro}/group r, @@ -35,6 +31,23 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, + # NSS records from systemd-userdbd.service + # + # Allow User/Group lookups via common VarLink socket APIs. Applications need + # to either consult all of them or the io.systemd.Multiplexer frontend. + # + # https://systemd.io/USER_GROUP_API/ + # https://systemd.io/USER_RECORD/ + # https://www.freedesktop.org/software/systemd/man/nss-systemd.html + # + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users + @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs + @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined + @{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS + @{PROC}/sys/kernel/random/boot_id r, + include if exists # vim:syntax=apparmor 
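Review bot: The new `@{PROC}/sys/kernel/random/boot_id r` rule at the end of the userdb block has no comment explaining why a name-service lookup needs the boot ID, while every socket rule above it carries one. Presumably libsystemd's Varlink client reads it when talking to the `io.systemd.*` sockets; if that is confirmed from an audit log, say so inline, e.g. `@{PROC}/sys/kernel/random/boot_id r, # read by libsystemd during userdb lookups`. It would also help readers of a `-strict` abstraction to state in the block comment that `w` on these entries is only what connecting to a Unix socket requires, not a write grant on user records, so the `rw` is the minimum for a lookup.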
diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications deleted file mode 100644 index 81d5cc94c..000000000 --- a/apparmor.d/abstractions/notifications +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a14691a9c..6521c9840 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
@@ -2,56 +2,33 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, - /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.nv/ w, + owner @{HOME}/.cache/nvidia/ w, + owner @{HOME}/.cache/nvidia/GLCache/ rw, + owner @{HOME}/.cache/nvidia/GLCache/** rwk, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, - @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, - owner @{user_cache_dirs}/nvidia/ w, - owner @{user_cache_dirs}/nvidia/GLCache/ rw, - owner @{user_cache_dirs}/nvidia/GLCache/** rwk, - - @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, - - @{PROC}/@{pid}/cmdline r, + @{PROC}/driver/nvidia/params r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/modules r, owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{u8} w, # Nvidia graphics devices - - # Nvidia proprietary modset driver + /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset rw, - - # Nvidia graphics devices /dev/nvidia@{int} rw, - - # Nvidia's Unified Memory driver - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, - - # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index e00385efd..ef9d0c40d 100644 
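Review bot: The three added cache rules hard-code `@{HOME}/.cache/nvidia/` while the rest of this abstraction and the other abstractions in this diff (for example `owner @{user_cache_dirs}/ w,` in qt5-shader-cache) go through `@{user_cache_dirs}`, so a user with `XDG_CACHE_HOME` pointing elsewhere will get denials and the shader cache silently stops being covered. Suggest `owner @{user_cache_dirs}/nvidia/ w,`, `owner @{user_cache_dirs}/nvidia/GLCache/ rw,`, `owner @{user_cache_dirs}/nvidia/GLCache/** rwk,`. The same hunk also drops `/dev/nvidia-uvm` and `/dev/nvidia-uvm-tools`, which CUDA workloads on hosts using this abstraction will likely now be denied; if that is intended it deserves a line in the commit message.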
--- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{u8} rw, # Nvidia graphics devices + /dev/char/195:@{int} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi deleted file mode 100644 index 17225ef03..000000000 --- a/apparmor.d/abstractions/oneapi +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Intel oneAPI compiler libraries - - abi , - - /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, - /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/openssl.d/complete b/apparmor.d/abstractions/openssl.d/complete deleted file mode 100644 index 600a030e5..000000000 --- a/apparmor.d/abstractions/openssl.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - /usr/share/ssl/ r, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path deleted file mode 100644 index dee241b29..000000000 --- a/apparmor.d/abstractions/path +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Common directories in $PATH, used by launchers and interactive shells. - - abi , - - @{bin}/ r, - @{bin}/*/ r, - @{sbin}/ r, - @{sbin}/*/ r, - - / r, - /usr/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, - - @{user_bin_dirs}/ r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd deleted file mode 100644 index 33a981279..000000000 --- a/apparmor.d/abstractions/pcscd +++ /dev/null 
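Review bot: Widening `/dev/char/195:@{u8}` to `/dev/char/195:@{int}` loosens the match from a byte-sized minor number to any integer, and the same widening appears in nvidia-strict in this diff. If `@{u8}` is defined as 0–255 in the tunables, which is the range the NVIDIA character devices use, the old pattern was the tighter one; keep `/dev/char/195:@{u8} rw, # Nvidia graphics devices` or add a comment stating why the wider range is needed.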
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows interacting with PC/SC Smart Card Daemon - - abi , - - # Configuration file for OPENSC - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, - - # Socket for communication between PCSCD and PS/SC API library - @{run}/pcscd/pcscd.comm rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/perl.d/complete b/apparmor.d/abstractions/perl.d/complete deleted file mode 100644 index 0031356a1..000000000 --- a/apparmor.d/abstractions/perl.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - @{bin}/perl rix, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e372c312c..e6eea6744 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -4,12 +4,11 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{python_path} rm, + @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, - owner @{user_lib_dirs}/@{python_name}/ r, - owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, - owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, - owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, - owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, + owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, + owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, + owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, + owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, # vim:syntax=apparmor 
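Review bot: The new rules spell out `python{2.[4-7],3,3.[0-9],3.1[0-9]}` five times in place of `@{python_path}`/`@{python_name}`; besides the duplication, the glob stops matching at Python 3.19 and will fail silently once 3.20 ships. Define it once in the tunables, e.g. `@{python_name}=python{2.[4-7],3,3.[0-9],3.[1-9][0-9]}`, and use the variable in all five rules. Note also that the replacement for `@{python_path} rm,` drops the `m` permission on the interpreter and the `.pyi` extension from the user-lib rule; if no profile relied on either, that is fine but worth a line in the commit message.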
diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index d40aa3766..4ac0f7f1d 100644 --- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,15 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used deleted file mode 100644 index 66a80867b..000000000 --- a/apparmor.d/abstractions/recently-used +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - owner @{HOME}/.recently-used.xbel rw, - owner @{HOME}/.recently-used.xbel.@{rand6} rwl, - owner @{HOME}/.recently-used.xbel.lock rwk, - - owner @{user_share_dirs}/#@{int} rw, - owner @{user_share_dirs}/recently-used.xbel rw, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, - owner @{user_share_dirs}/recently-used.xbel.lock rwk, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver deleted file mode 100644 index 1a9369091..000000000 --- a/apparmor.d/abstractions/screensaver +++ /dev/null 
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow checking status, activating and locking the screensaver - - abi , - - include if exists - include if exists - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service deleted file mode 100644 index 083672cc9..000000000 --- a/apparmor.d/abstractions/secrets-service +++ /dev/null @@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Provide full access to the secret-service API: -# - https://standards.freedesktop.org/secret-service/) -# -# The secret-service allows managing (add/delete/lock/etc) collections and -# (add/delete/etc) items within collections. The API also has the concept of -# aliases for collections which is typically used to access the default -# collection. While it would be possible for an application developer to use a -# snap-specific collection and mediate by object path, application developers -# are meant to instead to treat collections (typically the default collection) -# as a database of key/value attributes each with an associated secret that -# applications may query. Because AppArmor does not mediate member data, -# typical and recommended usage of the API does not allow for application -# isolation. For details, see: -# - https://standards.freedesktop.org/secret-service/ch03.html -# - - abi , - - include - include - - dbus send bus=session path=/org/gnome/keyring/daemon - interface=org.gnome.keyring.Daemon - member=GetEnvironment - peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index 35d3a580a..b269f2335 100644 
--- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -5,8 +5,6 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. - abi , - include include include diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite deleted file mode 100644 index 690417f87..000000000 --- a/apparmor.d/abstractions/sqlite +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# SQlite temporary files (hexadecimal from 12 to 16 characters) - - abi , - - owner /var/tmp/etilqs_@{hex12} rw, - owner /var/tmp/etilqs_@{hex12}@{h} rw, - owner /var/tmp/etilqs_@{hex12}@{hex2} rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - - owner @{tmp}/etilqs_@{hex12} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes deleted file mode 100644 index 13fe70bc6..000000000 --- a/apparmor.d/abstractions/themes +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /usr/share/themes/{,**} r, - - owner @{HOME}/.themes/{,**} r, - owner @{user_share_dirs}/themes/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index 22982e1f4..dc164c6ba 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read 
@@ -3,15 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} r, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png r, include if exists diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index e3b559418..01de0407e 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write 
@@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include - - owner @{user_cache_dirs}/thumbnails/ w, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, + owner @{user_cache_dirs}/thumbnails/ rw, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png rw, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int}, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} rw, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw, include if exists diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm deleted file mode 100644 index ef7b30a2b..000000000 --- a/apparmor.d/abstractions/tpm +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016-2017 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM -# resource manager /dev/tpmrm@{int} - - abi , - - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index a2b024d3e..1f4202818 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict 
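Review bot: Every rule in the rewritten block now grants `rw`, so an abstraction named `thumbnails-cache-write` also hands out read access to the whole thumbnails tree, and the separate `thumbnails-cache-read` abstraction (also touched in this diff) no longer adds anything for profiles that include both. If the thumbnailer genuinely needs to read back what it writes, keep the split by having this file include the read abstraction (the old version had an include here whose target is not visible in this rendering) and leave these rules as `w`/`wl`; otherwise drop the read half. The new `rwl -> ...#@{int}` link targets are an improvement over the old unconstrained `wl`.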
@@ -9,8 +9,6 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. - abi , - owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 4a40e965e..03ae9e3e8 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -3,15 +3,13 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only - abi , - /usr/share/uim/* r, - + /var/lib/uim/* r, - + owner @{HOME}/.uim.d/customs/* r, owner @{HOME}/.XCompose r, - + owner @{run}/user/@{uid}/uim/socket/uim-helper rw, include if exists diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput deleted file mode 100644 index b97d1eb8a..000000000 --- a/apparmor.d/abstractions/uinput +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow write access to the uinput device for emulating input devices from -# userspace for sending input events. - - abi , - - /dev/uinput rw, - /dev/input/uinput rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe deleted file mode 100644 index 67478bb6d..000000000 --- a/apparmor.d/abstractions/upower-observe +++ /dev/null @@ -1,13 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Can query UPower for power devices, history and statistics. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data deleted file mode 100644 index 6406b3e84..000000000 --- a/apparmor.d/abstractions/user-data +++ /dev/null 
@@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Gives access to non-hidden files in user's $HOME. -# Warning: experiemental, only for abi 4+, requires a prompting client. - - abi , - - # Allow accessing the GNOME crypto services prompt APIs as used by - # applications using libgcr (such as pinentry-gnome3) for secure pin - # entry to unlock GPG keys etc. See: - # https://developer.gnome.org/gcr/unstable/GcrPrompt.html - # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html - # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 - dbus send bus=session path=/org/gnome/keyring/Prompter - interface=org.gnome.keyring.internal.Prompter - member={BeginPrompting,PerformPrompt,StopPrompting} - peer=(name="{@{busname}", label=pinentry-*), - dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} - interface=org.gnome.keyring.internal.Prompter.Callback - member={PromptReady,PromptDone} - peer=(name="{@{busname}", label=pinentry-*), - - # Allow read access to toplevel $HOME & mounts for the user. - prompt owner @{HOME}/ r, - prompt owner @{MOUNTS}/ r, - - # Allow read/write access to all files in @{HOME}, except snap application - # data in @{HOME}/snap and toplevel hidden directories in @{HOME}. - prompt owner @{HOME}/[^s.]** rwlk, - prompt owner @{HOME}/s[^n]** rwlk, - prompt owner @{HOME}/sn[^a]** rwlk, - prompt owner @{HOME}/sna[^p]** rwlk, - prompt owner @{HOME}/snap[^/]** rwlk, - prompt owner @{HOME}/{s,sn,sna}{,/} rwlk, - - # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs) - # for non-hidden files owned by the user. - prompt owner @{MOUNTS}/[^.]** rwlk, - - # Disallow writes to the well-known directory included in - # the user's PATH on several distributions - audit deny @{HOME}/bin/{,**} wl, - audit deny @{HOME}/bin wl, - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs deleted file mode 100644 index 189f8eb38..000000000 --- a/apparmor.d/abstractions/user-dirs +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - - owner @{user_config_dirs}/user-dirs.dirs r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index ab0e05f0a..3feed5cd8 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,8 +3,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index bd350186b..4187ab9e2 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,8 +4,6 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. - abi , - owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 9626bb0bc..5211b0345 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,10 +5,7 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. - abi , - owner @{HOME}/ r, - owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 88d52203e..223fc660a 100644 --- a/apparmor.d/abstractions/user-write-strict 
+++ b/apparmor.d/abstractions/user-write-strict @@ -5,10 +5,7 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. - abi , - owner @{HOME}/ r, - owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index d4dd2fae6..fd86f1e81 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -2,8 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, @@ -16,10 +14,7 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, - owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, - owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache - owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w, owner @{user_share_dirs}/vulkan/ rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, @@ -34,4 +29,5 @@ include if exists + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 67f83516e..8e5b68c08 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,5 +1,4 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index f0c712634..245b9238d 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete 
@@ -9,10 +9,7 @@ owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, - owner /dev/shm/@{uuid} rw, - owner /dev/shm/dunst-@{rand6} rw, - owner /dev/shm/grim-@{rand6} rw, owner /dev/shm/sway* rw, - owner /dev/shm/wlroots-@{rand6} rw, + owner /dev/shm/dunst-@{rand6} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit deleted file mode 100644 index c9a275250..000000000 --- a/apparmor.d/abstractions/webkit +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for webkit GTK UI. - - abi , - - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - - @{bin}/xdg-dbus-proxy rix, # TODO: stack me - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, - - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - - @{sys}/firmware/acpi/pm_profile r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine deleted file mode 100644 index 145cd763a..000000000 --- a/apparmor.d/abstractions/wine +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Basic set of resources for wine regardless of the installation method (system or through a game launcher). - - abi , - - owner @{user_share_dirs}/applications/wine/ rw, - owner @{user_share_dirs}/applications/wine/**/ rw, - - owner @{att}/@{tmp}/.wine-@{uid}/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/** rwk, - owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, - - owner /dev/shm/wine-@{hex6}-fsync rw, - owner /dev/shm/wine-@{hex6}@{h}-fsync rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index df13363fc..067de9148 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,22 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , - - include include include - include - include + include include include - include - /usr/share/xfce{,4}/ r, + /usr/share/xfce4/ r, owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + owner @{HOME}/.local/ rw, + owner @{user_cache_dirs}/ rw, + owner @{user_config_dirs}/ rw, + owner @{user_share_dirs}/ rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 7c734a45b..15711713c 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh 
@@ -3,48 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when zshrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. - abi , - @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/local/share/zsh/{,**} r, - /usr/share/oh-my-zsh/{,**} r, - /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, + /usr/local/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zcompdump-* rw, + owner @{HOME}/.zshrc r, + owner @{HOME}/.zshenv r, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, - owner @{HOME}/.zsh_history.new rw, - owner @{HOME}/.zshenv r, - owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{user_cache_dirs}/oh-my-zsh/{,**} r, - owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, - owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, - owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, + owner @{HOME}/.zcompdump-* rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, - owner @{user_share_dirs}/zsh/history rw, - owner @{user_share_dirs}/zsh/history.LOCK rwk, - owner @{user_share_dirs}/zsh/history.new rw, - - owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, - owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, - - @{PROC}/version r, - owner @{PROC}/@{pid}/loginuid r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap new file mode 100644 index 000000000..e9ad60683 --- /dev/null +++ b/apparmor.d/groups/_full/bwrap 
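Review bot: The reworded header `# This abstraction is only required when an interactive shell is started.` / `# Classic shell scripts do not need it.` is not accurate for two of the rules it guards: `/etc/zsh/* r` (which covers /etc/zsh/zshenv) and `owner @{HOME}/.zshenv r` are read by every zsh invocation, scripts included, unless the shell is started with -f. A profile that runs a zsh script without this abstraction will therefore still see denials on those two paths. I would extend the comment: `# Classic shell scripts do not need it, except for /etc/zsh/zshenv and ~/.zshenv, which zsh reads even when non-interactive; carry those two rules directly in such profiles.`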
@@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for bwrap. + +abi , + +include + +@{exec_path} = @{bin}/bwrap +profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + capability dac_override, + capability dac_read_search, + capability sys_resource, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + signal (receive) set=(kill), + + @{bin}/** rm, + @{lib}/** rm, + /opt/*/** rm, + /usr/share/*/* rm, + + @{bin}/** Px -> bwrap//&bwrap-app, + @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, + # @{lib}/** Px -> bwrap//&bwrap-app, + /opt/*/** Px -> bwrap//&bwrap-app, + /usr/share/*/* Px -> bwrap//&bwrap-app, + + /usr/.ref rk, + + /bindfile@{rand6} rw, + + owner /var/cache/ w, + + owner @{run}/ld-so-cache-dir/* rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app new file mode 100644 index 000000000..bfe12e560 --- /dev/null +++ b/apparmor.d/groups/_full/bwrap-app @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for user sandboxed application + +abi , + +include + +profile bwrap-app flags=(attach_disconnected,mediate_deleted) { + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + + @{bin}/** rmix, + @{lib}/** rmix, + /opt/*/** rmix, + /usr/share/*/* rmix, + + owner /var/cache/ w, + + include if exists + include if exists +} + +# vim:syntax=apparmor 
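Review bot: The disabled `# @{lib}/** Px -> bwrap//&bwrap-app,` leaves executables under @{lib} matched only by `@{lib}/** rm`, so bwrap can map them but any attempt to exec one is denied; the webkit abstraction this same diff deletes listed precisely such targets (`@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess`). Either enable the rule or document the exclusion, e.g. `# @{lib}/** Px -> bwrap//&bwrap-app,  # disabled: TODO state why lib-resident helpers must not be sandboxed here`. Separately, `@{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy` overlaps `@{bin}/** Px -> bwrap//&bwrap-app` with a different target; if the parser accepts this as an exact-match override, a one-line comment saying so would spare the next reader a parser check.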
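Review bot: The header `# Default profile for user sandboxed application` omits that this profile has no attachment path and is only ever reached as the stacked `bwrap//&bwrap-app` target from the bwrap profile; the systemd-service profile in this same diff carries exactly that explanation and the same two lines belong here: `# It does not specify an attachment path because it is intended to be used only` / `# as the stack target of "Px -> bwrap//&bwrap-app" from the bwrap profile.` It is also worth stating that `@{bin}/** rmix` through `/usr/share/*/* rmix` keep every program launched inside the sandbox under this label, so the stack with bwrap-app is the whole of its confinement and no per-program profile ever applies.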
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
new file mode 100644
index 000000000..8e0a3a535
--- /dev/null
+++ b/apparmor.d/groups/_full/default
@@ -0,0 +1,127 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for unconfined programs + +abi , + +include + +@{exec_path} = /** +profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + include + include + include + include + include + + capability dac_override, + capability dac_read_search, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + signal (receive) set=(hup), + + @{bin}/bwrap rPx -> bwrap, + @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, + @{bin}/pulseaudio rPx -> systemd//&pulseaudio, + @{bin}/su rPx -> default-sudo, + @{bin}/sudo rPx -> default-sudo, + @{bin}/systemctl rix, + @{coreutils_path} rix, + @{shells_path} rix, + + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + +# @{open_path} rPx -> child-open, + + audit @{bin}/** Pix, + audit @{lib}/** Pix, + audit /opt/*/** Pix, + audit /usr/share/*/* Pix, + + @{bin}/{,**} r, + @{lib}/{,**} r, + /usr/share/** r, + + /etc/xdg/** r, + + # Full access to user's data + / r, + /*/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rwl, + owner @{HOME}/{,**} rwlk, + owner @{run}/user/@{uid}/{,**} rw, + owner @{user_config_dirs}/** rwkl, + owner @{user_share_dirs}/** rwkl, + owner @{tmp}/{,**} rwk, + + owner @{run}/user/@{uid}/{,**} rw, + + @{run}/motd.dynamic.new rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/**/input@{int}/ r, + 
@{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/environ r, + owner @{PROC}/@{pids}/task/ r, + + /dev/ r, + /dev/ptmx rwk, + /dev/tty rwk, + owner /dev/tty@{int} rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo new file mode 100644 index 000000000..36cebc626 --- /dev/null +++ b/apparmor.d/groups/_full/default-sudo @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile default-sudo { + include + include + + capability chown, + capability mknod, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, + + ptrace (read), + + @{bin}/su mr, + + @{bin}/** Px, + @{lib}/** Px, + /opt/*/** Px, + + /var/db/sudo/lectured/ r, + /var/lib/extrausers/shadow r, + /var/lib/sudo/lectured/ r, + owner /var/db/sudo/lectured/@{uid} rw, + owner /var/lib/sudo/lectured/* rw, + + owner @{HOME}/.sudo_as_admin_successful rw, + + @{run}/ r, + @{run}/systemd/sessions/* r, + + include if exists +} + +# vim:syntax=apparmor 
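Review bot: `owner @{PROC}/@{pid}/mem r` grants every program that lands in this catch-all profile read access to the memory of any same-uid process, because `@{pid}` is a digit glob rather than the caller's own pid; the profile carries no `ptrace` rule either, so if AppArmor does not mediate the ptrace access check on /proc/*/mem for a profile without ptrace rules, only Yama stands between a confined program and its neighbours' memory (to be confirmed against the kernel in use). I would remove the rule, or keep it behind a comment naming the program that needs it. Minor: `owner @{run}/user/@{uid}/{,**} rw,` appears twice, under `# Full access to user's data` and again after `owner @{tmp}/{,**} rwk,`; drop one.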
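Review bot: The default profile sends both `@{bin}/su` and `@{bin}/sudo` here with `rPx -> default-sudo`, yet only `@{bin}/su mr` is granted; sudo falls under `@{bin}/** Px`, which as far as I can tell gives exec but not the `m` mapping the freshly exec'd binary needs under its new label, so unless one of the two name-stripped includes supplies it, add `@{bin}/sudo mr,` next to `@{bin}/su mr,`. By the same token I would expect `capability setuid,` and `capability setgid,` in this list, since neither su nor sudo can switch to the target user without them, unless those also come from the includes. A header line in the style of systemd-service, noting that the profile has no attachment path and is entered only via `rPx -> default-sudo`, would help too.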
diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
deleted file mode 100644
index ccdbf338b..000000000
--- a/apparmor.d/groups/_full/sd
+++ /dev/null
@@ -1,256 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Part of the systemd (as PID 1) profile. - -# sd is a profile for SystemD-executor run as root, it is used to run all services -# files and to encapsulate stacked services profiles (hence the short name). -# It aims at reducing the size of the systemd profile. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd.d directory - -abi , - -include - -@{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted,complain) { - include - include - include - include - include - include - include - include - - userns, - - capability audit_control, - capability audit_write, - capability bpf, - capability chown, - capability dac_override, - capability dac_read_search, - capability fowner, - capability fsetid, - capability kill, - capability linux_immutable, - capability mknod, - capability net_admin, - capability net_bind_service, - capability net_raw, - capability perfmon, - capability setfcap, - capability setgid, - capability setpcap, - capability setuid, - capability sys_admin, - capability sys_nice, - capability sys_ptrace, - capability sys_rawio, - capability sys_resource, - capability sys_time, - capability sys_tty_config, - capability syslog, - - network alg seqpacket, - network bluetooth, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 raw, - network inet6 stream, - network netlink raw, - network packet dgram, - network packet raw, - network qipcrtr dgram, - - mount -> @{run}/systemd/mount-rootfs/{,**}, - mount -> @{run}/systemd/namespace-@{rand6}/{,**}, - mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, - mount options=(rw rshared) -> /, - mount options=(rw rslave) -> /, - mount 
options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, - mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, - - remount /dev/shm/, - remount @{run}/systemd/mount-rootfs/{,**}, - - umount /, - umount /dev/shm/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - - pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - - change_profile, - - mqueue (read getattr) type=posix /, - - signal peer=sd//&*, - signal receive peer=@{p_systemd}, - signal send, - - ptrace read, - - unix type=dgram peer=(label=@{p_systemd}), - unix type=dgram peer=(label=systemd-timesyncd), - unix type=stream, - - dbus bus=system, - - @{exec_path} mr, - - @{bin}/** mPx, - @{sbin}/** mPx, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Mount operations from services and systemd - @{bin}/mount Px -> sd-mount, - @{bin}/umount Px -> sd-umount, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/kill Cx -> kill, - - # Used by very basic services, ideally should be replaced by a unit profiles - @{sh_path} ix, - @{bin}/false ix, - @{bin}/true ix, - - # Required due to stacked profiles - @{bin}/find ix, - @{bin}/gzip ix, - @{bin}/install ix, - @{bin}/readlink ix, - @{lib}/colord-sane ix, - @{lib}/systemd/systemd-nsresourcework ix, - @{lib}/systemd/systemd-userwork ix, - @{sbin}/grpck ix, - @{sbin}/pwck ix, - - / r, - @{att}/ r, - @{bin}/{,**} r, - @{lib}/{,**} r, - @{sbin}/{,*} r, - /usr/local/{,**} r, - /usr/share/** r, - /etc/*/ w, - /etc/** rk, - /home/ r, - - @{efi}/ r, - @{efi}/** rw, - - @{att}/var/lib/systemd/*/ r, - - /var/cache/*/ rw, - /var/cache/*/** rwk, - /var/lib/*/ rw, - 
/var/lib/*/** rwk, - /var/lib/systemd/*/ r, - /var/log/ r, - /var/log/** rw, - /var/log/journal/** rwl -> /var/log/journal/**, - - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, - - @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, - @{att}/@{run}/systemd/notify rw, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, - - @{run}/ rw, - @{run}/* rw, - @{run}/*/ rw, - @{run}/*/* rw, - @{run}/systemd/{,**} rw, - owner @{run}/*/** rw, - - @{run}/udev/**/ r, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - - @{sys}/** r, - @{sys}/fs/bpf/systemd/{,**} w, - @{sys}/firmware/efi/efivars/** w, - @{sys}/fs/cgroup/{,**} w, - - @{PROC}/@{pids}/attr/apparmor/exec w, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/gid_map w, - @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/loginuid rw, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/oom_score_adj rw, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/setgroups r, - @{PROC}/@{pids}/setgroups w, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, - @{PROC}/@{pids}/uid_map r, - @{PROC}/@{pids}/uid_map w, - @{PROC}/cmdline r, - @{PROC}/interrupts r, - @{PROC}/irq/@{int}/node r, - @{PROC}/irq/@{int}/smp_affinity r, - @{PROC}/kmsg r, - @{PROC}/modules r, - @{PROC}/pressure/* r, - @{PROC}/swaps r, - @{PROC}/sys/** r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/sysvipc/* r, - @{PROC}/version_signature r, - - /dev/** rwk, - - profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { - include - include - - include if exists - include if exists - } - - 
profile kill flags=(attach_disconnected,mediate_deleted,complain) { - include - - signal send, - - @{bin}/kill mr, - - include if exists - } - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount deleted file mode 100644 index 1572a8f6d..000000000 --- a/apparmor.d/groups/_full/sd-mount +++ /dev/null 
@@ -1,71 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Part of the systemd (as PID 1) profile. - -# sd-mount is a subprofile of sd responsible to handle mounting operation. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd-mount.d directory - -abi , - -include - -@{exec_path} = @{bin}/mount -profile sd-mount flags=(complain) { - include - include - - capability dac_read_search, - capability sys_admin, - - mount -> @{efi}/, - mount -> @{HOME}/{,**}, - mount -> @{HOMEDIRS}/, - mount -> @{MOUNTDIRS}/, - mount -> @{MOUNTS}/{,**}, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, - mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - - mount options=(rw move) -> @{efi}, - mount options=(rw move) -> @{HOME}/{,**}, - mount options=(rw move) -> @{HOMEDIRS}/, - mount options=(rw move) -> @{MOUNTDIRS}/, - mount options=(rw move) -> @{MOUNTS}/{,**}, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw 
move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /tmp/, - - @{exec_path} mr, - - /var/lib/snapd/snaps/*.snap r, - - @{run}/ r, - owner @{run}/mount/ rw, - owner @{run}/mount/utab{,.*} rwk, - - @{PROC}/@{pid}/mountinfo r, - - /dev/loop-control rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount deleted file mode 100644 index e5d67f0a9..000000000 --- a/apparmor.d/groups/_full/sd-umount +++ /dev/null @@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Part of the systemd (as PID 1) profile. - -# sd-umount is a subprofile of sd responsible to handle unmounting operation. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sd-umount.d directory - -abi , - -include - -@{exec_path} = @{bin}/umount -profile sd-umount flags=(complain) { - include - - capability sys_admin, - - umount @{efi}, - - @{exec_path} mr, - - @{PROC}/@{pid}/mountinfo r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu deleted file mode 100644 index f9c50b65f..000000000 --- a/apparmor.d/groups/_full/sdu +++ /dev/null 
@@ -1,141 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Part of the systemd-user profile. - -# sdu is a profile for SystemD-executor run as User, it is used to run all services -# files and to encapsulate stacked services profiles (hence the short name). -# It aims at reducing the size of the systemd-user profile. - -# Only use this profile with a fully configured system. Otherwise it **WILL** -# break your computer. See https://apparmor.pujol.io/full-system-policy/. - -# Distributions and other programs can add rules in the usr/sdu.d directory - -abi , - -include - -@{exec_path} = @{bin}/systemd-executor -profile sdu flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - - network netlink raw, - - change_profile, - - ptrace read, - - unix type=dgram peer=(label=@{p_systemd_user}), - - dbus bus=session, - - @{exec_path} mr, - - @{bin}/** mPx, - @{sbin}/** mPx, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based user unit services - @{sh_path} Cx -> shell, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, - - / r, - @{bin}/* r, - @{sbin}/* r, - /usr/share/** r, - - owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, - - owner @{run}/user/@{uid}/pipewire-@{int} rw, - owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, - owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, - owner @{run}/user/@{uid}/pulse/pid rw, - - owner @{user_state_dirs}/wireplumber/ rw, - owner 
@{user_state_dirs}/wireplumber/stream-properties rw, - owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, - - @{run}/systemd/users/@{uid} r, - @{run}/systemd/users/@{int} r, - - @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/bus/ r, - @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, - @{sys}/devices/**/device:*/{,**/}path r, - @{sys}/devices/**/sound/**/pcm_class r, - @{sys}/devices/**/sound/**/uevent r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/sound/seq/uevent r, - @{sys}/devices/virtual/sound/timer/uevent r, - - @{sys}/module/apparmor/parameters/enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - - @{PROC}/pressure/* r, - @{PROC}/sys/fs/nr_open r, - owner @{PROC}/@{pid}/attr/apparmor/exec w, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/kmsg w, - - deny capability net_admin, - - profile shell flags=(attach_disconnected,mediate_deleted,complain) { - include - - @{sh_path} mr, - @{bin}/systemctl Px -> sdu//systemctl, - - include if exists - } - - profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { - include - include - - owner @{run}/user/@{uid}/systemd/private rw, - - deny capability net_admin, - - include if exists - include if exists - } - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d1ee8fd1f..aa1f1729d 100644 --- a/apparmor.d/groups/_full/systemd 
+++ b/apparmor.d/groups/_full/systemd 
@@ -11,47 +11,13 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# Overall architecture of the systemd profiles: -# systemd # PID 1, entrypoint, requires "Early policy" -# ├── systemd # To restart itself -# ├── systemd-generators-* # Systemd system and environment generators -# └── sd # Internal service starter and config handler, handles all services -# ├── Px or px, # Any service with profile -# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) -# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) -# ├── sd-mount # Handles all mounts from services -# ├── sd//systemctl # Internal system systemctl -# └── systemd-user # Profile for 'systemd --user' -# ├── systemd-user # To restart itself -# ├── systemd-user-generators-* # Systemd user and environment generators -# └── sdu # Handles all user services -# ├── Px or px, # Any user service with profile -# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) -# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) -# └── sdu//systemctl # Internal user systemctl - -# Advantages: -# - Differentiate systemd (PID 1) and `system --user` -# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. -# - Allow the executor profiles to handled stacked profiles. -# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. -# - Dedicated `sd-mount` profile for most mount from the unit services. - - -# TODO: rework this to get a controlled environment: -# - No global allow anymore: in high security environments, we must manage the list -# of program/service that can be started by systemd and ensure that they are all -# listed and confined. Programs not listed will not be able to start. 
-# - Outside common systemd service, the list may have to be automatically -# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` - -abi , +abi , include -@{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted,complain) { +profile systemd flags=(attach_disconnected,mediate_deleted) { include + include include include include @@ -66,13 +32,16 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { capability dac_read_search, capability fowner, capability fsetid, - capability kill, + capability mknod, capability net_admin, - capability net_bind_service, capability perfmon, + capability setfcap, + capability setgid, capability setpcap, + capability setuid, capability sys_admin, - capability sys_boot, + capability sys_chroot, + capability sys_nice, capability sys_ptrace, capability sys_resource, capability sys_tty_config, 
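Review bot: Dropping `@{exec_path}` leaves `profile systemd flags=(attach_disconnected,mediate_deleted)` without an attachment path, and the removed architecture comment was the only text saying how PID 1 ends up in it ("requires Early policy") and where services are meant to transition; nothing on the new side replaces that. A short header in the style of the systemd-service profile from this diff would do: `# No attachment path: PID 1 is expected to be placed in this profile by early policy at boot; every service it spawns leaves it through the Px rules below.` The `complain` flag is dropped in the same line, so the header should also make clear the profile is now enforcing.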
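Review bot: This capability list drops `capability kill` while the next hunk keeps an unrestricted `signal (send)`; delivering a signal to a service running as a non-root `User=` still requires CAP_KILL, so stopping such units would be denied unless one of the name-stripped includes provides it. Either restore `capability kill,` or add a comment naming the include that grants it. The same question applies to the removed `capability sys_boot` if systemd itself, rather than a Px-transitioned systemd-shutdown, issues the final reboot(2).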
@@ -82,124 +51,190 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { network inet6 dgram, network inet6 stream, network netlink raw, - network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> @{efi}/, + mount fstype=autofs systemd-1 -> /efi/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=tmpfs tmpfs -> /dev/shm/, mount fstype=tmpfs tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, + mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, + mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /efi/, + mount options=(rw move) -> /tmp/, + mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, + mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, + mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> 
@{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, + remount @{run}/systemd/mount-rootfs/{,**}, + remount @{run}/systemd/unit-root/{,**}, + remount /, remount /snap/{,**}, - remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, - remount options=(ro bind nodev nosuid) /dev/hugepages/, - remount options=(ro bind noexec nosuid) /dev/pts/, - remount options=(ro bind nosuid) /dev/, - remount options=(ro bind) @{efi}/, - remount options=(ro bind) /, + remount options=(ro noexec noatime bind) /var/snap/{,**}, + remount options=(ro nosuid bind) /dev/, + remount options=(ro nosuid nodev bind) /dev/hugepages/, + remount options=(ro nosuid nodev bind) /var/, + remount options=(ro nosuid nodev noexec bind) /boot/, + remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, + remount options=(ro nosuid nodev noexec bind) /efi/, + remount options=(ro nosuid noexec bind) /dev/pts/, + umount /, + umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/credentials/*/, + umount @{run}/systemd/mount-rootfs/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, + umount @{run}/systemd/unit-root/{,**}, - mqueue (read getattr) type=posix /, + pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, - signal send, + change_profile, + + signal (receive) set=(rtmin+23) peer=plymouthd, + signal (receive) set=(term, hup, cont), + signal (send), ptrace (read, readby), - unix type=dgram, - unix type=stream, + unix (send) type=dgram, + + unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), + unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), #aa:dbus own bus=system name=org.freedesktop.systemd1 - @{exec_path} mrix, - @{sh_path} mr, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + 
member=GetConnectionUnixUser + peer=(name=org.freedesktop.DBus, label=dbus-system), - # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor mPx -> sd, + @{bin}/systemctl rix, + @{bin}/mount rix, - # Systemd system generators. Profiles must exist - @{lib}/netplan/generate mPx, - @{lib}/systemd/system-environment-generators/* mPx, - @{lib}/systemd/system-generators/* mPx, + @{lib}/systemd/systemd-executor rix, + @{lib}/systemd/systemd rpx -> systemd-user, + + @{bin}/ldconfig rPx -> systemd-service, + @{bin}/mandb rPx -> systemd-service, + @{bin}/savelog rPx -> systemd-service, + @{coreutils_path} rPx -> systemd-service, + @{sh_path} rPx -> systemd-service, + + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /usr/share/*/** Px, + + #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd + @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd, + @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd, + @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved, + @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd, + + @{lib}/ r, + / r, + /boot/ r, + /boot/efi/ r, + /efi/ r, + /snap/ r, + /snap/*/@{int}/ r, + /tmp/ r, + /usr/ r, + /var/cache/*/ r, + /var/lib/*/ r, + /var/tmp/ r, - @{etc_ro}/environment r, - @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/default/{,**} r, + /etc/credstore.encrypted/{,**} r, + /etc/credstore/{,**} r, + /etc/environment r, + /etc/environment.d/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, - /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, - /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - #aa:only pacman - # It is unclear why this is needed here and not in sd - /etc/pacman.d/gnupg/S.dirmngr w, - /etc/pacman.d/gnupg/S.gpg-agent w, - /etc/pacman.d/gnupg/S.gpg-agent.browser w, - 
/etc/pacman.d/gnupg/S.gpg-agent.extra w, - /etc/pacman.d/gnupg/S.gpg-agent.ssh w, - /etc/pacman.d/gnupg/S.keyboxd w, - - @{efi}/ r, - /snap/*/@{int}/ r, - - /tmp/ r, - /var/tmp/ r, - owner /tmp/systemd-private-*/{,**} rw, + /var/lib/systemd/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - @{att}/@{run}/systemd/journal/dev-log r, - @{att}/@{run}/systemd/journal/socket r, - @{att}/@{run}/systemd/notify r, + /tmp/namespace-dev-@{rand6}/{,**} rw, + /tmp/systemd-private-*/{,**} rw, @{run}/ rw, - @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, + @{run}/auditd.pid r, @{run}/credentials/{,**} rw, + @{run}/initctl rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, + + @{run}/udev/data/+module:configfs r, + @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, - @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/class/sound/ r, + @{sys}/devices/@{pci}/** r, + @{sys}/devices/**/net/** r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, 
@{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, + @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, - @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/coredump_filter r, + @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map rw, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -207,31 +242,20 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sysvipc/msg r, - @{PROC}/sysvipc/sem r, - @{PROC}/sysvipc/shm r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/1/coredump_filter r, - owner @{PROC}/1/fdinfo/@{int} r, - owner @{PROC}/1/gid_map r, - owner @{PROC}/1/oom_score_adj rw, - owner @{PROC}/1/setgroups r, - owner @{PROC}/1/uid_map r, + @{PROC}/sysvipc/{shm,sem,msg} r, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/oom_score_adj rw, /dev/autofs r, - /dev/dri/card@{int} rw, - /dev/initctl w, - /dev/input/ r, /dev/kmsg w, - /dev/tty rw, - /dev/tty@{int} rw, owner /dev/console rwk, + owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, + owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ r, + owner /dev/shm/ rw, owner /dev/ttyS@{int} rwk, include if exists diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service new file mode 100644 index 000000000..3a72cfe7e --- /dev/null +++ b/apparmor.d/groups/_full/systemd-service 
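Review bot: The PID-1-scoped `owner @{PROC}/1/{gid_map,uid_map,setgroups} r` rules are dropped in this hunk, while the replacements visible earlier in the same file (`@{PROC}/@{pid}/gid_map rw`, `uid_map rw`, `setgroups rw`, `loginuid rw`) carry neither `owner` nor a pid-1 restriction (`@{pid}` is a numeric glob, not the caller's own pid), so the profile may now write the id maps of any process. If these writes are only for children systemd has just forked (presumably user-namespace setup), `owner` keeps that scope without breaking the use case, e.g. `owner @{PROC}/@{pid}/uid_map rw,`. The same hunk widens `owner /dev/shm/ r` to `rw` and `owner @{PROC}/1/oom_score_adj rw` to `owner @{PROC}/@{pid}/oom_score_adj rw`; a short why-comment on each of those lines would let later readers tell a needed write from an over-grant. The enclosing `profile systemd` block continues past this hunk.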
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Profile for generic systemd unit services. Only used by tiny systemd services +# that start a shell or use context specific programs. + +# It does not specify an attachment path because it is intended to be used only +# via "Px -> systemd-service" exec transitions from the systemd profile. + +abi , + +include + +profile systemd-service flags=(attach_disconnected) { + include + include + include + + capability chown, + capability fsetid, + + @{bin}/ldconfig rix, + @{bin}/savelog rix, + @{bin}/systemctl rix, + @{bin}/gzip rix, + @{coreutils_path} rix, + @{sh_path} rmix, + + # ifup@.service + @{bin}/ifup rPx, + + # shadow.service + @{bin}/pwck rPx, + @{bin}/grpck rPx, + + @{bin}/grub-editenv rPx, + @{bin}/ibus-daemon rPx, + + @{bin}/* r, + @{lib}/ r, + + /var/cache/ldconfig/{,**} rw, + + /boot/grub/grubenv rw, + /boot/grub/ w, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + # man-db.service + /usr/{,local/}share/man/{,**} r, + /etc/manpath.config r, + /var/cache/man/{,**} rwk, + + # snapd.system-shutdown.service + @{run}/initramfs/shutdown rw, + @{run}/initramfs/ rw, + + # cockpit.socket + @{run}/cockpit/@{rand8} rw, + @{run}/cockpit/motd w, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b3d751be1..f88604124 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
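Review bot: Every unit that transitions here shares a single label, so each of them receives the union of the rules below — `capability chown`, `capability fsetid`, `/boot/grub/grubenv rw`, `/boot/grub/ w`, `@{run}/initramfs/shutdown rw`, the man-db cache — and with `@{sh_path} rmix` any shell those units spawn inherits the same set. Since `@{bin}/grub-editenv rPx` already moves grub-editenv into its own profile, the direct grubenv and `/boot/grub/` write rules look redundant in the shared profile and are worth dropping or annotating with the unit that actually needs them. The header comment could state the trade-off explicitly, e.g. `# Rules below are the union over every unit routed here; give a unit its own profile as soon as it needs more than a shell and coreutils.`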
@@ -11,12 +11,12 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { +profile systemd-user flags=(attach_disconnected,mediate_deleted) { include include include 
@@ -25,61 +25,84 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { network netlink raw, - signal send, + signal (send) set=(term, cont, kill), + signal (receive) set=(hup) peer=@{p_systemd}, - ptrace read, + ptrace (read) peer=@{p_systemd}, - unix type=dgram peer=(label=@{p_sdu}), - - unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, - unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mrix, + @{exec_path} mr, - # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor mPx -> sdu, + @{bin}/dbus-broker rpx -> dbus-session, + @{bin}/dbus-broker-launch rpx -> dbus-session, + @{bin}/dbus-daemon rpx -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session, - # Systemd user generators. Profiles must exist - @{lib}/systemd/user-environment-generators/* Px, - @{lib}/systemd/user-generators/* Px, + @{bin}/systemctl rCx -> systemctl, + @{lib}/systemd/systemd-executor rix, + @{sh_path} rix, # Should be handled by default profile? 
+ @{bin}/grep rix, + @{bin}/sleep rix, + + @{bin}/** Px, + @{lib}/** Px, + /opt/*/** Px, + /usr/share/*/** Px, + + #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber + @{bin}/pipewire rPx -> systemd-user//&pipewire, + @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, + @{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse, + @{bin}/pulseaudio rPx -> systemd-user//&pulseaudio, + @{bin}/wireplumber rPx -> systemd-user//&wireplumber, + + /usr/ r, + /usr/share/defaults/**.conf r, - @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, + / r, + + owner @{HOME}/.local/ w, + owner @{user_config_dirs}/systemd/user/{,**} rw, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, - @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+module:configfs r, + @{run}/udev/data/+module:fuse r, + @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, + @{sys}/module/apparmor/parameters/enabled r, owner 
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -88,25 +111,27 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/oom_score_adj rw, - deny capability bpf, - deny capability dac_override, - deny capability dac_read_search, - deny capability mknod, - deny capability net_admin, - deny capability perfmon, - deny capability sys_admin, - deny capability sys_boot, - deny capability sys_resource, + /dev/tty rw, + + profile systemctl { + include + include + + include if exists + include if exists + } include if exists include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index 0471cd8f4..8b9e434a5 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource +++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource 
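Review bot: `@{PROC}/@{pids}/cgroup r`, `@{PROC}/@{pids}/comm r` and `@{PROC}/@{pids}/stat r` replace the `@{pid}` forms without an `owner` qualifier, so the per-user manager can now read these entries for every process on the system rather than only its own. If the need is limited to processes in the user's session, `owner @{PROC}/@{pids}/cgroup r,` (and likewise for comm and stat) keeps the widening to the user's own processes. The inline question `# Should be handled by default profile?` on `@{sh_path} rix` should be resolved or turned into a tracked TODO, since `rix` keeps every shell the manager runs under this profile's rules. This hunk covers the middle of `profile systemd-user`; the block continues in the next hunk.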
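Review bot: Removing the nine explicit `deny capability ...` lines does not grant those capabilities — AppArmor denies any capability that is not listed — but it does re-enable audit logging of attempts such as `capability sys_admin` that the explicit denies silenced; a one-line comment or a sentence in the commit message would stop later readers from taking this as a widening. The new child profile `systemctl` holds only includes (their targets are not visible in this rendering), so its effective rights come entirely from those abstractions; a comment on the `rCx -> systemctl` line saying why systemctl is kept under a child label rather than its top-level profile, e.g. `# systemctl run by the user manager stays under this label`, would help. The profile's closing brace lies outside this hunk.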
@@ -2,25 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_akonotes_resource profile akonadi_akonotes_resource @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, - owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r, + /usr/share/hwdata/*.ids r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, owner @{user_share_dirs}/notes/**/ r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index ed72aa21b..5d305062d 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -2,22 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_archivemail_agent profile akonadi_archivemail_agent @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + /usr/share/hwdata/*.ids r, /etc/machine-id r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, 
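Review bot: `owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r` narrows the previous `@{int}` match to exactly one digit, so a tenth resource instance (`..._10rc`) would be denied once the profile enforces; the same single-digit class is introduced later in this commit for akonadi_contacts_resource, akonadi_ical_resource (rc file and cache dir) and akonadi_maildir_resource (rc file and share dir). If the goal was to satisfy the linter rather than to cap instances at ten, a two-digit form such as `akonadi_akonotes_resource_[0-9]{,[0-9]}rc` keeps the earlier coverage. A comment on the line stating the intended instance range would settle the question either way.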
@@ -26,8 +34,12 @@ profile akonadi_archivemail_agent @{exec_path} { owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, - + owner @{user_config_dirs}/kwinrc r, + owner @{user_share_dirs}/akonadi/file_db_data/{,**} r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index d3bf2074c..a4adaf453 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -2,25 +2,39 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_birthdays_resource profile akonadi_birthdays_resource @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_birthdays_resourcerc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index 58c7443fc..9646d1ca4 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource 
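Review bot: `owner @{user_config_dirs}/akonadi_birthdays_resourcerc r` is removed here while the sibling akonadi profiles in this commit keep or add their own rc-file read; if that read is now covered by one of the added abstractions (names not visible in this rendering), a short comment saying so would avoid a future re-add, otherwise the rule is presumably still needed. The block `/usr/share/hwdata/*.ids r`, `/etc/xdg/kdeglobals r`, `/etc/xdg/kwinrc r`, `owner @{user_cache_dirs}/icon-cache.kcache rw` and the four `kdedefaults/`/`kdeglobals`/`kwinrc` reads is pasted verbatim into every akonadi profile touched by this commit (archivemail, contacts, control, followupreminder, ical, indexing, maildir and the rest); a shared abstraction would keep them from drifting apart, which already happens here where akonadi_control lacks the `kwinrc` owner reads the others carry.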
@@ -2,25 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_contacts_resource profile akonadi_contacts_resource @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{user_config_dirs}/akonadi_contacts_resource_@{int}rc r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + owner @{user_share_dirs}/contacts/ r, owner @{user_share_dirs}/contacts/*.vcf w, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index 945cc82b9..444fb5199 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_control profile akonadi_control @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, 
@@ -19,17 +22,24 @@ profile akonadi_control @{exec_path} { @{bin}/akonadiserver rPx, /usr/share/akonadi/{,**} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, /etc/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/akonadi/{,**} rwl, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_share_dirs}/akonadi/{,**} rwl, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent index be897ee9e..4c13bcbe0 100644 --- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent +++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_followupreminder_agent profile akonadi_followupreminder_agent @{exec_path} { include + include + include include - include include + include + include network inet dgram, network inet6 dgram, @@ -19,10 +22,22 @@ profile akonadi_followupreminder_agent @{exec_path} { @{exec_path} mr, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_followupreminder_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + /dev/tty r, include if exists 
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index 2a5c95729..fea2fb594 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,19 +10,27 @@ include profile akonadi_ical_resource @{exec_path} { include include - include include + include + include @{exec_path} mr, - owner @{user_cache_dirs}/akonadi_ical_resource_@{int}/{,*} rwl, + /usr/share/hwdata/*.ids r, + /usr/share/icons/{,**} r, + /usr/share/mime/{,**} r, - owner @{user_config_dirs}/akonadi_ical_resource_@{int}rc rwl, + owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/apps/korganizer/{,**} rw, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent index 32a332793..9a5cc32f2 100644 --- a/apparmor.d/groups/akonadi/akonadi_indexing_agent +++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_indexing_agent profile akonadi_indexing_agent @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, 
@@ -19,8 +22,14 @@ profile akonadi_indexing_agent @{exec_path} { /usr/share/akonadi/plugins/serializer/ r, /usr/share/akonadi/plugins/serializer/*.desktop r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, /etc/machine-id r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_indexing_agentrc rw, @@ -28,6 +37,10 @@ profile akonadi_indexing_agent @{exec_path} { owner @{user_config_dirs}/akonadi_indexing_agentrc.lock rwk, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/akonadi/ rw, owner @{user_share_dirs}/akonadi/** rwlk -> @{user_share_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index be9621437..a04ee16bf 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource 
@@ -2,28 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_maildir_resource profile akonadi_maildir_resource @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{user_mail_dirs}/{,**} rw, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, - owner @{user_config_dirs}/akonadi_maildir_resource_@{int}rc r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, - owner @{user_share_dirs}/akonadi_maildir_resource_@{int}/{,**} rw, + owner @{user_share_dirs}/akonadi_maildir_resource_[0-9]/{,**} rw, owner @{user_share_dirs}/akonadi/{,**} rwk, owner @{user_share_dirs}/local-mail*/{,**} rw, diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent index c353ea819..cc19a136f 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent +++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent @@ -2,17 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_maildispatcher_agent profile akonadi_maildispatcher_agent @{exec_path} { include + include + include include - include include + include include + include network inet dgram, network inet6 dgram, 
@@ -24,13 +27,24 @@ profile akonadi_maildispatcher_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/{,**} r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/knotifications{5,6}/akonadi_maildispatcher_agent.notifyrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, /etc/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_maildispatcher_agent.notifyrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/ksslcertificatemanager r, + owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/mailtransports r, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent index d1a2f008f..8d8c30343 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_mailfilter_agent profile akonadi_mailfilter_agent @{exec_path} { include + include + include include - include include + include + include ptrace (read) peer=akonadi_archivemail_agent, @@ -20,7 +23,14 @@ profile akonadi_mailfilter_agent @{exec_path} { /usr/share/akonadi/plugins/serializer/ r, /usr/share/akonadi/plugins/serializer/*.desktop r, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /etc/machine-id r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r, 
@@ -33,8 +43,12 @@ profile akonadi_mailfilter_agent @{exec_path} { owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities* rwl, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, - + owner @{user_config_dirs}/kwinrc r, + owner @{tmp}/#@{int} rw, owner @{tmp}/akonadi_mailfilter_agent.* rwl, diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent index 2083318e7..fd9012142 100644 --- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent +++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_mailmerge_agent profile akonadi_mailmerge_agent @{exec_path} { include + include + include include - include include + include + include network inet dgram, network inet6 dgram, @@ -20,9 +23,22 @@ profile akonadi_mailmerge_agent @{exec_path} { @{exec_path} mr, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent index 55fedf4ea..832e5760b 100644 --- a/apparmor.d/groups/akonadi/akonadi_migration_agent +++ b/apparmor.d/groups/akonadi/akonadi_migration_agent 
@@ -2,25 +2,40 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_migration_agent profile akonadi_migration_agent @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi-migrationrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw, - + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent index 28ce1123c..b5a0d7577 100644 --- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent +++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,12 @@ profile akonadi_newmailnotifier_agent @{exec_path} { @{exec_path} mr, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + /usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r, /etc/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r, owner @{user_config_dirs}/akonadi/ rw, 
@@ -26,6 +29,7 @@ profile akonadi_newmailnotifier_agent @{exec_path} { owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities.lock rwk, owner @{user_config_dirs}/emailidentities* rwl, + owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kmail2rc r, owner @{user_config_dirs}/specialmailcollectionsrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent index 8e8665e40..d2c1fe059 100644 --- a/apparmor.d/groups/akonadi/akonadi_notes_agent +++ b/apparmor.d/groups/akonadi/akonadi_notes_agent @@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_notes_agent profile akonadi_notes_agent @{exec_path} { include + include + include include - include include + include + include network inet dgram, network inet6 dgram, @@ -20,9 +23,21 @@ profile akonadi_notes_agent @{exec_path} { @{exec_path} mr, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_*_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, /dev/tty r, diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent index 2053bf298..f640ca86f 100644 --- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent +++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent 
@@ -2,16 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_sendlater_agent profile akonadi_sendlater_agent @{exec_path} { include + include + include include - include include + include + include network inet dgram, network inet6 dgram, @@ -20,10 +23,23 @@ profile akonadi_sendlater_agent @{exec_path} { @{exec_path} mr, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_sendlater_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index 4e0e5820a..cc0807a6b 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent 
@@ -2,23 +2,37 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/akonadi_unifiedmailbox_agent profile akonadi_unifiedmailbox_agent @{exec_path} { include + include + include include - include include + include + include @{exec_path} mr, - owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565 + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, /dev/tty r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify deleted file mode 100644 index 07706d052..000000000 --- a/apparmor.d/groups/apparmor/aa-notify +++ /dev/null 
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/aa-notify -profile aa-notify @{exec_path} { - include - include - include - include - include - include - include - - capability setgid, - capability setuid, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/gtk-launch ix, - @{bin}/pkexec Cx -> pkexec, - @{bin}/xdg-mime Px, - @{open_path} Cx -> open, - - @{bin}/ r, - - /usr/share/apparmor/** r, - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - /etc/apparmor.d/{,**} r, - /etc/apparmor/*.conf r, - - /var/log/audit/audit.log r, - - owner @{HOME}/.inputrc r, - owner @{HOME}/.terminfo/@{int}/dumb r, - - owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - profile open { - include - include - - @{editor_ui_path} rPx -> aa-notify//editor, - - include if exists - } - - profile editor { - include - include - include - include - include - - @{editor_ui_path} rix, - @{open_path} rPx -> child-open-help, - - /etc/apparmor.d/{,**} r, - - owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, - - owner @{PROC}/@{pid}/mountinfo r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists - } - - profile pkexec { - include - include - include - - ptrace read peer=aa-notify, - - @{sbin}/apparmor_parser Px, - @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, - - /usr/share/apparmor/** r, - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - - /etc/apparmor.d/ r, - /etc/apparmor.d/** rw, - /etc/apparmor/* r, - - @{PROC}/@{pid}/mounts r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined deleted file mode 100644 index 7308a5ef0..000000000 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ /dev/null @@ -1,44 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/aa-unconfined -profile aa-unconfined @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/netstat Px, - @{sbin}/ss Px, - - /usr/share/terminfo/** r, - - /etc/apparmor/logprof.conf r, - @{etc_ro}/inputrc r, - - owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, - owner /var/tmp/@{rand8} rw, - - @{PROC}/ r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pid}/mounts r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/groups/apps/calibre similarity index 53% rename from apparmor.d/profiles-a-f/calibre rename to apparmor.d/groups/apps/calibre index 281d15718..f1b3e9050 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/groups/apps/calibre 
@@ -3,24 +3,27 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*} +@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} +@{exec_path} += @{bin}/calibredb +@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert} @{exec_path} += @{bin}/fetch-ebook-metadata -@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk +@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer +@{exec_path} += @{bin}/web2disk profile calibre @{exec_path} { include + include include - include - include - include + include + include + include include include include include - include include include include @@ -33,36 +36,33 @@ profile calibre @{exec_path} { capability sys_ptrace, - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, network netlink raw, - # unix (send, receive) type=stream peer=(addr=none, label=xorg), + unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @{exec_path} mrix, + @{bin}/python3.@{int} r, + @{bin}/ldconfig{,.real} rix, @{sh_path} rix, - @{python_path} rix, - @{bin}/env r, @{bin}/file rix, @{bin}/uname rix, - @{sbin}/ldconfig{,.real} rix, - @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, + @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @{bin}/pdfinfo rPUx, @{bin}/pdftohtml rPUx, - @{open_path} rPx -> child-open, + @{bin}/xdg-open rPx -> child-open, + @{bin}/xdg-mime rPx, /usr/share/calibre/{,**} r, /etc/fstab r, - /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, 
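Review bot: The renderer exec rule is narrowed to `@{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,` while the removed form `@{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,` also covered Qt6 and non-multiarch layouts, so a calibre build linked against Qt6 would have its web-engine helper denied. If Qt5 is the only supported layout, a comment above the rule saying so would stop the next reader from widening it back; otherwise keep the broader pattern. The `@{bin}/pdftoppm rPUx, # (#FIXME#)` fallback to unconfined is inherited context rather than new, but this hunk touches the surrounding exec rules and is a natural place to either give it a real profile or document why the fallback stays. The calibre profile continues past this hunk.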
@@ -70,53 +70,51 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - - owner @{user_books_dirs}/{,**} rwl, - owner @{user_books_dirs}/Calibre/** rwk, owner @{user_documents_dirs}/{,**} rwl, - owner @{user_documents_dirs}/Calibre/** rwk, + owner @{user_books_dirs}/{,**} rwl, owner @{user_torrents_dirs}/{,**} rwl, - owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, - owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, owner @{user_share_dirs}/calibre-ebook.com/ rw, - owner @{user_share_dirs}/calibre-ebook.com/** rwk, + owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw, + owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/@{rand8} rw, - audit owner @{tmp}/@{int}-*/ rw, - audit owner @{tmp}/@{int}-*/** rwl, - audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, - audit owner @{tmp}/calibre-@{rand8}/{,**} rw, + owner @{user_cache_dirs}/gstreamer-@{int}/ rw, + owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{tmp}/calibre_*_tmp_*/{,**} rw, + owner @{tmp}/calibre-*/{,**} rw, + owner @{tmp}/@{int}-*/ rw, + owner @{tmp}/@{int}-*/** rwl, owner /dev/shm/#@{int} rw, @{sys}/devices/@{pci}/irq r, - @{PROC}/ r, - @{PROC}/@{pids}/net/route r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/task/ r, - owner 
@{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/ r, + @{PROC}/@{pids}/net/route r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat{,m} r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{PROC}/@{pid}/cmdline r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + deny @{PROC}/sys/kernel/random/boot_id r, - /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/groups/apps/discord similarity index 62% rename from apparmor.d/profiles-a-f/discord rename to apparmor.d/groups/apps/discord index 0991a243e..3c70844c1 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/groups/apps/discord @@ -3,23 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = discord -@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} +profile discord @{exec_path} { include include - include include - include include include 
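Review bot: `owner @{user_cache_dirs}/ rw` grants create and delete on entries directly under the whole user cache root, not just under `calibre/`; the next line `owner @{user_cache_dirs}/calibre/ rw` already covers creating calibre's own directory, so either drop the root rule or add a comment naming what calibre writes at that level. In the same hunk the tmp rules lose their `audit` qualifier and replace `@{rand8}` with `*` (`owner @{tmp}/calibre-*/{,**} rw,`), so any same-uid directory with that prefix becomes writable; if the random suffix length is stable, `@{rand8}` was the tighter match and the audit flag was presumably there to confirm it. The explicit `deny owner @{PROC}/@{pid}/cmdline r` and `deny @{PROC}/sys/kernel/random/boot_id r` lines override any allow from the included abstractions, which is fine as silencers but deserves a `# silencer` comment so they are not mistaken for hardening. The profile's closing brace is outside this hunk.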
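Review bot: Dropping `flags=(attach_disconnected)` from the `profile discord @{exec_path} {` line is likely to surface disconnected-path denials, because the Electron setuid sandbox re-executes the main binary from inside a chroot; the sibling sandbox profiles in this diff show that pattern (`capability sys_chroot` followed by an exec back into the main profile), although the discord-chrome-sandbox body itself is not shown here, so this is inferred. If the flag was removed deliberately, add a comment above the profile line saying why; otherwise restore `profile discord @{exec_path} flags=(attach_disconnected) {`. The rest of the profile header is in the next hunk.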
@@ -35,29 +32,19 @@ profile discord @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, - @{bin}/lsb_release rPx, - @{bin}/xdg-mime rPx, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-browsers, - /etc/ r, - /etc/lsb-release r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, - owner @{user_videos_dirs}/{,**} rwl, - owner @{user_pictures_dirs}/{,**} rwl, - - owner @{config_dirs}/@{version}/modules/** m, - - owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, + owner @{tmp}/discord.sock rw, + owner "@{tmp}/Discord Crashes/" rw, + + owner @{config_dirs}/*/modules/** rm, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/task/@{tid}/comm r, - - deny ptrace read, - include if exists } diff --git a/apparmor.d/profiles-a-f/discord-chrome-sandbox b/apparmor.d/groups/apps/discord-chrome-sandbox similarity index 92% rename from apparmor.d/profiles-a-f/discord-chrome-sandbox rename to apparmor.d/groups/apps/discord-chrome-sandbox index 0599fa486..d30a2a57f 100644 --- a/apparmor.d/profiles-a-f/discord-chrome-sandbox +++ b/apparmor.d/groups/apps/discord-chrome-sandbox @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = discord -@{lib_dirs} = /usr/share/@{name} /opt/@{name} +@{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/groups/apps/dropbox similarity index 88% rename from apparmor.d/profiles-a-f/dropbox rename to apparmor.d/groups/apps/dropbox index 57487b15c..ddb62bf60 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/groups/apps/dropbox 
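Review bot: `owner @{config_dirs}/*/modules/** rm` widens the old `@{version}`-scoped rule to every subdirectory of the user-writable config dir while keeping `m` (map executable); since `@{config_dirs}` is defined from `@{user_config_dirs}` in the previous hunk, anything a same-uid process drops under `~/.config/discord/<anything>/modules/` can now be mapped executable by the confined process. Prefer `owner @{config_dirs}/@{version}/modules/** rm,`, or if the version variable did not match the on-disk layout, a pattern that still pins the directory shape, plus a comment explaining that Electron's updater writes native modules there. Switching `@{open_path} rPx -> child-open-strict` to `child-open-browsers` relaxes what the URL-handler child may launch; one line in the commit message on why strict was insufficient would help. The `deny ptrace read,` removal is harmless as nothing in the hunk grants ptrace. The profile header is outside this hunk.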
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,15 +15,11 @@ include @{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include - include - include include include include - include include include - include include @{exec_path} mr, @@ -33,14 +29,14 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, - @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx, + @{bin}/xdg-open rCx -> child-open, + @{bin}/lsb_release rPx -> lsb_release, owner @{HOME}/ r, owner @{config_dirs}/ rw, @@ -62,6 +58,7 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/groups/apps/filezilla similarity index 66% rename from apparmor.d/profiles-a-f/filezilla rename to apparmor.d/groups/apps/filezilla index 16bafb886..29654c955 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/groups/apps/filezilla 
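Review bot: `@{bin}/xdg-open rCx -> child-open` transitions to a local child profile `dropbox//child-open`, but no `profile child-open {` appears in this hunk, and the rule it replaces (`@{open_path} rPx -> child-open-strict`) targeted a global profile; unless such a child profile exists elsewhere in the file, the exec will fail at runtime, and if the global profile was intended the rule should read `@{bin}/xdg-open rPx -> child-open,`. The `@{bin}/lsb_release rPx -> lsb_release` spelling is fine. `owner /var/tmp/etilqs_@{hex16} rw` is the SQLite temp-file pattern and would be clearer with `# SQLite temporary files` above it, matching the existing comment about `/tmp` vs `/var/tmp`. The dropbox profile continues outside this hunk.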
@@ -3,33 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include - include - include - include + include + include include - include - include - include - include + include + include include - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal send set=(term, kill) peer=fzsftp, - signal send set=(term, kill) peer=fzputtygen, + signal (send) set=(term, kill) peer=fzsftp, @{exec_path} mr, @@ -37,8 +25,7 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol - @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/filezilla/{,**} r, @@ -59,16 +46,15 @@ profile filezilla @{exec_path} { owner @{user_cache_dirs}/filezilla/ rw, owner @{user_cache_dirs}/filezilla/default_*.png rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + /tmp/ r, owner @{tmp}/fz[0-9]temp-@{int}/ rw, owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /dev/tty rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/groups/apps/freetube similarity index 56% rename from apparmor.d/profiles-a-f/freetube rename to apparmor.d/groups/apps/freetube index b820f249c..d59762cfd 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/groups/apps/freetube 
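Review bot: The explicit `network inet stream,` / `network inet6 stream,` rules are removed from an FTP client and replaced by `include` lines whose targets are not legible in this diff; unless one of those abstractions grants inet and inet6 stream sockets, FileZilla loses the ability to connect at all. Keep the two stream rules in the profile until the include is confirmed to provide them, or name the abstraction in a comment next to the include. Dropping the `network netlink raw` and dgram rules is a real tightening and worth a word in the commit message. The profile body continues in the next hunk.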
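Review bot: `@{bin}/fzputtygen rPUx` is removed together with its `signal send ... peer=fzputtygen` rule in the previous hunk, so if FileZilla still spawns fzputtygen (presumably for PuTTY key conversion) the result is now an exec denial instead of the previous unconfined fallback. If the helper is no longer shipped, say so in a comment near `@{bin}/fzsftp rPx,`; otherwise add `@{bin}/fzputtygen rPx,` with a dedicated profile rather than reintroducing `PUx`. The enclosing profile starts before this hunk.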
@@ -3,26 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = {F,f}ree{T,t}ube{,-vue} -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = {F,f}reetube{,-vue} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile freetube @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{lib_dirs}/@{name} +profile freetube @{exec_path} { include include - include include include - include + include include - include network inet dgram, network inet6 dgram, @@ -30,15 +27,17 @@ profile freetube @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 - @{exec_path} mrix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> freetube//&xdg-settings, @{open_path} rPx -> child-open-strict, - deny @{sys}/devices/@{pci}/usb@{int}/** r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{run}/user/@{uid}/ r, + + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/groups/apps/freetube-chrome-sandbox new file mode 100644 index 000000000..5dc20400e --- /dev/null +++ b/apparmor.d/groups/apps/freetube-chrome-sandbox 
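Review bot: Two header changes here deserve a reason: `@{bin}/@{name}` is dropped from `@{exec_path}`, so a `/usr/bin/freetube` launcher, if one exists as a wrapper, now runs unconfined until it execs `@{lib_dirs}/@{name}`, and `flags=(attach_disconnected)` is removed even though the new `freetube-chrome-sandbox` profile in this same diff chroots (`capability sys_chroot`) and re-execs into `freetube` with `rpx`, which typically produces disconnected-path denials without that flag. Suggest `profile freetube @{exec_path} flags=(attach_disconnected) {` and keeping the `@{bin}` attachment, or a comment above the profile line explaining why both were dropped. The second hunk also deletes the `deny @{sys}/devices/@{pci}/usb@{int}/** r` silencer and the mpris `#aa:dbus own` directive; if D-Bus media-key support is no longer wanted, the commit message should say so. The profile body continues past the first hunk.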
@@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {F,f}reetube{,-vue} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} + +@{exec_path} = @{lib_dirs}/chrome-sandbox +profile freetube-chrome-sandbox @{exec_path} { + include + include + + capability sys_admin, + capability setgid, + capability setuid, + capability sys_chroot, + + @{exec_path} mr, + + # Has to be lower "P" + @{lib_dirs}/@{name} rpx, + + @{PROC}/@{pids}/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/groups/apps/signal-desktop similarity index 51% rename from apparmor.d/profiles-s-z/signal-desktop rename to apparmor.d/groups/apps/signal-desktop index 53f3d20b1..6c8525f48 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop @@ -3,29 +3,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = signal-desktop{,-beta} -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} -@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} +@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" +@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} flags=(attach_disconnected) { +profile signal-desktop @{exec_path} { include include - include - include - include include - include - include - include + include include - include network inet dgram, network inet6 dgram, 
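Review bot: The comment `# Has to be lower "P"` above `@{lib_dirs}/@{name} rpx,` states a constraint without the reason, in a setuid-root sandbox profile that also grants `capability sys_admin`, `setuid`, `setgid` and `sys_chroot`; a reader tuning this later needs to know what breaks with `Px`. Presumably the sandbox hands state to the re-executed browser through environment variables that the secure-exec scrub of `Px` would strip, but that is inference, so suggest `# Lowercase p: the sandbox passes its state to the child via the environment, which Px would scrub — TODO confirm`. A one-line why-comment above the capability block (e.g. `# Chromium setuid sandbox: needs to create namespaces and chroot`) would likewise make the privilege grant reviewable, and the `2019-2021 Mikhail Morfikov` copyright on a brand-new file looks copied from the discord sandbox and should be checked.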
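Review bot: `flags=(attach_disconnected)` is removed from `profile signal-desktop @{exec_path} {` while the companion `signal-desktop-chrome-sandbox` profile later in this diff keeps `capability sys_admin` and `capability sys_chroot` and execs back into `signal-desktop{,-beta}` with `rPx`; a process that has been chrooted by the sandbox and then continues under this profile is likely to hit disconnected-path denials without the flag. Either restore `profile signal-desktop @{exec_path} flags=(attach_disconnected) {` or document why it is no longer needed. The quoted `"/opt/Signal{, Beta}"` alternation with an embedded space is correct AppArmor syntax, but a comment noting that the quotes are required would prevent someone "cleaning" them up.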
@@ -33,18 +26,25 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - ptrace read peer=signal-desktop//&xdg-settings, - @{exec_path} mrix, - @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/getconf rix, + @{bin}/xdg-settings rPx, + @{lib_dirs}/chrome-sandbox rPx, + @{lib_dirs}/chrome_crashpad_handler rix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - @{open_path} rPx -> child-open-strict, + /var/lib/dbus/machine-id r, + /etc/machine-id r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, + + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/vmstat r, include if exists } diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox similarity index 65% rename from apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox rename to apparmor.d/groups/apps/signal-desktop-chrome-sandbox index 51c625d53..8a5083143 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox @@ -3,14 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = signal-desktop{,-beta} -@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} -@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} -@{cache_dirs} = @{user_cache_dirs}/@{name} +@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" +@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" @{exec_path} = @{lib_dirs}/chrome-sandbox profile signal-desktop-chrome-sandbox @{exec_path} { 
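Review bot: `@{PROC}/@{pid}/fd/ r` is added without the `owner` qualifier, unlike the per-pid proc rules elsewhere in this diff (filezilla and telegram-desktop both use `owner @{PROC}/@{pid}/fd/ r`); since `@{pid}` is only a digit glob, the rule allows listing the fd table of any process DAC permits, so prefer `owner @{PROC}/@{pid}/fd/ r,`. The inhibit rule likewise widens from `@{int}.ref` to `@{run}/systemd/inhibit/*.ref rw` and drops the `@{att}/` prefix; the prefix only matters when the profile relies on `attach_disconnected`, which this commit removes from the header in the previous hunk, so the two changes should be kept consistent. Replacing the stacked `rPx -> signal-desktop//&xdg-settings` with a plain `@{bin}/xdg-settings rPx` also drops the `ptrace read` rule that went with it, which is fine if xdg-settings no longer needs to inspect its parent. The profile's closing brace is in this hunk.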
@@ -18,20 +16,17 @@ profile signal-desktop-chrome-sandbox @{exec_path} { capability sys_admin, capability sys_chroot, - capability dac_override, @{exec_path} mr, - @{lib_dirs}/@{name} rPx, + @{lib_dirs}/signal-desktop{,-beta} rPx, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/oom_adj w, @{PROC}/@{pid}/oom_score_adj w, - # Silencer - deny /dev/pts/@{int} rw, # file_inherit - include if exists } + # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/groups/apps/telegram-desktop similarity index 58% rename from apparmor.d/profiles-s-z/telegram-desktop rename to apparmor.d/groups/apps/telegram-desktop index c1544af72..be043e150 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/groups/apps/telegram-desktop @@ -3,30 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram +@{exec_path} = @{bin}/telegram-desktop profile telegram-desktop @{exec_path} { include include - include - include - include + include include - include - include include include - include include include include include - include include - include network inet dgram, network inet6 dgram, 
@@ -37,25 +30,25 @@ profile telegram-desktop @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, - @{open_path} rPx -> child-open-strict, - @{bin}/systemd-detect-virt rPx, + @{sh_path} rix, - owner @{user_share_dirs}/TelegramDesktop/ rw, - owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, + @{open_path} rPx -> child-open, + + /usr/share/TelegramDesktop/{,**} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner @{tmp}/@{hex32}-?@{uuid}? rwk, - audit owner /dev/shm/#@{int} rw, - - @{sys}/kernel/mm/transparent_hugepage/enabled r, + owner @{tmp}/@{hex}-* rwk, + owner @{run}/user/@{uid}/@{hex}-* rwk, + owner /dev/shm/#@{int} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 8581fe724..dcc6303c8 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -3,16 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include + include include include include 
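Review bot: `owner @{tmp}/@{hex}-* rwk` and `owner @{run}/user/@{uid}/@{hex}-* rwk` replace the much tighter `@{hex32}-?@{uuid}?` pattern; `@{hex}` followed by `-*` matches any same-uid file whose name starts with hex digits and a dash, which is far broader than the single lock/shared-memory name the old rule pinned (presumably Qt's). If the old pattern failed to match, `@{hex32}-*` would still anchor the prefix length. Also `@{open_path} rPx -> child-open` (from `child-open-strict`) relaxes what the URL-handler child may do, and `@{bin}/systemd-detect-virt rPx` plus the `audit` on `/dev/shm/#@{int}` are dropped; each is defensible but none is explained, so one sentence in the commit message would help. The profile continues past this hunk.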
@@ -33,24 +34,16 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix bind type=stream addr=@@{udbus}/bus/apt-get/system, - unix bind type=stream addr=@@{udbus}/bus/apt/system, - - unix type=stream peer=(label=@{p_snap}), + unix (bind) type=stream addr=@@{hex16}/bus/apt/system, unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), #aa:dbus own bus=system name=org.debian.apt - #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.PackageKit), - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.PackageKit - member=StateHasChanged - peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/org/freedesktop/DBus/Bus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label=dbus-system), dbus send bus=system interface=org.freedesktop.DBus.Introspectable @@ -58,16 +51,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, - @{python_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, + @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
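Review bot: The unix bind rule now allows only `addr=@@{hex16}/bus/apt/system`, whereas the removed pair also covered `.../bus/apt-get/system`; this profile still attaches to both `@{bin}/apt` and `@{bin}/apt-get` (the `@{exec_path}` line in the previous hunk), so if the abstract socket name is derived from the program name, binds from `apt-get` will now be denied. Keep `unix (bind) type=stream addr=@@{hex16}/bus/apt-get/system,` until that is confirmed. The PackageKit `StateHasChanged` send is replaced by `GetConnectionUnixProcessID`/`GetConnectionUnixUser` calls to `org.freedesktop.DBus` with `label=dbus-system`, which is a peer-credential lookup rather than a notification; a short comment naming the caller (aptd, presumably) would make that rule reviewable. The profile continues on both sides of this hunk.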
@@ -80,15 +72,14 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, - @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPUx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, - @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, @@ -108,10 +99,11 @@ profile apt @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language-options rPx, # For editing the sources.list file - @{editor_path} rCx -> editor, + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim.* rCx -> editor, # For changelogs - @{pager_path} rCx -> pager, + @{bin}/sensible-pager rCx -> pager, #aa:only whonix @{lib}/uwt/uwtwrapper rix, @@ -137,9 +129,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, - /var/log/ubuntu-advantage-apt-hook.log w, - - @{efi}/ r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @@ -147,15 +136,12 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, - /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, @@ -163,6 +149,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, + profile editor flags=(complain) { include include 
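Review bot: `@{bin}/snap rPUx` replaces `rPx`, so when no `snap` profile is loaded the package manager, running as root, executes snap fully unconfined instead of failing closed. If the fallback exists because the snap profile is optional on some distributions, add a comment saying so; otherwise restore `@{bin}/snap rPx,`. The same hunk routes `@{bin}/vim.* rCx -> editor` into an `editor` child that is `flags=(complain)` (visible at the end of the last hunk), so a sources.list editing session is logged but not enforced; that may be intentional, but it should be stated in a comment on the child profile. The `@{att}/` prefix dropped from the inhibit rule in the later hunk matters only if `attach_disconnected` on the apt profile is relied on, which it still is per the header in the first hunk. The apt profile continues past this hunk.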
@@ -174,7 +162,19 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include + include + + capability dac_read_search, + + @{bin}/ r, + @{sh_path} rix, + @{bin}/less rix, + @{bin}/sensible-pager mr, + @{bin}/which{,.debianutils} rix, + + /root/ r, # For shell pwd + + owner @{HOME}/.less* rw, owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, @@ -188,10 +188,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { include @{bin}/dpkg-source mr, + @{bin}/perl r, @{bin}/bunzip2 rix, @{bin}/chmod rix, - @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -199,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index afd34f7e5..0c11fbfb2 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 0ce146261..a2268648b 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, 
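Review bot: `capability dac_read_search,` is granted to the `pager` child profile, which exists only to display changelogs through `sensible-pager`/`less`; that capability lets the pager bypass directory read and search DAC checks system-wide, far beyond the `owner @{tmp}/apt-changelog-*/` paths it actually needs. If the denial that motivated it came from a specific path (for example changelog files owned by `_apt`), grant that path instead, or at minimum add a comment naming the access that requires the capability. `/root/ r, # For shell pwd` is a good example of the why-comment the other additions (`@{bin}/which{,.debianutils} rix`, `owner @{HOME}/.less* rw`) should also carry. The narrowing of `/etc/dpkg/origins/* r` to `/etc/dpkg/origins/debian r` in the dpkg-source child will break derivative distributions that ship a different origins file; if that is intended, say so. The parent apt profile continues outside this hunk.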
@@ -18,25 +18,26 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/mount rCx -> mount, @{bin}/umount rCx -> umount, /etc/fstab r, - /etc/apt/sources.list{,.new} rw, - /etc/apt/sources.list~ w, - - /var/lib/apt/lists/** rw, - - /var/lib/apt/cdroms.list{,.new} rw, - /var/lib/apt/cdroms.list~ w, + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, + # @{run}/udev/data/* r, # For cd-roms - /media/cdrom@{int}/ r, - /media/cdrom@{int}/**/ r, - /media/cdrom@{int}/.disk/info r, - /media/cdrom@{int}/dists/**/binary-*/Packages{,.gz} r, - /media/cdrom@{int}/dists/**/i18n/Translation-en{,.gz} r, + /media/cdrom[0-9]/ r, + /media/cdrom[0-9]/**/ r, + /media/cdrom[0-9]/.disk/info r, + /media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r, + /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, # For pendrives @{MOUNTS}/ r, @@ -45,15 +46,16 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, - # Are all of these needed? (#FIXME#) - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, + /var/lib/apt/lists/** rw, owner @{PROC}/@{pid}/fd/ r, + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, + + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + profile mount flags=(complain) { include @@ -61,7 +63,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/fstab r, - /media/cdrom@{int}/ r, + /media/cdrom[0-9]/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 834bcbd8c..48a540043 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config 
@@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 6fbfad65b..f958d2575 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -3,15 +3,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include - include include + include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 6551f21a7..bc6e523b4 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -3,17 +3,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, + @{bin}/perl r, @{bin}/fgrep rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 3eec09d60..ea687173f 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index f7e9b4651..4b8e45799 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 18b6d7241..d6d4b5d7b 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -22,11 +22,9 @@ profile apt-helper @{exec_path} { profile systemctl { include include - + capability net_admin, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 12a7b3a67..2d0f6a664 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -78,7 +78,7 @@ profile apt-key @{exec_path} { @{bin}/gpg-connect-agent rix, /usr/share/gnupg/sks-keyservers.netCA.pem r, - + /etc/hosts r, /etc/inputrc r, @@ -96,13 +96,13 @@ profile apt-key @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w, - + owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a60457ec8..a04bd459a 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, @{sh_path} rix, @{bin}/logname rix, @@ -34,7 +34,7 @@ profile apt-listbugs @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - /usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r, + /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup index ccf56a603..3500ead6c 100644 --- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup +++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index d7089b76a..f8eca9dfb 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile apt-listbugs-migratepins @{exec_path} { include @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 7dc4ea09e..461edace9 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean 
+++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile apt-listbugs-prefclean @{exec_path} { include @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, @{bin}/date rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 0ee42f5a4..8613f2280 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,10 +14,10 @@ profile apt-listchanges @{exec_path} { include include - capability dac_read_search, + #capability sys_tty_config, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb px, - - @{pager_path} Cx -> pager, - @{bin}/dpkg Px -> child-dpkg, - @{sbin}/exim4 Px, # Send results using email + @{bin}/dpkg-deb rpx, + # + @{bin}/sensible-pager rCx -> pager, + # Send results using email + @{bin}/exim4 rPx, /usr/share/apt-listchanges/{,**} r, 
@@ -50,20 +50,54 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - /tmp/ r, - owner @{tmp}/@{word8} rw, - owner @{tmp}/apt-listchanges@{word8}/ rw, - owner @{tmp}/apt-listchanges@{word8}/** rw, - owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, + owner @{tmp}/* rw, + owner @{tmp}/apt-listchanges*/ rw, + owner @{tmp}/apt-listchanges*/**/ rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, + + # The following is needed when apt-listchanges uses debcconf GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + profile pager { include - include + include + capability dac_read_search, + #capability sys_tty_config, + + @{bin}/sensible-pager mr, + + @{bin}/ r, + @{sh_path} rix, + @{bin}/which{,.debianutils} rix, + @{bin}/less rix, + + owner @{HOME}/.less* rw, + + # For shell pwd + /root/ r, + + /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, - include if exists } include if exists diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index c174267f5..f76159e78 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, 
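Review bot: `owner @{tmp}/* rw` in the `@@ -50,20 +50,54 @@` hunk of apt-listchanges grants read/write on every owner-matched file directly under /tmp, far wider than the `owner @{tmp}/@{word8} rw` it replaces, and the `apt-listchanges*`-prefixed rules right below it already cover the tool's own temporary tree, so this rule should either be narrowed to the name the tool actually creates or carry a comment naming the file it is for, e.g. `# TODO: narrow to the exact /tmp file apt-listchanges creates`. The `pager` subprofile on the new side also loses its `include if exists` local-override line while the parent profile keeps its own; the aptitude `pager` subprofile (hunk `@@ -169,11 +169,22 @@`), the `ccache` subprofile of dpkg-architecture (hunk `@@ -42,7 +45,6 @@`) and the new debconf-apt-progress `frontend` subprofile have the same gap. Keeping the local include in every child profile lets site overrides extend the child's sandbox without editing the shipped profile. The apt-listchanges profile body begins before this hunk.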
diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 96ce36a72..222f7540c 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index e2878e108..2cd44be7b 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 781f9714e..ef49d144f 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,19 +20,18 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, @{lib}/apt/apt-helper rix, - /etc/apt/apt-mirrors.txt r, - /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, + /etc/apt/apt.conf r, /etc/apt/mirrors/* r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index e753b4cf8..d57cc71f2 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 5f3654f6e..e2a7ed2b7 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,12 +20,11 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=role_*, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, @@ -85,7 +84,6 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, - owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 77a418b07..72b39e719 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} flags=(attach_disconnected) { +profile apt-methods-http @{exec_path} { include include include 
@@ -23,16 +23,14 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal receive peer=@{p_apt_news}, - signal receive peer=@{p_packagekitd}, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=role_*, - signal receive peer=synaptic, - signal receive peer=ubuntu-advantage, - signal receive peer=unattended-upgrade, - signal receive peer=update-manager, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, + signal (receive) peer=ubuntu-advantage, + signal (receive) peer=unattended-upgrade, + signal (receive) peer=update-manager, ptrace (read), @@ -71,10 +69,7 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, - owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, - - @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/ubuntu-advantage/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 025a1c01b..31656857f 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,15 +20,14 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, - /etc/apt/apt-mirrors.txt r, /etc/apt/mirrors/* r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 1aadac2ec..e5dc4d609 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, - signal receive set=(int) peer=@{p_packagekitd}, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, + signal (receive) set=(int) peer=packagekitd, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 1b76551b9..bf51e32f7 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv deleted file mode 100644 index 0dcd7da0d..000000000 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/apt/methods/sqv -profile apt-methods-sqv @{exec_path} { - include - include - include - - # To handle the _apt user - capability setgid, - capability setuid, - - signal receive set=int peer=apt, - signal receive set=int peer=packagekitd, - - @{exec_path} mr, - - @{bin}/sqv ix, - - /usr/share/apt/default-sequoia.config r, - /usr/share/keyrings/debian-archive-keyring.gpg r, - /usr/share/keyrings/debian-archive-keyring.pgp r, - - owner /var/lib/apt/lists/{,**} r, - - owner /tmp/apt.data.@{rand6} rw, - owner /tmp/apt.sig.@{rand6} rw, - owner /tmp/apt.sqverr.@{rand6} rw, - owner /tmp/apt.sqvout.@{rand6} rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a6875a432..a3d2ce33a 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,12 +20,11 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=role_*, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 7f59635eb..fb567a5ef 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,6 +22,7 @@ profile apt-overlay @{exec_path} { owner @{bin}/env r, @{lib}/ruby/{,**} r, + @{lib}/locale/locale-archive r, @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, /usr/share/rubygems-integration/{,**} r, @@ -30,6 +31,7 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 514b952ff..b060e0a12 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -3,18 +3,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include include include + include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/apt-sortpkgs b/apparmor.d/groups/apt/apt-sortpkgs index af5ec2ef0..56162c9d2 100644 --- a/apparmor.d/groups/apt/apt-sortpkgs +++ b/apparmor.d/groups/apt/apt-sortpkgs 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 4f0d4e36b..7ebb4da0b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, @@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} { /var/backups/ r, /var/backups/apt.extended_states rw, /var/backups/apt.extended_states.@{int} rw, - /var/backups/apt.extended_states.@{int}.gz rw, + /var/backups/apt.extended_states.@{int}.gz w, /var/cache/apt/ r, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index b3f411c84..12bd0efb1 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -3,16 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include - include include include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory 
@@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{sbin}/dpkg-preconfigure rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, @@ -105,15 +105,15 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - @{pager_path} rCx -> pager, + @{bin}/sensible-pager rCx -> pager, # For aptitude-run-state-bundle owner @{tmp}/aptitudebug.*/ r, owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.@{int}/*.glass r, - /var/cache/apt-xapian-index/index.@{int}/iamglass r, + /var/cache/apt-xapian-index/index.[0-9]/*.glass r, + /var/cache/apt-xapian-index/index.[0-9]/iamglass r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, @@ -169,11 +169,22 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include + + @{bin}/ r, + @{bin}/sensible-pager mr, + @{sh_path} rix, + + @{bin}/which{,.debianutils} rix, + @{bin}/less rix, + + owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - include if exists + # For shell pwd + /root/ r, + } include if exists diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index cde501bd5..039de3095 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile aptitude-changelog-parser @{exec_path} { include @{exec_path} r, + @{bin}/perl r, /etc/dpkg/origins/debian r, 
diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index a2f5e2050..a81c3dafb 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index fa3a45315..9119e243c 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle +++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6d09e34c0..6650ccedf 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,21 +12,18 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include - capability dac_read_search, - @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/lsb_release rPx, - @{bin}/snap rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/snap rPUx, - @{lib}/ r, - @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w, + @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/command-not-found/{,**} r, 
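Review bot: `@{bin}/snap rPUx` in the `@@ -12,21 +12,18 @@` hunk of command-not-found replaces `@{bin}/snap rPx`, so on a host where no snap profile is loaded the transition now falls back to running snap unconfined instead of being denied; a fail-open change like this should carry its rationale inline, e.g. `# PUx: snap may have no profile on non-snap systems; deliberate unconfined fallback`. The `__pycache__` write rule is also narrowed (`**/` now mandatory, single `.@{int}` suffix), and the previous `{,**/}` form covered bytecode written in the package's top-level directory as well, so confirm against an audit log that the narrower pattern still matches before relying on it. The command-not-found profile body continues past this hunk.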
diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper deleted file mode 100644 index d6e89f9a0..000000000 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ /dev/null @@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/deb-systemd-helper -profile deb-systemd-helper @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{bin}/systemctl rCx -> systemctl, - - /etc/systemd/system/{,**} rw, - /etc/systemd/user/{,**} rw, - - /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, - /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, - /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, - - profile systemctl { - include - include - - capability net_admin, - - /etc/ r, - /etc/systemd/ r, - /etc/systemd/system/ r, - /etc/systemd/system/* rw, - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - /etc/systemd/user/ r, - /etc/systemd/user/*.wants/ rw, - /etc/systemd/user/*.wants/* rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke deleted file mode 100644 index 824d3b4dd..000000000 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ /dev/null 
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/deb-systemd-invoke -profile deb-systemd-invoke @{exec_path} { - include - include - include - - capability net_admin, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/systemctl rix, #aa:lint ignore=transition - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 1d88c829b..31b55a24e 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -3,19 +3,51 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, + @{bin}/perl r, @{bin}/apt-get rPx, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/debconf-apt-progress rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + /etc/shadow r, + + } + include if exists } diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape deleted file mode 100644 index c64401bb0..000000000 
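Review bot: `/etc/shadow r` in the new `frontend` subprofile of debconf-apt-progress (hunk `@@ -3,19 +3,51 @@`) has no comment saying why a debconf frontend must read password hashes, and nothing in the hunk shows what consumes it; a read rule on /etc/shadow should state its justification inline, e.g. `# needed by debconf password questions; confirm against denial log`, or be dropped if no denial shows it. The subprofile is also unreachable as written, because the parent transitions with `/usr/share/debconf/frontend rPx` and the `rCx -> frontend` line is commented out, so everything under `profile frontend` is dead policy until the `#FIXME#` is resolved. The two consecutive blank lines before `profile frontend` and the blank line before its closing brace are stray whitespace.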
--- a/apparmor.d/groups/apt/debconf-escape +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/debconf-escape -profile debconf-escape @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend deleted file mode 100644 index 0a7706fe1..000000000 --- a/apparmor.d/groups/apt/debconf-frontend +++ /dev/null 
@@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile debconf-frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - - @{bin}/hostname ix, - @{bin}/lsb_release Px, - @{bin}/stty ix, - @{sbin}/update-secureboot-policy Px, - - # Debconf apps - @{bin}/adequate Px, - @{bin}/debconf-apt-progress Px, - @{bin}/linux-check-removal Px, - @{bin}/ucf Px, - @{sbin}/aspell-autobuildhash Px, - @{sbin}/pam-auth-update Px, - @{lib}/tasksel/tasksel-debconf Px -> tasksel, - /usr/share/debian-security-support/check-support-status.hook Px, - - # Grub - @{lib}/grub/grub-multi-install Px, - /usr/share/grub/grub-check-signatures Px, - - # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, - /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, - - # DKMS scipts - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /etc/libpaper.d/texlive-base rPUx, - - /usr/share/debconf/{,**} r, - - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index ed9cf9094..709e76f1f 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,6 +14,7 @@ profile debconf-show @{exec_path} { include @{exec_path} r, + @{bin}/perl r, @{bin}/locale rix, diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index 236069e99..76068b32d 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c67b1dfb5..ab391f72e 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, # Send results using email - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 635076069..7ed318aa7 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include - include @{exec_path} r, @@ -28,13 +27,14 @@ profile debsign @{exec_path} { @{bin}/md5sum rix, @{bin}/mktemp rix, @{bin}/mv rix, + @{bin}/perl rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/sha{1,256,512}sum rix, @{bin}/stty rix, @{bin}/gpg{,2} rCx -> gpg, - + /etc/devscripts.conf r, owner @{HOME}/.devscripts r, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 8c0087770..ee371bee8 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,20 +12,28 @@ profile debsums @{exec_path} { include include + # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk ix, + @{bin}/{m,g,}awk rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query px, + @{bin}/dpkg-query rpx, # - @{bin}/dpkg Px -> child-dpkg, - @{bin}/dpkg-divert Px -> child-dpkg-divert, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + /etc/locale.nopurge r, + + /var/lib/dpkg/info/* r, # For shell pwd / r, @@ -37,7 +45,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - @{efi}/{,**} r, + /boot/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 53e5964bd..dff64bed3 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -3,21 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include - include include + include include #capability sys_tty_config, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 986c6f188..b8e577833 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,39 +18,49 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, - capability sys_ptrace, - - ptrace read peer=apt, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cat ix, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/rm ix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/rm rix, - @{bin}/dpkg-deb px, - @{bin}/dpkg-query px, - @{bin}/dpkg-split px, - @{bin}/systemctl Cx -> systemctl, - @{lib}/needrestart/dpkg-status Px, - @{pager_path} Px -> child-pager, - /usr/share/debian-security-support/check-support-status.hook Px, + @{bin}/deb-systemd-helper rix, + @{bin}/deb-systemd-invoke rix, + @{bin}/dpkg-deb rpx, + @{bin}/dpkg-query rpx, + @{bin}/dpkg-split rPx, + @{bin}/systemctl rCx -> systemctl, + @{lib}/needrestart/dpkg-status rPx, + /usr/share/debian-security-support/check-support-status.hook rPx, + + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/diff rPx -> child-pager, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, - /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + # Move it to a child profile once more transitions will be available + /var/lib/dpkg/info/*.{config,templates} rPUx, + /var/lib/dpkg/info/*.{preinst,postinst} rPUx, + /var/lib/dpkg/info/*.{prerm,postrm} rPUx, + /var/lib/dpkg/tmp.ci/{config,templates} rPUx, + /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, + /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, + #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, + #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, + #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, # For shell pwd /root/ r, - #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** 
rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index b1a23f222..ce6dfe8d5 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,9 +16,10 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, + /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, - @{lib}/llvm-[0-9]*/bin/clang ix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -27,7 +28,9 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - audit owner @{tmp}/* rw, + # file_inherit + owner @{tmp}/* rw, + profile ccache { include @@ -42,7 +45,6 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 1a4055f77..39271db07 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,14 +13,12 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { include @{exec_path} r, + @{bin}/perl r, - /usr/share/lto-disabled-list/lto-disabled-list r, + /etc/dpkg/origins/debian r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/abitable r, - - /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 297a45f84..8c2ff03cf 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps 
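Review bot: The six maintainer-script rules `/var/lib/dpkg/info/*.{preinst,postinst} rPUx` (and siblings) now fall back to unconfined execution, and the only profile that could have matched those paths, `dpkg-scripts` attached to `/var/lib/dpkg/**`, is deleted in this same change, so the `U` is not a safety net but the only outcome: every package's pre/post scripts run as root with no AppArmor confinement. The commented `rCx -> scripts` lines point at a child profile that does not exist in this hunk, so they cannot simply be re-enabled later. If this is a deliberate interim state the comment should say what it costs, e.g. `# FIXME: no profile attaches to maintainer scripts yet, so PUx currently means unconfined root.`; otherwise keep the `Px` transitions and the `dpkg-scripts` profile. Two smaller points: `ptrace read peer=apt` and `capability sys_ptrace` are dropped without a word (welcome if dpkg no longer inspects apt, but worth a comment), and `dpkg-split rPx` differs from `dpkg-deb rpx`/`dpkg-query rpx` (no environment scrubbing) with nothing explaining the asymmetry. The profile body continues outside the hunk.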
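Review bot: `/usr/bin/perl r` hard-codes the interpreter path, while the other perl-script profiles touched on this page (`debconf-show`, `debsign`, `dpkg-buildflags`, `dpkg-genbuildinfo`, `dpkg-genchanges`) use `@{bin}/perl r`; the same literal is added to `dpkg-vendor` further down. Using the tunable keeps the rule valid on layouts where perl is reached through `/bin`, so change it to `@{bin}/perl r,` here and in `dpkg-vendor`. The `# file_inherit` comment that replaces `audit` on `owner @{tmp}/* rw` names the cause of the access but not why auditing was turned off; a short reason (`# file_inherit: fd passed in by the caller, auditing it is only noise`) would make the loosening reviewable. The `ccache` child also loses its `include if exists` line, which is how site overrides are attached for every other child profile on this page.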
@@ -3,29 +3,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include - include include @{exec_path} r, + @{bin}/perl r, - @{bin}/dpkg rPx, - @{bin}/@{multiarch}gcc-@{int} mrix, - - /usr/share/dpkg/ostable r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, /var/lib/dpkg/status r, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup deleted file mode 100644 index 8e99e70c5..000000000 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/dpkg/dpkg-db-backup -profile dpkg-db-backup @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/cmp rix, - @{bin}/cp rix, - @{bin}/date rix, - @{bin}/dirname rix, - @{bin}/gzip rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/savelog rix, - @{bin}/tar rix, - @{bin}/touch rix, - - /usr/share/dpkg/{,**} r, - - /var/lib/dpkg/ r, - /var/lib/dpkg/alternatives/{,*} r, - /var/lib/dpkg/diversions r, - /var/lib/dpkg/statoverride r, - - /var/backups/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 4fedbcd5f..6f9c2600b 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index e2d386804..a770662a7 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,6 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index b9853ca32..47d7f6ece 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,6 +17,7 @@ profile dpkg-genbuildinfo @{exec_path} { @{exec_path} r, + @{bin}/perl r, /usr/local/bin/ r, /usr/local/etc/ r, /usr/local/include/ r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 7c7ad1681..27991261c 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,6 +14,7 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { include @{exec_path} r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper deleted file mode 100644 index aa9232c73..000000000 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ /dev/null 
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dpkg-maintscript-helper -profile dpkg-maintscript-helper @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, - - /usr/share/dpkg/sh/* r, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - @{bin}/dpkg-query rpx, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 2e32af979..d57d3d42d 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
@@ -3,64 +3,46 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dpkg-preconfigure +@{exec_path} = @{bin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include - include include - include + include - capability dac_read_search, + #capability sys_tty_config, @{exec_path} r, + @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{,g,m}awk ix, - @{bin}/cat ix, - @{bin}/debconf-escape Px, - @{bin}/dialog ix, - @{bin}/expr ix, - @{bin}/find ix, - @{bin}/head ix, - @{bin}/locale ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/sort ix, - @{bin}/stty ix, - @{bin}/tr ix, - @{bin}/uniq ix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/cat rix, + @{bin}/dialog rix, + @{bin}/locale rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/stty rix, + @{bin}/tr rix, - @{bin}/apt-extracttemplates Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/findmnt Px, - @{bin}/whiptail Px, - @{lib}/apt/apt-extracttemplates Px, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/apt-extracttemplates rPx, + @{bin}/whiptail rPx, /usr/share/debconf/confmodule r, - /usr/share/dictionaries-common/{,*} r, - /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, - /etc/default/mdadm r, /etc/inputrc r, - /etc/locale.gen r, - /etc/mdadm/mdadm.conf r, /etc/shadow r, - /etc/ssh/sshd_config r, - /etc/X11/Xwrapper.config r, - /var/lib/locales/supported.d/{,*} r, - - /var/cache/debconf/tmp.ci/ w, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, 
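Review bot: `owner @{tmp}/*.config.* rwPUx` grants write and unconfined-execute on the same temp path from one profile, so the process can author a file and then run it outside any confinement as root; the rule is only relocated by this change, but it deserves either a comment explaining that these are debconf config scripts extracted from the package being configured, or a `Px` transition to a dedicated scripts profile instead of `PUx`. The attachment path also moves from `@{sbin}/dpkg-preconfigure` to `@{bin}/dpkg-preconfigure`; on Debian the binary lives in `/usr/sbin`, so whether the profile still attaches depends on whether `@{bin}` expands to the sbin directories in the tunables, which are outside this page, and that is worth verifying with `aa-status` after install. The same question applies to `@{bin}/exim4` in `debsecan` and `reportbug` and to `@{bin}/ldconfig` in `querybts`.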
@@ -70,17 +52,24 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, - owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, + # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + @{HOME}/.Xauthority r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index e0f4dbcdf..f8150cc37 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,9 @@ profile dpkg-query @{exec_path} { @{sh_path} rix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts deleted file mode 100644 index 2434c9db9..000000000 --- a/apparmor.d/groups/apt/dpkg-scripts +++ /dev/null 
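Review bot: The GUI-frontend block adds `@{HOME}/.Xauthority r` with no `owner` qualifier and no explanation, whereas the `synaptic` hunk on this same page documents the identical rule; add the same note here, e.g. `# Run as root for the invoking user's X session, so the cookie is not root-owned; no "owner"`. `capability dac_read_search` is moved into this block, which presents it as a GUI-only need, but the removed `@{sbin}/dpkg-preconfigure` variant granted it unconditionally; if it is still needed for reading `/etc/shadow` in the non-GUI path (that rule stays in the profile) the comment is misleading. The header comment also misspells the tool: `debcconf` should read `debconf`.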
@@ -1,188 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/** -profile dpkg-scripts @{exec_path} { - include - include - include - include - - capability chown, - capability dac_read_search, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - @{exec_path} mrix, - - # Common program found in maintainer scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{python_path} rix, - @{bin}/run-parts rix, - - @{bin}/envsubst ix, - @{bin}/file ix, - @{bin}/getent ix, - @{bin}/gzip ix, - @{bin}/helpztags ix, - @{bin}/setpriv ix, - @{bin}/tput ix, - @{bin}/zcat ix, - @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, - @{lib}/ubuntu-advantage/postinst-migrations.sh ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/kmod Cx -> kmod, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/invoke-rc.d Cx -> rc, - @{sbin}/ldconfig Cx -> ldconfig, - @{sbin}/ldconfig.real Cx -> ldconfig, - @{sbin}/update-rc.d Cx -> rc, - - #aa:lint ignore=too-wide - # Maintainer scripts can legitimately start/restart anything - # PU is only used as a safety fallback. 
- @{bin}/** PUx, - @{sbin}/** PUx, - @{lib}/** PUx, - /etc/** PUx, - /usr/share/** PUx, - - #aa:lint ignore=too-wide - # Maintainer's scripts can update a lot of files - / r, - /*/ r, - @{bin}/ r, - @{bin}/* w, - @{sbin}/ r, - @{sbin}/* w, - @{lib}/ r, - @{lib}/** wl -> @{lib}/**, - /opt/*/** rw, - - #aa:lint ignore=too-wide - /etc/ r, - /etc/** rw, - /usr/share/*/{,**} rw, - /usr/local/share/*/{,**} rw, - /var/** rw, - @{run}/** rw, - @{efi}/grub/* rw, - - /tmp/fmtutil.@{rand8} rw, - /tmp/grub.@{rand10} rw, - /tmp/sed@{rand6} rw, - /tmp/tmp.@{rand10} rw, - /tmp/updateppds.@{rand6} rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - - profile bus { - include - include - include - - capability dac_read_search, - - dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - include if exists - } - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - ptrace read peer=@{p_systemd}, - - @{bin}/systemd-tty-ask-password-agent Px, - @{pager_path} Px -> child-pager, - - /etc/machine-id r, - - /var/lib/systemd/catalog/database r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - - @{run}/utmp rk, - - include if exists - } - - profile rc { - include - include - include - - @{sbin}/update-rc.d mr, - @{sbin}/invoke-rc.d mr, - - @{coreutils_path} rix, - 
@{sh_path} rix, - @{bin}/systemctl rPx -> dpkg-scripts//systemctl, - - /etc/ r, - /etc/init.d/* r, - /etc/rc@{c}.d/ r, - /etc/rc@{c}.d/* rw, - /etc/rc@{int}.d/ r, - /etc/rc@{int}.d/* rw, - - include if exists - } - - profile ldconfig { - include - include - - @{sh_path} rix, - @{sbin}/ldconfig mrix, - @{sbin}/ldconfig.real rix, - - @{lib}/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /var/cache/ldconfig/ rw, - owner /var/cache/ldconfig/aux-cache* rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index e307e9867..551b84c03 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride deleted file mode 100644 index 804e1675b..000000000 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dpkg-statoverride -profile dpkg-statoverride @{exec_path} flags=(complain) { - include - include - include - - @{exec_path} mr, - - /var/lib/dpkg/statoverride r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index 547123cf2..3aa674d0b 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 70d2199f2..5a786e815 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, + /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 87967d164..ba91e898a 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -3,21 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, @@ -26,14 +26,14 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, - @{open_path} rPx -> child-open-browsers, + @{bin}/xdg-open rCx -> open, @{bin}/dpkg rPx -> child-dpkg, @@ -46,14 +46,41 @@ profile querybts @{exec_path} { /etc/dpkg/origins/ r, /etc/dpkg/origins/debian r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + /etc/fstab r, /var/lib/dbus/machine-id r, /etc/machine-id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } include if exists } diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a6584a23d..e7b8e1d29 100644 
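Review bot: `@{lib}/firefox/firefox rPUx` is added to both the main `querybts` profile and the new `open` child, and the main-profile copy bypasses the child entirely: with `U`, a bug-report tool that is handed URLs can launch a browser fully unconfined whenever no firefox profile is loaded. Keep the browser rule only inside `open`, and prefer `rPx` if the repository ships a firefox profile, as the previous `rPx -> child-open-browsers` did. The `open` child also has no `include if exists` line before its closing brace, unlike every other child profile on this page, so site-local overrides cannot be attached to it.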
--- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include @@ -28,9 +28,9 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, @@ -40,15 +40,17 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open /usr/share/bug/* rPUx, @@ -57,12 +59,12 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, + @{lib}/python3/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, - #aa:lint ignore=too-wide /etc/** r, + /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, @@ -108,7 +110,7 @@ profile reportbug @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index c48286299..fcfa2ef7c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
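Review bot: `/etc/reportbug.conf r` is added directly beneath the pre-existing `/etc/** r`, which already matches it, so the new rule is dead; and the `#aa:lint ignore=too-wide` waiver over `/etc/** r` is dropped without narrowing the rule, which either fails the lint if it still runs or silently loses the marker that flags this as a known-wide grant. If the intent is to tighten, remove `/etc/** r` and keep the specific files (`/etc/reportbug.conf`, the dpkg origins already listed); if not, restore the waiver line. The `systemctl` child profile also loses its `include if exists` line in this hunk.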
@@ -3,118 +3,181 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include include - include + include + include + include + include + include include - capability chown, - capability dac_override, - capability dac_read_search, + # To remove the following errors: + # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - + # Item::QueueURI (1: Operation not permitted) capability fowner, - capability fsetid, - capability kill, - capability net_admin, - capability setgid, - capability setuid, - capability sys_nice, - signal send peer=apt-methods-*, + # To remove the following errors: + # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory + # (1: Operation not permitted) + capability chown, + + # To remove the following errors: + # E: setgroups 65534 failed - setgroups (1: Operation not permitted) + # E: setegid 65534 failed - setegid (1: Operation not permitted) + # E: seteuid 100 failed - seteuid (1: Operation not permitted) + # E: setgroups 0 failed - setgroups (1: Operation not permitted) + capability setuid, + capability setgid, + + # To remove the following errors: + # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - + # PrepareFiles (13: Permission denied) + # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) + capability dac_read_search, + + # To remove the following errors: + # E: Failed to fetch 
https://**.deb rename failed, Permission denied + # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). + # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? + capability dac_override, + + # Needed? (##FIXME##) + capability kill, + capability fsetid, + deny capability net_admin, + deny capability sys_nice, + + signal (send) peer=apt-methods-*, @{exec_path} mr, @{sh_path} rix, @{bin}/{,e,f}grep rix, - @{bin}/echo rix, - @{bin}/ionice rix, - @{bin}/nice rix, @{bin}/test rix, + @{bin}/echo rix, - @{bin}/adequate rPx, - @{bin}/appstreamcli rPx, + # For update-apt-xapian-index + @{bin}/nice rix, + @{bin}/ionice rix, + + # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Synaptic works fine without this. 
+ #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, + deny @{bin}/gdbus rx, + + @{bin}/ps rPx, + @{bin}/dpkg rPx, @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/deborphan rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, - @{bin}/dpkg rPx, - @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx, - @{bin}/pkexec rCx -> pkexec, - @{bin}/ps rPx, - @{bin}/software-properties-gtk rPx, - @{bin}/tasksel rPx, - @{bin}/update-apt-xapian-index rPx, + @{bin}/appstreamcli rPx, + @{bin}/adequate rPx, @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, + @{bin}/update-apt-xapian-index rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/deborphan rPx, + @{bin}/tasksel rPx, + @{bin}/pkexec rPx, + @{bin}/software-properties-gtk rPx, # Methods to use to download packages from the net @{lib}/apt/methods/* rPx, - /usr/share/synaptic/{,**} r, - - /etc/apt/apt.conf.d/99synaptic rw, - - # For editing the sources.list file - /etc/apt/sources.list rwk, - /etc/apt/sources.list.d/ r, - /etc/apt/sources.list.d/*.list rw, - - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /var/log/apt/eipp.log.xz w, - /var/log/apt/{term,history}.log w, - - /var/cache/apt/ r, - /var/cache/apt/** rwk, - /var/cache/apt-xapian-index/index.@{int}/*.glass r, - /var/cache/apt-xapian-index/index.@{int}/iamglass r, - - /var/lib/apt-xapian-index/index r, - /var/lib/dpkg/** r, - /var/lib/dpkg/lock{,-frontend} rwk, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, /var/lib/apt/extended_states{,.*} rw, - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + /etc/apt/apt.conf.d/99synaptic rw, - owner @{HOME}/.synaptic/ rw, - owner @{HOME}/.synaptic/** rwk, + /var/log/apt/eipp.log.xz w, + /var/log/apt/{term,history}.log w, + + # For editing the sources.list file + /etc/apt/sources.list.d/ 
r, + /etc/apt/sources.list.d/*.list rw, + /etc/apt/sources.list rwk, + + /var/lib/apt-xapian-index/index r, + /var/cache/apt-xapian-index/index.[0-9]/*.glass r, + /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + + /var/lib/dpkg/** r, + /var/lib/dpkg/lock{,-frontend} rwk, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, /tmp/ r, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + + /usr/share/synaptic/{,**} r, + owner @{HOME}/.synaptic/ rw, + owner @{HOME}/.synaptic/** rwk, @{run}/synaptic.socket w, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - /dev/ptmx rw, + # To remove the following error: + # Internal Error: impossible to fork children. Synaptics is going to stop. Please report. + # errorcode: 2 + /dev/ptmx rw, + + /etc/fstab r, + + # Synaptic is a GUI app started by root, so without "owner" + @{HOME}/.Xauthority r, + + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + # file_inherit owner /dev/tty@{int} rw, - deny @{bin}/dbus-launch x, - deny @{bin}/dbus-send x, - deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, - profile pkexec { + profile dbus { include - include + include - include if exists + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + + @{HOME}/.Xauthority r, } include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d2da77bc3..f5caa7b65 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade 
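Review bot: The new `profile dbus` child is unreachable: the only exec rules for `dbus-launch` and `dbus-send` in force are `deny ... rx`, the `rCx -> dbus` transitions are commented out, so the child's grants (`@{bin}/dbus-daemon rPUx`, a write into `@{HOME}/.dbus/session-bus/`) are dead policy that will take effect the day someone uncomments the transition. Either delete the child until it is wired up, or keep it and add `include if exists` for local overrides like the other children on this page. `capability kill` and `capability fsetid` are granted under a `##FIXME##` that asks whether they are needed at all; give them the same `deny`-and-observe treatment as `net_admin` and `sys_nice` until a denial proves otherwise. Finally, `/var/cache/apt-xapian-index/index.[0-9]/` narrows the previous `@{int}` to a single digit and will stop matching at `index.10`.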
@@ -3,21 +3,20 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include include - include include capability chown, 
@@ -30,57 +29,43 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, - network inet dgram, - network inet6 dgram, network netlink raw, - signal send peer=apt-methods-http, + signal (send) peer=apt-methods-http, - unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, - - #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{python_path} rix, - @{bin}/echo ix, - @{bin}/gdbus ix, - @{bin}/md5sum ix, - @{bin}/tar ix, - @{bin}/test ix, - @{bin}/touch ix, - @{bin}/uname ix, + @{bin}/echo rix, + @{bin}/gdbus rix, + @{bin}/ischroot rix, + @{bin}/python3.@{int} rix, + @{bin}/test rix, + @{bin}/touch rix, + @{bin}/uname rix, - @{bin}/apt-listchanges Px, - @{bin}/df Px, - @{bin}/dmesg Px, - @{bin}/dpkg Px, - @{bin}/dpkg-deb px, - @{bin}/dpkg-divert Px, - @{bin}/etckeeper Px, - @{bin}/ischroot Px, - @{bin}/lsb_release Px, - @{sbin}/dpkg-preconfigure Px, - @{sbin}/on_ac_power Px, - @{sbin}/sendmail Px, - @{lib}/apt/methods/http{,s} Px, - @{lib}/needrestart/apt-pinvoke Px, - @{lib}/update-notifier/update-motd-updates-available Px, - @{lib}/zsys-system-autosnapshot Px, + @{bin}/apt-listchanges rPx, + @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/etckeeper rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/on_ac_power rPx, + @{bin}/sendmail rPUx, + @{lib}/apt/methods/http{,s} rPx, + @{lib}/needrestart/apt-pinvoke rPx, + @{lib}/update-notifier/update-motd-updates-available rPx, + @{lib}/zsys-system-autosnapshot rPx, /usr/share/distro-info/* r, - /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, - @{etc_ro}/login.defs r, - @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/{,**} r, + /etc/default/grub.d/* r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, 
/etc/grub.d/* r, @@ -94,20 +79,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/ssh/moduli r, - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - /etc/ufw/{,**} r, + /etc/security/capability.conf r, /etc/update-manager/{,**} r, - /etc/update-motd.d/{,**} r, - /etc/vim/{,**} r, - /etc/vmware-tools/{,**} r, + /etc/update-motd.d/* r, + /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, @@ -118,19 +97,16 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/*.log* rw, + /var/log/apt/{term,history}.log w, + /var/log/apt/eipp.log.xz w, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, owner @{tmp}/apt-dpkg-install-*/{,*} rw, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f7b94d68d..65f8a30d2 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown 
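Review bot: `@{bin}/sendmail rPUx` lets an automated root process fall back to running the MTA unconfined when no `sendmail` profile attaches, and `sendmail` is normally a symlink to exim4 or postfix whose profiles attach on the resolved path; the other mail transitions on this page (`debsecan`, `reportbug`) use `rPx` for `exim4`, so use `@{bin}/sendmail rPx,` here or transition explicitly to the MTA profile. The `#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade` directive and the `*UnattendedUpgrade*.xml` read are dropped while the `unix type=stream addr=@@{hex16}/bus/unattended-upgr/system` socket rule stays; if D-Bus mediation is enabled, owning that name without a rule will be denied, so this looks like a functional regression unless the name is no longer claimed. The profile body continues past the hunk.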
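Review bot: `@{run}/systemd/inhibit/[0-9]*.ref rw` drops the `@{att}/` prefix even though the profile keeps `flags=(attach_disconnected)`; if the inhibit fd was reaching the profile through a disconnected path (which is presumably why the prefix was there), this rule no longer matches and the shutdown inhibitor silently fails. Keep `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` unless a denial log shows the plain path is the one in use; the same change is made in `unattended-upgrade-shutdown` below.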
@@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -18,18 +17,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ischroot Px, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{bin}/ischroot rix, /usr/share/unattended-upgrades/{,*} r, + /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, - owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, + owner @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 6ea4f19fb..80b5d0fab 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -3,28 +3,24 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include - include - include + include include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg rPx -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, 
@@ -34,9 +30,15 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + owner @{PROC}/@{pid}/fd/ r, + /var/lib/debtags/package-tags r, - owner @{PROC}/@{pid}/fd/ r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index a6e724214..8d18f1a75 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 805d54b2b..3c7bfdf05 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,14 @@ include profile avahi-browse @{exec_path} { include include - include - include + include include + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member={ItemNew,AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), + @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 490303443..92f02d6d5 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index d45cffca3..459bc57da 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve 
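Review bot: The new `dbus receive ... interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted}` rule omits `ItemRemove` and `Failure`, which, as far as I recall the Avahi D-Bus API, are the other two signals that interface emits; a long-running browse would then get those signals denied and logged. Extending it to `member={ItemNew,ItemRemove,Failure,AllForNow,CacheExhausted}` keeps the rule complete while still pinning `label=avahi-daemon`. The profile body continues outside the hunk.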
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,19 @@ include profile avahi-resolve @{exec_path} { include include - include - include - include + include include + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Free,HostNameResolverNew} + peer=(name=:*, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Failure,Found} + peer=(name=:*, label=avahi-daemon), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index 45df7ce93..de986c7bc 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,17 +1,14 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken -# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4c38e0ce5..a47652600 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave 
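Review bot: In the new `dbus send ... path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew}` rule, `HostNameResolverNew` does not belong to the AddressResolver object: in the Avahi API as I recall it, it is a method of `org.freedesktop.Avahi.Server` on path `/`, and the per-resolver objects only expose `Free` plus the `Found`/`Failure` signals. As written that member probably never matches, and name-to-address lookups (`avahi-resolve -n`) would also need rules for the `/Client@{int}/HostNameResolver@{int}` object with `interface=org.freedesktop.Avahi.HostNameResolver`. Worth confirming against an `aa-logprof` run of both resolve modes before the member list is trusted. The profile body continues outside the hunk.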
@@ -3,24 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = brave{,-beta,-dev,-bin} -@{domain} = com.brave.Brave org.chromium.Chromium +@{domain} = com.brave.Brave @{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} @{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} flags=(attach_disconnected) { +profile brave @{exec_path} { include include - # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), - - signal receive peer=brave//&brave-crashpad-handler, + unix (send, receive) type=stream peer=(label=brave-crashpad-handler), #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 @@ -36,14 +34,21 @@ profile brave @{exec_path} flags=(attach_disconnected) { /etc/opt/chrome/native-messaging-hosts/* r, owner @{user_config_dirs}/BraveSoftware/ rw, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, owner @{tmp}/net-export/ rw, # For brave://net-export/ + owner @{tmp}/.org.chromium.Chromium.* rwk, + owner @{tmp}/.org.chromium.Chromium*/{,**} rw, + + owner /dev/shm/.org.chromium.Chromium.* rw, + # Silencer - deny /etc/opt/ w, deny /etc/opt/chrome/ w, deny /dev/disk/by-uuid/ r, diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler index ae90c734e..2bfe2ff94 100644 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ b/apparmor.d/groups/browsers/brave-crashpad-handler @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
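Review bot: `profile brave @{exec_path} {` drops `flags=(attach_disconnected)`, and the same header change appears in chrome (L287), chromium and chromium-sandbox (L288) and chromium-wrapper (L289). Chromium-based browsers build their renderer sandbox with user and mount namespaces, so files the sandboxed processes touch can be disconnected from the namespace root; without the flag AppArmor rejects such accesses outright instead of mediating them as `/`-relative paths, which will surface as denials on otherwise-allowed rules, so this should be confirmed on a target with the sandbox enabled. The new `unix (send, receive) type=stream peer=(label=brave-crashpad-handler),` also expects the handler under a standalone `brave-crashpad-handler` label rather than the stacked `brave//&brave-crashpad-handler` the old rules used, which only holds if the crashpad exec rule (outside this hunk) transitions with `Px`.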
diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 8ab3dd522..7928b1385 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index b4f70689c..f1127d860 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 9c11f0a4a..93413c25c 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/google-@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chrome @{exec_path} flags=(attach_disconnected) { +profile chrome @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler index ea3d7d64a..67c0d0e8d 100644 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox index eceec9f89..709f57bc8 100644 --- a/apparmor.d/groups/browsers/chrome-sandbox +++ b/apparmor.d/groups/browsers/chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 709eb79a1..8e9e1ba5d 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 658dee398..eb0d87f4f 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chromium @{exec_path} flags=(attach_disconnected) { +profile chromium @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 8d6ab2461..2bac71620 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index f32af44ca..b07828e3b 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/chromium/chrome-sandbox -profile chromium-sandbox @{exec_path} flags=(attach_disconnected) { +profile chromium-sandbox @{exec_path} { include capability dac_override, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index d29dcc630..0a5017727 100644 
--- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -3,15 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chromium -profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { +profile chromium-wrapper @{exec_path} { include include - include @{exec_path} r, @@ -40,12 +39,14 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xsession-errors w, owner @{tmp}/chromiumargs.@{rand6} rw, + owner @{tmp}/tmp.*/ rw, + owner @{tmp}/tmp.*/** rwk, owner /dev/tty@{int} rw, + /dev/dri/card[0-9] rw, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator index e6f8902dd..ec343816d 100644 --- a/apparmor.d/groups/browsers/ephy-profile-migrator +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 45a32868e..be42cb9a0 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,9 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include + include include include - include include include include @@ -20,7 +20,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_override, 
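Review bot: `owner @{tmp}/tmp.*/ rw,` and `owner @{tmp}/tmp.*/** rwk,` grant the wrapper write and lock access under every user-owned mktemp-style directory in `@{tmp}`, not just the one it creates; if the wrapper needs a scratch directory, naming the prefix it passes to `mktemp -d` keeps the rule from covering other programs' temp directories. `/dev/dri/card[0-9] rw,` also matches only card0 to card9, whereas elsewhere in this diff device numbers use `@{int}` (`/dev/video@{int}` in epiphany, L290). The profile body continues outside the hunk.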
@@ -30,28 +29,34 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + @{exec_path} mr, - @{open_path} rPx -> child-open, - @{bin}/bwrap rix, + @{bin}/xdg-dbus-proxy rix, + @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, - /usr/share/enchant*/{,**} r, - - owner @{HOME}/.ephy-download-@{rand6} rw, - owner @{HOME}/.ephy-web-app-icon-@{rand6} rw, + owner /bindfile@{rand6} rw, + owner /.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, - owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, - - owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, @@ -59,9 +64,12 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f9ba190a3..41ce67746 100644 --- a/apparmor.d/groups/browsers/firefox 
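Review bot: `@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,` runs the web-content and network helper processes under the full epiphany profile, so the processes that parse untrusted page content inherit everything this profile allows, including the `capability dac_override` and `network inet6 stream`/`network netlink raw` rules visible as context in this and the preceding hunk (L289). A `Px`/`Cx` transition into a dedicated WebKit child profile would keep the renderer's permissions separate from the UI process; if `ix` is a stopgap because the bwrap sandbox already constrains those processes, a comment saying so next to the rule would help later reviewers. The `mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,` rule and the root-level `owner /bindfile@{rand6} rw,` belong to that sandbox setup and are reasonably scoped.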
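Review bot: `/dev/video@{int} rw,` is added with no comment, so the browser now gets read/write access to every video capture device. That is presumably for WebRTC camera use; a short comment such as `# Camera access (WebRTC)` records the reason, and if the project prefers to gate hardware access behind the local override, the `include if exists` line two below is the natural place for it. The `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` addition is the usual thread-naming rule and looks fine.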
+++ b/apparmor.d/groups/browsers/firefox @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = firefox{,-esr,-bin} -@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ 
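Review bot: `@{lib_dirs} = @{lib}/@{name} /opt/@{name}` no longer lists `@{lib}/firefox-beta`, `firefox-devedition` or `firefox-nightly`, so builds installed there stop matching; assuming `@{exec_path}` is built from `@{lib_dirs}` as in the sibling profiles (`@{exec_path} = @{lib_dirs}/glxtest` in firefox-glxtest, L296), those binaries would run with no profile attached rather than under a tighter one. Reusing `@{name} = firefox{,.sh,-esr,-bin}` inside `@{lib_dirs}` also yields a `@{lib}/firefox.sh` directory alternative, harmless but misleading; a separate variable for the launcher script name would read more clearly.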
@@ -16,43 +16,32 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include - include - include - signal send set=(term, kill) peer=firefox//&keepassxc-proxy, - - unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, - unix type=seqpacket peer=(label=firefox-crashhelper), + signal (send) set=(term, kill) peer=keepassxc-proxy, #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, - - @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, - @{lib}/mozilla/plugins/*.so mr, + @{lib}/mozilla/plugins/libvlcplugin.so mr, # Desktop integration @{bin}/gnome-software rPx, - @{bin}/kreadconfig{,5} rPx, + @{bin}/kreadconfig5 rix, @{bin}/plasma-browser-integration-host rPx, - @{bin}/speech-dispatcher rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, # Common extensions - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, - @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, + @{bin}/browserpass rPx, + # As a temporary solution - see issue #128 + @{bin}/keepassxc-proxy rix, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, 
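Review bot: `@{bin}/keepassxc-proxy rix,` runs the proxy under the firefox label, so the new `signal (send) set=(term, kill) peer=keepassxc-proxy,` targets a label the proxy will not carry when started from this rule (it only matches if keepassxc-proxy is confined by a standalone profile via some other path). Either keep the stacked `rPx -> firefox//&keepassxc-proxy` transition so the extension bridge does not inherit the whole browser profile, or extend the `# As a temporary solution - see issue #128` comment to say the signal rule is intentionally dormant. The `@{lib_dirs}/crashhelper`, `glxtest` and `vaapitest` transitions are removed too while the firefox-glxtest (L296) and firefox-vaapitest (L298) profiles remain; unless a rule outside this hunk grants execute on those binaries, firefox's exec of them will be denied. The profile body continues outside the hunk.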
@@ -65,15 +54,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) - owner @{tmp}/@{uuid}.zip{,.tmp} rw, - owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, - owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, - - owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w, + owner @{tmp}/@{rand6}.tmp r, + owner @{tmp}/@{rand8}.txt w, + owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper deleted file mode 100644 index 8ffdccb67..000000000 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ /dev/null 
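Review bot: `owner @{tmp}/* w, # file downloads (to anywhere)` makes every user-owned file directly under `@{tmp}` writable, where the replaced `owner @{tmp}/@{rand8}.* rw,` was scoped to Firefox's own temporary names; that now includes other applications' temp files. Restoring a name pattern (at minimum `owner @{tmp}/@{rand8}.* w,`) keeps downloads working without turning `@{tmp}` into a shared writable area. The `???????????????` patterns replace `{@{hex15},@{hex16}}`, so the 16-character cachePurge and BackgroundTask names the old side matched are no longer covered and will show up as denials if Firefox still generates them. The profile body continues outside the hunk.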
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} -@{config_dirs} = @{HOME}/.mozilla/ -@{cache_dirs} = @{user_cache_dirs}/mozilla/ - -@{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { - include - - unix type=seqpacket peer=(label=firefox), - - @{exec_path} mr, - - owner "@{config_dirs}/firefox/Crash Reports/" rw, - owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, - - # file_inherit - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8feccaa93..c1afb00e4 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -28,23 +28,19 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mrix, - - @{bin}/curl rix, - @{bin}/mv rix, + @{exec_path} mr, @{lib_dirs}/minidump-analyzer rPx, + @{bin}/mv rix, + owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, - owner @{config_dirs}/firefox/*.*/prefs.js r, - owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, - owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -55,14 +51,8 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, - /dev/nvidia@{int} r, - /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f9470a59b..f2526292b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest 
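Review bot: `@{bin}/curl rix,` is removed and `@{exec_path} mrix,` becomes `@{exec_path} mr,`; if this crashreporter build still submits reports by executing curl rather than through a library, submission will now fail with a denied exec, and the self re-exec the old `ix` allowed is gone as well. Worth verifying with `aa-logprof` on a target that actually sends a report before relying on the tightening. The added `owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw,` is correctly quoted for the space in the path. The profile body continues outside the hunk.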
@@ -2,38 +2,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = firefox{,-esr,-bin} +@{name} = firefox{,.sh,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ -@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include @{exec_path} mr, - / r, - - owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, - owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, - owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, - include if exists } diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index ade169f25..d23d94bb8 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,8 @@ include profile firefox-kmozillahelper @{exec_path} { include include + include include - include - include include include include 
@@ -25,21 +24,34 @@ profile firefox-kmozillahelper @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/hwdata/*.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - - owner @{user_share_dirs}/kservices5/ r, - owner @{user_share_dirs}/kservices5/searchproviders/ r, + owner @{user_config_dirs}/kwinrc r, owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 6e13ee872..08cfc081a 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 4c86af87a..94dacaf2c 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender 
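Review bot: `owner @{user_config_dirs}/kdeglobals.@{rand6} rwl,` hands a Firefox helper write and link permission on the temporary file KConfig uses when rewriting the user's global KDE settings, while `owner @{user_config_dirs}/kdeglobals r,` itself stays read-only; a helper that only reads the configuration should not need that, and if the write is only KConfig noise a `deny` silencer documents it better than a grant. If the rewrite is real, the target would also need write permission for the final rename as I understand AppArmor's rename mediation, so the pair as written looks inconsistent either way. The `/usr/share/hwdata/*.ids r,` and `/usr/share/icu/@{int}.@{int}/*.dat r,` additions are plain data reads and look fine. The profile body continues outside the hunk.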
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index b326d14b4..c7a11b75b 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 36069d36f..785a7f547 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,6 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index f616df6c6..41f8bb3cc 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile msedge @{exec_path} { @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handler b/apparmor.d/groups/browsers/msedge-crashpad-handler index 67e8212ff..9ac6cec22 100644 --- a/apparmor.d/groups/browsers/msedge-crashpad-handler 
+++ b/apparmor.d/groups/browsers/msedge-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox index 2d4dcdd3e..6424e7bd0 100644 --- a/apparmor.d/groups/browsers/msedge-sandbox +++ b/apparmor.d/groups/browsers/msedge-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 8268db2e1..5fbb9b8f2 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 54cc05481..33ce558d3 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index eb67ede59..7b7d6b8d5 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index bebe0a902..4dc591aa3 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher deleted file mode 100644 index 4969a14c3..000000000 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ /dev/null 
@@ -1,93 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ - -@{exec_path} = @{bin}/torbrowser-launcher -profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - - network netlink raw, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/file ix, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/{,e}grep ix, - @{bin}/sed ix, - @{bin}/tail ix, - - @{lib_dirs}/execdesktop ix, - @{lib_dirs}/start-tor-browser Px, # torbrowser-start - @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix, - - /usr/share/file/** r, - /usr/share/torbrowser-launcher/{,**} r, - - owner @{user_cache_dirs}/torbrowser/{,**/} rw, - owner @{user_cache_dirs}/torbrowser/download/** rw, - owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw, - - owner @{user_config_dirs}/torbrowser/{,**/} rw, - owner @{user_config_dirs}/torbrowser/settings.json rw, - - owner @{user_share_dirs}/torbrowser/{,**} rw, - - owner @{PROC}/@{pid}/cmdline r, - - /dev/tty rw, - - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - @{bin}/gpg-agent ix, - @{lib}/{,gnupg/}scdaemon ix, - - owner @{HOME}/ r, - owner @{HOME}/@{XDG_GPG_DIR}/ r, - owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, - owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, - - owner @{user_share_dirs}/torbrowser/ r, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/gnupg/ r, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - 
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start deleted file mode 100644 index ce6a3678c..000000000 --- a/apparmor.d/groups/browsers/torbrowser-start +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ - -@{exec_path} = @{lib_dirs}/start-tor-browser -profile torbrowser-start @{exec_path} { - include - include - - @{exec_path} rm, - - @{sh_path} rix, - @{bin}/cp ix, - @{bin}/dirname ix, - @{bin}/env r, - @{bin}/expr ix, - @{bin}/file ix, - @{bin}/getconf ix, - @{bin}/{,e}grep ix, - @{bin}/id ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/srm ix, - - @{lib_dirs}/abicheck ix, - @{lib_dirs}/firefox{,.real} Px -> torbrowser, - - /usr/share/file/** r, - - /etc/magic r, - - owner @{lib_dirs}/.config/ibus/{,**} rw, - owner @{lib_dirs}/.local/* rw, - owner @{lib_dirs}/sed@{rand6} rw, - owner @{lib_dirs}/TorBrowser/Tor/tor r, - - owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw, - owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw, - owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw, - owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw, - - owner @{HOME}/.xsession-errors rw, - owner @{HOME}/.tb/tor-browser/* rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor deleted file mode 100644 index 57a49add7..000000000 --- a/apparmor.d/groups/browsers/torbrowser-tor +++ /dev/null @@ -1,51 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ -@{data_dirs} = @{lib_dirs}/TorBrowser/Data/ - -@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor -profile torbrowser-tor @{exec_path} { - include - include - include - - network inet stream, - network netlink raw, - - @{exec_path} mr, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/TorBrowser/Tor/*.so* m, - @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix, - - owner @{data_dirs}/Tor/ rw, - owner @{data_dirs}/Tor/** rw, - owner @{data_dirs}/Tor/lock rwk, - - /tmp/onionshare/** rw, # OnionShare compatibility - - @{PROC}/sys/kernel/random/uuid r, - @{PROC}/sys/net/core/somaxconn r, - - deny /etc/group r, - deny /etc/host.conf r, - deny /etc/hosts r, - deny /etc/machine-id r, - deny /etc/mailcap r, - deny /etc/nsswitch.conf r, - deny /etc/os-release r, - deny /etc/passwd r, - deny /etc/resolv.conf r, - deny /etc/services r, - deny /var/lib/dbus/machine-id r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fec6d7897..2b0ac0475 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd 
@@ -3,24 +3,38 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include include include - include + include include - signal receive set=term peer=gdm, - signal receive set=hup peer=gdm-session-worker, + signal (receive) set=(term) peer=gdm, - #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" + #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=:*), + dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=:*), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus, label=dbus-accessibility), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -29,6 +43,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c9b9a1538..dc4ded9cd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
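Review bot: The three new accessibility-bus rules in at-spi2-registryd (`member=Set`, `member=Embed`, `member={GetKeystrokeListeners,GetDeviceEventListeners}`) use `peer=(name=:*)` with no `label=`, whereas the session-bus `GetAddress` rule right below pins `label=dbus-accessibility`, so any process that can reach the accessibility bus is accepted as a peer. If that is deliberate because assistive clients run under arbitrary labels, a comment above the group, `# a11y clients run under any label; only the bus and unique names are constrained`, would record it and stop a later reviewer from tightening it blindly. The same hunk also drops `signal receive set=hup peer=gdm-session-worker` without a replacement, which I would expect to show up as a denied signal at session teardown unless another include now covers it.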
@@ -11,36 +11,22 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include - include include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + signal (receive) set=(term hup kill) peer=dbus-session, + signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, - signal receive set=(term hup kill) peer=dbus-session, - signal receive set=(term hup kill) peer=gdm{,-session-worker}, - signal receive set=(term hup kill) peer=gnome-session-binary, + dbus bus=accessibility, - unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), - - #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us - dbus receive bus=accessibility path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mrix, @@ -54,6 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -63,8 +50,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth_@{rand6} r, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, 
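Review bot: `dbus bus=accessibility,` replaces the previous per-path rules with an unrestricted grant on the whole bus, and the same pattern appears as `dbus bus=session,` in the dbus-session hunk and `dbus bus=system,` in the dbus-system hunk of this commit. For the bus daemon itself this is the honest rule, since it relays every message on its bus, but none of the three profiles says so; a comment such as `# The bus daemon relays every message on its bus, so no finer dbus rule applies` above each would prevent a later "tightening" that breaks the bus. This hunk also removes `signal receive set=(term hup kill) peer=gnome-session-binary` without a replacement, which may surface as a denied signal at logout and is worth checking in the audit log.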
@@ -72,14 +57,14 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/attr/apparmor/current r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/oom_score_adj r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj r, + + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 27e228e2c..38259afc2 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session 
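Review bot: Dropping `owner` from `@{PROC}/@{pid}/attr/apparmor/current r` and `@{PROC}/@{pid}/cgroup r` (and adding `@{PROC}/@{pid}/oom_score_adj r` without it) lets dbus-accessibility read those entries for every process rather than just its own, while the dbus-session hunk in this same commit keeps `owner` on the same paths and dbus-system has them unowned — three bus profiles, two conventions. Reading a client's `attr/apparmor/current` is plausibly needed for credential lookups on the bus; if that is the reason, say so with `# Peer credential lookups read the client's /proc entries, hence no owner`. Otherwise align with dbus-session and keep `owner`.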
@@ -4,37 +4,32 @@ # Profile for session dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-system". It is intended to be used only via "Px ->" or via +# "dbus-system". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include -@{exec_path} = @{bin}/dbus-run-session @{bin}/dbus-update-activation-environment +@{exec_path} = @{bin}/dbus-run-session @{exec_path} += @{bin}/dbus-broker @{bin}/dbus-broker-launch @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-session flags=(attach_disconnected) { include include include - include include - network unix stream, - unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm{,-*}, + signal (receive) set=(term hup) peer=gdm-session-worker, + signal (receive) set=(term hup) peer=gdm-session, + signal (receive) set=(term hup) peer=gdm, signal (send) set=(term hup kill) peer=dbus-accessibility, signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + dbus bus=session, @{exec_path} mrix, @@ -43,7 +38,6 @@ profile dbus-session flags=(attach_disconnected) { @{bin}/** PUx, @{lib}/** PUx, - @{user_share_dirs}/*/** PUx, /usr/share/*/** PUx, /etc/dbus-1/{,**} r, 
@@ -54,14 +48,9 @@ profile dbus-session flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - # Dbus can receive any user files - owner @{HOME}/** r, - owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, - owner @{user_share_dirs}/dbus-1/services/{,**} r, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @@ -70,13 +59,12 @@ profile dbus-session flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/mounts r, /dev/ptmx rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 1b62a1086..f001c27b7 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -4,10 +4,10 @@ # Profile for system dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-session". It is intended to be used only via "Px ->" or via +# "dbus-session". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. -abi , +abi , include @@ -15,9 +15,8 @@ include @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-system flags=(attach_disconnected) { include - include include - include + include include capability audit_write, 
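Review bot: Removing `owner @{user_share_dirs}/dbus-1/services/{,**} r` takes away the session daemon's read access to user-installed activation files while `owner @{run}/user/@{uid}/dbus-1/services/ rw` is kept, so unless an abstraction not visible here now covers that directory, activation of services declared under `@{user_share_dirs}/dbus-1/services/` would fail with a read denial rather than an obvious error. Dropping `owner @{HOME}/** r` is a clear tightening and fine to keep. If the services directory is intentionally excluded, a comment on the kept `@{run}` line stating that user service files are not read would make that visible.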
@@ -31,23 +30,13 @@ profile dbus-system flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} - dbus receive bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Activator - member=ActivationFailure - peer=(name=@{busname}, label="@{p_systemd}"), + dbus bus=system, @{exec_path} mrix, @{bin}/** PUx, - @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, 
@@ -59,40 +48,32 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{att}/@{desktop_share_dirs}/icc/ r, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/ r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, - - # Dbus can receive any user files - @{HOME}/** r, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{desktop_share_dirs}/icc/ r, + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{user_share_dirs}/icc/ r, + @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{run}/systemd/inhibit/*.ref rw, @{run}/systemd/notify w, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/oom_score_adj r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, - @{att}/dev/dri/card@{int} rw, - @{att}/dev/input/event@{int} rw, - @{att}/dev/pts/ptmx rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b326138d6..b072bcae9 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
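Review bot: The `@{att}/` prefix is removed from the `icc`, `systemd/inhibit`, `systemd/sessions`, `/dev/dri` and `/dev/input` rules while the hunk header still shows `profile dbus-system flags=(attach_disconnected)`; if `@{att}` was introduced so these rules also match the disconnected-path form of those files, the rules now match only the plain paths and the daemon may lose access when it is handed such fds. In the same hunk `{,@{l}}@{int}.ref` becomes `*.ref`, which is wider than the previous, already specific pattern and could simply be kept. `@{att}/dev/pts/ptmx rw` is dropped with no replacement; if that is deliberate, a short note would help the next reader.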
@@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include @@ -42,7 +42,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib}/{,ibus/}ibus-* rPUx, - @{lib}/ibus-*/ibus-* rPUx, /usr/share/ibus/{,**} r, /usr/share/ibus-table/{,**} r, @@ -55,7 +54,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, - owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index bac225ebc..f45474e45 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,12 +11,13 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include include include - signal receive set=kill peer=@{p_systemd_user}, - signal receive set=term peer=ibus-daemon, + signal (receive) set=term peer=ibus-daemon, + + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 8bdc3c79c..250ffafbd 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -2,16 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include - include include - include + include include signal (receive) set=term peer=ibus-daemon, 
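Review bot: The two new `unix` rules in ibus-dconf hard-code `addr="@/home/*/.cache/ibus/dbus-????????"` and `addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????"` where the rest of this profile set uses variables (`@{HOME}`, `@{user_cache_dirs}`, `@{desktop_cache_dirs}` and `@{rand8}` all appear in this commit), so home directories outside `/home` silently fall outside the rule. If variable expansion works inside the quoted `addr=` string in this toolchain, `peer=(addr="@@{user_cache_dirs}/ibus/dbus-@{rand8}", label=ibus-daemon)` and `peer=(addr="@@{desktop_cache_dirs}/ibus/dbus-@{rand8}", label=ibus-daemon)` keep the two rules in step with the file rules that describe the same socket directory.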
@@ -29,6 +28,8 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index abe0d22c0..ea39af4be 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2fa49e50f..27b7613d5 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -2,14 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include + include include + include + include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b1f1445b3..66fef2950 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
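Review bot: In ibus-engine-table, `@{python_path} rix` is replaced by `@{bin}/python3.@{int} rix`, which matches only a versioned interpreter path; whatever other forms `@{python_path}` covered (an unversioned `python3`, if the tunable is defined that way) are no longer allowed, so the engine would be denied exec on systems where the ibus-table shebang resolves to one of them. If the variable was dropped on purpose, a comment such as `# Only the versioned interpreter is allowed here: <reason>` would explain it; otherwise keep the variable.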
@@ -10,17 +10,16 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include signal (receive) set=(term) peer=ibus-daemon, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @@ -28,6 +27,8 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6ea4891a7..9c779eb72 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,21 +14,23 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - #aa:dbus own bus=session name=org.freedesktop.portal.IBus - #aa:dbus own bus=session name=org.freedesktop.IBus + dbus bind bus=session name=org.freedesktop.portal.IBus, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=:*, label=ibus-daemon), @{exec_path} mr, - owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists 
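Review bot: `dbus bind bus=session name=org.freedesktop.portal.IBus,` replaces both `#aa:dbus own` directives, but a bare `bind` rule only permits owning the name; if the `#aa:dbus own` directive used elsewhere in this commit (for example `#aa:dbus own bus=session name=org.a11y.{B,b}us` in dbus-accessibility) expands to send/receive rules on that name as well, ibus-portal loses those, and the `org.freedesktop.IBus` ownership disappears entirely with only a `Ping` receive rule added for its path. Either keep the directive form for consistency with the other profiles or add a comment above the bind rule explaining why the portal now only binds the name. The peer change from `@{busname}` to `:*` on the Introspect rule is fine because the `label=gnome-shell` constraint is retained.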
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ce1c2b108..44bb611fe 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -2,28 +2,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include + include include + include + include include include include + unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, - # unix (connect, receive, send) type=stream peer=(label=ibus-daemon), - unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -31,7 +32,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, @@ -40,6 +40,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 0a97bacd2..4f65ab28b 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -9,12 +9,12 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include @{exec_path} = @{bin}/dpkg -profile child-dpkg flags=(attach_disconnected) { +profile child-dpkg { include include include 
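Review bot: `profile child-dpkg flags=(attach_disconnected) {` becomes `profile child-dpkg {`, and the same flag removal (`attach_disconnected`, and `mediate_deleted` where present) is applied to child-open, child-open-browsers, child-open-help, child-open-strict and child-pager in later hunks of this commit. These child profiles are entered via `Px ->` from many parents, several of which keep `attach_disconnected` (cron, dbus-session, dbus-system in this same diff), so a child inheriting a disconnected fd from such a parent now gets a path denial where it used to succeed. Since none of the hunks explains the removal, a line in child-dpkg's existing header block such as `# Child profiles run without attach_disconnected/mediate_deleted: <reason>` would make the policy decision auditable rather than leaving it to be rediscovered from denials.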
@@ -43,7 +43,7 @@ profile child-dpkg flags=(attach_disconnected) { /var/lib/dpkg/tmp.ci/md5sums rw, /var/lib/dpkg/triggers/Lock rw, /var/lib/dpkg/updates/* rw, - /var/log/dpkg.log rw, + /var/log/dpkg.log ra, # file_inherit /tmp/#@{int} rw, diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index ddfff5fc2..227b92249 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include @@ -22,7 +22,6 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8e991cee7..1812463fc 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -9,10 +9,10 @@ # and load the the nvidia kernel module. # Note: This profile does not specify an attachment path because it is -# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions +# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions # from other profiles. -abi , +abi , include @@ -34,6 +34,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{PROC}/sys/kernel/modprobe r, + @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, 
@@ -41,7 +43,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{u8} w, # Nvidia graphics devices + owner /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, @@ -51,20 +53,22 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, - deny @{HOME}/.steam/** r, + /dev/tty@{int} rw, profile kmod { include include capability mknod, + # capability sys_module, /etc/nvidia/{current,legacy*,tesla*}/*.conf r, + # @{sys}/module/ipmi_devintf/initstate r, + # @{sys}/module/ipmi_msghandler/initstate r, + # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, - deny @{HOME}/.steam/** r, - include if exists } diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 84b1d1ea1..3a10d9273 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -15,11 +15,11 @@ # intended to be used only via "Px -> child-open" exec transitions # from other profiles. -abi , +abi , include -profile child-open flags=(attach_disconnected,mediate_deleted) { +profile child-open { include include include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any deleted file mode 100644 index 446627e85..000000000 --- a/apparmor.d/groups/children/child-open-any +++ /dev/null 
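Review bot: The `kmod` child profile of child-modprobe-nvidia now carries commented-out rules (`# capability sys_module,` and the three `# @{sys}/module/.../initstate r,` lines) with nothing saying whether they are pending, rejected, or merely observed in logs; dead rules in a profile that loads kernel modules are exactly where a later contributor will "fix" a denial by uncommenting them. Either delete them or prefix them with the decision, e.g. `# sys_module left out on purpose: <reason>`, whichever is true. In the preceding hunk `owner /dev/char/195:@{u8} w` becomes `195:@{int}`, widening the minor range beyond 0–255 with no stated need, and both `deny @{HOME}/.steam/** r` lines are dropped, so the log noise they suppressed returns unless an include now covers it.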
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is designed to be used in a child profile to limit what -# confined application can invoke via open helper. - -# This version of child-open allows to open any programs. - -abi , - -include - -profile child-open-any flags=(attach_disconnected,mediate_deleted) { - include - include - include - - @{bin}/** PUx, - @{lib}/** PUx, - @{user_bin_dirs}/** PUx, - /opt/*/** PUx, - /usr/local/bin/** PUx, - /usr/share/** PUx, - - include if exists - include if exists -} - -# vim:syntax=apparmor - diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 473276bff..639c32a9b 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -11,11 +11,11 @@ # intended to be used only via "Px -> child-open-browsers" exec transitions # from other profiles. -abi , +abi , include -profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { +profile child-open-browsers { include include diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor deleted file mode 100644 index 16d3dc868..000000000 --- a/apparmor.d/groups/children/child-open-editor +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is designed to be used in a child profile to limit what -# confined application can invoke via open helper. - -# This version of child-open only allow to open text editor. - -# Note: This profile does not specify an attachment path because it is -# intended to be used only via "Px -> child-open-browsers" exec transitions -# from other profiles. - -abi , - -include - -profile child-open-editor flags=(attach_disconnected,mediate_deleted) { - include - include - - @{editor_ui_path} PUx, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index 1150d16d3..c9c49e142 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -2,16 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -profile child-open-help flags=(attach_disconnected,mediate_deleted) { +profile child-open-help { include include @{browsers_path} rPx, - @{help_path} rPx, + @{bin}/yelp rPUx, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 4296f03af..cea3dc5e0 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -7,18 +7,16 @@ # This version of child-open only allow to open browsers & folders. -abi , +abi , include -profile child-open-strict flags=(attach_disconnected,mediate_deleted) { +profile child-open-strict { include include - @{browsers_path} Px, - @{file_explorers_path} Px, - - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + @{browsers_path} rPx, + @{file_explorers_path} rPx, include if exists include if exists 
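Review bot: In child-open-help, `@{help_path} rPx` becomes `@{bin}/yelp rPUx`, which changes two things at once: the variable is replaced by one hard-coded help viewer, and the `U` fallback means yelp runs unconfined whenever its profile is not loaded, where `rPx` would have refused the exec. For a helper that other confined apps reach via `Px -> child-open-help`, an unconfined fallback is a wider grant than before; if it is needed because the yelp profile is optional, keep it but say so: `# yelp profile is optional; fall back to unconfined rather than failing to open help`. The matching changes in child-open-strict just below (`@{browsers_path} rPx`, `@{file_explorers_path} rPx`) keep `P` without `U` and are fine.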
diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 8e60bce47..cfcc832be 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -9,13 +9,31 @@ # is invoked from other confined applications, but not when it is used # in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include -profile child-pager flags=(attach_disconnected) { +@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more +profile child-pager { include - include + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{exec_path} mr, + + @{system_share_dirs}/terminfo/{,**} r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, include if exists } diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl index 6dd9afd4a..d9657a627 100644 --- a/apparmor.d/groups/children/child-systemctl +++ b/apparmor.d/groups/children/child-systemctl @@ -9,7 +9,7 @@ # it is invoked from other confined applications, but not when it is # used in regular (unconfined) shell scripts or run directly by the user. -abi , +abi , include diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined new file mode 100644 index 000000000..1d07d7c16 --- /dev/null +++ b/apparmor.d/groups/children/user_confined 
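Review bot: child-pager grants `capability dac_override,` and `capability dac_read_search,` to a helper that is entered via `Px -> child-pager` from any confined program piping into `less`/`more`; for a root-run caller this lets the pager bypass DAC bits on whatever its file rules allow, and nothing in the hunk says which caller needs it. If it exists so a privileged tool can page through a file its own profile may read, a comment above the two lines, `# needed when a root caller pipes a 0600 file into the pager: <caller>`, would let the next reviewer verify rather than guess. `signal (receive) set=(stop, cont, term, kill),` has no `peer=`, which is understandable for a shared child but also deserves a one-line comment, since every other signal rule in this commit names a peer.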
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow confined users to read, write, lock and link to their own files
+# anywhere, and execute from some places.
+
+abi ,
+
+include
+
+profile user_confined flags=(complain) {
+ include
+ include
+ include
+ include
+
+ deny capability sys_ptrace,
+
+ @{bin}/** Pixmr,
+
+ owner /** rwkl,
+ owner @{HOMEDIRS}/bin/** ixmr,
+ owner @{user_bin_dirs}/** ixmr,
+
+ @{PROC}/** r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default
new file mode 100644
index 000000000..4b010d22c
--- /dev/null
+++ b/apparmor.d/groups/children/user_default
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# By default, allow users to read, lock and link to their own files anywhere,
+# but only write to files in their home directory. Only allow limited execution
+# of files.
+
+abi ,
+
+include
+
+profile user_default flags=(complain) {
+ include
+ include
+ include
+ include
+
+ deny capability sys_ptrace,
+
+ @{bin}/** Pixmr,
+
+ owner /** rkl,
+ owner @{HOMEDIRS}/ w,
+ owner @{HOMEDIRS}/** w,
+
+ @{PROC}/** r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined
new file mode 100644
index 000000000..ea40d67bf
--- /dev/null
+++ b/apparmor.d/groups/children/user_unconfined
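Review bot: Both new user profiles are declared `flags=(complain)`, so user_confined and user_default log but never deny anything, yet their header comments describe them as restrictions; a reader deploying them would reasonably believe they enforce. Add to each header something like `# Shipped in complain mode until the rule set is validated; switch to enforce deliberately`, or drop the flag if enforcement is intended. `@{PROC}/** r,` in both profiles also grants reads of every other process's /proc entries while `deny capability sys_ptrace` is set to keep ptrace out, an odd pairing (DAC still protects the sensitive entries, but the profile should say what it means); if only the user's own processes are intended, `owner @{PROC}/@{pid}/** r,` would match the style used elsewhere in this policy set.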
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile user_unconfined flags=(attach_disconnected,mediate_deleted) {
+
+ capability,
+ network,
+ mount,
+ remount,
+ umount,
+ pivot_root,
+ ptrace,
+ signal,
+ dbus,
+ unix,
+ file,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index e91f9b419..a1a04dfa3 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -3,16 +3,15 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
-@{exec_path} = @{sbin}/cron
+@{exec_path} = @{bin}/cron
profile cron @{exec_path} flags=(attach_disconnected) {
include
include
include
- include
include
include
@@ -25,14 +24,20 @@ profile cron @{exec_path} flags=(attach_disconnected) {
network netlink raw,
+ ptrace (read) peer=unconfined,
+
@{exec_path} mr,
- @{sh_path} rix,
- @{sbin}/exim4 rPx,
- @{bin}/ionice rix,
- @{bin}/nice rix,
- @{bin}/run-parts rCx -> run-parts,
- @{lib}/sysstat/debian-sa1 rPx,
+ @{sh_path} rix,
+ @{bin}/nice rix,
+ @{bin}/ionice rix,
+ @{bin}/exim4 rPx,
+ @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not
+ # using the run-parts profile we are good
+
+ @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
+ @{lib}/sysstat/debian-sa1 rPUx,
+ /usr/share/rsync/scripts/rrsync rPUx,
/etc/cron.d/{,*} r,
/etc/crontab r,
@@ -52,10 +57,9 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/1/limits r,
- owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/uid_map r,
+ owner @{PROC}/@{pid}/loginuid rw,
+ @{PROC}/1/limits r,
/dev/tty rw,
@@ -69,7 +73,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw,
- include if exists
+ include if exists
}
include if exists
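Review bot: user_unconfined grants every rule class (`capability,`, `network,`, `mount,`, `pivot_root,`, `ptrace,`, `dbus,`, `file,` and the rest) and, unlike its two siblings added in this commit, has no header comment describing what it is for. A profile that is functionally equivalent to unconfined but carries a label deserves a sentence saying so and why the label is wanted, for example `# Equivalent to unconfined; kept as a named profile because <reason>`. Without it the name reads like a mistake next to user_confined and user_default.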
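Review bot: `ptrace (read) peer=unconfined,` in cron grants read-mode ptrace over every unconfined process with no comment on which operation needs it (reading another process's /proc entries is the usual trigger), and in the same hunk `@{lib}/sysstat/debian-sa1` goes from `rPx` to `rPUx`, so a missing sysstat profile now yields an unconfined run instead of a denial. A comment above the ptrace rule naming the access that triggered it, `# <operation> reads /proc of unconfined processes`, and keeping `rPx` unless the fallback is really needed would keep cron's privilege bounded. Stylistically, the trailing comment on `@{bin}/run-parts rCx -> run-parts,` spills onto a second `#` line that makes the following blank and rule look commented; move it above the rule as a two-line block comment.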
diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 91c531618..ccce517a9 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{sbin}/anacron rPx, + @{bin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 1579115a7..e521016cb 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/* w, + /var/crash/*.crash w, include if exists } diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 0d5d5a081..51057f47f 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, /usr/share/cron-apt/{,*} r, @@ -70,6 +70,9 @@ profile cron-apt @{exec_path} { /var/log/cron-apt/mail rw, /var/log/cron-apt/lastfullmessage rw, + # For the "ls" command + @{lib}/locale/locale-archive r, + # TMP /tmp/ r, owner @{tmp}/cron-apt.*/ rw, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index fcf5e4430..5c0c8054a 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs index 1b3f40d87..6415e66b1 100644 --- a/apparmor.d/groups/cron/cron-apt-listbugs +++ b/apparmor.d/groups/cron/cron-apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,7 +33,6 @@ profile cron-apt-listbugs @{exec_path} { /var/spool/apt-listbugs/lastprefclean rw, - include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions index 213ed194f..460a98d7e 100644 --- a/apparmor.d/groups/cron/cron-apt-show-versions +++ b/apparmor.d/groups/cron/cron-apt-show-versions @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 15f93efec..335576536 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,14 +14,15 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, + @{bin}/nice rix, @{bin}/ionice rix, @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, # For shell pwd / r, 
diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 82b33e8ab..5769edadf 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index 9399b6ed4..5bc3aed32 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,10 @@ profile cron-cracklib @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{bin}/logger rix, - @{sbin}/update-cracklib rPx, + @{bin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums index 46a3bbe07..6ca80c582 100644 --- a/apparmor.d/groups/cron/cron-debsums +++ b/apparmor.d/groups/cron/cron-debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,13 +14,15 @@ profile cron-debsums @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/debsums rPx, - @{bin}/ionice rix, + @{bin}/true rix, @{bin}/logger rix, @{bin}/sed rix, + @{bin}/{,e}grep rix, + + @{bin}/ionice rix, + + @{bin}/debsums rPx, @{bin}/tee rCx -> tee, - @{bin}/true rix, /etc/ r, /etc/default/debsums r, 
@@ -29,17 +31,18 @@ profile cron-debsums @{exec_path} { # For shell pwd / r, + profile tee { include include + # Needed to write to /proc/self/fd/3 capability dac_override, @{bin}/tee mr, - owner @{PROC}/@{pid}/fd/@{int} rw, + owner @{PROC}/@{pid}/fd/3 rw, - include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index ea9086948..ce32b715e 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - @{bin}/debtags rPx, + + /usr/bin/debtags rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-dlocate b/apparmor.d/groups/cron/cron-dlocate index 9599b6b4d..fa4b03f8d 100644 --- a/apparmor.d/groups/cron/cron-dlocate +++ b/apparmor.d/groups/cron/cron-dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper index 2029f8842..36e105eb6 100644 --- a/apparmor.d/groups/cron/cron-etckeeper +++ b/apparmor.d/groups/cron/cron-etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{bin}/rm rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 784dfae19..8fdfb9126 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
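Review bot: In the `cron-debtags` hunk `@@ -12,9 +12,9 @@`, the exec rule becomes a hard-coded `/usr/bin/debtags rPx,` while every other exec rule in this group goes through the `@{bin}` variable; a literal path bypasses whatever `@{bin}` expands to on the target distribution and breaks the convention that makes these profiles easy to audit. Keep it as `@{bin}/debtags rPx,`. The hunk also drops `@{sh_path} rix,` and leaves an empty line in its place, which is fine if the cron script no longer spawns a shell but worth confirming against a run of the job.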
@@ -34,13 +34,13 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{sbin}/eximstats rix, + @{bin}/eximstats rix, - @{sbin}/exim4 rPx, - @{sbin}/exim_tidydb rix, + @{bin}/exim4 rPx, + @{bin}/exim_tidydb rix, - @{sbin}/start-stop-daemon rix, - @{sbin}/runuser rix, + @{bin}/start-stop-daemon rix, + @{bin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 8b5891eed..6f569d364 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/ipset rix, + @{bin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index 36044b2f3..723ffe0d8 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/logrotate rPx, + @{bin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 709f843e8..941f2ef11 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{sbin}/start-stop-daemon rix, + @{bin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, 
diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index f91956bcd..9ee08974a 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 7221cc6e1..ebc53dcf2 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -2,7 +2,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7f52d1a14..bae69e971 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, 
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 44d3a546f..3d25fecff 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{sbin}/getcap rix, + @{bin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{sbin}/runuser rCx -> runuser, + @{bin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{sbin}/runuser mr, + @{bin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, @@ -141,6 +141,7 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, + @{bin}/perl r, @{bin}/gzip rix, /usr/share/popularity-contest/popcon-upload r, @@ -151,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { owner @{tmp}/#@{int} rw, # file_inherit - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat index 20aaee7e5..064ebc792 100644 --- a/apparmor.d/groups/cron/cron-sysstat +++ b/apparmor.d/groups/cron/cron-sysstat 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} { include @{exec_path} r, - + @{sh_path} rix, @{lib}/sysstat/sa2 rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5..c1fae96e4 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -3,44 +3,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include - include include include - capability audit_write, - capability chown, - capability dac_read_search, - capability net_admin, capability setgid, capability setuid, - network netlink raw, - @{exec_path} mr, @{sh_path} rix, - @{editor_path} rCx -> editor, - @{etc_ro}/environment r, - @{etc_ro}/security/*.conf r, + # When editing the crontab file + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim.* rCx -> editor, + /etc/cron.{allow,deny} r, - /etc/pam.d/* r, - /var/spool/cron/ r, - /var/spool/cron/** rw, + /var/spool/cron/ r, + /var/spool/cron/crontabs/ rw, + owner /var/spool/cron/crontabs/* rw, - owner @{user_cache_dirs}/crontab/crontab.bak rw, + owner @{tmp}/crontab.*/{,crontab} rw, - @{tmp}/crontab.@{rand6} rw, - @{tmp}/crontab.@{rand6}/ rw, - @{tmp}/crontab.@{rand6}/crontab rwl, profile editor { include @@ -48,13 +39,12 @@ profile crontab @{exec_path} { capability fsetid, + /tmp/ r, + owner @{tmp}/crontab.*/crontab rw, + + # file_inherit /etc/cron.{allow,deny} r, - /tmp/ r, - owner @{tmp}/crontab.@{rand6}/crontab rw, - owner @{tmp}/crontab.@{rand6} rw, - - include if exists } include if exists diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind deleted file mode 100644 index fe4347237..000000000 --- a/apparmor.d/groups/cups/ippfind +++ /dev/null 
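Review bot: In the `crontab` hunk `@@ -3,44 +3,35 @@`, spool access becomes `owner /var/spool/cron/crontabs/* rw,`; spool files are owned by the user whose crontab they hold, so if this deployment supports `crontab -u <user>` run by root, that path would be denied by the `owner` qualifier — worth confirming, and documenting either way, e.g. `# owner: users may only touch their own spool file; root's -u path is not covered`. The temp-file rule widens from `@{tmp}/crontab.@{rand6}/...` to `owner @{tmp}/crontab.*/{,crontab} rw,`, which matches more than crontab creates; if `@{rand6}` did not fit the observed names, say so in a comment rather than leaving a bare glob. The removed `capability` lines should be confirmed against an actual `crontab -e` run, since the editor and PAM paths are where denials will surface.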
@@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ippfind -profile ippfind @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{bin}/echo rix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups deleted file mode 100644 index 6ab6007cb..000000000 --- a/apparmor.d/groups/cups/print-backends-cups +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/@{multiarch}/print-backends/cups -profile print-backends-cups @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index e0e0bd794..3c66936d0 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -37,21 +36,15 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, - #aa:dbus own bus=system name=org.freedesktop.DisplayManager - @{exec_path} mrix, - @{sh_path} rix, - @{bin}/{,e,f}grep rix, - @{bin}/df rix, - @{bin}/rm rix, + @{bin}/rm rix, @{bin}/lightdm-*-greeter rPUx, @{bin}/startx rPx, @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, - @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, 
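Review bot: In the `lightdm` hunk `@@ -37,21 +36,15 @@`, the `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` directive is removed without an explicit `dbus` rule taking its place; if the project generates bus-name ownership rules from that directive, lightdm loses the right to own its well-known name and the failure only shows up at runtime as a D-Bus denial. Unless an equivalent rule exists outside the hunk, keep the directive or replace it with the explicit rule it stands for, `dbus bind bus=system name=org.freedesktop.DisplayManager,`. The removal of `@{bin}/lightdm-session rPx,` matches the deletion of that profile later in this change, so that part is consistent. `profile lightdm` starts before this hunk and ends after it.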
@@ -63,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, + /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, + /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, @@ -88,7 +81,6 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, diff --git a/apparmor.d/groups/display-manager/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter index e0f5f02f2..60fab17a2 100644 --- a/apparmor.d/groups/display-manager/lightdm-gtk-greeter +++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile lightdm-gtk-greeter @{exec_path} { @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, /usr/share/backgrounds/xfce/{,**} r, + /usr/share/desktop-base/{,**} r, /usr/share/lightdm/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session deleted file mode 100644 index ea7d62be2..000000000 --- a/apparmor.d/groups/display-manager/lightdm-session +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lightdm-session -profile lightdm-session @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/im-launch rPx, - - @{sh_path} rix, - @{bin}/mktemp rix, - @{bin}/expr rix, - - include if exists -} - -# vim:syntax=apparmor 
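Review bot: In `@@ -63,11 +56,11 @@`, `@{etc_ro}/environment` and `@{etc_ro}/security/limits.d/{,*}` are rewritten as plain `/etc/...` paths while sibling profiles in this change (for example `xdm-xsession`) keep `@{etc_ro}/...` for the same kind of read-only system files; mixing the two styles in one group makes it harder to audit what `@{etc_ro}` is meant to cover. Restore `@{etc_ro}/environment r,` and `@{etc_ro}/security/limits.d/{,*} r,`, or note in a comment why lightdm must use the literal paths. `profile lightdm` starts before this hunk and ends after it.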
diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession index 5653b42ef..14df741df 100644 --- a/apparmor.d/groups/display-manager/lightdm-xsession +++ b/apparmor.d/groups/display-manager/lightdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} { profile systemctl { include include - + owner @{HOME}/.xsession-errors w, include if exists diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 361a30b26..6d95290c8 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} { profile ssh-agent { include - + @{bin}/ssh-agent mr, @{sh_path} rix, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index df17e0d9f..6278d2ac7 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include profile xdm-xsession @{exec_path} { include include - include include include include 
@@ -19,26 +18,22 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, + @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, @{bin}/dirname rix, - @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, - @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, - @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/whoami rix, - @{bin}/xmodmap rPUx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @@ -56,11 +51,11 @@ profile xdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/sys.xsession rix, @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix, @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix, - @{HOME}/.xinitrc rPix, # TODO: rCx + @{HOME}/.xinitrc rPix, @{lib}/xinit/xinitrc rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, - /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, @@ -75,7 +70,6 @@ profile xdm-xsession @{exec_path} { /etc/sysconfig/* r, owner @{HOME}/ r, - owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{user_share_dirs}/sddm/xorg-session.log rw, @@ -106,7 +100,7 @@ profile xdm-xsession @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet deleted file mode 100644 index bd144b7e2..000000000 --- a/apparmor.d/groups/firewall/firewall-applet +++ /dev/null 
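Review bot: In the `xdm-xsession` hunk `@@ -56,11 +51,11 @@`, the `# TODO: rCx` marker is dropped from `@{HOME}/.xinitrc rPix,` while the rule itself is unchanged, so the recorded intent disappears: `.xinitrc` is a user-writable script and with the `ix` fallback it runs with the full xdm-xsession profile, which is exactly what a child profile was meant to narrow. Keep the marker and make it self-explaining: `@{HOME}/.xinitrc rPix, # TODO: rCx -- user-owned script inherits this whole profile`. `profile xdm-xsession` starts before this hunk and ends after it.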
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/firewall-applet -profile firewall-applet @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - - @{exec_path} mr, - - @{bin}/ r, - @{python_path} r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/cgroup r, - - owner @{user_config_dirs}/firewall/applet.conf rwkl, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/firewall-config b/apparmor.d/groups/firewall/firewall-config deleted file mode 100644 index 760a75200..000000000 --- a/apparmor.d/groups/firewall/firewall-config +++ /dev/null @@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/firewall-config -profile firewall-config @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - - /usr/share/firewalld/__pycache__/ rw, - - /usr/share/firewalld/{,**} r, - - owner @{PROC}/@{pid}/mounts r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld deleted file mode 100644 index 57a0baa20..000000000 --- a/apparmor.d/groups/firewall/firewalld +++ /dev/null 
@@ -1,80 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/firewalld -profile firewalld @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - capability dac_read_search, - capability mknod, - capability net_admin, - capability net_raw, - capability setpcap, - - network inet raw, - network inet6 raw, - network netlink raw, - - #aa:dbus own bus=system name=org.fedoraproject.FirewallD1 - - @{exec_path} mr, - @{python_path} r, - - @{bin}/ r, - @{sbin}/ r, - @{bin}/alts ix, - @{bin}/false ix, - @{bin}/kmod Cx -> kmod, - @{bin}/ebtables-legacy ix, - @{bin}/ebtables-legacy-restore ix, - @{sbin}/ipset ix, - @{sbin}/xtables-legacy-multi ix, - @{sbin}/xtables-nft-multi mix, - - /usr/local/lib/@{python_name}/dist-packages/ r, - - /usr/share/iproute2/{,**} r, - /usr/share/libalternatives/{,**} r, - - /etc/firewalld/{,**} rw, - /etc/iproute2/group r, - /etc/iproute2/rt_realms r, - - /var/lib/ebtables/lock rwk, - - /var/log/firewalld rw, - - @{run}/firewalld/{,*} rw, - @{run}/xtables.lock rwk, - - @{PROC}/sys/net/ipv{4,6}/ip_forward rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/net/ip_tables_names r, - - profile kmod flags=(attach_disconnected) { - include - include - - capability sys_module, - - @{sys}/module/compression r, - @{sys}/module/nf_*/initstate r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw deleted file mode 100644 index 39517ee6c..000000000 --- a/apparmor.d/groups/firewall/ufw +++ /dev/null 
@@ -1,90 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/ufw -profile ufw @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability dac_read_search, - capability net_admin, - capability net_raw, - capability sys_ptrace, - - network inet dgram, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, - - ptrace read, - - @{exec_path} mr, - - @{python_path} rix, - @{sbin}/ r, - @{bin}/cat rix, - @{bin}/env r, - @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rPx, - @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, - - /etc/default/ufw rw, - /etc/ufw/ rw, - /etc/ufw/** rwk, - - @{run}/xtables.lock rwk, - owner @{run}/ufw.lock rwk, - - owner @{tmp}/@{word8} rw, - owner @{tmp}/tmp@{word8} rw, - owner /var/tmp/@{word8} rw, - owner /var/tmp/tmp@{word8} rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/@{pid}/stat r, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/sys/kernel/modprobe r, - - profile kmod flags=(attach_disconnected) { - include - include - - capability sys_module, - - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - include if exists - } - - profile sysctl { - include - include - - capability net_admin, - - @{sbin}/sysctl mr, - - /etc/ufw/sysctl.conf r, - - @{PROC}/sys/net/ipv{4,6}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init deleted file mode 100644 index fcb9d8b6c..000000000 --- a/apparmor.d/groups/firewall/ufw-init +++ /dev/null 
@@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ufw/ufw-init -profile ufw-init @{exec_path} { - include - include - - capability dac_override, - capability dac_read_search, - capability net_admin, - capability net_raw, - - network inet dgram, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/echo rix, - @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/kmod rCx -> kmod, - - /etc/default/ufw r, - /etc/ufw/* r, - - @{run}/xtables.lock rwk, - - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/kernel/modprobe r, - - profile kmod { - include - include - - capability sys_module, - - @{run}/xtables.lock r, - - @{sys}/module/compression r, - @{sys}/module/x_tables/initstate r, - - include if exists - } - - profile sysctl { - include - include - - capability net_admin, - - @{sbin}/sysctl mr, - - /etc/ufw/sysctl.conf r, - - @{PROC}/sys/net/ipv{4,6}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 85e277198..4f2e8b64c 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,19 +21,24 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace read peer=unconfined, + ptrace (read) peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, - @{sbin}/adduser rPx, + @{bin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{sbin}/chpasswd rPx, - @{sbin}/userdel rPx, - @{sbin}/usermod rPx, + @{bin}/chpasswd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, @@ -53,23 +58,24 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/shells r, /etc/sysconfig/displaymanager r, - /var/log/wtmp r, - owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, @{HOME}/ r, owner @{HOME}/.pam_environment r, - owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, - - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid rw, + + # wtmp.d ? + /var/log/wtmp r, + + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index c069b7afd..f20cebeb7 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
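Review bot: In the `accounts-daemon` hunk `@@ -53,23 +58,24 @@`, `@{PROC}/@{pid}/cmdline r` and `loginuid r` become `@{PROC}/@{pids}/...`, and together with `capability sys_ptrace` and the `ptrace (read) peer=unconfined,` from the earlier hunk this lets the daemon read the command line of every process on the system rather than only its own; command lines can carry credentials, so the widening should be tied to the concrete need. If it exists to inspect the D-Bus caller resolved via `GetConnectionUnixProcessID`, say so: `# Inspect the calling process (pid from GetConnectionUnixProcessID); needs ptrace (read) for other users' pids`. The `# wtmp.d ?` comment above `/var/log/wtmp r,` is a question rather than a justification and should be resolved into a reason or a `TODO`. `profile accounts-daemon` starts before this hunk.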
@@ -11,11 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include + include include - include - include include - include include network inet dgram, @@ -24,8 +22,12 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mrix, - @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -33,8 +35,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, + @{system_share_dirs}/mime/mime.cache r, + owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, @@ -44,9 +49,10 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{desktop_share_dirs}/icc/edid-*.icc r, + @{user_share_dirs}/icc/edid-*.icc r, + @{run}/systemd/journal/socket rw, @{run}/systemd/sessions/* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
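Review bot: In the `colord` hunk `@@ -44,9 +49,10 @@`, the EDID profile rules lose both the `@{att}/` prefix and the `@{hex32}` name shape (`@{desktop_share_dirs}/icc/edid-*.icc r,`); the profile keeps `flags=(attach_disconnected)`, so if `@{att}` is how this project addresses disconnected paths the reads may now be denied on such mounts, and the bare `*` matches far more than the 32-hex-digit checksum names colord uses for EDID profiles. Unless the narrower pattern was observed to miss real files, keep `edid-@{hex32}.icc` and explain any `@{att}` removal in a comment. `profile colord` starts before this hunk and ends after it.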
@@ -56,11 +62,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/@{pci}/{vendor,model,type} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session index 16c109970..e61063bda 100644 --- a/apparmor.d/groups/freedesktop/colord-session +++ b/apparmor.d/groups/freedesktop/colord-session @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 2d58faffe..0b1d0ead3 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -28,13 +28,19 @@ profile cpupower @{exec_path} { @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r, @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r, - @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, - @{sys}/devices/system/cpu/cpu@{int}/online r, + + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw, + @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state[0-9]/disable rw, + @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, + + @{sys}/devices/system/cpu/cpu@{int}/online r, /dev/cpu/@{int}/msr r, + profile kmod { include include diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 20b453df4..6abd28da3 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include - include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor index 3fdbb8b65..00d6553ec 100644 --- a/apparmor.d/groups/freedesktop/dconf-editor +++ b/apparmor.d/groups/freedesktop/dconf-editor @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index da950506a..120ff3920 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service 
@@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,dconf/}dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include - include include include @@ -39,6 +38,8 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install index aa9ccae1b..269a6b39a 100644 --- a/apparmor.d/groups/freedesktop/desktop-file-install +++ b/apparmor.d/groups/freedesktop/desktop-file-install @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 128a4708b..3fbd77be0 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,8 +26,6 @@ profile fc-cache @{exec_path} { /var/tmp/mkinitramfs_*/{**,} rwl, - owner @{user_cache_dirs}/ w, - # Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index 6254b2456..cd31a79de 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -3,14 +3,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern +@{exec_path} = @{bin}/fc-list profile fc-list @{exec_path} { include - include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 04eeba521..e5d86092a 100644 --- a/apparmor.d/groups/freedesktop/geoclue 
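Review bot: In the second dconf-service hunk, `/dev/tty@{int} rw,` carries no `owner` qualifier, so the daemon may write to any user's terminal, whereas polkit-mate-authentication-agent and pulseaudio in this same change use the `owner` form. If this only accounts for an inherited terminal from a manual launch, `owner /dev/tty@{int} rw,` preceded by a `# file_inherit` comment, as pulseaudio does, records the reason and narrows the grant.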
+++ b/apparmor.d/groups/freedesktop/geoclue @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,12 +11,9 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include + include include include - include - include - include - include include include include @@ -29,14 +26,23 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.GeoClue2 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, /var/lib/nscd/services r, /var/lib/dbus/machine-id r, + @{run}/systemd/journal/socket rw, + @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index 1201e1277..c8ab6b2b8 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat deleted file mode 100644 index 8329b7924..000000000 --- a/apparmor.d/groups/freedesktop/pacat +++ /dev/null 
@@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pacat -profile pacat @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_music_dirs}/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 04b08ecc4..f8385a89b 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include - include - include include + include capability sys_ptrace, @@ -26,6 +25,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.pulseaudio.Server + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -40,20 +44,19 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, - / r, - /att/**/ r, - owner @{att}/.flatpak-info r, + / r, + /.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, owner @{tmp}/librnnoise-@{int}.so rm, - @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, 
@@ -62,11 +65,13 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,removable,uevent} r, @{sys}/devices/**/device:*/**/path r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, - @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/apparmor/parameters/enabled r, # deny ? - owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 83ee32baa..f316df3b0 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,20 @@ profile pipewire-media-session @{exec_path} { include include include - include include include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixProcessID + peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index e6e6e59c5..a0026b4e1 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
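Review bot: `@{sys}/module/apparmor/parameters/enabled r, # deny ?` leaves an unanswered question in the pipewire profile, while pulseaudio in this same change settles the identical path with `deny @{sys}/module/apparmor/parameters/enabled r,`. Either apply the same silencer here or replace the trailing comment with the observed reason the read must be allowed; a question mark in a shipped rule tells the next maintainer nothing. The new `/dev/media@{int} rw,` and `/dev/video@{int} rw,` rules would also benefit from a one-line comment naming the feature that needs camera device access, matching the `# For video4linux` note already used on the udev rule above.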
@@ -11,21 +11,15 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include - include - include - include include capability sys_ptrace, - ptrace read, - - #aa:dbus own bus=session name=org.pulseaudio.Server + ptrace (read), @{exec_path} mr, @{bin}/pactl rix, - @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -34,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{att}/ r, - owner @{att}/.flatpak-info r, + / r, + /.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, @@ -44,9 +38,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/module/apparmor/parameters/enabled r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities deleted file mode 100644 index 778dd131c..000000000 --- a/apparmor.d/groups/freedesktop/pkla-admin-identities +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pkla-admin-identities -profile pkla-admin-identities @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/polkit-1/localauthority.conf.d/{,**} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization deleted file mode 100644 index ff5b72f71..000000000 --- a/apparmor.d/groups/freedesktop/pkla-check-authorization +++ /dev/null 
@@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pkla-check-authorization -profile pkla-check-authorization @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 327eca3e5..278c09aea 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index da13572e5..e5440d614 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/plymouth-set-default-theme +@{exec_path} = @{bin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0a2390661..16e87a50d 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
@@ -2,17 +2,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/plymouthd +@{exec_path} = @{bin}/plymouthd profile plymouthd @{exec_path} { include include include include - include capability checkpoint_restore, capability dac_override, @@ -43,7 +42,6 @@ profile plymouthd @{exec_path} { /etc/vconsole.conf r, /var/lib/plymouth/{,**} rw, - /var/log/plymouth-*.log w, @{run}/plymouth/{,**} rw, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper similarity index 72% rename from apparmor.d/groups/polkit/polkit-agent-helper rename to apparmor.d/groups/freedesktop/polkit-agent-helper index f761ecf29..d6265589f 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -3,13 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { +profile polkit-agent-helper @{exec_path} { include include include 
@@ -25,22 +25,20 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal receive set=(term kill) peer=gnome-shell, - signal receive set=(term kill) peer=pkexec, - signal receive set=(term kill) peer=pkttyagent, - signal receive set=(term kill) peer=polkit-*-authentication-agent, - - unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, + signal (receive) set=(term, kill) peer=gnome-shell, + signal (receive) set=(term, kill) peer=pkexec, + signal (receive) set=(term, kill) peer=pkttyagent, + signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label="@{p_polkitd}"), + peer=(name=:*, label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=@{busname}, label="@{p_polkitd}"), + peer=(name=:*, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index bb48d0c5b..71709ed4f 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,19 +12,11 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include - include - include - include include include - signal (send) set=(term) peer=polkit-agent-helper, - @{exec_path} mr, - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, - @{PROC}/@{pid}/cgroup r, include if exists 
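Review bot: The polkit-gnome-authentication-agent hunk drops both `@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,` and `signal (send) set=(term) peer=polkit-agent-helper,`, while polkit-kde-authentication-agent and polkit-mate-authentication-agent in this same change keep their helper exec and signal rules. Unless one of the remaining includes (their names are not visible here) supplies that transition, the agent's exec of the helper will be denied in enforce mode and authentication prompts cannot complete. If the intent was only to remove the second `@{lib}/polkit-agent-helper-[0-9]` path, keep the first exec rule together with its signal rule.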
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..7754ee09f 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,8 +11,6 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include - include include include include @@ -28,25 +26,22 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, - #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd - @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /etc/machine-id r, - /etc/xdg/plasmarc r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw, owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk, owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**, owner @{user_cache_dirs}/qtshadercache-*/* r, - + owner @{tmp}/#@{int} rw, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 0dfea7525..762882b74 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent 
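Review bot: The third polkit-kde-authentication-agent hunk removes the `#aa:dbus own` and `#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd` directives without adding explicit rules in their place, unlike polkit-agent-helper in this change, which spells out its `dbus send … peer=(name=:*, label=polkitd)` rules. If the remaining includes do not grant the system-bus traffic to polkitd, agent registration fails silently in enforce mode. Either an explicit rule set or a comment naming the include that now covers it would make the removal reviewable.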
+++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,13 @@ include profile polkit-mate-authentication-agent @{exec_path} { include include - include + include + include include - include + include + include + include + include include signal (send) set=(term, kill) peer=polkit-agent-helper, @@ -22,15 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /usr/share/X11/xkb/** r, + /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{HOME}/.Xauthority r, + + owner /dev/tty@{int} rw, + @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/freedesktop/polkitd similarity index 68% rename from apparmor.d/groups/polkit/polkitd rename to apparmor.d/groups/freedesktop/polkitd index fa00311cd..2533b1982 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -3,15 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd +@{exec_path} = @{lib}/{,polkit-1/}polkitd profile polkitd @{exec_path} flags=(attach_disconnected) { include include - include include capability setgid, 
@@ -20,19 +19,18 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace read, + ptrace (read), #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 - dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=@{busname}, label=polkit-kde-authentication-agent), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, - @{bin}/pkla-check-authorization rPx, - @{bin}/pkla-admin-identities rPx, + @{bin}/pkla-check-authorization rPUx, /etc/machine-id r, @@ -55,19 +53,13 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, - @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @@ -75,6 +67,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, + # Silencer + deny /.cache/ rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 206958062..0bb878ab6 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
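Review bot: `@{bin}/pkla-check-authorization rPUx,` falls back to running the helper unconfined when no profile is loaded, and this same change deletes the pkla-check-authorization profile, so a helper spawned by root-running polkitd now always executes without confinement. The previous `rPx` fails closed; if the dedicated profile is meant to go, `rix` keeps the helper inside polkitd's own profile instead. The exec rule for `@{bin}/pkla-admin-identities` is removed entirely while its profile is also deleted, so if polkitd still spawns it that exec is denied rather than run unconfined — the two sibling helpers end up handled inconsistently.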
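Review bot: In the third polkitd hunk, `@{PROC}/@{pid}/fdinfo/@{int} r,` duplicates the `owner @{PROC}/@{pid}/fdinfo/@{int} r,` context line of the fourth hunk; the unqualified rule subsumes the `owner` one, so one should be dropped, and the `owner` form is the tighter one to keep. The remaining `@{PROC}/@{pids}/{cgroup,cmdline,stat}` rules together with `ptrace (read)` and `capability sys_ptrace` allow polkitd to inspect any process, which is plausibly needed for subject lookup; a short comment above them stating that purpose would help future readers judge the scope.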
@@ -14,21 +14,17 @@ profile pulseaudio @{exec_path} { include include include + include + include include include - include - include - include - include - include include include - include include include + include include include - include include ptrace (trace) peer=@{profile_name}, @@ -51,11 +47,26 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=:*, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=ItemRemove + peer=(name=:*, label=avahi-daemon), + dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member={Found,Free} + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, @@ -67,15 +78,12 @@ profile pulseaudio @{exec_path} { /etc/pulse/{,**} r, - / r, - owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, - owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, @@ -94,6 +102,7 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, 
@@ -101,6 +110,9 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 90be74ecf..e070bff2f 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ include profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include include - include include capability dac_override, @@ -25,8 +24,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { @{system_share_dirs}/applications/.mimeinfo.cache.* rw, @{system_share_dirs}/applications/mimeinfo.cache w, - /usr/share/byobu/desktop/* r, - /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9efd9cccc..778af218c 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 83652914f..0428aebfc 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower 
@@ -3,17 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/upower profile upower @{exec_path} { include - include - include - #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Needed? + audit capability sys_nice, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 201e49f3c..d57efafc4 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,8 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include - include include network netlink raw, 
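Review bot: `# Needed?` above `audit capability sys_nice,` leaves an open question in the upower profile. Using `audit` to log each use is a sound way to answer it, but the comment should say so and when to revisit, e.g. `# TODO: audited to confirm whether sys_nice is used; drop the rule if nothing is logged`. The hunk also removes the `#aa:dbus talk bus=system name=org.freedesktop.UPower` directive with no visible replacement; if the remaining includes do not cover the client's system-bus calls to upowerd, those calls will be denied.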
@@ -28,21 +27,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, # Lists all udev data files - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/ r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, 
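Review bot: `@{run}/udev/data/+power_supply* r,` drops the `:` separator that every sibling rule in the hunk keeps (`+acpi:*`, `+hid:*`, `+platform:*`), so it matches any key beginning with `+power_supply` and reads as a typo; `@{run}/udev/data/+power_supply:* r,` restores the pattern. Likewise `@{run}/systemd/inhibit/[0-9]*.ref rw,` uses a literal glob where the rest of the file uses `@{int}`, so `@{run}/systemd/inhibit/@{int}.ref rw,` keeps the style consistent. The comment rewrite also removes the `+serio:*` rule; if serial input devices are still observed this is a functional change rather than a cleanup and deserves its own mention.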
@@ -51,13 +49,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/class/sound/ r, @{sys}/devices/ r, @{sys}/devices/**/capabilities/* r, - @{sys}/devices/**/leds/**/brightness rw, - @{sys}/devices/**/leds/**/brightness_hw_changed r, - @{sys}/devices/**/leds/**/max_brightness r, @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, + @{sys}/devices/platform/**/leds/**/brightness rw, + @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, + @{sys}/devices/platform/**/leds/**/max_brightness r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname deleted file mode 100644 index 1d2c7aa23..000000000 --- a/apparmor.d/groups/freedesktop/wmname +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/wmname -profile wmname @{exec_path} { - include - include - - @{exec_path} mr, - owner @{HOME}/.Xauthority r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 031f03ac4..6a4da425e 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
@@ -2,41 +2,33 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include - include + include include include - include + include + include include include - include - - network unix stream, - - #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal - #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime - member=MakeThread* + member=MakeThreadRealtimeWithPID peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), @{exec_path} mr, - owner @{att}/@{HOME}/.var/app/** r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, - owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index a6200a2b2..7379369e1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon 
@@ -2,46 +2,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include - include - @{exec_path} r, - - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/mkdir ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, - - # To get DE information - @{bin}/kde{,4}-config ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/xprop Px, - - profile bus flags=(complain) { - include - include - include - - include if exists - } + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index f86fbedc8..4204c51d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu 
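Review bot: The rewritten xdg-desktop-icon profile keeps only `@{exec_path} mr,` and is not in complain mode, yet the removed lines show the target is a shell script that runs `@{sh_path}`, grep, cp, sed and other helpers; with no `ix`/`Px` rules left, the first child exec is denied in enforce mode. Either restore the interpreter and helper rules (`@{sh_path} rix,` plus the `@{bin}/... ix` set) or mark the profile `flags=(complain)` as xdg-desktop-menu is until the ruleset is rebuilt from logs. `mr` on the script path also differs from the old `@{exec_path} r,` and from xdg-desktop-menu, which keeps `r` for its script.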
@@ -3,54 +3,44 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include - include include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, + @{sh_path} rix, + @{bin}/mkdir rix, + @{bin}/sed rix, + @{bin}/cut rix, + @{bin}/basename rix, + @{bin}/rm rix, + @{bin}/cp rix, + @{bin}/cat rix, + @{bin}/touch rix, + @{bin}/{m,g,}awk rix, + @{bin}/whoami rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/readlink rix, - # To get DE information - @{bin}/kde{,4}-config ix, + @{bin}/update-desktop-database rPx, - @{bin}/dbus-send Cx -> bus, - @{bin}/update-desktop-database Px, - @{bin}/xprop Px, + owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, + owner @{user_share_dirs}/applications/chrome-*.desktop rw, + owner @{HOME}/.gnome/apps/chrome-*.desktop rw, - profile bus flags=(complain) { - include - include - include - include if exists - } + /usr/share/applications/*.desktop rw, + /usr/share/*/*.desktop r, + + /usr/share/applications/defaults.list r, + /usr/share/applications/defaults.list.new w, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ec2cc86be..65420a2ee 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
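Review bot: `/usr/share/applications/*.desktop rw,` grants write access to every system-wide launcher — the files that decide what menu entries execute — and unlike the user-scoped rules just above it carries no `owner` qualifier. If the write is only needed for system-mode runs as root, `owner /usr/share/applications/*.desktop rw,` still works there (the files are root-owned) while granting nothing extra to unprivileged runs; a comment stating which mode needs it would help too. The `rix` list is no longer sorted, unlike the old block, which makes duplicates and omissions harder to spot.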
@@ -17,45 +17,41 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include - include - include include - include include include - include - include include capability sys_ptrace, network netlink raw, - ptrace read, - - signal receive set=term peer=gdm, - signal receive set=hup peer=gdm-session-worker, + ptrace (read), #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.host.portal.Registry - member=Register - peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.NetworkMonitor - member=GetStatus - peer=(name=@{busname}, label=snap.*), + peer=(name=:*), + + dbus receive bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=CheckPermissions + peer=(name=:*, label=NetworkManager), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk - #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=xdg-document-portal), + dbus send bus=session path=/org/freedesktop/portal/documents + 
interface=org.freedesktop.portal.Documents + peer=(name=:*, label=xdg-document-portal), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -66,43 +62,29 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/nautilus rPx, + @{bin}/snap rPUx, - @{bin}/kreadconfig{,5} rPx, - @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} mrPx -> child-open, + @{bin}/kreadconfig5 rPx, + @{lib}/xdg-desktop-portal-validate-icon rPUx, + @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner /att/**/ r, + / r, + /.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, - /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, - @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{gdm_config_dirs}/user-dirs.dirs r, + /var/lib/gdm{,3}/greeter-dconf-defaults r, - # The portal can receive any user file as it is a file chooser for UI app. - owner @{HOME}/** r, + @{user_config_dirs}/kioslaverc r, - @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/xdg-desktop-portal/* r, - owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, - - owner @{tmp}/icon@{rand6} rw, + owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/ r, - @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 30b415204..fecaa51b7 100644 
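Review bot: `ptrace (read),` carries no `peer=`, so together with `capability sys_ptrace` the portal may read `/proc/<pid>/` state (maps, environ, fd) of any process DAC lets it reach, and this hunk adds the `GetConnectionUnixProcessID` rule that suggests the purpose is identifying D-Bus callers. If that is the only use, restrict the rule to the labels of those callers, or at least document it: `# read /proc/<pid>/ of callers resolved via GetConnectionUnixProcessID — TODO confirm`. The rule is unchanged in substance from the old side, but the hunk rewrites the surrounding D-Bus rules, so now is the time to scope it. The profile continues past this hunk.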
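Review bot: `@{lib}/xdg-desktop-portal-validate-icon rPUx,` replaces `rPx` while this same diff deletes the `xdg-desktop-portal-validate-icon` profile, so the helper that parses icon data handed over by (possibly sandboxed) apps now runs unconfined instead of failing closed. Keep `rPx` so a missing profile surfaces as a denial rather than silently dropping confinement, and preferably keep the dedicated profile (its `bwrap ix` and `owner @{tmp}/icon@{rand6} r` rules were already minimal). The same concern applies to the added `@{bin}/snap rPUx,`. `owner @{tmp}/icon* rw,` also widens the previous `icon@{rand6}` pattern that the deleted helper profile consumed; the narrower glob could be kept.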
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,85 +13,79 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include - include - include + include include include include include include include - include include network unix stream, - signal receive set=term peer=gdm, - signal receive set=(hup term) peer=gdm-session-worker, + signal (receive) set=term peer=gdm, + signal (receive) set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome - #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider - #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" + + dbus send bus=session path=/org/gnome/Shell/Screenshot + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gnome/Shell + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Background + member=GetAppState + peer=(name=:*, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus (send, receive) bus=session path=/org/gnome/Mutter/* + interface=org.gnome.Mutter.* + peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), + dbus send bus=session path=/org/gnome/Mutter/* 
interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), @{exec_path} mr, / r, @{bin}/ r, @{bin}/* r, - /opt/** r, /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{desktop_cache_dirs}/dconf/user r, - owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/ r, - owner @{HOME}/* r, owner @{HOME}/*/{,**} rw, - owner @{MOUNTS}/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/gtkprint_ppd_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} r, - owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b7906c5e2..a06b898d3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
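Review bot: `dbus (send, receive) bus=session path=/org/gnome/Mutter/* interface=org.gnome.Mutter.* peer=(name=:*, label="{gnome-shell,gsd-xsettings}")` has no `member=` and a wildcard interface, so it covers every Mutter API, which as far as I know includes `org.gnome.Mutter.RemoteDesktop` (input injection) and `org.gnome.Mutter.ScreenCast`, not only `DisplayConfig`. The GNOME portal backend presumably does implement the RemoteDesktop/ScreenCast portals, in which case the breadth is justified, but then a comment naming the interfaces it uses would make the wildcard deliberate; if only a subset is needed, list it explicitly, e.g. `interface={org.gnome.Mutter.DisplayConfig,org.gnome.Mutter.ScreenCast,org.gnome.Mutter.RemoteDesktop}` — TODO confirm against the backend. The profile header is above this hunk and the body continues below it.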
@@ -2,65 +2,65 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gtk -profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { +profile xdg-desktop-portal-gtk @{exec_path} { include + include include include + include include include include - include + include + include include - include + include include include include include include - include - include include include + include - signal receive set=term peer=gdm, - signal receive set=hup peer=gdm-session-worker, + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal - dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, - /usr/share/gdm/greeter-dconf-defaults r, - - / r, - owner /att/**/ r, + / r, owner /var/lib/xkb/server-@{int}.xkm rw, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, - owner @{gdm_config_dirs}/dconf/user r, - owner /var/lib/gdm3/greeter-dconf-defaults r, - owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - 
@{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland deleted file mode 100644 index 876825ee4..000000000 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/xdg-desktop-portal-hyprland -profile xdg-desktop-portal-hyprland @{exec_path} { - include - include - include - include - include - include - - @{exec_path} mr, - - @{sh_path} ix, - @{bin}/hyprland-share-picker rix, - @{bin}/sleep rix, - @{bin}/slurp rix, - - owner /tmp/hypr/ rw, - owner /tmp/hypr/\#@{int} rwkl, - owner /tmp/hypr/hyprland-share-picker.conf* rwkl, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{PROC}/@{pid}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index bd5981dcf..a5329097b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include - include - include include - include include include - include network inet dgram, network inet6 dgram, 
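Review bot: The profile header drops `flags=(attach_disconnected)` (`profile xdg-desktop-portal-gtk @{exec_path} {`), while the sibling portal profiles in this diff (xdg-desktop-portal, xdg-desktop-portal-gnome, xdg-document-portal) keep it. A portal backend that is handed files from sandboxed apps may see paths outside its own mount namespace; without the flag those accesses are rejected as disconnected paths instead of being matched against the rules below. Unless audit logs show the flag is unnecessary, keep it for consistency: `profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {`.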
@@ -24,43 +20,24 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, - signal send set=term peer=kioworker, - @{exec_path} mr, #aa:exec kioworker - /usr/share/plasma/look-and-feel/** r, - /usr/share/thumbnailers/{,**} r, - - /etc/fstab r, - /etc/xdg/dolphinrc r, - - / r, - - owner @{HOME}/ r, - owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_cache_dirs}/*.kcache r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kdeglobals{,.*} rwlk, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, - - owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, - owner @{PROC}/@{pid}/mountinfo r, - - /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 2fa8cc01f..a76f73b36 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, 
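Review bot: `owner @{user_config_dirs}/kdeglobals{,.*} rwlk,` grants write, lock and link access to the global KDE configuration read by every KDE application, where the old side limited writes to `xdg-desktop-portal-kderc`. Together with the new `owner @{user_config_dirs}/#@{int} rw,` this looks like an atomic-save pattern, which presumably means the portal really rewrites `kdeglobals` — if so, say why in a comment (`# KConfig atomic write of global settings changed through the Settings portal — TODO confirm`); if it only reads the file, `r` is enough. The removed `signal send set=term peer=kioworker,` also deserves a second look, since `#aa:exec kioworker` stays and the portal may still need to terminate the workers it spawns.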
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon deleted file mode 100644 index 2c6c37538..000000000 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon -profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability dac_override, - - @{exec_path} mrix, - - @{bin}/bwrap ix, - - owner @{tmp}/icon@{rand6} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 84c0fce42..86633e72f 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include include include - include include - include include capability sys_admin, 
@@ -23,15 +21,13 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/, - signal receive set=term peer=gdm, - signal receive set=hup peer=gdm-session-worker, + signal (receive) set=(term) peer=gdm, ptrace (read), unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -40,17 +36,13 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPx, + @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, - @{bin}/snap rPx, - / r, - owner /att/**/ r, - owner @{att}/.flatpak-info r, + / r, + owner /.flatpak-info r, - owner @{HOME}/ r, - owner @{HOME}/*/{,**} rw, - owner @{MOUNTS}/ r, + owner @{HOME}/** r, owner @{user_share_dirs}/flatpak/db/documents r, owner @{user_share_dirs}/Trash/files/** r, @@ -62,16 +54,15 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, + /dev/fuse rw, + owner /dev/tty@{int} rw, - profile fusermount flags=(attach_disconnected) { + profile fusermount { include - include - include + include + capability sys_admin, capability dac_read_search, - capability dac_override, - capability setuid, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, 
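Review bot: `owner @{HOME}/** r,` replaces `owner @{HOME}/*/{,**} rw,`, so the document portal loses write access to the files it exports; since the portal serves writes on behalf of apps through its `fuse.portal` mount (see the `mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/` rule in the hunk above), a save into an exported document would presumably now be denied at the portal process — TODO confirm with a writable document. Separately, `@{bin}/flatpak rPUx,` falls back to unconfined when no `flatpak` profile is loaded; `rPx` was the safer default. The profile continues past this hunk.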
@@ -81,8 +72,17 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), + @{bin}/fusermount{,3} mr, + + /etc/fuse{,3}.conf r, + owner @{run}/user/@{uid}/doc/ rw, + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index cf580ceac..da457a0fe 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -3,51 +3,32 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include - include - include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/tail ix, - @{bin}/tr ix, - @{bin}/uname ix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cut rix, + @{bin}/echo rix, + @{bin}/gio rPx, + @{bin}/kreadconfig5 rPx, + @{bin}/readlink rix, + @{bin}/sed rix, + @{bin}/tail rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xdg-mime rPx, + @{thunderbird_path} rPx, - # To get DE information - @{bin}/kde{,4}-config ix, - @{bin}/gconftool{,-2} ix, - @{bin}/qtxdg-mat ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/gdbus Cx -> bus, - @{bin}/kreadconfig{,5} Px, - @{bin}/xdg-mime Px, - @{bin}/xprop Px, - @{open_path} Px -> child-open-email, - @{thunderbird_path} Px, - - profile bus flags=(complain) { - include - include - include - - include if exists - } + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 4f29d38a0..9ece71574 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource 
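Review bot: `@{PROC}/@{pids}/mounts r,` in the `fusermount` child lets it read the mount table of any process; fusermount only needs its own, so `owner @{PROC}/@{pid}/mounts r,` keeps the function with less scope. The child also dropped `flags=(attach_disconnected)` in the previous hunk while it still performs `mount options=(rw, rprivate) -> /` and an rbind of `@{run}/user/@{uid}/` onto `/`; after those mounts its paths may be disconnected, so confirm the flag is really unneeded before enforcing. `owner /dev/tty@{int} rw,` on a FUSE helper presumably reflects an inherited stdio descriptor; if it is only noise, a `deny` silencer is the safer choice. The child profile's opening line is outside this hunk.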
+++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,43 +11,35 @@ include profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include - include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, - @{bin}/whoami ix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/whoami rix, + @{bin}/sed rix, + @{bin}/basename rix, + @{bin}/mkdir rix, + @{bin}/cp rix, + @{bin}/rm rix, + @{bin}/readlink rix, + @{bin}/touch rix, - # To get DE information - @{bin}/kde{,4}-config ix, + @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/dbus-send Cx -> bus, - @{bin}/gtk{,4}-update-icon-cache Px, - @{bin}/xprop Px, + /usr/share/**/icons/**.png r, + /usr/share/icons/**.png rw, + /usr/share/icons/*/.xdg-icon-resource-dummy rw, + /usr/share/terminfo/** r, - profile bus flags=(complain) { - include - include - include - include if exists - } + owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, + + owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, + owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, + /opt/**/*.png r, + + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 9e6dbc2e0..badefb819 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
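Review bot: `/usr/share/icons/**.png rw,` and `/usr/share/icons/*/.xdg-icon-resource-dummy rw,` allow the script to overwrite any icon in any system theme, and since the profile is in enforce mode (`flags=(attach_disconnected)`) the grant is live. This is presumably for `--mode system` run as root; add `# --mode system (root) installs icons into the system theme` above the rules so the breadth is recorded as deliberate rather than accidental. The `deny @{user_share_dirs}/gvfs-metadata/* r,` silencer is consistent with xdg-mime in this diff.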
@@ -3,75 +3,76 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include - include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/file ix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/umask ix, - @{bin}/uname ix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/file rix, + @{bin}/head rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/realpath rix, + @{bin}/sed rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, - # To query DE information - @{bin}/gio ix, - @{bin}/gnomevfs-info ix, - @{bin}/gvfs-info ix, - @{bin}/kde{,4}-config ix, - @{bin}/kfile ix, - @{bin}/kmimetypefinder{,5} ix, - @{bin}/ktraderclient{,5} ix, - @{bin}/qtpaths ix, - @{bin}/qtxdg-mat ix, + @{bin}/gio rPx, + @{bin}/kbuildsycoca5 rPx, + @{bin}/ktraderclient5 rPUx, + @{bin}/mimetype rPx, + @{bin}/xprop rPx, - @{bin}/dbus-send Cx -> bus, - @{bin}/kbuildsycoca{,5} Px, - @{bin}/mimetype Px, - @{bin}/vendor_perl/mimetype Px, - @{bin}/xprop Px, + /usr/share/terminfo/** r, + owner @{HOME}/.Xauthority r, owner @{user_config_dirs}/mimeapps.list{,.new} rw, - owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, + owner @{run}/user/@{uid}/ r, - @{PROC}/version r, + @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, + @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, + /dev/dri/card@{int} rw, /dev/tty rw, - # file_inherit - deny /opt/*/** r, - deny owner @{user_config_dirs}/*/** rw, - deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + # When xdg-mime is run as 
root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Xdg-mime works fine without this. + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, - profile bus flags=(complain) { + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + profile dbus { include - include - include - include + include + + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPx, + + @{HOME}/.Xauthority r, + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 7893800d1..e7ee7dc8c 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
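Review bot: The `profile dbus { ... }` child is unreachable: both `rCx -> dbus` transitions that would enter it are commented out and replaced by `deny @{bin}/dbus-launch rx,` / `deny @{bin}/dbus-send rx,`, so the child and its `@{bin}/dbus-daemon rPx` rule are dead weight — either drop the child or re-enable the transitions, and turn the `Should this be allowed?` question in the comment into a decision. The added `@{sys}/devices/platform/**/hwmon/hwmon@{int}/{temp*,fan*} r,` and `/dev/dri/card@{int} rw,` rules look like descriptors inherited from the calling application rather than anything a MIME lookup needs; the old side handled such inherited fds with `deny` silencers under `# file_inherit`, which is the safer pattern here too, e.g. `deny /dev/dri/card@{int} rw,`. xdg-open and xdg-settings in this same diff allow `dbus-launch rCx -> dbus`, so the three xdg-utils profiles now disagree on autolaunch.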
@@ -3,48 +3,58 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include + include include - include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/env ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/tr ix, - @{bin}/uname ix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/cut rix, + @{bin}/which{,.debianutils} rix, + @{bin}/cat rix, + @{bin}/uname rix, - # To get DE information - @{bin}/kde{,4}-config ix, + @{bin}/xprop rPx, + @{bin}/xdg-mime rPx, - @{bin}/dbus-send Cx -> bus, - @{bin}/gdbus Cx -> bus, - @{bin}/xprop Px, - @{bin}/xdg-mime Px, - @{open_path} Px -> child-open-any, + @{bin}/exo-open rPx, + @{bin}/gio rPx, + #@{bin}/kde-open5 rPUx, + @{bin}/ktraderclient5 rPUx, - @{PROC}/version r, + @{bin}/dbus-launch rCx -> dbus, + @{bin}/dbus-send rCx -> dbus, - profile bus flags=(attach_disconnected) { + /** r, + owner /** rw, + + # freedesktop.org-strict + owner @{user_share_dirs}/applications/ r, + /usr/share/applications/*.desktop r, + + /dev/tty rw, + + profile dbus { include - include - include + include - include if exists + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + + @{HOME}/.Xauthority r, } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3b15d9688..f698111d4 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
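Review bot: `/** r,` and `owner /** rw,` give xdg-open read access to the whole filesystem and write access to every user-owned file, and the profile is in enforce mode (`flags=(attach_disconnected)`), so this effectively removes file confinement from a dispatcher script; the narrower rules right below (`owner @{user_share_dirs}/applications/ r,`, `/usr/share/applications/*.desktop r,`) are shadowed by it. xdg-open only needs to read desktop entries and hand the URL to a handler, which runs under its own profile via the `gio`/`exo-open`/`xdg-mime` `rPx` rules, and the old side managed without any broad file rule. Drop both globs and let audit logs drive specific additions; if a file argument must be inspected, `owner @{HOME}/** r,` is already far less than `owner /** rw`.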
@@ -2,22 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include - include include include capability sys_nice, - signal receive set=(term hup kill) peer=dbus-session, - signal receive set=(term hup kill) peer=gdm, - signal receive set=(term hup kill) peer=gdm-session-worker, + signal (receive) set=(term hup kill) peer=dbus-session, + signal (receive) set=(term hup kill) peer=gdm, #aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore @@ -43,11 +41,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, - owner @{user_share_dirs}/flatpak/db/devices rw, + owner @{user_share_dirs}/flatpak/db/devices r, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - owner @{user_share_dirs}/flatpak/db/screencast r, + + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index dd7d17118..cee9898b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
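Review bot: `/dev/tty@{int} rw,` is added without `owner`, unlike the `owner /dev/tty@{int} rw,` rules this diff adds to xdg-document-portal, xdg-desktop-portal-gnome and xdg-email. xdg-permission-store is a per-user D-Bus service, so access to a virtual console it does not own is never needed; this is presumably an inherited stdio descriptor, so use `owner /dev/tty@{int} rw,` for consistency, or a `deny` silencer if the access is only noise.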
@@ -3,54 +3,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-screensaver -profile xdg-screensaver @{exec_path} flags=(complain) { +profile xdg-screensaver @{exec_path} { include include - include - include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cut ix, - @{bin}/dirname ix, - @{bin}/kill ix, - @{bin}/ln ix, - @{bin}/lockfile ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/uname ix, - @{bin}/xautolock ix, + @{bin}/ r, - @{bin}/dbus-send Cx -> bus, - @{bin}/xprop Px, - @{bin}/xset Px, - @{bin}/ps Px, - @{bin}/hostname Px, + @{sh_path} rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/cat rix, + @{bin}/uname rix, - profile bus flags=(complain) { - include - include - include + @{bin}/xautolock rix, + @{bin}/dbus-send rix, - #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + @{bin}/xprop rPx, + @{bin}/xdg-mime rPx, + @{bin}/xset rPx, + @{bin}/hostname rix, - include if exists - } + /dev/dri/card@{int} rw, + + owner @{HOME}/ r, + owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth-@{int}-_[0-9] r, + + owner @{run}/user/@{uid}/ r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index fd05bcee9..a4d611712 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
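Review bot: The profile moves from `flags=(complain)` to enforce mode while the D-Bus path is reduced to `@{bin}/dbus-send rix,`, and the removed `bus` child carried the only visible D-Bus rules (`org.freedesktop.ScreenSaver` and `org.gnome.ScreenSaver` talk). Unless an included abstraction grants those calls, the inhibit/uninhibit requests dbus-send now makes under this profile will be denied, so test `xdg-screensaver suspend <wid>` under enforce before merging. The hunk also drops `kill`, `lockfile`, `mktemp`, `ln` and `ps`, which the script's lock-file based fallback presumably uses — TODO confirm those paths are no longer exercised.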
@@ -3,62 +3,65 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} flags=(attach_disconnected) { +profile xdg-settings @{exec_path} { include include include @{exec_path} r, - @{sh_path} mr, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat ix, - @{bin}/cut rix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath rix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/sleep ix, - @{bin}/sort ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/uname ix, - @{bin}/wc ix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/readlink rix, + @{bin}/realpath rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/uname rix, + @{bin}/wc rix, + @{bin}/which{,.debianutils} rix, - # To set/get DE information - @{bin}/gconftool{,-2} ix, - @{bin}/kde{,4}-config ix, - @{bin}/kwriteconfig{,5,6} ix, - @{bin}/qtxdg-mat ix, + @{bin}/dbus-launch rCx -> dbus, + @{bin}/dbus-send rCx -> dbus, + @{bin}/kreadconfig5 rPx, + @{bin}/xdg-mime rPx, + @{bin}/xprop rPx, - @{bin}/dbus-send Cx -> bus, - @{bin}/kreadconfig{,5} Px, - @{bin}/xdg-mime Px, - @{bin}/xprop Px, + /usr/share/terminfo/** r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, - owner @{user_share_dirs}/applications/{,**} rw, + /etc/xdg/xfce4/helpers.rc r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, - @{PROC}/version r, + owner @{HOME}/ r, + owner @{HOME}/.Xauthority r, - owner /dev/pts/@{int} rw, + owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, - profile bus flags=(complain) { + owner @{run}/user/@{uid}/ r, + + owner @{PROC}/@{pid}/fd/ r, + + profile dbus { include - include - include + include - include if exists + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPx, + + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, 
+ + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index f963a21b9..fa52d6f52 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -2,23 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dir profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include - include - include @{exec_path} mr, - @{sh_path} rix, - @{bin}/env rix, + @{sh_path} rix, + @{bin}/env rix, owner @{user_config_dirs}/user-dirs.dirs r, + /dev/tty rw, + # Silencer deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index feb1b9bd6..01a289533 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -2,27 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include - include - include - include + include @{exec_path} mr, - @{bin}/xdg-user-dirs-update Px, - owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, + owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, - owner @{tmp}/dirs-@{rand6} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 09c66d6ac..4730ca091 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update 
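Review bot: `@{bin}/dbus-launch rCx -> dbus` with `owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w` in the child lets a settings query autolaunch a private session bus and persist its address, the very behaviour xdg-mime in this diff explicitly denies with a comment questioning it. The xdg-utils profiles should make the same call; if autolaunch is accepted here, a comment on the `rCx` line saying so (`# dbus-launch --autolaunch when run without a session bus`) keeps the next reviewer from flipping it back. The profile also loses `flags=(attach_disconnected)`; that is fine if no disconnected-path denials appear, but worth confirming on a flatpak-enabled session.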
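Review bot: The xdg-user-dirs-gtk-update hunk removes `owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,` and the `@{bin}/xdg-user-dirs-update Px` transition, leaving only reads of `user-dirs.dirs` and `user-dirs.locale`. Judging by its name the program exists to rewrite the GTK bookmarks file, so with no write rule left it presumably cannot do its job under enforcement — TODO confirm by running it after a locale change and checking the audit log. If the removal is intentional because the file is now written elsewhere, a one-line comment saying so would prevent the rule from being re-added.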
@@ -2,18 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include - include include @{exec_path} mr, + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 6032179e4..467a92e03 100644 --- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xhost -profile xhost @{exec_path} flags=(attach_disconnected) { +profile xhost @{exec_path} { include include include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index a99e12b7a..ef719d673 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -3,21 +3,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include - include - include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, @@ -31,7 +27,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w, - /var/log/Xorg.@{int}.log w, owner /var/log/lightdm/x-@{int}.log w, owner @{run}/user/@{uid}/server-@{int}.xkm rwk, 
@@ -41,7 +36,10 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - /dev/input/event@{int} rw, + /dev/tty@{int} rw, + + deny /dev/input/event@{int} rw, + deny /var/log/Xorg.@{int}.log w, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bfec4405c..9e1625e8e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -45,16 +45,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member=ReleaseControl - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - @{exec_path} mrix, @{sh_path} rix, @{bin}/xkbcomp rPx, - @{bin}/pkexec rCx -> pkexec, + @{bin}/pkexec rPx, @{lib}/xorg/ r, @{lib}/xorg/modules/ r, 
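Review bot: The two `deny` rules added at the end of the xkbcomp profile (`deny /dev/input/event@{int} rw,` and `deny /var/log/Xorg.@{int}.log w,`) are audit silencers — explicit `deny` rules are quiet by default, so the accesses they cover will no longer appear in the log. That is the right direction for least privilege, but the intent is not stated; the xdg-user-dir hunk in this same diff labels its quiet denies with a `# Silencer` heading, and the same comment above these two lines would keep the convention and tell a future reader that the lost log entries are deliberate.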
@@ -92,18 +87,31 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, + @{sys}/class/ r, + @{sys}/class/{tty,input,drm}/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/**/{uevent,name,id,config} r, + @{sys}/devices/**/hid r, + @{sys}/devices/**/power_supply/**/{type,online} r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/backlight/*/{,max_}brightness r, + @{sys}/devices/@{pci}/backlight/*/brightness rw, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/platform/ r, + @{sys}/module/i915/{,**} r, + + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+serio:* r, # for touchpad? - @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices - + @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features 
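Review bot: Two of the udev comments on the new side of the xorg hunk are placeholders rather than documentation: `@{run}/udev/data/+platform:* r, # for ?` and `@{run}/udev/data/+serio:* r, # for touchpad?`. The old side carried a usable description for the first (`# Identifies onboard devices (laptop/board model, power controllers, thermal sensors)`), and the `?` form should either be resolved or reduced to a plain `# TODO: document` so it is not mistaken for an explanation. Separately, `@{run}/udev/data/+usb* r` drops the `:` of the previous `+usb:*`, so it also matches any udev subsystem whose name merely starts with `usb`; if that widening is intended, the trailing comment should say so rather than `# for USB mouse and keyboard`.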
@@ -111,46 +119,19 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/{tty,input,drm}/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness r, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/resource@{int} rw, - @{sys}/devices/**/{uevent,name,id,config} r, - @{sys}/devices/**/hid r, - @{sys}/devices/**/power_supply/**/{type,online} r, - @{sys}/devices/platform/ r, - @{sys}/module/i915/{,**} r, - @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r, @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/ r, - /dev/fb@{int} rw, - @{att}/dev/input/event@{int} rw, - /dev/input/mouse@{int} rw, + /dev/fb[0-9] rw, + /dev/input/event@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty@{int} rw, - /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules - profile pkexec { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index f83afae61..aaa19b998 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xprop profile xprop @{exec_path} flags=(attach_disconnected) { include - include include include diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index ed9e7a030..99e07a121 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr 
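Review bot: `/dev/fb[0-9] rw` in the xorg device block only matches fb0–fb9, while the xkbcomp profile in this same diff uses `/dev/fb@{int} rw`; the line should be `/dev/fb@{int} rw,` for consistency and to avoid a silent miss on a tenth framebuffer. The line below it, `/dev/input/event@{int} rw`, loses the `@{att}/` prefix that the old side had even though the profile header still shows `flags=(attach_disconnected)`; if that prefix is the project's way of matching disconnected paths under that flag, the access would presumably stop matching in exactly the attach-disconnected case — worth confirming against the profile's other `@{att}` rules before merging. The profile continues beyond this hunk.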
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,12 +12,8 @@ profile xrandr @{exec_path} { include include - capability dac_read_search, - @{exec_path} mr, - @{run}/sddm/xauth_@{rand6} r, - owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 55d069815..9bd897bee 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile xrdb @{exec_path} { @{bin}/{,*-}cpp-[0-9]* rix, @{sh_path} rix, @{bin}/cpp rix, - @{lib}/gcc/@{multiarch}/@{version}/cc1 rix, + @{lib}/gcc/@{multiarch}/@{int}*/cc1 rix, @{lib}/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset index 20dc2b1fb..ff09d2b1a 100644 --- a/apparmor.d/groups/freedesktop/xset +++ b/apparmor.d/groups/freedesktop/xset @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index c0ddcb359..db5d0a7aa 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include - include include capability dac_read_search, @@ -19,6 +18,10 @@ profile xsetroot @{exec_path} { @{exec_path} mr, + /usr/share/icons/{,**} r, + + owner @{HOME}/.icons/** r, + owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, 
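Review bot: In the xsetroot hunk, `owner @{HOME}/.icons/** r` grants the contents of the directory but not the directory itself, whereas the line above it, `/usr/share/icons/{,**} r`, covers both; opening or listing `~/.icons/` would therefore still be denied. `owner @{HOME}/.icons/{,**} r,` matches the system-icons rule and the `{,**}` idiom used throughout these profiles.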
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index a8950dbc6..93a652573 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -2,17 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/Xwayland +@{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include - include include include - include include signal (receive) set=(term hup) peer=gdm*, @@ -20,9 +18,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream peer=(label=gnome-shell), - unix type=stream peer=(label=kwin_wayland), - @{exec_path} mrix, @{sh_path} rix, @@ -31,11 +26,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, - / r, - - owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, - owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, @@ -43,6 +33,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, + /dev/tty@{int} rw, + /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl deleted file mode 100644 index 4b1f7a138..000000000 --- a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl +++ /dev/null 
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}} -@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}} -profile batteryhealthchargingctl @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/env rix, - @{bin}/cmp rix, - @{bin}/cut rix, - @{bin}/pkaction rix, - @{bin}/sed rix, - @{bin}/sort rix, - - /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r, - - @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r, - - @{sys}/class/power_supply/ r, - @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, - @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, - @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 944d5e1d5..9063afc57 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include profile chrome-gnome-shell @{exec_path} { include include - include include include include @@ -24,6 +23,8 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels deleted file mode 100644 index 2bb38dfd5..000000000 --- a/apparmor.d/groups/gnome/decibels +++ /dev/null 
@@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels -profile decibels @{exec_path} { - include - include - include - include - include - - @{exec_path} mr, - - @{bin}/gjs-console rix, - - @{open_path} rPx -> child-open-help, - - /usr/share/org.gnome.Decibels/{,**} r, - - owner @{user_music_dirs}/{,**} r, - owner @{user_pictures_dirs}/{,**} r, - owner @{user_torrents_dirs}/{,**} r, - owner @{user_videos_dirs}/{,**} r, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 59b3c5d40..444fc581f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
@@ -2,65 +2,38 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/deja-dup/deja-dup-monitor +@{exec_path} = @{lib}/deja-dup/deja-dup-monitor profile deja-dup-monitor @{exec_path} { include include include include include - include - include - include + include + include include - include - include - include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup - - dbus send bus=session path=/org/gnome/DejaDup - interface=org.gtk.Actions - member=Activate - peer=(name=org.gnome.DejaDup), + #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=power-profiles-daemon), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - @{bin}/chrt rix, - @{bin}/ionice rix, - @{bin}/deja-dup Px, - - /usr/share/gvfs/remote-volume-monitors/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, /tmp/ r, - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - include if exists } diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 2168382e0..ca1213df9 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
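Review bot: The deja-dup-monitor hunk replaces an explicit rule restricted to `member=Activate` with the directive `#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup`, and the `interface+=org.gtk.Actions` qualifier present on the old directive is dropped as well. If the project's generator expands a bare `talk` into bidirectional send/receive rules across every interface of the peer, the new side is wider than the single method the monitor used before; keeping `interface+=org.gtk.Actions` on the directive, or restoring the explicit `dbus send ... member=Activate` rule, would preserve the narrower grant. I cannot see the generator's output here, so this is worth checking against the rendered profile.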
@@ -29,12 +29,10 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, - owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, - owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, - owner @{tmp}/SerializedNFA-@{rand6} rw, + owner @{tmp}/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/epiphany-webapp-provider b/apparmor.d/groups/gnome/epiphany-webapp-provider index c161a5a0c..7dda86245 100644 --- a/apparmor.d/groups/gnome/epiphany-webapp-provider +++ b/apparmor.d/groups/gnome/epiphany-webapp-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 1b9051a4a..de7c3c299 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,10 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include - include include include include 
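Review bot: `owner @{tmp}/Serialized* rw` in the epiphany-search-provider hunk matches any file in the temp directory whose name starts with `Serialized`, with no bound on the suffix, while the neighbouring `owner @{tmp}/ContentRuleList@{rand6} rw` keeps the random-suffix shape. If the files are mktemp-style as the other tmp rules assume, `owner @{tmp}/Serialized*-@{rand6} rw,` keeps the write grant to that pattern; otherwise a comment explaining why the open-ended glob is needed would stop the next reviewer from tightening it back.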
@@ -27,13 +26,10 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=@{busname}), + peer=(name=:*), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -41,12 +37,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=@{busname}, label=evolution-*), + peer=(name=:*, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=evolution-source-registry), + peer=(name=:*, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -55,17 +51,13 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - dbus receive bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=obexd), + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, 
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 501685b22..a4c2c4a92 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -2,14 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include + include + include include include include @@ -31,11 +34,10 @@ profile evolution-alarm-notify @{exec_path} { @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, + /usr/share/{,zoneinfo-}icu/{,**} r, /etc/timezone r, - owner @{user_share_dirs}/evolution/datetime-formats.ini r, - include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 87cce8fbc..d1ec45ac4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include include - include include include include @@ -59,6 +57,11 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=Move + peer=(name=:*, label=gvfsd-metadata), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect 
@@ -67,12 +70,14 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/memos/system/{,**} rw, - owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/ w, + owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 0732646b5..7c97acc2e 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,12 +10,10 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include - include include include - include include network inet stream, @@ -48,6 +46,8 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index d1c095abf..560f2bdb0 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,8 +10,6 @@ include profile evolution-user-prompter @{exec_path} { include include - include - include #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 6bcbd1cc0..7ecb4fb84 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -2,14 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index 24e94d9cb..a6f0f22fd 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3f958cb7e..2817f668e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 +@{exec_path} = @{bin}/gdm{3,} profile gdm @{exec_path} flags=(attach_disconnected) { include include @@ -17,11 +17,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, - capability fowner, capability fsetid, capability kill, capability net_admin, - capability sys_admin, capability sys_nice, capability sys_tty_config, 
@@ -36,8 +34,13 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, @@ -47,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rix, + @{bin}/systemd-cat rPx, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, @@ -55,7 +58,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, - /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, 
@@ -68,17 +70,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - @{GDM_HOME}/ rw, - @{GDM_HOME}/** rw, + owner @{GDM_HOME}/block-initial-setup rw, - @{run}/gdm{,3}/ rw, - owner @{run}/gdm{,3}.pid rw, - owner @{run}/gdm{,3}/dbus/ rw, - owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, - - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, + @{run}/gdm{3,}/greeter/ rw, + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, + owner @{run}/gdm{3,}.pid rw, + owner @{run}/gdm{3,}/ rw, + owner @{run}/gdm{3,}/custom.conf r, + owner @{run}/gdm{3,}/dbus/ w, + owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + owner @{run}/gdm{3,}/gdm.pid rw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -89,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index c5e6d4cd5..db1c43d84 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
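Review bot: `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r` in the gdm hunk assumes numeric logind session IDs, but logind assigns IDs such as `c1`, `c2` to sessions created without a seat/VT — which is typically the greeter's own session — so the `cgroup.events` read can stop matching precisely for the session gdm monitors. `session-{@{int},c@{int}}.scope` covers both forms while staying narrower than the previous `@{word}`. Also note that the replacement of `@{GDM_HOME}/** rw` with `owner @{GDM_HOME}/block-initial-setup rw` is a welcome tightening, but it is not mentioned anywhere; a one-line comment above that rule saying the rest of `@{GDM_HOME}` is intentionally unwritable would prevent it from being re-widened on the next denial.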
@@ -18,15 +18,13 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - # ptrace read, - @{exec_path} mr, @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> &pgrep, - @{bin}/pkill rCx -> &pgrep, + @{bin}/pgrep rCx -> pgrep, + @{bin}/pkill rix, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -34,7 +32,8 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ rw, + @{GDM_HOME}/ r, + owner @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -42,19 +41,15 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, - @{PROC}/tty/drivers r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, @{PROC}/uptime r, profile pgrep { include include - @{bin}/pkill mr, - include if exists } diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut deleted file mode 100644 index eea0ee3b3..000000000 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default -profile gdm-prime-defaut @{exec_path} flags=(complain) { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/prime-offload ix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index 558f3677c..26ce14234 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
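Review bot: In gdm-generate-config, `@{bin}/pkill rix` now runs pkill inside the parent profile, but the later hunk of the same file narrows the `/proc` reads to `@{PROC}/@{pid}/{cgroup,cmdline,stat}` (the profile's own process) and drops `@{PROC}/@{pids}/status` and `@{PROC}/tty/drivers`; pkill matches processes by scanning other PIDs' `stat`/`cmdline`, so with `rix` it will presumably hit denials on every `@{PROC}/@{pids}/` entry it inspects. The removed `@{bin}/pkill mr` from the `pgrep` child and the deleted `# ptrace read,` hint point the same way. Routing pkill through the existing child with `@{bin}/pkill rCx -> pgrep,` would keep the broad `/proc` scanning confined to that child instead of re-adding `@{pids}` rules to the parent; either way, the two hunks should be reconciled before merge.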
diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 5d2e3e21e..d889a708a 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,15 +11,14 @@ profile gdm-session @{exec_path} { include include include - include - include + include + include - signal receive set=(hup term) peer=gdm-session-worker, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=dbus-session, - signal send set=(term) peer=gnome-session-binary, - signal send set=(term) peer=xorg, - signal send set=term peer=gnome-session, + signal (receive) set=(hup term) peer=gdm-session-worker, + signal (receive) set=(term) peer=gdm, + signal (send) set=(term) peer=dbus-session, + signal (send) set=(term) peer=gnome-session-binary, + signal (send) set=(term) peer=xorg, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -35,14 +34,21 @@ profile gdm-session @{exec_path} { # only: xorg @{bin}/Xorg rPx, - /etc/gdm{3,}/Prime/Default rPx, + /etc/gdm{3,}/Prime/Default rix, /etc/gdm{3,}/Xsession rPx, /usr/share/gdm{3,}/gdm.schemas r, + /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, + /etc/locale.conf r, + /etc/sysconfig/console r, /etc/sysconfig/displaymanager r, + /etc/sysconfig/language r, + /etc/sysconfig/mail r, + /etc/sysconfig/proxy r, + /etc/sysconfig/windowmanager r, owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 3bab1b134..48ac848c1 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
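Review bot: `/etc/gdm{3,}/Prime/Default rix` in the gdm-session hunk executes an admin-editable script from `/etc` inline, with the full rights of the gdm-session profile, where the old side transitioned into a dedicated profile (the `gdm-prime-defaut` profile deleted earlier in this diff, which ran in complain mode). If inline execution is the intended design, the rule deserves a comment such as `# Prime/Default runs inline; anything it execs needs a rule in this profile`, and any helper the script invokes (the deleted profile listed `@{bin}/prime-offload ix`) will need an explicit rule here or the script will fail silently under enforce mode. The profile body continues outside the hunk.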
@@ -29,33 +29,31 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { capability sys_tty_config, network netlink raw, - network unix stream, - signal receive set=term peer=gdm, - signal send set=(hup term) peer=gdm-session, - signal send set=hup peer=at-spi*, - signal send set=hup peer=dbus-accessibility, - signal send set=hup peer=dbus-session, - signal send set=hup peer=dconf-service, - signal send set=hup peer=gjs-console, - signal send set=hup peer=gnome-*, - signal send set=hup peer=gsd-*, - signal send set=hup peer=ibus-*, - signal send set=hup peer=mutter-x11-frames, - signal send set=hup peer=tracker-miner, - signal send set=hup peer=xdg-*, - signal send set=hup peer=xorg, - signal send set=hup peer=xwayland, + signal (receive) set=term peer=gdm, + signal (send) set=(hup term) peer=gdm-session, + signal (send) set=hup peer=at-spi*, + signal (send) set=hup peer=dbus-accessibility, + signal (send) set=hup peer=dbus-session, + signal (send) set=hup peer=dconf-service, + signal (send) set=hup peer=gjs-console, + signal (send) set=hup peer=gnome-*, + signal (send) set=hup peer=gsd-*, + signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=mutter-x11-frames, + signal (send) set=hup peer=tracker-miner, + signal (send) set=hup peer=xdg-*, + signal (send) set=hup peer=xorg, + signal (send) set=hup peer=xwayland, - unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + 
peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, @@ -78,7 +76,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, - /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, @@ -95,21 +92,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ r, /var/lib/wtmpdb/* rwk, - /.fscrypt/policies/ r, - /.fscrypt/protectors/ r, - owner /.fscrypt/protectors/@{hex16} r, - - #aa:lint ignore=tunables - /home/ r, - /home/.fscrypt/policies/ r, - owner /home/.fscrypt/policies/@{hex32} r, - owner /home/.fscrypt/protectors/@{hex16}.link r, - owner @{HOME}/.pam_environment r, - owner @{user_cache_dirs}/ w, - - @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, @@ -119,17 +103,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, - @{run}/fscrypt/ rw, - @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, - @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 2882c3d9e..a48958b40 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile gdm-xsession @{exec_path} { include include include - include include include 
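Review bot: `peer=(name=org.freedesktop.login1, label=systemd-logind)` and `#aa:dbus talk ... label=accounts-daemon` pin the peer label to a confined profile name where the previous side used `@{p_systemd_logind}` / `@{p_accounts_daemon}`; if those tunables resolve to `unconfined` on systems where the daemon is not confined, as their use suggests, the new rule will not match there and the CreateSession call is denied at login. The same hard-coding appears in gnome-calendar (`label=geoclue`) and gnome-control-center (`label=systemd-hostnamed`, `label=upowerd`) later in this diff. Keeping `label="@{p_systemd_logind}"` is the one-line change unless the target branch has dropped these tunables altogether. The enclosing profile continues outside the hunk.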
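Review bot: `@{run}/systemd/sessions/*.ref rw,` replaces `@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,` in a profile whose header shows `flags=(attach_disconnected)`; if `@{att}` is the prefix under which disconnected paths are reported, as its pairing with that flag suggests, the new rule will stop matching those accesses, and `*` also admits any file name rather than a numeric session id. `@{att}/@{run}/systemd/sessions/@{int}.ref rw,` keeps both the prefix and the tighter match. Removing `@{PROC}/@{pid}/mountinfo r,` in the same hunk may surface as a denial if the worker still reads it; worth confirming on a test login. The enclosing profile continues outside the hunk.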
@@ -52,6 +51,7 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, @@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} { peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, - + owner @{HOME}/.xsession-errors w, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3652dd6e9..19b33d743 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -3,42 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rethink this profile: -# - Access to gio from a profile is handled by child-open-* -# - Direct access should only be needed is some special context and it should not -# require access to that much resources. - -abi , +abi , include @{exec_path} = @{bin}/gio @{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop +@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include include include include include include - include - include @{exec_path} mr, @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, - @{lib}/*/** rPx, - @{lib}/* rPx, owner @{HOME}/{,**} rw, - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, @@ -49,6 +36,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, + deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs deleted file mode 100644 index de9d25a14..000000000 
--- a/apparmor.d/groups/gnome/gjs
+++ /dev/null
@@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. -# -# Therefore, by default, some extension are confined under this profile. To fix -# this, the various programs using gjs must never run gjs as module, they need -# to run it as executable with a specific script. -# -# This currently concerns: -# - gnome-extension-ding (used to not be started as a module) -# - org.gnome.ScreenSaver (simple dbus service) -# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) -# - org.gnome.Shell.Notifications (simple dbus service) -# - org.gnome.Shell.Screencast (simple dbus service) - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - # Only needed by org.gnome.Shell.Extensions - include - include - - # Only needed by gnome-extension-ding - include - include - include - include - include - include - include - include - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm, - - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - 
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - - @{exec_path} mrix, - - # gnome-extension-ding - @{sh_path} rix, - @{bin}/env rix, - @{bin}/gnome-control-center rPx, - @{bin}/nautilus rPx, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, - /usr/share/thumbnailers/{,**} r, - - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/dri/ r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - profile gstreamer { - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, - 
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr,
- @{lib}/gstreamer-1.0/gst-plugin-scanner mr,
-
- include if exists
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
new file mode 100644
index 000000000..0fc2add0e
--- /dev/null
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -0,0 +1,94 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. Therefore, by default, some extension are +# confined under this profile. The resulting profile is quite broad. +# This architecture needs to be rethinked. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs-console @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + signal (receive) set=(term hup) peer=gdm*, + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + + dbus send bus=session path=/org/gnome/Mutter/ScreenCast + interface=org.freedesktop.DBus.Properties + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell.Extensions + member=ListExtensions + peer=(name=:*, label=gnome-shell), + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/* PUx, + @{lib}/** PUx, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /etc/openni2/OpenNI.ini r, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/icu/@{int}.@{int}/*.dat r, + + owner 
@{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, + owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + /tmp/ r, + /var/tmp/ r, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gkbd-keyboard-display b/apparmor.d/groups/gnome/gkbd-keyboard-display index 18b11e9be..7b9fc07cd 100644 --- a/apparmor.d/groups/gnome/gkbd-keyboard-display +++ b/apparmor.d/groups/gnome/gkbd-keyboard-display @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes deleted file mode 100644 index cd46dd069..000000000 --- a/apparmor.d/groups/gnome/gnome-boxes +++ /dev/null 
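Review bot: `@{bin}/* PUx,` and `@{lib}/** PUx,` let gjs-console, which the header comment says runs third-party extensions, execute any program under `@{bin}` or `@{lib}` and fall back to unconfined whenever no profile exists for it, which removes the confinement for exactly the code this profile exists to restrict. Listing the helpers actually observed (the gsconnect entries below already use `rPx`) or using `rPx` so an unprofiled binary fails closed keeps unknown executables under policy. `signal (receive) set=(term hup) peer=gdm*,` likewise accepts any profile whose name begins with `gdm`; the deleted `gjs` profile used the exact `peer=gdm`. The header TODO should read "rethought" rather than "rethinked".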
@@ -1,105 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gnome-boxes -profile gnome-boxes @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{open_path} rPx -> child-open, - - @{bin}/qemu-img rix, - @{bin}/virsh rCx -> virsh, - @{bin}/virtqemud rPUx, - - /usr/share/ladspa/rdf/{,*} r, - /usr/share/osinfo/{,**} r, - /usr/share/gnome-boxes/{,**} r, - - /etc/qemu/bridge.conf r, - - @{MOUNTS}/ r, - owner @{HOME}/ r, - - # For disk images - owner @{user_img_dirs}/{,**} rw, - owner @{user_vm_dirs}/{,**} rw, - - owner @{user_cache_dirs}/gnome-boxes/ rw, - owner @{user_cache_dirs}/gnome-boxes/** rwk, - owner @{user_cache_dirs}/libvirt/qemu/log/*.log r, - - owner @{user_config_dirs}/gnome-boxes/ rw, - owner @{user_config_dirs}/gnome-boxes/** rwk, - - owner @{user_share_dirs}/gnome-boxes/ rw, - owner @{user_share_dirs}/gnome-boxes/** rwk, - - owner @{tmp}/.goutputstream-@{rand6} rw, - owner @{tmp}/*.iso-@{rand6} rw, - owner @{tmp}/*.svg-@{rand6} rw, - - owner @{run}/user/@{uid}/libvirt/ rw, - owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - - @{run}/mount/utab r, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/@{pci}/usb@{int}/** r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, - - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - 
profile virsh { - include - include - - @{bin}/virsh mr, - @{bin}/pkttyagent r, - - owner @{run}/user/@{uid}/libvirt/ r, - owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - - @{sys}/devices/system/node/ r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index e95762b6a..09ac8dbad 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,15 @@ profile gnome-browser-connector-host @{exec_path} { include include include - include @{exec_path} mr, @{bin}/env rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4ab9b165f..2ac0e4ca7 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -2,15 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} flags=(attach_disconnected) { +profile gnome-calculator @{exec_path} { include include - include include # Needed to get currency exchange rates @@ -20,12 +19,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Calculator - @{exec_path} mr, - @{open_path} rPx -> child-open-help, - include if exists } 
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 8400f03c1..a0a5f7e6f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,14 +17,12 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, @{bin}/* rPUx, - owner @{user_cache_dirs}/gnome-calculator/* r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 2173e3d62..c74292f4b 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -2,14 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include + include include + include include include include 
@@ -23,28 +25,25 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + + dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, 
label=evolution-source-registry), @{exec_path} mr, - @{open_path} rPx -> child-open-help, /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, - owner @{tmp}/pid-@{pid}/*.ics r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index b5ae5672a..1d3285292 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,12 +11,11 @@ profile gnome-characters @{exec_path} { include include include - include include include include - #aa:dbus own bus=session name=org.gnome.Characters + #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2 @{exec_path} mr, @@ -24,10 +23,12 @@ profile gnome-characters @{exec_path} { @{open_path} rPx -> child-open-help, + /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/org.gnome.Characters/{,**} r, - /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 4b70cdfa6..6e975a7dd 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 92886c887..fbb3942f7 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,19 +10,15 @@ include profile gnome-clocks @{exec_path} { include include - include - include + include + include + include include - include include - network netlink raw, - - #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions - #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, - @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index b6474cf55..fc96424a9 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -2,13 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include + include + include include include include @@ -24,7 +26,6 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, - @{open_path} rPx -> child-open-help, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index 0abc39acd..a0a74f62e 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 9f78fb4fd..08ae20d49 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,17 +10,17 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include - include + include include include + include include - include + include include include include include include - include include include include 
@@ -32,71 +32,56 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=unconfined, - signal send set=kill peer=passwd, + signal (send) set=(kill) peer=unconfined, + signal (send) set=(kill) peer=passwd, + + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), + + dbus bus=session, + dbus bus=system, #aa:dbus own bus=session name=org.gnome.Settings - #aa:dbus own bus=session name=org.bluez.obex.Agent1 - #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd - #aa:dbus talk bus=session name=org.bluez.obex label=obexd - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell - #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences - #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" + #aa:dbus talk bus=system name=org.freedesktop.hostname1 
label=systemd-hostnamed #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} - - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd @{exec_path} mr, @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rPx, + @{bin}/tecla rix, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{sbin}/openvpn rPx, + @{bin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{sbin}/usermod rPx, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{bin}/usermod rPx, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, @{lib}/gnome-control-center-print-renderer rPx, /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, - @{open_path} rPx -> child-open-any, + @{open_path} rPx -> child-open-browsers, + /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, + /usr/share/desktop-base/**.{xml,png,svg} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/gnome-background-properties/{,**} r, /usr/share/gnome-bluetooth{-*,}/{,**} r, 
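Review bot: `dbus bus=session,` and `dbus bus=system,` grant unrestricted D-Bus access (any send, receive or bind on any name, path or interface) on both buses, which makes the `#aa:dbus talk`/`own` directives that remain below them redundant and removes the D-Bus part of the confinement for a process that also keeps `@{bin}/usermod rPx` and `@{bin}/pkexec rCx -> pkexec`. If these were added to silence denials while the talk list was trimmed, restoring the specific `#aa:dbus talk` lines, or adding explicit `dbus send` rules per service, is the intended mechanism. `unix (send, receive, connect) ... addr="@/home/*/.cache/ibus/dbus-????????"` also hard-codes `/home` where the rest of the file relies on tunables, so users with a home directory elsewhere will be denied the ibus socket. The enclosing profile continues outside the hunk.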
@@ -109,10 +94,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/wallpapers/{,**} r, /usr/share/xml/iso-codes/{,**} r, - @{etc_ro}/security/pwquality.conf r, - @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/machine-info r, /etc/rygel.conf r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,**} r, /etc/fstab r, /etc/machine-id r, @@ -122,22 +107,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, - / r, - owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/gnome-control-center/{,**} rw, - owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw, owner @{user_config_dirs}/background rw, owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list w, - owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, @@ -147,8 +128,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, - owner @{tmp}/@{hex12}@{h} rw, - owner @{tmp}/@{rand8} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/samba/ rw, 
@@ -164,7 +143,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/bus/ r, @{sys}/class/ r, @@ -174,45 +153,45 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r, @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, + /dev/media@{int} r, + /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap flags=(attach_disconnected) { + profile bwrap { include include @{bin}/bwrap mr, - + include if exists } profile pkexec { include - include - + + @{bin}/pkexec mr, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 8b813d260..72f5867a4 100644 
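Review bot: `/dev/video@{int} rw` near the end of the hunk hands the settings application read/write access to every V4L2 capture node on the system, and nothing in the hunk says which panel needs it; a grant of this breadth should carry a why-comment such as `# Camera preview — TODO confirm which panel needs write access` so the next reviewer can tell whether `r` would do. The narrowing from `@{int}` to `[0-9]` in `@{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,` matches a single digit only, so `thermal_zone10` and beyond will be denied on machines with many zones; `[0-9]*` or the original `@{int}` keeps the intent without the cut-off. Dropping `flags=(attach_disconnected)` from the `bwrap` child profile also deserves a second look, since bwrap pivots into its own mount namespace where paths are commonly disconnected; if that was intentional, a one-line comment on the `profile bwrap {` line would save the question.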
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -2,16 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include - include + include include include + include + include + include include include include @@ -36,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rCx -> bwrap, + @{bin}/bwrap rPUx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @@ -45,11 +48,9 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, - owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw, - owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk, + owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, @@ -62,15 +63,6 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - profile bwrap flags=(attach_disconnected,complain) { - include - include - - @{bin}/bwrap mr, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index cbd1f1a75..22784f1d5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer 
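Review bot: `@{bin}/bwrap rPUx` in the second hunk falls back to unconfined whenever no `bwrap` profile is loaded, so on such a system the WebKit sandbox helper spawned by the online-accounts login helper escapes this policy entirely, whereas the former `rCx -> bwrap` child transition stayed confined even without an external profile. If a standalone `bwrap` profile is guaranteed to ship with this one, `@{bin}/bwrap rPx,` expresses that and fails closed; otherwise the child profile should stay. Either way the choice deserves a short comment, since `PUx` is easy to mistake for a hardening when it is the opposite.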
@@ -2,14 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include + include include + include include include include @@ -22,7 +24,6 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 6d24e72c1..b584a8c1a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,12 +10,14 @@ include profile gnome-control-center-search-provider @{exec_path} { include include - include include include include - #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + dbus bind bus=session name=org.gnome.Settings.SearchProvider, + dbus receive bus=session path=/org/gnome/Settings/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 8c637920b..bb1f5012a 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,9 +27,6 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index d9959691b..fe743f186 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -2,22 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include - include - include include include include - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 4d5301262..575668029 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension deleted file mode 100644 index e13eca832..000000000 --- a/apparmor.d/groups/gnome/gnome-extension +++ /dev/null 
@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# gjs started from gnome-shell should (in theory) only run gnome extensions.
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/gjs-console
-profile gnome-extension {
- include
- include
- include
- include
- include
- include
-
- @{exec_path} mr,
-
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/@{tid}/stat r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 9f848be8e..d8c5a9cfe 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -2,47 +2,52 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com -@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com - -@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js +@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}ding.js profile gnome-extension-ding @{exec_path} { include include + include include include include + include include - include - include - include - include - include + include + include + include + include + include + include + include include include include - include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + member=Introspect + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + peer=(name=org.freedesktop.DBus, label=dbus-system), + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=Set + peer=(name=:*, label=gvfsd-metadata), @{exec_path} mr, 
@@ -52,11 +57,11 @@ profile gnome-extension-ding @{exec_path} { @{bin}/gnome-control-center rPx, @{bin}/nautilus rPx, - @{share_dirs}/{,**} r, + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, + owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2592eb77e..5808aecad 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -2,34 +2,27 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io -@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io +@{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/ +@{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/ -@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences +@{exec_path} = @{share_dirs}/service/daemon.js profile gnome-extension-gsconnect @{exec_path} { include include + include include include - include - include - include - include - include - include - include - include include - include + include + include + include include - include include include - include network inet dgram, network inet6 dgram, 
@@ -37,21 +30,16 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} - - dbus eavesdrop bus=session, - @{exec_path} mr, - @{sh_path} rix, @{bin}/env rix, @{bin}/gjs-console rix, @{bin}/openssl rix, + @{sh_path} rix, @{bin}/ssh-add rix, - @{bin}/dconf rPx, - @{bin}/ssh-keygen rPx, - @{bin}/xdg-screensaver rPx, + @{bin}/ssh-keygen rPx, + @{bin}/xdg-screensaver rPx, @{lib}/gio/modules/*.so* rm, @{lib}/girepository-1.0/* r, @@ -61,27 +49,28 @@ profile gnome-extension-gsconnect @{exec_path} { @{share_dirs}/{,**} r, @{share_dirs}/gsconnect-preferences rix, + /etc/machine-id r, + owner @{user_cache_dirs}/gsconnect/{,**} rw, + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/gsconnect/{,**} rw, owner @{user_config_dirs}/mimeapps.list w, owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, - owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r, + owner @{user_share_dirs}/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} r, - - owner @{run}/user/@{uid}/gsconnect/{,**} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/keyring/ssh rw, + owner @{run}/user/@{uid}/gsconnect/ w, @{sys}/devices/virtual/dmi/id/chassis_type r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /dev/shm/ r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index 3b23d4ffc..d3ed3794b 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -32,7 +32,6 @@ profile gnome-extension-manager @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 0a65c95f2..ffa771be4 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,13 @@ profile gnome-extensions-app @{exec_path} { @{sh_path} rix, @{bin}/gjs-console rix, - @{open_path} rPx -> child-open-help, /usr/share/gnome-shell/org.gnome.Extensions* r, + /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 706c16e87..307fc06e3 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,11 +20,10 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer deleted file mode 100644 index 0895bd7f0..000000000 
--- a/apparmor.d/groups/gnome/gnome-font-viewer +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gnome-font-viewer -profile gnome-font-viewer @{exec_path} { - include - include - - @{exec_path} mr, - @{open_path} rPx -> child-open-help, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7439e0fb6..c3904d836 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -2,17 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include + include include include + include include include + include include include include @@ -26,12 +29,7 @@ profile gnome-initial-setup @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions - - dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=com.canonical.UbuntuAdvantage), + #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions @{exec_path} mr, @@ -43,14 +41,13 @@ profile gnome-initial-setup @{exec_path} { @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, - @{lib}/@{multiarch}/ld-linux-*.so* rix, /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - @{etc_ro}/security/pwquality.conf r, - @{etc_ro}/security/pwquality.conf.d/{,**} r, + /etc/security/pwquality.conf r, + /etc/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, 
@@ -76,10 +73,6 @@ profile gnome-initial-setup @{exec_path} { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index e39ef0dc0..722a69fe7 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -3,31 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include - include include include include include - include + include capability ipc_lock, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=ssh-agent, - - unix type=stream peer=(label=snap.*), + signal (receive) set=(term) peer=gdm, + signal (send) set=(term) peer=ssh-agent, #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable 
@@ -37,13 +32,12 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mr, @{bin}/ssh-add rix, @{bin}/ssh-agent rPx, - @{lib}/gcr-ssh-askpass rPUx, /etc/gcrypt/hwf.deny r, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 5e3ab03bd..ab0a6144f 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile gnome-logs @{exec_path} { include @{exec_path} mr, - @{open_path} rPx -> child-open-help, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 705857391..36f93215f 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile gnome-maps @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open-help, - audit @{bin}/gjs-console rix, owner @{user_pictures_dirs}/** rw, @@ -45,6 +43,7 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 2f9795ceb..be07256ae 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,7 +17,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include - include include network inet stream, @@ -29,13 +28,10 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - @{bin}/ r, @{bin}/env r, - @{python_path} rix, - @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw, + @{bin}/python3.@{int} rix, + @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw, /usr/share/grilo-plugins/grl-lua-factory/{,*} r, /usr/share/org.gnome.Music/{,**} r, @@ -49,9 +45,10 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 31d9b7987..410953e49 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -2,18 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include - include include @{exec_path} mr, + /usr/share/mime/mime.cache r, + owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index 900259447..c2e11a805 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes 
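Review bot: the rewritten `@{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,` in the second hunk keeps write access to a directory under the system library path from which the interpreter loads bytecode, so the policy permits a compromised gnome-music to plant `.pyc` files that are imported on the next start; DAC normally blocks this because `/usr` is root-owned, but the profile should not be the layer that allows it. If the intent is only to silence the interpreter's attempt to cache bytecode, the silencer pattern used elsewhere in these profiles fits: `@{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} r,` plus `deny @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} w,`. A comment stating which of the two is wanted would stop the `rw` from being re-added later.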
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,7 +24,6 @@ profile gnome-recipes @{exec_path} { @{exec_path} mr, @{bin}/tar rix, - @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index c3631ddb7..dab1f58a9 100644 --- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,15 +15,11 @@ profile gnome-remote-desktop-daemon @{exec_path} { include include include - include - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, - network netlink raw, - #aa:dbus own bus=system name=org.gnome.RemoteDesktop + #aa:dbus own bus=session name=org.gnome.RemoteDesktop.User #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 257e91c0a..e349d85c1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -2,36 +2,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include - include include - include - include include include - signal receive set=term peer=gdm, - signal receive set=term peer=gdm-session, - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mrix, @{shells_path} rix, @{bin}/cat rix, - @{bin}/find rix, - @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/{,e}grep rix, + @{bin}/gettext rix, + @{bin}/grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, 
@@ -39,13 +27,10 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, - @{bin}/run-parts rix, @{bin}/sed rix, - @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, - @{bin}/uname rix, - @{bin}/xargs rix, + @{bin}/uname rPx, @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @@ -70,12 +55,7 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, /dev/tty@{int} rw, @@ -85,7 +65,7 @@ profile gnome-session @{exec_path} { include @{bin}/flatpak mr, - + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 5359a70df..49ed8285a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -2,23 +2,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include + include include + include + include include - include + include include include include include - include network inet stream, network inet6 stream, 
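Review bot: `@{bin}/uname rPx` is the only change in this run, but the line directly after it, `@{bin}/dpkg-query rpx`, uses the lowercase (unsafe) exec modifier, which transitions without the environment scrubbing that uppercase `P` applies, while every other transition in the hunk is uppercase; if the lowercase is not deliberate it should read `@{bin}/dpkg-query rPx,`, and if it is deliberate a comment should say why. Moving `uname` from `rix` to `rPx` also makes the exec fail closed unless a `uname` profile is loaded; that is fine if the profile ships in this set, but worth a note if it does not.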
@@ -26,16 +29,20 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal receive set=(term, hup) peer=gdm*, - signal send set=(term) peer=gsd-*, + signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), + member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} + peer=(name=org.freedesktop.DBus label=dbus-session), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CanPowerOff,PowerOff,Reboot} + peer=(name=:*, label=systemd-logind), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -44,13 +51,19 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/tput rix, + @{bin}/dbus-daemon rPx -> dbus-session, + @{bin}/env rix, + @{bin}/gnome-session rPx, + @{bin}/gnome-shell rPx, @{bin}/session-migration rPx, - @{lib}/gnome-session-check-* rPx, - @{lib}/gnome-session-failed rix, - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gnome-session-check-accelerated rix, + @{lib}/gnome-session-check-accelerated-gl-helper rix, + @{lib}/gnome-session-check-accelerated-gles-helper rix, + @{lib}/gnome-session-failed rix, + + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, 
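Review bot: the new `dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CanPowerOff,PowerOff,Reboot} peer=(name=:*, label=systemd-logind)` rule names the peer by unique name only, whereas the sibling `GetSession` send in gnome-keyring-daemon in this same diff uses `peer=(name=org.freedesktop.login1, label=systemd-logind)`. Clients address logind by its well-known name, and a send rule's peer name is matched against the destination as written on the message, so this rule may never match and the power-off path would be denied or silently covered by some other include. Using `name=org.freedesktop.login1` here keeps the two profiles consistent and makes the grant verifiable from the log.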
@@ -58,18 +71,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, - /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, - owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, - owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, @@ -77,10 +87,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, - + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority rw, @@ -90,10 +99,9 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/{vendor,device} r, - @{PROC}/1/cgroup r, + @{PROC}/@{pid}/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, 
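Review bot: in the last hunk, replacing `@{PROC}/1/cgroup r` and `owner @{PROC}/@{pid}/cgroup r` with the single unqualified `@{PROC}/@{pid}/cgroup r,` widens the grant to the cgroup file of every process on the machine — more than either old line allowed — because `@{pid}` is a wildcard and the `owner` qualifier is gone, and `/proc/<pid>/cgroup` is world-readable so AppArmor was the only thing bounding it. A session manager has no reason to map the cgroup membership of other users' processes; keep the two original lines, or write `@{PROC}/1/cgroup r,` together with `owner @{PROC}/@{pid}/cgroup r,` if PID 1 is what it actually consults.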
@@ -103,22 +111,49 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include - include - include + include - @{bin}/env rix, - @{sh_path} r, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{sh_path} rix, - @{lib}/** PUx, - @{bin}/** PUx, - /opt/*/** PUx, - /usr/share/*/** PUx, - /usr/local/bin/** PUx, - /usr/games/** PUx, + @{bin}/aa-notify rPx, + @{bin}/blueman-applet rPx, + @{bin}/firewall-applet rPx, + @{bin}/gnome-keyring-daemon rPx, + @{bin}/gnome-shell rPx, + @{bin}/gnome-software rPx, + @{bin}/im-launch rPx, + @{bin}/keepassxc rPx, + @{bin}/opensuse-welcome rPx, + @{bin}/parcellite rPUx, + @{bin}/pkcs11-register rPx, + @{bin}/snap rPUx, + @{bin}/snapshot-detect rPUx, + @{bin}/spice-vdagent rPx, + @{bin}/start-pulseaudio-x11 rPx, + @{bin}/ubuntu-report rPx, + @{bin}/update-notifier rPx, + @{bin}/xbrlapi rPx, + @{bin}/xdg-user-dirs-gtk-update rPx, + @{bin}/xdg-user-dirs-update rPx, + @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, + @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx, + @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher rPUx, + @{lib}/caribou/caribou rPUx, + @{lib}/deja-dup/deja-dup-monitor rPx, + @{lib}/gsd-* rPx, + @{lib}/update-notifier/ubuntu-advantage-notification rPx, + @{lib}/xapps/sn-watcher/* rPUx, + @{thunderbird_path} rPx, + /usr/share/libpam-kwallet-common/pam_kwallet_init rPUx, - /dev/tty rw, + #aa:exec baloo + #aa:exec evolution-alarm-notify + @{lib}/kdeconnectd rPUx, + @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx, + + /dev/tty@{int} rw, include if exists include if exists diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check deleted file mode 100644 index 44755aef2..000000000 --- a/apparmor.d/groups/gnome/gnome-session-check +++ /dev/null 
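Review bot: the explicit launcher list is a clear tightening over the old `@{bin}/** PUx` globs, but several entries in the `open` child profile still carry `rPUx` — `parcellite`, `snap`, `snapshot-detect`, `xapp-sn-watcher`, `caribou`, `pam_kwallet_init`, `kdeconnectd` and the wildcard `@{lib}/xapps/sn-watcher/* rPUx` — which run unconfined whenever no matching profile is loaded, and the wildcard does so for any binary later dropped into that directory. Each remaining `rPUx` deserves a one-line reason (`# No profile for parcellite yet`) so it is revisited rather than copied, and the wildcard should list the files it is meant to match. The `#aa:exec baloo` and `#aa:exec evolution-alarm-notify` directives sit between plain rules; grouping them with the other directives matches the layout used in the rest of these profiles.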
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/gnome-session-check-* -profile gnome-session-check @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{lib}/gnome-session-check-accelerated-gl-helper ix, - @{lib}/gnome-session-check-accelerated-gles-helper ix, - - /usr/share/gnome-session/hardware-compatibility r, - - @{PROC}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 04c4ce628..220a9cac3 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 24c069e72..f1b3ad7a0 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,39 +10,44 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include - include include include include + include + include include include include include - include + include + include + include + include include + include include include + include include - include - include - include - include + include + include + include + include + include include include include include include include - include include - include include - include include include - include + include capability sys_nice, capability sys_ptrace, 
@@ -54,14 +59,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace read, + ptrace (read), + ptrace (readby) peer=pipewire, - signal receive set=(term, hup) peer=gdm*, - signal send, + signal (receive) set=(term, hup) peer=gdm*, + signal (send), unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell 
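Review bot: The new ibus socket rule spells the random suffix as `dbus-????????`, while this profile uses the `@{rand8}` variable for the same socket name elsewhere (`owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,` and `@{run}/gdm{3,}/dbus/dbus-@{rand8} rw,`); if variables expand inside `addr=`, `addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8}"` keeps the two in sync. The permission list also has uneven spacing, `(send,receive, connect)`, where the neighbouring unix rules write `(send,receive)`. `ptrace (readby) peer=pipewire,` is new and deserves a short comment naming the pipewire feature that needs it, since the rest of the ptrace/signal changes in this hunk are purely syntactic.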
@@ -69,65 +76,74 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Mutter #aa:dbus own bus=session name=org.gnome.Shell - #aa:dbus own bus=session name=com.canonical.{U,u}nity - #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting + #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension - #aa:dbus own bus=session name=org.ayatana.NotificationItem - #aa:dbus own bus=session name=org.freedesktop.a11y.Manager - #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications - #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - # Talk with gnome-shell - # The strategy with dbus rules in this profile is first to declare all communications - # needed on buses and to limit them only to their profiles in apparmor.d. As such, - # only dbus directive is used for this. Later, some communications could be - # restricted. 
- - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding - #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs - #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy - #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* - #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + # System bus + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=RegisterAuthenticationAgent + peer=(name=:*, label=polkitd), + dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=:*, label=polkitd), + + dbus send bus=system 
path=/org/freedesktop/NetworkManager/AgentManager + interface=org.freedesktop.NetworkManager.AgentManager + member={RegisterWithCapabilities,Unregister} + peer=(name=:*, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} + peer=(name=org.freedesktop.DBus, label=dbus-system), # Session bus - dbus send bus=session path=/org/gnome/** - peer=(name=org.gnome.*), - + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/ interface=org.freedesktop.DBus - member={GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + member={GetConnectionUnixProcessID,GetNameOwner,ListNames} + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed peer=(name=org.a11y.atspi.Registry), + dbus send bus=session path=/org/gtk/vfs/** + interface=org.gtk.vfs.* + peer=(name=:*, label=gvfsd*), + + dbus send bus=session path=/org/ayatana/NotificationItem/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*, label=update-notifier), + dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved 
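Review bot: The new session-bus rule `dbus send bus=session path=/org/gtk/vfs/** interface=org.gtk.vfs.* peer=(name=:*, label=gvfsd*),` is the only rule added in this hunk without a `member=` filter, and the `#aa:dbus talk … org.gtk.vfs` line it replaces at least documented the intent; a comment above it naming the gvfs operations gnome-shell performs (or a `member=` list if they are few) would keep it reviewable. The two session-bus rules on `path=/org/freedesktop/DBus` and `path=/` now overlap on `{GetConnectionUnixProcessID,GetNameOwner,ListNames}` against `label=dbus-session` and could be folded into a single `path={/,/org/freedesktop/DBus}` rule with the union of members. The removed comment block describing the dbus-rule strategy has no replacement under the new `# System bus` heading. The hunk spans three lines of this view, and the trailing `dbus receive … member=JobRemoved` rule continues past it.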
@@ -151,60 +167,57 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}), + peer=(name=:*), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), @{exec_path} mr, @{bin}/unzip rix, - @{bin}/flatpak rPx, - @{bin}/gjs-console rPx -> gnome-extension, + @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, - @{bin}/sensors rPx, - @{bin}/tecla rPx, @{bin}/Xwayland rPx, - @{bin}/nvidia-smi rPx, # FIXME; for extension only - @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, - @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper - @{sh_path} rCx -> shell, - @{bin}/pkexec rCx -> pkexec, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - @{lib}/gio-launch-desktop rCx -> open, - @{python_path} rCx -> python, + @{sh_path} rCx -> shell, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, - @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, - /usr/share/gnome-shell/extensions/*/** rPUx, + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, - /snap/*/@{uid}/**.@{image_ext} r, - /usr/share/**.@{image_ext} r, + /opt/**/share/icons/{,**} r, + /opt/*/**/*.png r, + /snap/*/@{uid}/**.png r, + /usr/share/{,zoneinfo-}icu/{,**} r, + /usr/share/**.{png,jpg,svg} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, /usr/share/dconf/profile/gdm r, + /usr/share/desktop-base/** r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, 
/usr/share/libgweather/Locations.xml r, - /usr/share/libinput*/{,**} r, + /usr/share/libinput*/ r, + /usr/share/libinput*/{,**/}@{int2}-*.quirks r, + /usr/share/libinput*/libinput/ r, /usr/share/libwacom/{,*.stylus,*.tablet} r, - /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, @{system_share_dirs}/gnome-shell/{,**} r, + / r, + /.flatpak-info r, /etc/fstab r, /etc/timezone r, - /etc/tpm2-tss/*.json r, /etc/udev/hwdb.bin r, /etc/xdg/menus/gnome-applications.menu r, @@ -213,9 +226,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, - owner @{att}/ r, - owner @{att}/.flatpak-info r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, @@ -224,8 +234,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, - owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, - owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
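Review bot: The replacement rules `/ r,` and `/.flatpak-info r,` drop both the `owner` qualifier and the `@{att}` prefix of the lines they replace (`owner @{att}/ r,`, `owner @{att}/.flatpak-info r,`); this profile carries `attach_disconnected`, and the prefix presumably existed for that case, so a comment stating that the plain, unowned paths are intended would stop the next reviewer from reinstating them. In the same hunk `@{image_ext}` is expanded to the literal `{png,jpg,svg}` in `/usr/share/**.{png,jpg,svg} r,` while the adjacent `/snap/*/@{uid}/**.png r,` keeps only `png`, and the same expansion recurs in the `@@ -233,38` hunk; one spelling should be used throughout. `/opt/*/**/*.png r,` and `/opt/**/share/icons/{,**} r,` widen reads to arbitrary vendor trees under /opt and would benefit from a note on which application needs them.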
@@ -233,38 +241,29 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, - owner @{gdm_local_dirs}/ w, - owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, - owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, + owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, - owner @{user_games_dirs}/**.@{image_ext} r, - owner @{user_music_dirs}/**.@{image_ext} r, + owner @{user_games_dirs}/**.{png,jpg,svg} r, + owner @{user_music_dirs}/**.{png,jpg,svg} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, - owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, - owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, - owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner 
@{user_share_dirs}/gnome-shell/extensions/{,**} r, 
@@ -272,60 +271,53 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, + owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, - owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, - owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, + owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6} r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, + @{run}/systemd/inhibit/[0-9]*.ref rw, 
@{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/n@{int} r, @{sys}/**/uevent r, @{sys}/bus/ r, @@ -334,9 +326,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, - @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, 
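Review bot: Several rewritten rules in the `@@ -272,60` hunk replace a bounded variable with an open glob — `owner /dev/shm/.org.chromium.Chromium.* rw,`, `owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,` and `@{run}/systemd/inhibit/[0-9]*.ref rw,` — while unchanged lines in the same hunk still use `@{rand6}`, `@{rand8}` and `@{int}` (`owner @{tmp}/@{rand6}.shell-extension.zip rw,`, `owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,`, `@{run}/systemd/seats/seat@{int} r,`). Since `*` matches any run of non-slash characters, the tighter variables are preferable unless the real names no longer fit them, in which case a comment saying so would help. The udev lines regress as well: `+usb*` and `+acpi*` now match without the `:` separator that every other `+bus:*` entry keeps, and the explanatory comments on `+platform:*`, `+i2c:*` and `n@{int}` were removed.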
@@ -349,9 +339,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -364,8 +351,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/ r, @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/stat r, + @{PROC}/@{pids}/cmdline r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @@ -375,28 +364,24 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/tty@{int} rw, - @{att}/dev/dri/card@{int} rw, - @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, + /dev/media@{int} rw, + /dev/tty@{int} rw, profile shell flags=(attach_disconnected,mediate_deleted) { include - + capability sys_ptrace, - ptrace read, + ptrace (read), @{sh_path} mr, - - @{bin}/cat rix, - @{bin}/{,e}grep rix, - @{bin}/kmod rPx -> gnome-shell//lsmod, - @{bin}/pmap rix, + + @{bin}/pmap rix, + @{bin}/grep rix, @{sys}/devices/system/node/ r, 
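Review bot: In the `@@ -364,8` hunk `@{PROC}/@{pids}/cmdline r,` widens the replaced `@{PROC}/@{pid}/cmdline r,` from gnome-shell's own process to every pid, and the new `@{PROC}/@{pid}/stat r,` / `@{PROC}/@{pid}/task/@{tid}/stat r,` lines drop the `owner` qualifier the removed lines carried; together with the `capability sys_ptrace,` and `ptrace (read),` this profile already holds, that is a deliberate visibility grant and should say what needs it, e.g. `# TODO confirm: which feature reads cmdline of every pid`. In the `@@ -375,28` hunk the device rules likewise lose the `@{att}` prefix and gain `/dev/media@{int} rw,` with no comment on which component opens media devices. The `shell` child profile now has `@{bin}/grep rix,` in place of `@{bin}/{,e}grep rix,` and loses `@{bin}/cat rix,`, so scripts that still call `egrep` or `cat` will be denied; the profile's closing brace lies outside the hunk.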
@@ -409,58 +394,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile lsmod flags=(attach_disconnected,mediate_deleted) { + profile open flags=(attach_disconnected,mediate_deleted) { include - include + include - @{sys}/module/{,**} r, + unix receive type=stream, - include if exists - } - - profile pkexec { - include - include - - ptrace read peer=gnome-shell, - - @{bin}/pkexec mr, - - /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, - @{bin}/batteryhealthchargingctl{,-@{user}} rPx, - - include if exists - } - - profile python { - include - include - - # /usr/share/gnome-shell/extensions/{,**} - - include if exists - } - - profile open flags=(attach_disconnected,mediate_deleted,complain) { - include - include - - network inet stream, - network unix stream, - - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - @{lib}/** PUx, - @{bin}/** PUx, - /opt/*/** PUx, - /usr/share/*/** PUx, - /usr/local/bin/** PUx, - /usr/games/** PUx, + @{lib}/* PUx, + /usr/games/* PUx, + /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx, - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - - owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 37bb7b374..cc56eff59 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile gnome-shell-calendar-server @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer 
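Review bot: The rebuilt `open` subprofile keeps `@{lib}/* PUx,` and `/usr/games/* PUx,`, whose `U` fallback runs any unprofiled helper in those directories unconfined, and it also loses the `complain` flag the removed definition carried, so those transitions are now enforced immediately. A comment above the two lines naming the launchers they are meant to cover would make the fallback an explicit decision; the `ding.js rPx` line just below shows the narrower form. The added `unix receive type=stream,` has no `peer=` restriction, unlike the unix rules in the parent profile. Dropping the `pkexec`, `python` and `lsmod` child profiles is consistent with the `rCx -> pkexec`, `rCx -> python` and `rPx -> gnome-shell//lsmod` removals elsewhere in this diff, but it also silently removes the `@{sys}/module/{,**} r,` and `batteryhealthchargingctl` rules, which the commit message should mention.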
@@ -31,11 +30,14 @@ profile gnome-shell-calendar-server @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/{,zoneinfo-}icu/{,**} r, + /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 56e448fd8..f0e9bf398 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,11 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, + @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-shell-overrides-migration b/apparmor.d/groups/gnome/gnome-shell-overrides-migration index 8d5cc4d1d..d041df4de 100644 --- a/apparmor.d/groups/gnome/gnome-shell-overrides-migration +++ b/apparmor.d/groups/gnome/gnome-shell-overrides-migration @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0b1602fbb..9bdb0cfc0 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -2,21 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include - include - include - include - include + include include + include + include include - include include include 
@@ -29,22 +26,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - #aa:dbus own bus=session name=org.freedesktop.PackageKit - #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=@{busname}, label=polkitd), - @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, - @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @@ -53,8 +39,6 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, - /usr/share/byobu/desktop/{,**} r, - /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, 
@@ -80,34 +64,30 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, - /var/lib/swcatalog/** r, + /var/lib/swcatalog/icons/**.png r, + /var/lib/swcatalog/yaml/ r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, + / r, + owner @{HOME}/.var/app/{,**} rw, - owner @{user_download_dirs}/*.flatpakref r, - owner @{user_cache_dirs}/flatpak/{,**} rwl, + owner @{user_cache_dirs}/gnome-software/{,**} rw, - owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, - owner @{user_share_dirs}/flatpak/{app,runtime}/ r, - owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, - owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, - owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, - owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, - owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{user_share_dirs}/gnome-software/{,**} rw, - owner @{tmp}/ostree-gpg-@{rand6}/ rw, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, 
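Review bot: `owner @{HOME}/.var/app/{,**} rw,` grants read/write over every Flatpak application's private data directory, far broader than the per-purpose rules it sits beside (`owner @{user_share_dirs}/flatpak/repo/** rwl …`); if gnome-software only needs to enumerate or remove app data on uninstall, a comment stating that, or a narrower permission, would help. The `ostree-gpg-*` pair also replaces `@{rand6}` with `*` in both the source path and the link target, and the target still spells a literal `/tmp/` while the source uses `@{tmp}`, so the two diverge when `@{tmp}` is not `/tmp`. `/ r,` is added with no comment. The same `@{rand6}`→`*` rewrite recurs in the `gpg` child profile in the `@@ -146,38` hunk.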
@@ -122,23 +102,19 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/sessions/@{int} r, - @{run}/systemd/users/@{uid} r, + @{run}/systemd/inhibit/*.ref rw, @{sys}/module/nvidia/version r, @{PROC}/@{pids}/mounts r, - @{PROC}/1/cgroup r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/stat r, /dev/fuse rw, - - deny owner @{user_share_dirs}/gvfs-metadata/* r, - + profile gpg { include @@ -146,38 +122,34 @@ profile gnome-software @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, - @{bin}/gpg-agent rix, - @{bin}/gpg-connect-agent rix, - @{lib}/{,gnupg/}scdaemon rix, - @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/gnupg/ rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, - owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{run}/user/@{uid}/gnupg/ w, include if exists } profile fusermount { include - include + include - capability setuid, + capability sys_admin, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } 
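Review bot: `@{run}/systemd/inhibit/*.ref rw,` replaces `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` with an unbounded glob, and the equivalent gnome-shell rule in this same diff is spelled `@{run}/systemd/inhibit/[0-9]*.ref rw,`; the two profiles should agree, preferably on `@{int}`. In the `@@ -146,38` hunk the `fusermount` child profile swaps `capability setuid,` for `capability sys_admin,` next to its explicit `mount`/`umount` rules; if the mount mediation is what requires it, a comment saying so keeps a reader from treating it as an accidental broad grant. The `gpg` child profile is reduced to `owner @{run}/user/@{uid}/gnupg/ w,` with none of the previous agent socket rules, so any remaining gpg-agent interaction would be denied. The `fusermount` closing brace is inside the hunk; the parent profile closes outside it.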
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 152b28ff7..126140401 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -2,17 +2,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include + include + include + include include capability sys_ptrace, @@ -21,9 +21,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace read, + ptrace (read), - signal send set=(kill term cont stop), + signal (send) set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -35,12 +35,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/byobu/desktop/{,**} r, - /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, - - / r, - - owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + /usr/share/gnome-system-monitor/{,**} r, + /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @@ -74,7 +70,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, @@ -85,7 +80,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { profile pkexec { include - include + + @{bin}/pkexec mr, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index fe380dadd..db128da15 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server 
+++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,19 +10,22 @@ include profile gnome-terminal-server @{exec_path} { include include + include include + include include + include include include include - signal send set=(hup) peer=htop, - signal send set=(term hup kill) peer=unconfined, + signal (send) set=(hup) peer=htop, + signal (send) set=(term hup kill) peer=unconfined, - ptrace read peer=htop, - ptrace read peer=unconfined, + ptrace (read) peer=htop, + ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 @@ -35,17 +38,17 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, - @{lib}/gnome-terminal-preferences ix, - # The shell is not confined on purpose. - @{bin}/@{shells} Ux, + @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, - @{open_path} Px -> child-open, + @{open_path} rPx -> child-open, + + /usr/share/icu/@{int}.@{int}/*.dat r, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8aa950e2c..80ff8310d 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
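Review bot: `#aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions` changes the directive from `interface+=` to `interface=`; if the `aa:dbus own` directive treats `=` as replacing its default interface list rather than extending it, the generated rules lose the default interfaces for `org.gnome.Terminal`, so please confirm this is intended or restore `+=`. The exec rules gaining an explicit `r` (`@{bin}/htop rPx,`, `@{open_path} rPx -> child-open,`) is consistent with the rest of the tree; `@{bin}/@{shells} rUx,` still launches an unconfined shell, which the retained comment `# The shell is not confined on purpose.` covers. `/usr/share/icu/@{int}.@{int}/*.dat r,` is new and undocumented, while the calendar-server hunk in this diff reads the same data via `/usr/share/{,zoneinfo-}icu/{,**} r,`, so one spelling could be shared. `@{lib}/gnome-terminal-preferences ix,` is removed without a replacement.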
@@ -10,20 +10,13 @@ include profile gnome-text-editor @{exec_path} { include include - include include include - include include include - #aa:dbus own bus=session name=org.gnome.TextEditor - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{exec_path} mr, - @{open_path} rPx -> child-open-help, - owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index 8ae95f4a0..fc6605232 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile gnome-tour @{exec_path} { include @{exec_path} mr, - @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 7f93b7864..a04234cce 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks 
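Review bot: The new side of the gnome-text-editor hunk drops `owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,` and the `#aa:dbus own bus=session name=org.gnome.TextEditor` directive, and the remaining `include` lines (whose targets are not legible in this view) are the only place those permissions could now come from; if no abstraction supplies them, the editor's own state directory and bus-name registration will be denied. `@{open_path} rPx -> child-open-help,` is removed here and again in the `gnome-tour` hunk below and the `gnome-weather` hunk later in the diff, so the help/URL launcher transition disappears from all three profiles at once and deserves a line in the commit message. The hunk ends before the profile's closing brace.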
@@ -2,50 +2,43 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gnome-tweaks -profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { +profile gnome-tweaks @{exec_path} { include include - include + include + include include include - network netlink raw, - @{exec_path} mr, @{bin}/ r, - @{bin}/env r, @{bin}/ps rPx, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{open_path} rPx -> child-open-help, - @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + + /usr/share/gnome-tweaks/{,**} r, /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop rw, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/bus/ r, - @{sys}/class/input/ r, - @{sys}/devices/**/uevent r, + owner @{user_share_dirs}/recently-used.xbel* rw, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-user-share-webdav b/apparmor.d/groups/gnome/gnome-user-share-webdav deleted file mode 100644 index d54d7476a..000000000 --- a/apparmor.d/groups/gnome/gnome-user-share-webdav +++ /dev/null 
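Review bot: `owner @{user_config_dirs}/autostart/*.desktop r,` tightens the replaced `rw` while the directory rule just above it stays `owner @{user_config_dirs}/autostart/ rw,`; if gnome-tweaks still writes autostart entries, that write will be denied, so either keep `rw` on the files or add a comment explaining why the directory needs `w` and the files do not. `@{bin}/python3.@{int} rix,` and `@{lib}/python3.@{int}/site-packages/gtweak/…` replace the `@{python_path}`/`@{python_name}` variables, which the removed side of other profiles in this diff still uses, with hard-coded spellings that will drift from the rest of the tree. Dropping `flags=(attach_disconnected)` from the profile header and deleting the `/sys` and udev read rules are behaviour changes the commit should explain.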
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/gnome-user-share-webdav -profile gnome-user-share-webdav @{exec_path} { - include - include - - #aa:dbus own bus=session name=org.gnome.user-share.webdav - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index fe2bf69b2..b2851601c 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,6 @@ profile gnome-weather @{exec_path} { @{exec_path} mr, @{bin}/gjs-console rix, - @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Weather/{,**} r, @@ -31,10 +30,9 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - include if exists } diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index b7c138285..968bf154a 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4509a6159..cf62b5f50 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 22aaba164..f9d3804c7 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,8 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -28,10 +26,13 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1a52321b1..5c43cddf4 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -2,30 +2,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include + include include include + include include - include + include + include include include include include - network inet stream, - signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties 
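Review bot: `owner /dev/tty@{int} rw,` in the gsd-a11y-settings hunk grants read/write on every user-owned virtual console to a settings-daemon helper that has no other console-related rule in view, and the identical line is added to gsd-color, gsd-datetime, gsd-housekeeping, gsd-keyboard, gsd-media-keys, gsd-power, gsd-print-notifications, gsd-printer, gsd-rfkill, gsd-screensaver-proxy, gsd-sharing, gsd-smartcard, gsd-sound, gsd-wacom and mutter-x11-frames in the hunks that follow. If the only reason is an inherited stdio tty when these helpers start from a VT session, that belongs in one shared abstraction with a comment such as `# inherited stdio tty when the session is started from a VT` rather than sixteen undocumented copies. As written, nothing in the diff records why a write grant on the console is needed, and each profile's enclosing `profile ... {` block starts outside its hunk.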
@@ -42,10 +42,12 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{gdm_share_dirs}/icc/edid-*.icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icc/edid-*.icc rw, + + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0364f3f2b..d25b4cdcc 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,19 +10,10 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include - include + include include - include - include - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - signal receive set=(term, hup) peer=gdm*, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Datetime @@ -35,6 +26,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, @@ -42,14 +34,10 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, - @{run}/systemd/sessions/@{int} r, - @{run}/systemd/users/@{uid} r, - - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, + owner /dev/tty@{int} rw, + include if exists } 
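Review bot: In the gsd-color hunk the ICC rules go from `edid-@{hex32}.icc` to `edid-*.icc`, which widens the writable set from a fixed-length hex name to any file name under `icc/` that starts with `edid-`. The rules stay under `owner` and inside the user's and gdm's share directories, so the exposure is limited, but the tighter pattern also documented the expected naming; if the tunable was dropped on purpose, a comment like `# edid-<hash>.icc; hash length varies by colord version` would keep that information. The surrounding `profile gsd-color` block starts outside the hunk.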
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 00ca93f19..d1e65865f 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,10 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 497462a03..7194b7a2b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,12 +11,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include - include include signal (receive) set=(term, hup) peer=gdm*, @@ -24,10 +22,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=Subscribe - peer=(name=org.freedesktop.systemd1), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @@ -48,6 +46,8 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, + owner /dev/tty@{int} rw, + include if exists } 
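Review bot: Removing `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd` leaves gsd-disk-utility-notify with no visible rule for the system-bus service its name and its remaining `org.gnome.Disks.NotificationMonitor` ownership suggest it watches. Unless an abstraction included outside this hunk now supplies those rules, I would expect D-Bus denials for UDisks2 traffic after this change; if the directive is dropped because the talk is covered elsewhere, a comment naming that include would save the next reader the same question. The `profile gsd-disk-utility-notify` block starts and ends outside the hunk.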
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index be27a873e..c87d6c9be 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -2,25 +2,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include + include include include - include - include + include + include + include + include include include include include - network inet stream, - signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard @@ -37,6 +37,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b299ab7ff..1dee19713 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,48 +10,77 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include + include include include + include include include + include include - include - include - include + include + include include include include include - include signal (receive) set=(term, hup) peer=gdm*, - network inet stream, network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill - #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=@{busname}, label="@{p_systemd_logind}"), + peer=(name=:*, label=systemd-logind), + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member={GrabAccelerators,UngrabAccelerators} + peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.gnome.Shell + member=AcceleratorActivated + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-rfkill), + dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-rfkill), dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/gnome/SettingsDaemon/Power 
interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label=gsd-power), + peer=(name=:*, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=gsd-power), + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), @{exec_path} mr, @@ -64,13 +93,15 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{user_share_dirs}/recently-used.xbel{,.*} rw, + + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/devices/**/usb[0-9]/{,**} r, @{sys}/devices/@{pci}/sound/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, @@ -78,6 +109,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d3ac6b456..03c23744f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
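Review bot: The added `dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*),` is the only dbus rule in the gsd-media-keys hunk without a `label=` constraint, so it allows the call to any session-bus peer that exposes that path. If the set of MPRIS players is genuinely open-ended and cannot be pinned to a label, say so next to the rule, e.g. `# any MPRIS player; peer label cannot be known in advance`. In the later hunk, `@{sys}/devices/**/usb[0-9]/{,**} r,` replaces `usb@{int}` and matches only single-digit bus numbers, so `usb10` and above would be denied on hosts with many controllers; `usb[0-9]*` keeps the original coverage and matches the `[0-9]*.ref` style used a few lines above. The `profile gsd-media-keys` block starts and ends outside this hunk.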
@@ -10,49 +10,46 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include + include include include include + include include include include include - include + include + include include - include - include + include + include + include include include include include - include - include - include - network inet stream, network netlink raw, signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power - #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*, label=gnome-shell), dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=@{busname}, label="@{p_upowerd}"), + peer=(name=:*, label=upowerd), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Suspend - peer=(name=@{busname}, label="@{p_systemd_logind}"), + peer=(name=:*, label=gsd-xsettings), @{exec_path} mr, 
@@ -62,33 +59,34 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+backlight:* r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/backlight/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + + @{sys}/devices/platform/**/leds/*backlight*/uevent r, + @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, + @{sys}/devices/platform/**/leds/*backlight*/brightness rw, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, + owner /dev/tty@{int} rw, + include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 22ec520cb..b684c0c7c 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,34 +11,26 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include - include - include - include - include + include + include include include network inet stream, network inet6 stream, - signal receive set=(term, hup) peer=gdm*, - signal send set=(hup) peer=gsd-printer, + signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} - peer=(name=@{busname}, label=cups-notifier-dbus), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, @@ -46,6 +38,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index a768c8d1e..9db9abb09 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
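Review bot: The gsd-print-notifications hunk deletes the `dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier member={ServerStarted,...} peer=(name=@{busname}, label=cups-notifier-dbus),` rule while the broader variant just above it stays commented out, so the profile ends up with no receive rule at all for CUPS notifier signals on the system bus. Unless those messages are now covered by an abstraction included outside the hunk, the daemon's reason for existing, receiving printer state changes, would be blocked; either restore the member-scoped rule or uncomment the generic one and note why the narrower form was dropped. The `profile gsd-print-notifications` block starts outside this hunk.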
@@ -11,9 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include include signal (receive) set=(term, hup) peer=gdm*, @@ -31,6 +29,8 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 7283c5c00..456361e88 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -2,20 +2,19 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include include include include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -34,6 +33,8 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + owner /dev/tty@{int} rw, + /dev/rfkill rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index ac2f9229d..e0d3dc1b0 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -2,16 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -25,6 +24,8 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9d432ae13..4ba613fb7 100644 
--- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -31,15 +29,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 - interface=org.freedesktop.NetworkManager.VPN.Connection - member=VpnStateChanged - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, @@ -47,8 +41,9 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cgroup r, + + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 5143b9984..c72c9a8eb 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,10 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include - include + include include - include include include - include signal (receive) set=(term, hup) peer=gdm*, 
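Review bot: In the last gsd-sharing hunk, `@{PROC}/@{pid}/cgroup r,` replaces both `@{PROC}/1/cgroup r,` and `owner @{PROC}/@{pid}/cgroup r,`; since `@{pid}` is used as a glob throughout this diff (it is consistently paired with `owner` elsewhere), dropping `owner` lets gsd-sharing read the cgroup file of every process on the system, which is wider than the two rules it replaces. If the intent was merely to fold in the PID 1 read, keep `owner @{PROC}/@{pid}/cgroup r,` and `@{PROC}/1/cgroup r,` as separate lines. The `profile gsd-sharing` block starts outside the hunk.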
@@ -31,17 +28,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/tpm2-tss/* rk, + /etc/{,opensc/}opensc.conf r, + + owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, /var/tmp/ r, /tmp/ r, - owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - - owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ff2d30766..ea063aeda 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -2,22 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include include include - include - include + include + include include - include - signal receive set=(term, hup) peer=gdm*, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound @@ -30,6 +28,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, @@ -37,6 +36,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index bcdb353a8..4db37cb0a 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,22 +10,14 @@ include profile gsd-usb-protection @{exec_path} { include include - include - include - include include - include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 3d4f2cb05..9b6e13fdb 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -2,16 +2,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include + include + include include include include @@ -30,6 +32,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 3a5ee53df..9c8852055 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,17 +10,10 @@ include profile gsd-wwan @{exec_path} { include include - include include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists 
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 20151eec0..4b489c259 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -2,20 +2,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include + include include include - include + include include - include + include include include include @@ -31,25 +33,17 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings - #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member=SetInputSources + peer=(name=:*, label=accounts-daemon), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={UserAdded,UserDeleted} - peer=(name=@{busname}, label="@{p_accounts_daemon}"), - - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=SetInputSources - peer=(name=@{busname}, label="@{p_accounts_daemon}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), @{exec_path} mr, - @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index f843d6c14..e756831f2 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
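Review bot: The gsd-xsettings hunk removes `@{sh_path} mr,` while `@{bin}/cat rix,` and `@{bin}/sed rix,` stay, so if the daemon still reaches those tools through a shell the shell exec itself would now be denied before either is run. It also drops the `dbus receive ... member={UserAdded,UserDeleted}` rule from accounts-daemon while keeping the `SetInputSources` send to the same service, which leaves the profile able to call accountsservice but not to hear its user-change signals; if that asymmetry is intended, a one-line comment would prevent it being "fixed" back. The `profile gsd-xsettings` block starts and ends outside this hunk.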
@@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace read, + ptrace (read), @{exec_path} mr, @@ -25,24 +25,20 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop PUx, - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, - @{bin}/nvtop Px, - @{bin}/vim Ux, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, - @{open_path} Px -> child-open-help, + @{open_path} rPx -> child-open-help, owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch deleted file mode 100644 index ea1566757..000000000 --- a/apparmor.d/groups/gnome/localsearch +++ /dev/null 
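Review bot: The kgx hunk rewrites `@{bin}/vim Ux` as `@{bin}/vim rUx` and `@{bin}/micro PUx` as `@{bin}/micro rPUx`, so the terminal still launches an editor fully unconfined, and the comment above the group (`# Some CLI program can be launched directly from Gnome Shell`) only explains the `rPx` lines. A why-comment on the unconfined transition, e.g. `# no profile for vim/micro yet: unconfined fallback is deliberate`, would document the accepted risk in the same place it is granted. The `profile kgx` block starts and ends outside this hunk.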
@@ -1,80 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 -profile localsearch @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files - #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 - - dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=@{busname}, label=nautilus), - dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.Tracker3.Endpoint - member=Query - peer=(name=@{busname}, label=nautilus), - - @{exec_path} mr, - - @{lib}/localsearch-extractor-3 ix, # nnp - - /usr/share/localsearch3/{,**} r, - /usr/share/osinfo/{,**} r, - /usr/share/poppler/{,**} r, - - /etc/fstab r, - - # Allow to search user files - owner @{HOME}/ r, - owner @{HOME}/{,**} r, - owner @{MOUNTS}/{,**} r, - owner @{tmp}/*/{,**} r, - - owner @{user_cache_dirs}/tracker3/ rw, - owner @{user_cache_dirs}/tracker3/files/ rw, - owner @{user_cache_dirs}/tracker3/files/** rwk, - - owner @{GDM_HOME}/ r, - owner @{GDM_HOME}/*/ r, - owner @{gdm_cache_dirs}/tracker3/{,**} rwk, - owner @{gdm_config_dirs}/user-dirs.dirs r, - - @{run}/mount/utab r, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{PROC}/sys/fs/fanotify/max_user_marks r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control deleted file mode 100644 index 354f85009..000000000 --- a/apparmor.d/groups/gnome/localsearch-control +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/localsearch-control-3 -profile localsearch-control @{exec_path} { - include - include - - #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback deleted file mode 100644 index 7d50726c0..000000000 --- a/apparmor.d/groups/gnome/localsearch-writeback +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/localsearch-writeback-3 -profile localsearch-writeback @{exec_path} { - include - include - - #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ea55ee902..6d53ebf44 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe 
@@ -2,37 +2,22 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include - include - include include include include include - include include include include - unix type=stream peer=(label=loupe//bwrap), - - signal send set=kill peer=loupe//bwrap, - - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application - - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + signal (send) set=(kill) peer=loupe//bwrap, @{exec_path} mr, @@ -43,10 +28,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, - owner @{user_cache_dirs}/glycin/{,**} rw, - - @{run}/mount/utab r, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,8 +38,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -65,14 +45,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=loupe), - - signal receive set=kill peer=loupe, + signal (receive) set=(kill) peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, - - owner @{PROC}/@{pid}/fd/ r, + @{lib}/glycin-loaders/*/glycin-image-rs rix, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index d5c83a31b..0a208c6ad 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames 
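Review bot: The loupe hunk drops the `#aa:dbus own bus=session name=org.gnome.Loupe ...` directive, so no visible rule remains for the application's own well-known bus name, and it removes the `unix type=stream` rules on both the `loupe` and `loupe//bwrap` sides while keeping the kill-signal rules between them. If the sandboxed loader still talks to the parent over a unix socket pair, that would show up as denials at first image load; if the socket is no longer used, the remaining signal rules deserve a comment saying why they are still needed. The narrowing from `glycin-loaders/*/glycin-*` to `glycin-loaders/*/glycin-image-rs` similarly excludes any other loader binary installed in that directory, which may be intended but is not stated.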
+++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -2,18 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include + include include - include include include include @@ -26,14 +26,15 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}//fontconfig/ rw, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, + owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, owner @{PROC}/@{pid}/cmdline r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c405a3bf8..66f9af691 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -2,21 +2,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include + include include include include + include include include include - include - include + include + include include include include 
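Review bot: The mutter-x11-frames hunk reduces the fontconfig cache rule from `rwl` on `@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}}` to `r` on `[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*}` and removes the `owner @{gdm_cache_dirs}//fontconfig/ rw,` line, so the greeter-side process can read a cache but can no longer create or rename one. If a read-only cache is acceptable because something else populates it for the gdm user, a comment such as `# cache is pre-populated; frames process never writes it` would record that; otherwise the `.NEW`/`.LCK`/`.TMP-*` alternatives in the pattern only make sense with write and link permission. The `profile mutter-x11-frames` block starts outside the hunk.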
@@ -24,54 +26,38 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include - mqueue r type=posix /, - - unix type=stream peer=(label=gnome-shell), + # mqueue r type=posix /, + #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} - #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 - #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=session path=/org/gnome/Mutter/ServiceChannel - interface=org.gnome.Mutter.ServiceChannel - member=OpenWaylandServiceConnection - peer=(name=@{busname}, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member={GetAll,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label=dbus-session), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=AddNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print - peer=(name=@{busname}, label=nautilus), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label=nautilus), dbus send bus=session path=/org/freedesktop/DBus 
interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus send bus=session - interface=org.freedesktop.Application - member=Open, - - dbus send bus=session path=/org/gnome/Nautilus - interface=org.gtk.Application - member={CommandLine,DescribeAll} - peer=(name=org.gnome.Nautilus, label=nautilus), + peer=(name=org.freedesktop.DBus, label=dbus-session), @{exec_path} mr, @@ -80,12 +66,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - - @{bin}/* r, - @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, + @{bin}/tracker3 rPUx, @{open_path} rPx -> child-open, + /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/nautilus/{,**} r, /usr/share/poppler/{,**} r, /usr/share/sounds/freedesktop/stereo/*.oga r, @@ -97,7 +82,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, - #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -106,15 +90,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rw, - owner @{HOME}/ r, - owner @{HOME}/** rw, - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rw, - owner @{tmp}/ r, - owner @{tmp}/** rw, + owner @{HOME}/{,**} rw, + owner @{run}/user/@{uid}/{,**} rw, + owner @{tmp}/{,**} rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
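Review bot: In the new `dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member={GetAll,ListActivatableNames}` rule, `ListActivatableNames` is a method of `org.freedesktop.DBus`, not of `org.freedesktop.DBus.Properties`, and the following rule in the hunk already grants it on the right interface, so the Properties rule should read `member=GetAll` only. The hunk also leaves `# mqueue r type=posix /,` commented out with no reason given; a disabled rule in policy should either be removed or carry an explanation such as `# mqueue r type=posix /,  # disabled: TODO confirm nautilus still opens the mqueue root`. The literal `peer=(name=:*, label=nautilus)` and `label=dbus-session` replace the `@{busname}` / `@{p_dbus_session}` variables of the old side; if those variables are still defined elsewhere in the tree, the literal form is the inconsistent one. The profile body continues outside the hunk.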
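Review bot: Removing `#aa:lint ignore=too-wide` leaves `/ r,`, `/*/ r,` and the rest of the `# Full access to user's data` block unannotated, so the project's profile linter, if it is still run, will flag them as too wide. If these rules are deliberately broad, keep the marker directly above the comment: `#aa:lint ignore=too-wide`. The enclosing profile continues outside the hunk.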
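Review bot: `owner @{HOME}/{,**} rw,` grants write on the home directory path itself, where the old pair only allowed `owner @{HOME}/ r` and reserved `rw` for its contents; the same widening applies to `owner @{run}/user/@{uid}/{,**} rw,` and `owner @{tmp}/{,**} rw,`. Write on the directory path covers operations on that entry itself (rename, rmdir, attribute changes), so if the intent was only to collapse two lines, use `owner @{HOME}/ r,` plus `owner @{HOME}/** rw,` and likewise for the other two. The switch from `deny @{efi}/{,**} r,` to `deny /boot/{,**} r,` also narrows the silencer to a literal path; whether it covers the same tree depends on how `@{efi}` is defined, which is not visible here. The enclosing profile continues outside the hunk.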
@@ -134,8 +115,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index e1bde2238..ee2de80ce 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -2,23 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/org.gnome.NautilusPreviewer -profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { +profile org.gnome.NautilusPreviewer @{exec_path} { include include - include include include include include include - include include include + include network netlink raw, @@ -40,19 +39,18 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - @{PROC}/1/cgroup r, + @{PROC}/@{pid}/cgroup r, @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} r, + include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers deleted file mode 100644 index 6c4fe6f12..000000000 --- a/apparmor.d/groups/gnome/papers +++ /dev/null 
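Review bot: `@{PROC}/@{pid}/cgroup r,` replaces both `@{PROC}/1/cgroup r,` and `owner @{PROC}/@{pid}/cgroup r,` with a single rule that has no `owner` qualifier, so the previewer can now read the cgroup of every process on the system instead of its own and pid 1's. Keep the owner restriction, `owner @{PROC}/@{pid}/cgroup r,`, and add the explicit `@{PROC}/1/cgroup r,` back only if pid 1 is really needed. The added `/dev/media@{int} r,` also deserves a comment saying why a file previewer enumerates media-controller devices; from here it looks like a library probe rather than a feature. The first hunk of this file drops `flags=(attach_disconnected)` from the profile header as well; if the previewer opens disconnected paths, denials will reappear — confirm against the audit log before enforcing.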
@@ -1,67 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/papers -profile papers @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application - - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 - interface=org.freedesktop.portal.Session - member=Close - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - - @{exec_path} mr, - - @{open_path} Cx -> open, - - /usr/share/poppler/{,**} r, - - /etc/passwd r, - - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.goutputstream-@{rand6} rw, - owner @{tmp}/papers-@{int}/{,**} rw, - owner @{tmp}/gtkprint_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} rw, - - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - - profile open { - include - include - - @{browsers_path} Px, - @{help_path} Px, - @{bin}/papers Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis deleted file mode 100644 index 3195d7f03..000000000 --- a/apparmor.d/groups/gnome/ptyxis +++ /dev/null 
@@ -1,44 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ptyxis -profile ptyxis @{exec_path} { - include - include - include - include - - unix type=stream peer=(label=ptyxis-agent), - - #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application - - @{exec_path} mr, - - @{lib}/ptyxis-agent Px, - @{open_path} Px -> child-open-help, - - /etc/shells r, - - owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, - - owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, - owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, - - owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - - owner /tmp/#@{int} rw, - - /dev/ptmx rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent deleted file mode 100644 index 6418193a6..000000000 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ /dev/null 
@@ -1,64 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ptyxis-agent -profile ptyxis-agent @{exec_path} { - include - include - include - include - include - include - include - - signal send set=hup peer=@{p_systemd}, - - ptrace read, - - unix type=stream peer=(label=ptyxis), - - @{exec_path} mr, - - @{bin}/podman Px, - @{bin}/systemd-run Cx -> shell, - - owner @{user_share_dirs}/containers/ w, - owner @{user_share_dirs}/containers/storage/ w, - owner @{user_share_dirs}/containers/storage/overlay-containers/ w, - - @{PROC}/@{pid}/cmdline r, - - /dev/ptmx rw, - - profile shell { - include - include - - signal send, - - unix bind type=stream addr=@@{udbus}/bus/systemd-run/, - - @{bin}/systemd-run mr, - - # The shell is not confined on purpose. - @{bin}/@{shells} Ux, - - # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, - - owner @{run}/user/@{uid}/systemd/private rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index c34526ee1..ba23af8a4 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -2,25 +2,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include + include + include include + include include include include - include - include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 + dbus bind bus=session name=org.gnome.seahorse.Application, + dbus receive bus=session path=/org/gnome/seahorse/Application + interface=org.gnome.Shell.SearchProvider2 + peer=(name=:*), @{exec_path} mr, 
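Review bot: The new `dbus receive bus=session path=/org/gnome/seahorse/Application interface=org.gnome.Shell.SearchProvider2 peer=(name=:*)` rule has no `label` on the peer, so any session-bus client, not just the shell, may drive the search provider; if gnome-shell is the only legitimate caller, write it as `peer=(name=:*, label=gnome-shell)`, matching the labelled peers used in the nautilus hunk. The `#aa:dbus own` directive it replaces presumably expanded to more than one bind and one receive rule (search providers are typically also asked for the `org.freedesktop.DBus.Properties` and `Introspectable` interfaces), so check that the explicit rules cover everything the directive generated. The profile body continues outside the hunk.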
@@ -32,6 +36,7 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b31532cae..570515cd7 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -2,34 +2,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include - include - include - include @{exec_path} mr, - @{sh_path} rix, - @{python_path} rix, - @{bin}/dconf rPx, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/* rix, + @{sh_path} rix, + /usr/share/session-migration/scripts/*.sh rix, /usr/share/session-migration/{,**} r, - owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla deleted file mode 100644 index 082c6c925..000000000 --- a/apparmor.d/groups/gnome/tecla +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/tecla -profile tecla @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e200ecb42..858d216ac 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
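Review bot: The new session-migration body runs `@{sh_path} rix` and `/usr/share/session-migration/scripts/*.sh rix` inside this profile but no longer provides any exec rule for `dconf` or `gsettings`, which the old side transitioned to with `rPx`; if any migration script still invokes them, the exec is denied under this profile. Either keep `@{bin}/dconf rPx,` and `@{bin}/gsettings rPx,`, or state in a comment that the remaining `*.sh` scripts are known not to call them. Narrowing the script glob from `*` to `*.sh` likewise silently excludes any non-`.sh` script in that directory.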
@@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -20,7 +20,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, @@ -29,12 +28,18 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={GetTreeFromDevice,Remove} + peer=(name=:*, label=gvfsd-metadata), @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/*.desktop r, + /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, @@ -71,9 +76,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 85b7b0d53..b037db499 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
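Review bot: `/dev/video@{int} rw,` gives the metadata extractor write access to video-capture devices with no comment saying why; the neighbouring `/dev/media@{int} r,` is read-only, and the tracker-miner hunk on this page grants `rw` on both, so the three rules disagree. Unless the audit log shows a write denial, prefer `r` in both profiles and annotate the rules, e.g. `# TODO confirm: device probing by the media libraries, read access only`. The `# file_inherit` comment above `owner /dev/tty@{int} rw,` is the right pattern; give the new device rules the same treatment. The profile body continues outside the hunk.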
@@ -11,18 +11,17 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include + include + include include include include include include - include include - include - include + include network netlink raw, @@ -48,6 +47,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, + /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, @@ -65,6 +65,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex16} rw, + # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, @@ -82,11 +85,11 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback index a5346b463..426b1be60 100644 --- a/apparmor.d/groups/gnome/tracker-writeback +++ b/apparmor.d/groups/gnome/tracker-writeback @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal deleted file mode 100644 index 20ed6bdce..000000000 --- a/apparmor.d/groups/gnome/tracker-xdg-portal +++ /dev/null 
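Review bot: `owner /var/tmp/etilqs_@{hex16} rw,` and `owner @{tmp}/etilqs_@{hex16} rw,` carry no comment; `etilqs_` is SQLite's temporary-file prefix, so a one-line note such as `# SQLite temporary files` above the pair would save the next reader a search. If the miner's database could instead live on a path the profile already owns, the two shared-temp rules would not be needed at all, but that is a design question outside this hunk. The enclosing profile continues outside the hunk.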
@@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/tracker-xdg-portal-3 -profile tracker-xdg-portal @{exec_path} flags=(complain) { - include - include - include - - #aa:dbus own bus=session name=org.freedesktop.portal.Tracker - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 1f2fc39d3..4da1fe736 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -2,24 +2,18 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} flags=(attach_disconnected) { +profile yelp @{exec_path} { include - include - include include network netlink raw, - #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions - @{exec_path} mr, - @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, 
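Review bot: The new yelp header removes `@{open_path} rPx -> child-open-help` and the `#aa:dbus own … org.gnome.Yelp` directives while keeping the WebKit network and web processes as `rix`; if yelp still hands external links to the open helper, that exec is now denied rather than transitioned, and if it still registers `org.gnome.Yelp`, the bind is denied too. Both are inferences — confirm with the audit log before enforcing. Dropping `flags=(attach_disconnected)` on a WebKit-based profile is the other change to watch, since the inherited WebKit processes may open disconnected paths. The profile body continues outside the hunk.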
@@ -30,14 +24,10 @@ profile yelp @{exec_path} flags=(attach_disconnected) { /etc/xml/{,**} r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 2fbdfb086..d2afa3462 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include - include include include include @@ -40,13 +39,6 @@ profile dirmngr @{exec_path} { owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw, - # FIXME: Needed by dirmngr@.service - owner /etc/pacman.d/gnupg/ rw, - owner /etc/pacman.d/gnupg/S.dirmngr rw, - owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw, - owner /etc/pacman.d/gnupg/crls.d/ rw, - owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists 
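Review bot: `owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r,` hard-codes uid 1000 where the line directly above uses `user-@{uid}.slice/user@@{uid}.service`, so the rule only works for the first user account and is inconsistent with every other cgroup rule in the file. Replace it with `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,`, which is exactly the form the old side had. The enclosing profile continues outside the hunk.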
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40c23b660..4fcc8946d 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,29 +28,8 @@ profile gpg @{exec_path} { @{bin}/gpgsm rPx, @{lib}/{,gnupg/}scdaemon rPx, - /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt - /usr/share/pacman/keyrings/** r, #aa:only pacman - /etc/inputrc r, - #aa:only pacman - /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, - - #aa:only apt - /etc/apt/trusted.gpg.d/{,*} r, - owner /etc/apt/keyrings/ rw, - owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, - - owner /var/lib/*/{,.}gnupg/ rw, - owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**, - - # TODO: Remove after zypper profile is created - #aa:only zypper - owner /var/tmp/zypp.@{rand6}/ rw, - owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, - owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
@@ -60,18 +39,31 @@ profile gpg @{exec_path} { owner @{user_projects_dirs}/**/gnupg/ rw, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, - # TODO: For compatibility with torbrowser profile from upstream. - owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, + #aa:only apt + owner /etc/apt/keyrings/ rw, + owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, + + #aa:only pacman + owner /etc/pacman.d/gnupg/gpg.conf r, + owner /etc/pacman.d/gnupg/pubring.gpg r, + owner /etc/pacman.d/gnupg/trustdb.gpg r, + + owner /var/lib/*/gnupg/ rw, + owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, + + owner /var/lib/*/.gnupg/ rw, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + + # TODO: Remove after zypper profile is created + #aa:only zypper + owner /var/tmp/zypp.@{rand6}/ rw, + owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, #aa:exclude ubuntu - owner @{tmp}/ostree-gpg-@{rand6}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - owner /tmp/@{int}@{int} rw, - - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + owner @{tmp}/tmp.[a-zA-Z0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 708ccc5f3..336d491b1 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gpg-agent profile gpg-agent @{exec_path} { include - include include signal (receive) peer=pinentry-*, 
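Review bot: `owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,` uses the `@{tmp}` tunable for the source but a literal `/tmp` for the link target; if `@{tmp}` expands to anything other than `/tmp`, the link rule cannot match, so the target should be `-> @{tmp}/ostree-gpg-*/**`. The hunk also removes `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw` without a visible replacement; gpg needs that socket to reach the agent, so unless an include outside this hunk provides it, agent operations will be denied — confirm before enforcing. The profile body continues outside the hunk.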
@@ -25,68 +24,63 @@ profile gpg-agent @{exec_path} { /usr/share/gnupg/* r, owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{HOME}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, + owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r, + owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{user_projects_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, - owner @{run}/user/@{uid}/gnupg/*.conf r, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - owner 
@{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, - owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, - owner @{tmp}/**/{.,}gnupg/ rw, - owner @{tmp}/**/{.,}gnupg/*.conf r, - owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{tmp}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{tmp}/**/{.,}gnupg/sshcontrol r, - - #aa:only pacman - owner /etc/pacman.d/gnupg/ rw, - owner /etc/pacman.d/gnupg/*.conf r, - owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw, - owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner /etc/pacman.d/gnupg/sshcontrol r, + owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw, - owner /var/lib/*/.gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner 
/var/lib/*/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, - #aa:only zypper owner /var/tmp/zypp.*/ rw, owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/ rw, owner /var/tmp/zypp.*/{,*/}private-keys-v1.d/@{hex}.key rw, owner /var/tmp/zypp.*/{,*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{tmp}/tmp.*/gnupg/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/ rw, + owner @{tmp}/tmp.*/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{tmp}/tmp.*/gnupg/{,d.*/}S.gpg-agent rw, + owner @{tmp}/tmp.*/gnupg/sshcontrol r, + @{PROC}/@{pid}/fd/ r, # Silencer diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ebea13b56..ae8f90ed5 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,17 +18,14 @@ profile gpg-connect-agent @{exec_path} { /etc/inputrc r, - owner @{run}/user/@{uid}/gnupg/ w, + owner @{PROC}/@{pid}/fd/ r, + owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/S.dirmngr rw, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, - owner @{PROC}/@{pid}/fd/ r, - include if exists } diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index d7f8cb353..9537c60c6 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
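Review bot: The `#aa:only zypper` marker is removed while the `owner /var/tmp/zypp.*/…` rules it guarded stay, so those rules are now compiled into the profile on every distribution, whereas the gpg hunk on this page keeps `#aa:only zypper` in front of its equivalent `zypp.@{rand6}` rules; restore the marker here directly above `owner /var/tmp/zypp.*/ rw,` for consistency. Narrowing `private-keys-v1.d/@{hex}.key{,.tmp}` to `@{hex}.key` in every block drops the temporary file gpg-agent writes before renaming a key into place; if that write path is still used, key creation fails in enforce mode, so keep `{,.tmp}` unless the audit log shows it is never touched. The change from `d.@{rand}/` to `d.*/` in the socket rules is a small widening and acceptable if `@{rand}` proved too strict. The profile body continues outside the hunk.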
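Review bot: The new gpg-connect-agent side keeps only `owner @{run}/user/@{uid}/gnupg/d.*/ rw,` and drops the `S.dirmngr` / `S.gpg-agent` socket rules, yet nothing visible in the hunk grants the socket paths themselves; since the tool exists to open those sockets, the permission must now come from an include outside the hunk or the connect is denied. A comment naming that source, e.g. `# agent/dirmngr sockets are granted by <include name — TODO confirm>`, would make the dependency explicit. The profile opening is outside the hunk.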
@@ -22,11 +22,10 @@ profile gpgconf @{exec_path} { @{bin}/gpg-connect-agent rPx, @{bin}/gpg{,2} rPx, @{bin}/gpgsm rPx, - @{bin}/pinentry{,-*} rPx, + @{bin}/pinentry-* rPx, @{bin}/scdaemon rPx, - @{lib}/{,gnupg/}keyboxd rPUx, @{lib}/{,gnupg/}scdaemon rPx, - @{lib}/{,gnupg/}tpm2daemon rPUx, + @{lib}/keyboxd rPUx, /etc/gcrypt/hwf.deny r, /etc/gnupg/gpgconf.conf r, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 2ef1a9d4a..5bfa3fdf4 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gpgsm profile gpgsm @{exec_path} { include - include include capability dac_read_search, @@ -23,11 +22,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny /usr/bin/.gnupg/ w, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - deny @{bin}/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, include if exists } diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index 51ec8b134..bf77509fd 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -2,18 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/gnupg/keyboxd profile keyboxd @{exec_path} { include - include @{exec_path} mr, - owner @{HOME}/@{XDG_GPG_DIR}/ w, owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/public-keys.d/* rwlk, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 729455f7f..eeb1a618e 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
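Review bot: `@{lib}/keyboxd rPUx,` does not match the path the keyboxd profile on this page attaches to (`@{exec_path} = @{lib}/gnupg/keyboxd`), so executing `@{lib}/gnupg/keyboxd` gets no rule at all, and if a `@{lib}/keyboxd` binary exists it falls through `U` to unconfined rather than into the keyboxd profile. The old `@{lib}/{,gnupg/}keyboxd rPUx,` covered both layouts; restore that, or at least `@{lib}/gnupg/keyboxd rPx,`. Dropping `tpm2daemon` while keeping `scdaemon` also deserves a note if gpgconf is still expected to launch it. The profile body continues outside the hunk.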
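Review bot: `deny /usr/bin/.gnupg/ w,` replaces `deny @{bin}/.gnupg/ w,` with a literal path, so the silencer no longer covers the other locations the `@{bin}` tunable expands to; keep the tunable form `deny @{bin}/.gnupg/ w,`. The accompanying reorder of the `/var/lib` and `@{HOME}` rules is cosmetic and fine.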
@@ -16,20 +16,14 @@ profile scdaemon @{exec_path} { network netlink raw, signal (send) peer=gpg-agent, - signal send set=usr2 peer=unconfined, @{exec_path} mr, - #aa:only pacman - owner /etc/pacman.d/gnupg/scdaemon.conf r, - owner /etc/pacman.d/gnupg/S.scdaemon rw, - owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw, owner /var/tmp/zypp.*/PublicKey/S.scdaemon w, owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index b0d606701..44602a4ee 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f09ba540d..1ab754daf 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -2,24 +2,27 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, - @{bin}/{m,g,}awk ix, - @{bin}/mktemp ix, - @{bin}/od ix, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}//mktemp rix, + @{bin}//od rix, - owner @{tmp}/tmp.@{rand10}/ rw, + /usr/share/debconf/frontend rPx, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + /usr/share/debconf/confmodule r, + + owner @{tmp}/tmp.*/ rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 29f9bf8f7..414f12909 100644 
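Review bot: In grub-check-signatures, `@{bin}//mktemp rix,` and `@{bin}//od rix,` carry a doubled slash after the variable, which looks like a leftover from the `@{sbin}`→`@{bin}` substitution; the path the kernel presents to AppArmor never contains an empty component, so these rules are very unlikely to match and both execs will be denied. They should read `@{bin}/mktemp rix,` and `@{bin}/od rix,`. The hunk also removes `@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,`; if the script still inspects the SecureBoot variable (which is what the `od` exec suggests), that read is now denied, so either restore the rule or leave a comment explaining why it is no longer needed. `owner @{tmp}/tmp.*/ rw,` is also wider than the previous `tmp.@{rand10}` form and could keep the tighter pattern.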
--- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - @{efi}/grub/grubenv rw, + /boot/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file index 6551bd553..0c43d739d 100644 --- a/apparmor.d/groups/grub/grub-file +++ b/apparmor.d/groups/grub/grub-file @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest index 3819fe890..c8f4d48a8 100644 --- a/apparmor.d/groups/grub/grub-fstest +++ b/apparmor.d/groups/grub/grub-fstest @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi index f72664388..0c2d91173 100644 --- a/apparmor.d/groups/grub/grub-glue-efi +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index e3ed75334..7902bf02d 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -3,11 +3,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-install +@{exec_path} = @{bin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include 
@@ -19,34 +19,26 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/efibootmgr rix, + @{bin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, - /usr/share/locale-langpack/{,**} r, /etc/default/grub.d/{,**} r, /etc/default/grub r, - @{efi}/ r, - @{efi}/EFI/ r, - @{efi}/EFI/*/grubx*.efi rw, - @{efi}/EFI/BOOT/{,**} rw, - @{efi}/EFI/ubuntu/* w, - @{efi}/grub/{,**} rw, + /boot/efi/EFI/ubuntu/* w, + /boot/efi/EFI/BOOT/{,**} rw, + /boot/EFI/*/grubx*.efi rw, + /boot/grub/{,**} rw, - @{sys}/devices/**/hid r, - @{sys}/devices/**/path r, - @{sys}/devices/**/uid r, - @{sys}/firmware/efi/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, - @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp index 0334bf2f5..7c49e93ec 100644 --- a/apparmor.d/groups/grub/grub-kbdcomp +++ b/apparmor.d/groups/grub/grub-kbdcomp @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index 17e71a25c..8f73e3807 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-macbless +@{exec_path} = @{bin}/grub-macbless profile grub-macbless @{exec_path} { include include 
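Review bot: `@{sys}/firmware/efi/w_platform_size r,` is a typo of the sysfs file `fw_platform_size`, and this hunk deletes the correct `fw_platform_size` rule just above it, so the read grub-install performs to choose the EFI platform size will be denied (only logged here, since the profile is `flags=(complain)`). `/boot/EFI/*/grubx*.efi rw,` likewise sits beside `/boot/efi/EFI/ubuntu/*` and `/boot/efi/EFI/BOOT/{,**}`, so the missing `efi/` component looks accidental. Changing `BootOrder-@{uuid}` from `rw` to `r` will also block efibootmgr — which runs inside this profile via `rix` — from updating the boot order when it adds an entry. The corrected lines are `@{sys}/firmware/efi/fw_platform_size r,`, `/boot/efi/EFI/*/grubx*.efi rw,` and `@{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,`.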
diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg index cd2d0121d..826de1e1d 100644 --- a/apparmor.d/groups/grub/grub-menulst2cfg +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 5b62fa30c..d44ffcf3d 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig +@{exec_path} = @{bin}/grub-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -21,25 +21,24 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{sbin}/btrfs rPx, + @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPx, + @{bin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, - @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{sbin}/grub-probe rPx, + @{bin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, 
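Review bot: In the grub-mkconfig exec list, `@{bin}/dmsetup rPUx,` replaces an `rPx` transition, so whenever no dmsetup profile is loaded the tool runs unconfined from a root-run bootloader script; `rPx` (deny when no profile exists) was the safer default and nothing in the hunk explains the relaxation. The hunk also removes `@{bin}/grub-editenv rPx,` while the `/etc/grub.d/{,**} rix` scripts that run under this profile commonly invoke grub-editenv to read the saved environment, so that exec would now be denied — restore `@{bin}/grub-editenv rPx,` unless those scripts have been confirmed not to call it. If the unconfined fallback for dmsetup is deliberate, add a comment on that line stating why.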
@@ -56,16 +55,14 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{.debianutils,} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, - @{lib}/grub-customizer/* rix, @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, - /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, @@ -81,10 +78,10 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - @{efi}/{,**} r, - @{efi}/grub/{,**} rw, + /boot/{,**} r, + /boot/grub/{,**} rw, - /tmp/grub-*.@{rand10}/{,**} rw, + # owner /tmp/** rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index ca9f3ad3c..0af9aab2d 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -2,24 +2,17 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-mkdevicemap +@{exec_path} = @{bin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include - include - - capability sys_admin, @{exec_path} mr, - @{PROC}/devices r, - - /dev/mapper/control rw, - include if exists } diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont index a1e4b1eff..52d719b38 100644 --- a/apparmor.d/groups/grub/grub-mkfont +++ b/apparmor.d/groups/grub/grub-mkfont @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage index 54f8dcc80..ac5fef3b4 100644 --- a/apparmor.d/groups/grub/grub-mkimage +++ b/apparmor.d/groups/grub/grub-mkimage 
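Review bot: `# owner /tmp/** rw,` is a commented-out rule standing in for the removed `/tmp/grub-*.@{rand10}/{,**} rw,`, so the profile now grants no temporary-directory access at all while leaving a dead hint that some is needed. If grub-mkconfig still creates a temp directory (the previous rule suggests it did), the denial will show up on the first run; either restore the narrow form, `owner /tmp/grub-*.@{rand10}/{,**} rw,`, or delete the dead line and add a comment explaining why no tmp access is required. `/boot/{,**} r` is also much broader than the previous `@{efi}/{,**} r` and covers kernels and initrds; if only grub's own tree is needed, the `/boot/grub/{,**} rw` rule already provides it.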
@@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout index 11263914b..616627f35 100644 --- a/apparmor.d/groups/grub/grub-mklayout +++ b/apparmor.d/groups/grub/grub-mklayout @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir index 10aaa77d4..9bb011422 100644 --- a/apparmor.d/groups/grub/grub-mknetdir +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 index 45cefcedf..58b7da49b 100644 --- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index d4508b4c5..22e0b754a 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,12 +21,12 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - @{efi}/ r, - @{efi}/grub/themes/{,**} r, + /boot/ r, + /boot/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_*/boot/ r, + /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue index dfd9ce031..4eee01abf 100644 
--- a/apparmor.d/groups/grub/grub-mkrescue +++ b/apparmor.d/groups/grub/grub-mkrescue @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone index 8cce05fb9..c891fd4bf 100644 --- a/apparmor.d/groups/grub/grub-mkstandalone +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount index e660069bd..a21f427e8 100644 --- a/apparmor.d/groups/grub/grub-mount +++ b/apparmor.d/groups/grub/grub-mount @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d900ec2f6..9cc94f9c1 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{sbin}/grub-install rPx, + @{bin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @@ -24,13 +24,14 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rPx, - @{lib}/terminfo/x/xterm-256color r, + /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - @{efi}/grub/grub.cfg rw, + /boot/grub/grub.cfg rw, + owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mounts r, /dev/disk/by-id/ r, diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img index 676b16f1b..885384b6d 100644 --- a/apparmor.d/groups/grub/grub-ntldr-img 
+++ b/apparmor.d/groups/grub/grub-ntldr-img @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index c767d2f02..f0bbf8e41 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -3,40 +3,53 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-probe +@{exec_path} = @{bin}/grub-probe profile grub-probe @{exec_path} { include include include - capability dac_read_search, capability sys_admin, @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx, - @{sbin}/lvm rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, / r, - @{efi}/ r, - @{efi}/grub/ r, - @{efi}/grub/themes/{,**} r, + /boot/ r, + /boot/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, - /dev/**/ r, - /dev/mapper/control w, - - deny mqueue (read, getattr) type=posix /, + /dev/*vg*/ r, + /dev/bsg/ r, + /dev/bus/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/cpu/ r, + /dev/cpu/@{int}/ r, + /dev/dma_heap/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, + /dev/input/ r, + /dev/input/by-id/ r, + /dev/input/by-path/ r, + /dev/mapper/control rw, + /dev/mqueue/ r, + /dev/shm/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, include if exists } diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 310b416bf..236a46241 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-reboot +@{exec_path} = @{bin}/grub-reboot profile grub-reboot @{exec_path} { include include 
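Review bot: Replacing `/dev/**/ r` in grub-probe with an enumerated list of `/dev` subdirectories makes the profile host-specific: `/dev/*vg*/ r` matches only LVM volume groups whose name contains `vg`, and any directory present on another machine but absent from this list (there is no `/dev/disk/` or `/dev/md/` entry, for instance) will be denied when grub-probe walks `/dev`, so the list will keep drifting. The trailing slash means `/dev/**/ r` granted directory listing only, not device access, so keeping it — or at least `/dev/*/ r` in place of `/dev/*vg*/ r` — is the safer generic form, with a comment if the enumeration is intentional. `/dev/mapper/control rw` also widens the previous `w`; a comment naming the operation that needs the read side would justify it.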
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label index 5d7c4cfe0..005823ffa 100644 --- a/apparmor.d/groups/grub/grub-render-label +++ b/apparmor.d/groups/grub/grub-render-label @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 9961a778e..9cb595834 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - @{efi}/grub/grub* rw, + /boot/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 9e3c96464..729ff11d9 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grub-set-default +@{exec_path} = @{bin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 6ece8a60b..7f830dc33 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -2,16 +2,14 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include - include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg index 584e33268..581ab262b 100644 --- a/apparmor.d/groups/grub/grub-syslinux2cfg 
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index d4460a3cf..e74f72349 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-grub +@{exec_path} = @{bin}/update-grub{2,} profile update-grub @{exec_path} { include include @@ -14,9 +14,8 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + @{sh_path} rix, + @{bin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 32136d710..0b35916b0 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,12 +12,12 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 017a66e84..66681c8af 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor 
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,17 +12,17 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=goa-daemon), + peer=(name=:*, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index ece97e688..5b21c3a6b 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,12 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index fd3b38012..dfdf41113 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,12 +15,12 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 80f7f86a9..57e6cf476 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include + include include include include 
@@ -29,13 +30,13 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @@ -52,8 +53,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/**/ r, @{HOME}/**/ r, - owner @{MOUNTS}/autorun.inf r, - owner @{desktop_config_dirs}/dconf/user r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index e3e3edfae..710abbba1 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,33 +13,28 @@ profile gvfsd @{exec_path} { include include - signal receive set=usr1 peer=pacman, - #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker - # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), - # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, - @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -48,17 +43,6 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - profile pkexec { - include - include - - ptrace read peer=gvfsd, - - @{lib}/{,gvfs/}gvfsd-admin rPx, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 5a1fd1c82..34e4cdfd6 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin 
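Review bot: With `@{bin}/pkexec rCx -> pkexec,` and the `pkexec` child profile removed, gvfsd can no longer launch gvfsd-admin through pkexec at all — the exec is denied rather than confined — so the admin backend stops working under this profile. If that is deliberate, a comment at the former location such as `# pkexec -> gvfsd-admin intentionally not allowed` would document it; otherwise the `rCx` rule and the child profile need to come back. Separately, the surviving context line `@{lib}/{,gvfs/}gvfsd-* rpx` uses lower-case `p`, which skips environment scrubbing on the transition; confirm that is intended for backends started on behalf of a session user, or switch it to `rPx`.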
@@ -3,45 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include - include - include - include - include - include - include - - capability chown, - capability dac_override, - capability dac_read_search, - capability fowner, - capability setuid, - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - #aa:lint ignore=too-wide - # Full access to system's data, but no write access to sensitive system directories - / r, - /*/ r, - /*/** rw, - deny @{sys}/** w, - deny @{PROC}/** w, - deny @{efi}/** w, - deny /dev/** w, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index da231f469..6054f50b8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index db6fe5a48..1ea7c14b8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp 
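Review bot: The new gvfsd-admin profile keeps only the base include and `@{exec_path} mr,`, removing every capability (`chown`, `dac_override`, `dac_read_search`, `fowner`, `setuid`), the D-Bus rules and all filesystem access, yet the daemon exists to perform privileged file operations for the session; in enforce mode it will be unable to do anything and in complain mode the log will fill with denials. If the intent is that gvfsd-admin is no longer reachable (the gvfsd hunk in this diff also drops the pkexec transition), say so in a comment and consider not shipping the profile at all; otherwise the privileged rules need to return, ideally narrower than the old `/*/** rw` plus `deny` carve-outs.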
@@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index a39e25785..8baf49101 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 68b1e7765..4c860fe45 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive 
@@ -3,27 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include - include - include - include - include include include - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 09062241a..4063141d4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 356f8dcd3..dc69cea53 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 667b448c4..b1479d780 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -3,26 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include - include - include - include - include - - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index b335724cb..bb86dd7db 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include - include - include - include - include include include include @@ -28,13 +24,6 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index aad9de3a0..b07cd070b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,19 +12,25 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include - include - include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-network), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 3b36fc4f1..47b58d639 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include - include - include - include include include include @@ -24,13 +20,6 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index f67068f49..9cd6b77ca 100644 
--- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,46 +11,52 @@ include profile gvfsd-fuse @{exec_path} { include include - include - include - include + include include - capability sys_admin, - mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterFuse + peer=(name=:*, label=gvfsd), - dbus receive bus=session + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, - owner @{run}/user/@{uid}/gvfsd-fuse/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, - @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, profile fusermount { include - include + include - capability setuid, + capability dac_read_search, + capability sys_admin, # To mount anything mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), + @{bin}/fusermount{,3} mr, + + /etc/fuse{,3}.conf r, + /etc/machine-id r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 819e84c39..b6aa722e7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google 
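Review bot: The `fusermount` child profile gains `capability dac_read_search,` with no comment explaining why, while the neighbouring `capability sys_admin,` is covered by the existing `# To mount anything`; dac_read_search bypasses directory read/search permission checks, so a one-line rationale such as `capability dac_read_search, # fusermount resolves the mountpoint regardless of its mode — confirm against the denial` would help the next audit. Moving `capability sys_admin` and the `mount fstype={fuse,fuse.*}` rule out of the parent profile and into the child is a clear tightening. The same hunk drops `capability setuid,` from the child; fusermount is normally a setuid-root helper that drops privileges after mounting, so it is worth confirming on the CI run that no setuid denial is logged before the rule is removed for good.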
@@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 0544000c0..731bdd204 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -3,24 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2678bde40..a2d02063c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,8 @@ include profile gvfsd-http @{exec_path} { include include - include - include - include include - # include + include include include include 
@@ -26,16 +23,20 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, - unix type=stream peer=(label=gnome-shell), - unix type=stream peer=(label=gnome-extension-gsconnect), - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index d1af3c60c..da0a21386 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -3,16 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include - include - include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 8565856d9..6237715a8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,6 @@ include profile gvfsd-metadata @{exec_path} { include include - include - include - include include network netlink raw, 
@@ -21,12 +18,11 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 8d5ad78c5..d8ea92d1f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include - include - include - include include include include @@ -23,18 +19,10 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - owner @{HOME}/ r, - owner @{HOME}/** rw, - owner @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 7874686bc..8fc843290 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,22 +11,39 @@ include profile gvfsd-network @{exec_path} { include include - include - include - include include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-dnssd), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index aae859d73..0a2ab4d1c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs 
@@ -3,30 +3,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include - include - include - include - include include network inet stream, network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ca59d75cd..ab2ea4677 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,27 +11,33 @@ include profile gvfsd-recent @{exec_path} { include include - include - include - include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} r, - owner @{MOUNTS}/{,**} r, + owner @{HOME}/{,**} rw, + owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @@ -40,7 +46,7 @@ profile gvfsd-recent @{exec_path} { owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 862ef88aa..05c8a2bbf 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp 
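Review bot: `owner @{HOME}/{,**} rw,` and `owner @{MOUNTS}/{,**} rw,` widen gvfsd-recent from read-only to read-write over the entire home directory and every mount, and the `# Full access to user's data` comment above them no longer says which recent:// operation needs write (presumably deleting or moving the underlying entries — TODO confirm from the denial that motivated this). If only specific paths are written, a narrower rule would keep the backend read-only elsewhere; otherwise record the reason in the comment, e.g. `# Full access to user's data (rw: recent:// deletes/moves the underlying files)`. The new `RegisterMount`/`Mount`/`Spawned` dbus rules look consistent with the other gvfsd backends in this series.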
@@ -3,36 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include - include - include - include - include include include include - include - - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 9d99a43af..4eb770986 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -3,17 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include - include - include - include - include include include @@ -23,13 +19,6 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 66099563e..3882e6f1c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,11 +11,8 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include - include - include + include include - include include network netlink raw, @@ -25,15 +22,21 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 070c41a84..d65edb691 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,6 @@ include profile gvfsd-trash @{exec_path} { include include - include - include - include include include include 
@@ -23,12 +20,31 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label="{gnome-shell,nautilus}"), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4ea39c7d0..b2ff47c91 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
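Review bot: `peer=(name=:*, label="{gnome-shell,nautilus}")` is the only dbus peer label in this series written with quotes; every other new rule, including `peer=(name=:*, label=gvfsd)` in the same hunk, is unquoted, so either the quotes are required by the parser for brace alternation (then a short comment saying so would stop someone "fixing" it) or the unquoted `label={gnome-shell,nautilus}` should be used for consistency — confirm with the parser. The `GetConnection` receive rule admits two callers here whereas the corresponding rule in gvfsd-network (`@@ -11,22 +11,39 @@`) admits only gnome-control-center; a one-line comment naming which UI action each caller performs would make the two rule sets easier to audit together.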
@@ -2,40 +2,23 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include - include - include - include - include - include - include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - @{bin}/env mr, + @{bin}/env r, @{bin}/wsdd rPx, - @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprctl b/apparmor.d/groups/hyprland/hyprctl deleted file mode 100644 index 96440098e..000000000 --- a/apparmor.d/groups/hyprland/hyprctl +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hyprctl -profile hyprctl @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor - diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland deleted file mode 100644 index cd3270e49..000000000 --- a/apparmor.d/groups/hyprland/hyprland +++ /dev/null 
@@ -1,76 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/Hyprland -profile hyprland @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - capability sys_ptrace, - - network netlink raw, - - signal send, - - ptrace read, - - @{exec_path} mr, - - /usr/share/hypr{,land}/{,*} r, - /usr/share/libinput/{,*} r, - - owner @{user_cache_dirs}/hyprland/{,**} rw, - owner @{user_config_dirs}/hypr/** r, - owner @{user_share_dirs}/hyprpm/** mr, - owner @{user_share_dirs}/hyprland/** rw, - - owner @{run}/user/@{uid}/gamescope-* rw, - owner @{run}/user/@{uid}/.hyprpaper_* rw, - owner @{run}/user/@{uid}/.hyprpicker_* rw, - owner @{run}/user/@{uid}/hypr/{,**} rw, - owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{run}/systemd/sessions/@{int} r, - - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
- @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - - @{sys}/bus/ r, - @{sys}/class/input/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/**/uevent r, - - owner @{PROC}/@{pid}/environ r, - - @{att}/dev/dri/card@{int} rw, - @{att}/dev/input/event@{int} rw, - - /dev/input/event@{int} rw, - /dev/tty r, - owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor - diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock deleted file mode 100644 index fab1c2a2e..000000000 --- a/apparmor.d/groups/hyprland/hyprlock +++ /dev/null @@ -1,37 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hyprlock -profile hyprlock @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{etc_ro}/security/faillock.conf r, - /etc/shells r, - - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, - owner @{user_pictures_dirs}/** r, - - owner @{user_config_dirs}/hypr/hyprlock.conf r, - - owner @{run}/faillock/@{user} rwk, - - owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper deleted file mode 100644 index 6d0674d9f..000000000 --- a/apparmor.d/groups/hyprland/hyprpaper +++ /dev/null 
@@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hyprpaper -profile hyprpaper @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mr, - - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, - - owner @{user_config_dirs}/hypr/hyprpaper.conf r, - - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/.hyprpaper* rw, - owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w, - owner @{run}/user/@{uid}/hyprpaper.lock rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker deleted file mode 100644 index 7becc5fb6..000000000 --- a/apparmor.d/groups/hyprland/hyprpicker +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hyprpicker -profile hyprpicker @{exec_path} { - include - include - - @{exec_path} mr, - @{bin}/wl-copy Px, - - owner @{run}/user/@{uid}/.hyprpicker* rw, - owner /dev/shm/wlroots-@{rand6} r, - owner /dev/shm/@{uuid} r, - - owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor - diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm deleted file mode 100644 index 149128b1e..000000000 --- a/apparmor.d/groups/hyprland/hyprpm +++ /dev/null 
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/hyprpm -profile hyprpm @{exec_path} { - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mr, - - @{bin}/** rix, - @{lib}/gcc/** rix, - @{lib}/git-core/** rix, - - /usr/include/** r, - /usr/share/git-core/** r, - /usr/share/pkgconfig/** r, - - owner @{HOME}/.gitconfig r, - - owner @{user_share_dirs}/hyprpm/{,**} rw, - - /tmp/hyprpm/** rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/hyprland/pypr b/apparmor.d/groups/hyprland/pypr deleted file mode 100644 index 2f489e055..000000000 --- a/apparmor.d/groups/hyprland/pypr +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pypr -profile pypr @{exec_path} flags=(attach_disconnected) { - include - include - include - - signal send set=(term kill), - - ptrace read, - - @{exec_path} mr, - - owner @{user_config_dirs}/hypr/pyprland.toml r, - - owner @{run}/user/@{uid}/hypr/*/.pyprland.sock rw, - - owner /dev/tty@{int} rw, # file_inherit - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index b5e1b4ae8..972173e61 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include - include - include include include include 
@@ -25,20 +22,15 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, - #aa:dbus own bus=session name=org.kde.discover.notifier - - #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd - @{exec_path} mr, @{bin}/apt-config rPx, - @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - /usr/share/flatpak/remotes.d/{,**} r, + /usr/share/knotifications{5,6}/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, @@ -47,11 +39,11 @@ profile DiscoverNotifier @{exec_path} { /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, - /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ rw, - owner @{user_cache_dirs}/appstream/** rw, + owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/** r, owner @{user_cache_dirs}/flatpak/{,**} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/@{int} rw, owner @{user_config_dirs}/breezerc r, @@ -61,9 +53,7 @@ profile DiscoverNotifier @{exec_path} { owner @{user_share_dirs}/flatpak/{,**} rw, - owner @{tmp}/ostree-gpg-@{rand6}/ rw, - owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, - owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, + owner @{tmp}/ostree-gpg-*/ rw, /dev/tty r, @@ -77,8 +67,8 @@ profile DiscoverNotifier @{exec_path} { @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{run}/user/@{uid}/gnupg/ w, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 29447e22a..0fdfa3919 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
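Review bot: In hunk `@@ -61,9 +53,7 @@` the temp-directory rules are loosened from `@{tmp}/ostree-gpg-@{rand6}/` to `@{tmp}/ostree-gpg-*/`, and hunk `@@ -77,8 +67,8 @@` does the same inside the gpg child profile; `*` matches any suffix, so the rule now covers any directory the process can create under that prefix, whereas the mkdtemp-style name the old rule encoded is exactly six characters. If the wildcard is needed because the suffix is not always six characters, a comment saying so would stop the next reviewer tightening it back; otherwise `@{rand6}` should be kept. The link target in the child profile, `rwkl -> /tmp/ostree-gpg-*/**`, still hard-codes `/tmp` while the source side uses `@{tmp}`; if `@{tmp}` can expand to something other than `/tmp` the link rule will not match, and the target should read `-> @{tmp}/ostree-gpg-*/**`.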
@@ -12,7 +12,7 @@ profile baloo @{exec_path} { include include include - include + include include include include @@ -25,33 +25,23 @@ profile baloo @{exec_path} { @{lib}/{,kf6/}baloo_file_extractor rix, /usr/share/poppler/{,**} r, + /usr/share/desktop-base/kf5-settings/baloofilerc r, /etc/fstab r, /etc/machine-id r, + /etc/xdg/baloofilerc r, # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, owner @{tmp}/*/{,**} r, - owner @{user_cache_dirs}/kcrash-metadata/ w, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/mount/utab r, - - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 33660a776..1b5d79492 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include - include include include include 
@@ -20,17 +18,43 @@ profile baloorunner @{exec_path} { @{bin}/* rPx, - # Allow to search user files - owner @{HOME}/{,**} r, - owner @{MOUNTS}/{,**} r, - owner @{tmp}/*/{,**} r, + /etc/xdg/baloofilerc r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/baloofilerc r, owner @{user_share_dirs}/baloo/{,**} rwk, /tmp/ r, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/*/devices/ r, 
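Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` puts a comma inside the character class, which the glob treats as a literal member, so the class matches `0`, `,`, `8` and `9` rather than just the three digits; the intended rule is `@{run}/udev/data/c18[089]:@{int} r,  # USB devices & USB serial converters`. The effect is only an unreachable extra match, but it also differs from the `c@{int}` / `c@{dynamic}` style used on the neighbouring lines. Replacing the former `+*:*` and `c@{int}:@{int}` catch-alls with an explicit list is a clear tightening; a short comment on the unexplained entries (`+bluetooth`, `+i2c`, `+leds`, `+rfkill`) in the same style as the others would complete the list.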
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 022c0beec..bb5ab9fe5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,45 +16,32 @@ profile dolphin @{exec_path} { include include include - include include include include include - include network netlink raw, - signal send set=hup peer=@{p_systemd}, - signal send set=term peer=kioworker, - - ptrace read peer=@{p_systemd}, - ptrace read peer=okular, + signal (send) set=(term) peer=kioworker, @{exec_path} mr, - @{lib}/libheif/ r, - @{lib}/libheif/*.so* mr, - @{bin}/ldd rix, - @{bin}/lsb_release rPx, - @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, - #aa:exec kioworker /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, - /usr/share/misc/termcap r, - /usr/share/thumbnailers/{,**} r, /etc/fstab r, - /etc/exports r, /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -70,7 +57,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
@@ -78,46 +65,33 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, + owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, - owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, - owner @{user_config_dirs}/knfsshare.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, - owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - - owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, - - @{run}/issue r, @{run}/mount/utab r, - owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/#@{int} rw, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner 
@{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty rw, + /dev/tty r, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index e04180ff4..602b087bb 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi profile drkonqi @{exec_path} { include - include include network inet stream, @@ -23,36 +22,13 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - @{bin}/plasmashell r, - @{bin}/lsb_release rPx, - /usr/share/drkonqi/{,**} r, + /usr/share/knotifications{5,6}/*.notifyrc r, - /etc/machine-id r, - - / r, - - owner @{user_cache_dirs}/drkonqi/ rw, - owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, - owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/drkonqirc r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/remote/ r, - /dev/tty r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index 199dd9c8f..fe2fd0566 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
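Review bot: `owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,` grants link permission without a target, whereas the neighbouring `dolphinrc` and `UserFeedback.org.kde.dolphin.conf` rules in the same hunk pin the link target to the `#@{int}` temp file. If the file is written with the same temp-file-then-link pattern, the tighter form is `owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk -> @{user_share_dirs}/#@{int},` (with an `owner @{user_share_dirs}/#@{int} rw,` rule if none exists). The narrowing of `/dev/tty` to `r` at the end of the hunk is fine.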
@@ -14,8 +14,7 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, - owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index 359352383..bfe6ec108 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include - include include capability dac_override, @@ -25,9 +24,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@*.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index dbca9fcf5..c1a63931e 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -2,15 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include - include + include include include 
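Review bot: In drkonqi-coredump-processor, `/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal r,` (and the `user-@{uid}@…` line below it) drops the trailing `*` of the old pattern, so journal files that journald has renamed with a `~` suffix after an unclean shutdown no longer match. If the processor has to read those recovered files, `…journal{,~} r` keeps them allowed while still avoiding the open `*`; if it never does, the tighter rule is the right call and only the comment of this note applies. The profile continues outside the hunk.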
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 1fdb4b920..fb6a01c8a 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -2,31 +2,30 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kaccess profile kaccess @{exec_path} { include - include - include include include include - #aa:dbus own bus=session name=org.kde.kaccess - #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld - @{exec_path} mr, @{bin}/gsettings rPx, - /etc/machine-id r, + /usr/share/icons/{,**} r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{user_share_dirs}/mime/generic-icons r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..b51d72a91 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include - include include include include @@ -19,9 +18,6 @@ profile kactivitymanagerd @{exec_path} { include include - #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager - #aa:dbus own bus=session name=org.kde.runners.activities - @{exec_path} mr, /etc/xdg/menus/{,*/} r, 
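Review bot: Removing `#aa:dbus own bus=session name=org.kde.kaccess` (and the `talk` directive under it) deletes the generated `dbus bind`/`receive` rules for a name the binary still claims at runtime; unless one of the remaining includes, whose names are not visible on this page, grants a broader session-bus rule set, kaccess will be denied owning its name. If the intent is to keep fine-grained D-Bus mediation, keep the directive. The same directive removal appears in kactivitymanagerd on this line and in kauth-backlighthelper, kauth-chargethresholdhelper, kauth-discretegpuhelper, kcminit, kde-powerdevil, kded, kglobalacceld and kioworker further down this diff.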
@@ -33,15 +29,21 @@ profile kactivitymanagerd @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk, owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/libreoffice/**.xcu r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, + owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index e9ae78457..daf880cf9 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -20,12 +20,14 @@ profile kalendarac @{exec_path} { /usr/share/akonadi/firstrun/{,*} r, /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + /usr/share/knotifications{5,6}/{,**} r, /etc/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, - owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, 
@@ -34,11 +36,6 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/kalendaracstaterc rw, - owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, - owner @{user_state_dirs}/kalendaracstaterc.lock rwk, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index cc844ce17..0098d81c0 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,22 +16,20 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, - #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper - @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw, + @{sys}/devices/@{pci}/intel_backlight/type r, /dev/tty r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 119b5508d..29dfe216b 100644 
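Review bot: `@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw,` grants write on `max_brightness`, while the `backlight/**` and `drm/card@{int}/**` rules rewritten in the same hunk make `max_brightness` read-only. The sysfs attribute is exposed by the kernel as read-only and the helper only needs to read it, so split the rule into `@{sys}/devices/@{pci}/intel_backlight/max_brightness r,` and `@{sys}/devices/@{pci}/intel_backlight/brightness rw,`. The removed D-Bus `own` directive is covered by the note at the kaccess hunk.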
--- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -2,25 +2,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include - include include - include - - #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper - #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/power_supply/** r, @{sys}/devices/**/power_supply/** r, include if exists diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 8fcec5a2c..98e6614b8 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -2,19 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include - include - include include - #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper - @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst index d05975eac..3a9c21b7b 100644 --- a/apparmor.d/groups/kde/kauth-fontinst +++ b/apparmor.d/groups/kde/kauth-fontinst @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 2e60e6a0a..fa1345d74 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper 
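Review bot: The added `@{sys}/devices/@{pci}/power_supply/** r,` is already matched by the unchanged `@{sys}/devices/**/power_supply/** r,` on the next line, because `**` spans directory separators; the new line is redundant. Either drop it or, if the intent was to narrow access, replace the `**` rule with it rather than keeping both. The removed D-Bus directives here and in kauth-discretegpuhelper are covered by the note at the kaccess hunk.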
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,18 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart - dbus receive bus=system path=/ - interface=org.kde.kf5auth - member=performAction - peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded), + peer=(name=org.freedesktop.DBus, label=kded5), @{exec_path} mr, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index afecd8d53..a172c3404 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca5 similarity index 58% rename from apparmor.d/groups/kde/kbuildsycoca rename to apparmor.d/groups/kde/kbuildsycoca5 index db3aed9dc..5bd97e1ac 100644 --- a/apparmor.d/groups/kde/kbuildsycoca +++ b/apparmor.d/groups/kde/kbuildsycoca5 
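Review bot: In kauth-kded-smart-helper, `peer=(name=org.freedesktop.DBus, label=kded5)` names a profile label that does not exist in this diff: the daemon is declared as `profile kded @{exec_path}` with `@{exec_path} = @{bin}/kded5 @{bin}/kded6`, and kded's own `kf5auth` rules later in this diff peer with `label=kauth-kded-smart-helper` from a profile labelled `kded`. Unless a separate `kded5` profile exists outside this page, the `remoteSignal` send will be denied; keep `label=kded`. With the explicit `receive … member=performAction` rule removed, the receive side now rests on `#aa:dbus own bus=system name=org.kde.kded.smart` generating it — confirm the generator covers `performAction` from a `kded`-labelled peer.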
@@ -3,21 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kbuildsycoca{,5} -profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/kbuildsycoca5 +profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { include include include @{exec_path} mr, + owner @{user_cache_dirs}/ksycoca5_* rw, + owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int}, + /dev/tty r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 59f60c285..95fdd6e63 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,9 @@ include profile kcminit @{exec_path} { include include - include + include include - #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit - @{exec_path} mr, @{bin}/xrdb rPx, @@ -28,8 +26,6 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, - owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, - owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 6a01748fd..bcab6d31b 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile kconf_update @{exec_path} { include include include - include + include include include include 
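Review bot: In kbuildsycoca5, the pair `owner @{user_cache_dirs}/ksycoca5_* rw,` and `owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},` is the long form of the file-rule shorthand used everywhere else in this group, including kded's `@{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},` further down this diff. For consistency write `owner @{user_cache_dirs}/ksycoca5_* rwl -> @{user_cache_dirs}/#@{int},`, adding `k` if the cache is locked the way kded's rule implies. The `#@{int}` temp file itself needs an `rw` rule that is not visible in this hunk; confirm it exists in the profile.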
@@ -24,35 +24,68 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/qtpaths rix, @{bin}/sed rix, @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, - @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/*rc r, - /etc/xdg/ui/*rc r, + /etc/xdg/konsolerc r, + /etc/xdg/ui/ui_standards.rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{HOME}/.gtkrc-@{version} w, + owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/*rc.lock rwk, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/akregatorrc.lock rwk, + owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/dolphinrc.lock rwk, + owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, + owner @{user_config_dirs}/kactivitymanagerd-statsrc rw, + owner @{user_config_dirs}/kateschemarc.lock rwk, + owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kcminputrc.lock rwk, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kconf_updaterc.lock rwk, + owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, + owner 
@{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/khotkeysrc.lock rwk, + owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kmixrc.lock rwk, + owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/krunnerrc.lock rwk, + owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/krunnerstaterc.lock rwk, + owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, + owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksmserverrc.lock rwk, + owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc.lock rwk, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrulesrc.lock rwk, + owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kxkbrc.lock rwk, + owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw, + owner @{user_config_dirs}/plasmashellrc r, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, - owner @{user_config_dirs}/kcmfonts.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7d6daeda6..960747c21 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
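Review bot: The twenty-odd `owner @{user_config_dirs}/<name>rc.lock rwk,` / `<name>rc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},` pairs that replace the three `*rc` wildcards could be a single brace alternation per permission set, e.g. `owner @{user_config_dirs}/{akregatorrc,dolphinrc,kateschemarc,…}.lock rwk,`, which keeps the explicit allow-list while making the next addition a one-word change. `owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,` and `owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,` are the only new entries without the lock/temp-file pattern; if KConfig writes them the same way, they will need it too. The profile's rules continue outside the hunk.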
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,47 +10,32 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include - include - include - include - include - include include include include include - include capability wake_alarm, network netlink raw, - #aa:dbus own bus=system name=org.freedesktop.Policy.Power - #aa:dbus own bus=system name=org.kde.kf5auth path=/ - - #aa:dbus own bus=session name=local.org_kde_powerdevil - #aa:dbus own bus=session name=org.freedesktop.PowerManagement - #aa:dbus own bus=session name=org.kde.Solid.PowerManagement - - #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" - @{exec_path} mrix, @{sh_path} rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, - @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, + /usr/share/knotifications{5,6}/*.notifyrc r, + /etc/fstab r, /etc/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ddcutil/* r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, @@ -60,13 +45,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - - @{run}/mount/utab r, + @{run}/systemd/inhibit/*.ref rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, 
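Review bot: `@{run}/systemd/inhibit/*.ref rw,` widens the old `@{int}.ref` to any name and drops the `@{att}/` prefix even though the profile carries `flags=(attach_disconnected mediate_deleted)` (visible in the hunk header). Keep `@{int}.ref` unless non-numeric ref names have been observed, and if the inhibitor fd arrives from logind as a disconnected path — presumably why the prefix was there — the denial will reappear without `@{att}/`. The D-Bus directive removals in the hunk above are covered by the note at the kaccess hunk.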
@@ -74,25 +56,20 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/class/i2c-dev/ r, @{sys}/class/usbmisc/ r, @{sys}/devices/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, - @{sys}/devices/@{pci}/drm/card@{int}/**/*_id r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, - @{sys}/devices/@{pci}/drm/card@{int}/**/name r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/devices/@{pci}/i2c-*/**/dev r, + @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-*/name r, - @{sys}/devices/platform/**/i2c-*/**/name r, - @{sys}/devices/platform/*/i2c-*/name r, + @{sys}/devices/i2c-@{int}/name r, + @{sys}/devices/platform/**/i2c-@{int}/**/name r, + @{sys}/devices/platform/*/i2c-@{int}/name r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition index efec3a8a6..8f368ef73 100644 --- a/apparmor.d/groups/kde/kde-systemd-start-condition +++ b/apparmor.d/groups/kde/kde-systemd-start-condition 
@@ -2,20 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kde-systemd-start-condition profile kde-systemd-start-condition @{exec_path} { include - include @{exec_path} mr, - owner @{user_config_dirs}/kalendaracrc r, - owner @{user_config_dirs}/kgpgrc r, - owner @{user_config_dirs}/kmixrc r, + /etc/xdg/baloofilerc r, + /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r, + + owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/konquerorrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 678c64e71..6fc974030 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -2,171 +2,144 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include - include #aa:only apt include - include include - include - include - include - include + include include include - include + include + include include - include + include include include - include include capability sys_ptrace, network inet dgram, - network inet stream, network inet6 dgram, - network inet6 stream, - network netlink dgram, network netlink raw, + network netlink dgram, - ptrace read, + ptrace (read), - signal send set=hup peer=xsettingsd, - signal send set=term peer=kioworker, - - # Owned by KDE + signal (send) set=hup peer=xsettingsd, #aa:dbus own bus=system name=com.redhat.NewPrinterNotification - - #aa:dbus own bus=session name=org.gtk.Settings - #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier - #aa:dbus own bus=session name=org.kde.GtkConfig - #aa:dbus own bus=session name=org.kde.kappmenu - #aa:dbus own bus=session name=org.kde.kcookiejar5 - #aa:dbus own bus=session name=org.kde.kded5 - #aa:dbus own bus=session name=org.kde.keyboard - #aa:dbus own bus=session name=org.kde.KeyboardLayouts - #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement - #aa:dbus own bus=session name=org.kde.plasmashell.accentColor - #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher - #aa:dbus own bus=session name=org.kde.Wacom - #aa:dbus own bus=session name=org.kubuntu.NotificationHelper - #aa:dbus own bus=session name=org.kubuntu.restrictedInstall - - # Talk with KDE - #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" - dbus receive bus=system path=/ 
interface=org.kde.kf5auth member=remoteSignal - peer=(name=@{busname}, label=kauth-kded-smart-helper), + peer=(name=:*, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, - @{python_path} rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/flatpak rPx, @{bin}/kcminit rPx, - @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, + @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, - @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, - @{lib}/{,@{multiarch}/}utempter/utempter rPx, + #aa:exec utempter #aa:exec kconf_update /usr/share/color-schemes/{,**} r, - /usr/share/distro-info/{,**} r, - /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, + /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, - /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, + /etc/xdg/kcminputrc r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, - /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, / r, - @{efi}/ r, - owner /var/lib/update-manager/meta-release-lts rw, - - owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, - owner @{HOME}/.var/ w, - owner @{HOME}/.var/app/ w, - owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, - owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, - owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, - @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/#@{int} rw, + owner 
@{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, - owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/*rc.lock rwk, + owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, + owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, + owner @{user_config_dirs}/gtkrc{,*} rwlk, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kconf_updaterc rw, + owner @{user_config_dirs}/kconf_updaterc.lock rwk, + owner @{user_config_dirs}/kdebugrc r, + owner @{user_config_dirs}/kded{5,6}rc.lock rwk, + owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, + owner @{user_config_dirs}/kdeglobals.lock rwk, + owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl, + owner @{user_config_dirs}/khotkeysrc.lock rwk, + owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/ksmserverrc r, + owner @{user_config_dirs}/ktimezonedrc.lock rwk, + owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/kwinrc.lock rwk, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kxkbrc r, owner 
@{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/plasma* r, + owner @{user_config_dirs}/networkmanagement.notifyrc r, + owner @{user_config_dirs}/plasma-nm r, + owner @{user_config_dirs}/plasma-welcomerc r, + owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, - owner @{user_share_dirs}/user-places.xbel r, - - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @@ -178,18 +151,12 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, - @{sys}/class/leds/ r, - - @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b259:@{int} r, # Block Extended Major - @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/fd/info/@{int} r, @{PROC}/sys/fs/inotify/max_user_{instances,watches} r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
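Review bot: In kded, `owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl,` and `owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl,` grant link permission without a target, while the adjacent `khotkeysrc`, `kioslaverc`, `ktimezonedrc` and `kwinrc` rules added in the same hunk pin it to `@{user_config_dirs}/#@{int}`; append `-> @{user_config_dirs}/#@{int}` to both for the same least-privilege shape. `owner @{user_config_dirs}/gtkrc{,*} rwlk,` is equivalent to `gtkrc* rwlk`, and the simpler glob reads better. Replacing `@{busname}` with `:*` in the two `kf5auth` peer rules is a further style point: the variable exists for exactly this pattern and keeps a raw glob out of the peer name. The profile continues outside the hunk.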
@@ -201,6 +168,8 @@ profile kded @{exec_path} { include include + @{PROC}/tty/drivers r, + include if exists } diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..85ff38d65 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -2,18 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel - @{exec_path} mr, @{bin}/kstart rPx, @@ -23,11 +20,8 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, - owner @{user_config_dirs}/khotkeysrc r, - - @{PROC}/sys/kernel/random/boot_id r, + owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, /dev/tty r, diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner index dc1b28dcc..fa3f494c7 100644 --- a/apparmor.d/groups/kde/kio_http_cache_cleaner +++ b/apparmor.d/groups/kde/kio_http_cache_cleaner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 571581059..7462d6c5b 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,16 +10,19 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include - include include include include - include network netlink raw, @{exec_path} mr, + /usr/share/icons/breeze/index.theme r, + /usr/share/mime/{,**} r, + + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 0fc81a764..6dd771859 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include - include include include include @@ -27,13 +26,10 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal receive set=term peer=dolphin, - signal receive set=term peer=firefox-kmozillahelper, - signal receive set=term peer=plasma-discover, - signal receive set=term peer=plasmashell, - signal receive set=term peer=xdg-desktop-portal-kde, - - #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + signal (receive) set=term peer=dolphin, + signal (receive) set=term peer=firefox-kmozillahelper, + signal (receive) set=term peer=plasma-discover, + signal (receive) set=term peer=plasmashell, @{exec_path} mr, 
@@ -41,15 +37,13 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/{,**} r, + /usr/share/kio_desktop/directory.desktop r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, - /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, @@ -60,8 +54,6 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, - @{sbin}/ r, - @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @@ -71,7 +63,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, @@ -80,7 +72,9 @@ profile kioworker @{exec_path} { owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int}, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/* rwl, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_config_dirs}/kio_httprc r, owner @{user_config_dirs}/menus/{,**} r, @@ -97,9 +91,7 @@ profile kioworker @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, - owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 446d8a08d..054731148 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include include 
@@ -21,25 +22,16 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), - #aa:dbus own bus=session name=org.kde.konsole-@{int} - @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, - @{lib}/libheif/ r, - @{lib}/libheif/** mr, - @{lib}/{,@{multiarch}/}utempter/utempter rPx, - - # Some CLI program can be launched directly from KDE - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, + #aa:exec utempter /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, + /usr/share/knotifications{5,6}/konsole.notifyrc r, + /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/konsole/{,**} r, /usr/share/sounds/** r, 
@@ -50,38 +42,28 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kbookmarkrc r, - owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc rwl, - owner @{user_config_dirs}/konsolerc.@{rand6} rwl, - owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/konsolestaterc rw, - owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, - owner @{user_state_dirs}/konsolestaterc.lock rwk, - owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, - - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index 8ad9c4b5b..fc14b9536 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig 
@@ -2,14 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/kreadconfig{,5} +@{exec_path} = @{bin}/kreadconfig5 profile kreadconfig @{exec_path} { include - include capability dac_read_search, @@ -17,8 +16,14 @@ profile kreadconfig @{exec_path} { @{exec_path} mr, + /usr/share/icu/@{int}.@{int}/*.dat r, + + /etc/xdg/kdeglobals r, /etc/xdg/kioslaverc r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdeglobals r, + include if exists } diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index e44ee1f83..94890bacc 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include - include include - #aa:dbus own bus=session name=org.kde.KScreen - #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil - @{exec_path} mr, /dev/tty r, diff --git a/apparmor.d/groups/kde/kscreen_osd_service b/apparmor.d/groups/kde/kscreen_osd_service index 8bff3306f..cafd59a67 100644 --- a/apparmor.d/groups/kde/kscreen_osd_service +++ b/apparmor.d/groups/kde/kscreen_osd_service @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 192d3f957..1884414a9 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,24 +13,24 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include + include + include include include include include include include - include network netlink raw, - ptrace read peer=ksmserver, - signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, + unix (send,receive) type=stream peer=(label="ksmserver",addr=none), + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -41,7 +41,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{sbin}/unix_chkpwd rPx, + @{bin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, @@ -51,13 +51,12 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - @{etc_ro}/environment r, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, - @{etc_ro}/security/*.conf r, + /{usr/,}etc/environment r, + /{usr/,}etc/login.defs r, + /{usr/,}etc/login.defs.d/ r, + /{usr/,}etc/security/*.conf r, /etc/fstab r, /etc/machine-id r, - /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, @@ -71,11 +70,10 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kscreenlocker_greet/ w, owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk, - owner @{user_cache_dirs}/ksvg-elements rw, - owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, - owner @{user_cache_dirs}/ksvg-elements.lock rwlk, + owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements-default_v* r, 
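Review bot: In the `@@ -51,13 +51,12 @@` hunk, `/{usr/,}etc/login.defs.d/ r,` grants only the directory itself, whereas the rule it replaces, `@{etc_ro}/login.defs.d/{,*} r,`, also covered the files inside it; if the login/PAM stack reads drop-in files there, the new side will deny them. The sibling rules on the same new side (`login.defs`, `security/*.conf`) keep their file-level reads, so this looks like an unintended narrowing rather than a policy decision. Suggested line: `/{usr/,}etc/login.defs.d/{,*} r,`. The enclosing profile block starts and ends outside the hunk.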
@@ -85,10 +83,8 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kscreenlockerrc.lock rwk, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, @@ -101,11 +97,9 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 09a228e29..08db56872 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,24 +11,16 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include - include include include include include - signal send set=(usr1,term) peer=kscreenlocker_greet, + signal (send) set=(usr1,term) peer=kscreenlocker-greet, ptrace (read) peer=kbuildsycoca5, - #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer - #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer - #aa:dbus own bus=session name=org.kde.screensaver - - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld - #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), @{exec_path} mr, 
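Review bot: The peer label `kscreenlocker-greet` in `signal (send) set=(usr1,term) peer=kscreenlocker-greet,` and `unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none),` does not match the profile name, which is spelled `kscreenlocker_greet` (underscore) everywhere else in this patch, including the `#aa:exec kscreenlocker_greet` line in the next hunk of this file. Peer labels are matched against the profile name as written, so both rules would never match and the signal and socket traffic from ksmserver to the greeter would be denied. The greeter's side in this patch uses `peer=(label="ksmserver",addr=none)`, which only pairs up if this side uses the underscore name too. Proposed lines: `signal (send) set=(usr1,term) peer=kscreenlocker_greet,` and `unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none),`. The profile block continues outside the hunk.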
@@ -39,7 +31,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:exec drkonqi #aa:exec kscreenlocker_greet + @{user_bin_dirs}/** rPUx, + /usr/share/color-schemes/{,**} r, + /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/{,**} r, @@ -51,27 +46,25 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/@{rand6} rw, owner @{HOME}/.Xauthority rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, + owner @{user_config_dirs}/menus/ r, + # owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, - owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, - owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, - owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, - owner @{tmp}/@{rand6} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 711da6e9d..44d7f6e2a 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter 
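Review bot: `@{user_bin_dirs}/** rPUx,` lets ksmserver execute anything under the user's writable bin directories and fall back to unconfined whenever no profile exists, which is a broad grant for a session manager. If this is needed for restoring user programs at login, a comment stating that requirement next to the rule, e.g. `# ksmserver restores user-installed programs on session restore`, would document why the unconfined fallback is acceptable; otherwise a narrower exec mode or path set would be preferable. The profile block starts and ends outside the hunk.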
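Review bot: In the `@@ -51,27 +46,25 @@` hunk, the new line `# owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw,` leaves a disabled rule in the profile with no explanation; either remove it or prefix it with a one-line reason for keeping it commented out. Separately, `@{run}/systemd/inhibit/[0-9]*.ref rw,` drops the `@{att}/` prefix although the hunk header shows the profile still carries `attach_disconnected`; if the inhibit fd is ever seen through a disconnected path this rule would no longer match, so please confirm that was intended. The profile block continues outside the hunk.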
@@ -3,28 +3,22 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { include - include - include include include + include include include include include - #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt - - #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown - #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland - @{exec_path} mr, @{lib}/os-release r, @@ -60,6 +54,7 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, + owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 770625988..463aec245 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -2,34 +2,28 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include include include include - ptrace read peer=startplasma, - - #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash - @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, - /etc/xdg/plasmarc r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, owner @{user_cache_dirs}/ksplash/** rwlk -> @{user_cache_dirs}/ksplash/**, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 04d084d0c..6aefc1d43 100644 --- a/apparmor.d/groups/kde/kstart 
+++ b/apparmor.d/groups/kde/kstart @@ -3,13 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 0a685d8e5..5005dde31 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,17 +11,14 @@ include profile kwalletd @{exec_path} { include include - include include include include + include include include include - #aa:dbus own bus=session name=org.freedesktop.secrets - #aa:dbus own bus=session name=org.kde.kwalletd5 - @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, @@ -33,6 +30,8 @@ profile kwalletd @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kwalletrc r, @@ -42,8 +41,6 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, - owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index 5ffcafd4f..b1ca562cc 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -29,6 +29,7 @@ profile kwalletmanager @{exec_path} { /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kwalletmanager5rc rw, owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int}, @@ -36,11 +37,15 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, + owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/cmdline r, + /dev/shm/ r, /dev/shm/#@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 224835ac2..7bed8beca 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -2,16 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include - include include include include 
@@ -21,38 +19,25 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_nice, capability sys_ptrace, + ptrace (read), + + signal (receive) set=term peer=sddm, + signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, + signal (send) set=(kill, term) peer=xwayland, + network netlink raw, - ptrace read, - - signal receive set=term peer=sddm, - signal receive set=(kill, term) peer=kwin_wayland_wrapper, - signal send set=(kill, term) peer=xwayland, - - unix type=stream peer=(label=xkbcomp), - unix type=stream peer=(label=xwayland), - - #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel - #aa:dbus own bus=session name=org.kde.KWin - #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect - #aa:dbus own bus=session name=org.kde.screensaver - - #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd - @{exec_path} mr, - /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, - /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, - /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, + /usr/share/desktop-base/kf5-settings/{,**} r, /usr/share/desktop-directories/*.directory r, /usr/share/kglobalaccel/{,**} r, + /usr/share/knotifications{5,6}/ksmserver.notifyrc r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, - /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -60,7 +45,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/plasma/desktoptheme/** r, /etc/pipewire/client.conf.d/ r, - /etc/xdg/** r, + /etc/xdg/kscreenlockerrc r, + /etc/xdg/menus/{,applications.menu} r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/plasmarc r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
@@ -83,7 +71,11 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int}, owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/ksvg-elements r, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -93,10 +85,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, 
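Review bot: The added `owner @{user_cache_dirs}/ksycoca{5,6}_* r,` is fully subsumed by the next added line `owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},`, so the `r`-only line is a duplicate and should be dropped. The block also appears to lose its alphabetical order on the new side, with `ksvg-elements` now sitting between `#@{int}` and `icon-cache.kcache`; moving the new `icon-cache.kcache` line above `ksvg-elements` restores it. The profile block starts and ends outside the hunk.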
@@ -104,36 +96,29 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/menus/** r, + owner @{user_config_dirs}/menus/{,applications-merged/} r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/* r, + owner @{user_config_dirs}/session/* r, owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/input/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for ACPI @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID subsystem @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+serio:* r, # for touchpad + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* 
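Review bot: `@{run}/udev/data/+platform:* r, # for ?` replaces an explanatory comment with a placeholder, leaving the reader without the reason for reading platform-device udev data; the sibling rules in the same block each carry a short purpose comment, so this one should too, e.g. `@{run}/udev/data/+platform:* r, # for onboard (platform bus) devices`. The `+usb:*` rule likewise loses its comment entirely and deserves one such as `# for USB devices`. Also, `@{run}/systemd/inhibit/*.ref rw,` widens the previous `@{int}.ref` match; if the inhibit refs are always numeric, `[0-9]*.ref` (the form used for ksmserver elsewhere in this patch) keeps the tighter match. The profile block continues outside the hunk.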
@@ -142,58 +127,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, - @{att}/dev/input/event@{int} rw, - @{att}/dev/dri/card@{int} rw, - + /dev/input/event@{int} rw, /dev/tty r, /dev/tty@{int} rw, - profile at-spi { - include - include - - @{sh_path} r, - @{bin}/busctl rix, - @{bin}/sed rix, - @{bin}/xprop rPx, - - /etc/xdg/Xwayland-session.d/00-at-spi r, - - /home/ r, - owner @{HOME}/ r, - - include if exists - } - - profile pulseaudio { - include - include - - @{sh_path} rix, - @{bin}/pactl Px, - - /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, - - owner @{HOME}/ r, - - include if exists - } - - profile ibus { - include - include - - @{sh_path} r, - @{lib}/{,ibus/}ibus-x11 rPx, - - /etc/xdg/Xwayland-session.d/10-ibus-x11 r, - - /home/ r, - owner @{HOME}/ r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index a7ce4c2fe..f28106373 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -2,21 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include - include include include signal (send) set=(term, kill) peer=kwin_wayland, - #aa:dbus own bus=session name=org.kde.KWinWrapper - @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8cc233ff2..f53e9803b 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -2,20 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include include include - include network inet dgram, network inet6 dgram, 
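Review bot: `@{att}/dev/dri/card@{int} rw,` is removed without a replacement, while the neighbouring `@{att}/dev/input/event@{int} rw,` is rewritten as `/dev/input/event@{int} rw,`; unless an included abstraction already grants the DRM device, the compositor would lose access to it, so please confirm where `/dev/dri/card*` is now covered. If it is not, add `/dev/dri/card@{int} rw,` next to the input rule. The three sub-profiles removed here (at-spi, pulseaudio, ibus) correspond to the `Cx` transitions removed in an earlier hunk of this file, so that part is consistent.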
@@ -23,51 +21,41 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.kde.KWin - #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect - - #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld - @{exec_path} mrix, @{sh_path} rix, - @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi - /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, - /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, + /etc/xdg/kcminputrc r, /etc/xdg/plasmarc r, owner @{user_cache_dirs}/ r, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, - owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/{,**} rwl, + owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasma-svgelements.lock rwk, - owner @{user_cache_dirs}/plasmarc r, owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kaccessrc r, - owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kwinoutputconfig.json rw, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_config_dirs}/plasmarc r, - - owner @{user_share_dirs}/kwin/scripts/ r, - + owner @{user_config_dirs}/session/#@{int} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/kwin.@{rand6} rwl, 
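Review bot: The two new session rules `owner @{user_config_dirs}/session/kwin_* rwk,` and `owner @{user_config_dirs}/session/#@{int} rw,` are separated by the unrelated `plasmarc` line; grouping them together, and keeping the block sorted as the surrounding lines are, makes the profile easier to audit. Also, the `kwin_*` rule carries no `l` permission or link target, whereas the `#@{int}` temp-file pattern used elsewhere in this patch pairs the target file with `rwl -> .../#@{int}`; if the session file is written through a temp file and link, the final link step would be denied, so `owner @{user_config_dirs}/session/kwin_* rwlk -> @{user_config_dirs}/session/#@{int},` may be needed. The profile block starts and ends outside the hunk.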
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index a2ffad26f..d732ee0f7 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,51 +11,28 @@ include profile okular @{exec_path} { include include - include include - include include include - include include include include - network netlink raw, - - ptrace read peer=@{p_systemd}, - - signal send set=term peer=kioworker, - @{exec_path} mr, @{bin}/ps2pdf rPUx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgcon rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{open_path} rPx -> child-open, - #aa:exec kioworker /usr/share/color-schemes/{,**} r, /usr/share/okular/{,**} r, /usr/share/poppler/{,**} r, - /etc/fstab r, - /etc/xdg/dolphinrc r, - - / r, - @{MOUNTS}/ r, - - owner @{user_cache_dirs}/okular/{,**} rw, - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, 
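Review bot: In the `@@ -11,51 +11,28 @@` hunk, `@{bin}/gpgcon rCx -> gpg,` misspells the binary; the rule it replaces and the other profiles in this patch (plasma-discover, kwalletd) use `@{bin}/gpgconf`, so as written the transition rule never matches and an exec of gpgconf from okular falls through to the default deny. The same typo is repeated in the `gpg` sub-profile in the next hunk of this file, `@{bin}/gpgcon mr,`, which then also fails to map the binary. Proposed lines: `@{bin}/gpgconf rCx -> gpg,` here and `@{bin}/gpgconf mr,` in the sub-profile. The profile block starts and ends outside the hunk.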
@@ -63,39 +40,21 @@ profile okular @{exec_path} { owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_share_dirs}/#@{int} rw, - owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/user-places.xbel r, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, - owner @{user_state_dirs}/okularstaterc.lock rwk, + owner @{user_cache_dirs}/okular/{,**} rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, - owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, - - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, profile gpg { include - include @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, + @{bin}/gpgcon mr, @{bin}/gpgsm mr, - owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/gnupg/ r, diff --git a/apparmor.d/groups/kde/pam_kwallet_init b/apparmor.d/groups/kde/pam_kwallet_init index 764917a1f..b84407863 100644 --- a/apparmor.d/groups/kde/pam_kwallet_init +++ b/apparmor.d/groups/kde/pam_kwallet_init @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index e17d4c5f1..6270df2f7 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host 
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -21,10 +21,19 @@ profile plasma-browser-integration-host @{exec_path} {
 @{exec_path} mr,
+ /etc/xdg/menus/applications-merged/ r,
+ /usr/share/kservices{5,6}/{,**} r,
+ /etc/xdg/menus/ r,
 /etc/xdg/taskmanagerrulesrc r,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/ksycoca{5,6}_* r,
+
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/menus/applications-merged/ r,
+ owner @{user_share_dirs}/kservices{5,6}/ r,
 owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,
diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover
index 1247d0fdf..5d0884026 100644
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -29,7 +29,7 @@ profile plasma-discover @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{bin}/kreadconfig{,5} rPx,
+ @{bin}/kreadconfig5 rPx,
 @{bin}/gpg rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
@@ -38,6 +38,7 @@ profile plasma-discover @{exec_path} {
 #aa:exec kio_http_cache_cleaner
 #aa:exec kioworker
+ /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r,
 /usr/share/knsrcfiles/{,*} r,
 /usr/share/kservices{5,6}/{,*} r,
 /usr/share/kservicetypes5/{,*} r,
@@ -64,6 +65,7 @@ profile plasma-discover @{exec_path} {
 owner @{user_cache_dirs}/appstream/*.xb rw,
 owner @{user_cache_dirs}/discover/{,**} rwlk,
 owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kio_http/ w,
 owner @{user_config_dirs}/ r,
@@ -84,8 +86,8 @@ profile plasma-discover @{exec_path} {
 owner @{tmp}/*.kwinscript rwl -> /tmp/#@{int},
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/discover-@{rand6}/{,**} rw,
- owner @{tmp}/ostree-gpg-@{rand6}/ rw,
- owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
+ owner @{tmp}/ostree-gpg-*/ rw,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 owner @{run}/user/@{uid}/.flatpak-cache rw,
 owner @{run}/user/@{uid}/.flatpak/{,**} rw,
@@ -106,8 +108,8 @@ profile plasma-discover @{exec_path} {
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner @{tmp}/ostree-gpg-@{rand6}/ r,
- owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
+ owner @{tmp}/ostree-gpg-*/ r,
+ owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 include if exists
 }
diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier
index ba00660fc..3862706a9 100644
--- a/apparmor.d/groups/kde/plasma-emojier
+++ b/apparmor.d/groups/kde/plasma-emojier
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session
index 5d3812594..6082b579e 100644
--- a/apparmor.d/groups/kde/plasma_session
+++ b/apparmor.d/groups/kde/plasma_session
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -33,10 +33,15 @@ profile plasma_session @{exec_path} {
 #aa:exec polkit-kde-authentication-agent
 /usr/share/kservices{5,6}/{,**} r,
+ /usr/share/knotifications{5,6}/{,**} r,
 /etc/xdg/autostart/ r,
 /etc/xdg/autostart/*.desktop r,
+ /etc/xdg/menus/ r,
+ owner @{user_cache_dirs}/ksycoca{5,6}_* r,
+
+ owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/kdedefaults/ksplashrc r,
 owner @{user_config_dirs}/plasma-welcomerc r,
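Review bot: `+ owner @{tmp}/ostree-gpg-*/ rw,` and the rule below it replace the `@{rand6}` suffix with `*`, which matches any suffix rather than the six-character mktemp pattern; `*` does not cross `/`, so it is still a single path component, but it is the wider rule. If the old pattern was too narrow for what ostree actually creates, a short comment saying so would help; otherwise `@{rand6}` is the tighter choice. The same widening is made in the gpg child profile hunk (`@@ -106,8 +108,8 @@`).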
diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname
index d32122a8a..c987a4759 100644
--- a/apparmor.d/groups/kde/plasma_waitforname
+++ b/apparmor.d/groups/kde/plasma_waitforname
@@ -2,16 +2,14 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/plasma_waitforname
 profile plasma_waitforname @{exec_path} {
 include
- include
 include
- include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell
index 600d1be48..e4cde431b 100644
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,9 +13,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 include
 include
 include
- include
 include
- include
+ include
 include
 include
 include
@@ -28,9 +27,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 include
 include
 include
- include
- userns,
+ # userns,
 capability sys_ptrace,
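Review bot: `+ # userns,` comments the rule out with no explanation; on kernels that restrict unprivileged user namespaces, a confined process needs an explicit `userns` rule to create one, so this is a behaviour change rather than a cleanup. If the permission is meant to go, delete the line and say so in the commit message; if it is temporary, keep the reason on the line, e.g. `# userns,  # disabled: <state the reason here>`. The rest of profile plasmashell lies outside this hunk.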
@@ -41,26 +39,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 network netlink dgram,
 network netlink raw,
- ptrace read,
+ ptrace (read),
- signal send,
-
- #aa:dbus own bus=session name=com.canonical.Unity
- #aa:dbus own bus=session name=org.freedesktop.Notifications
- #aa:dbus own bus=session name=org.kde.JobViewServer
- #aa:dbus own bus=session name=org.kde.klipper
- #aa:dbus own bus=session name=org.kde.kuiserver
- #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell
- #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int}
-
- #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd
- #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded
- #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}"
- #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml
- #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}"
- #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}"
- #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil
- #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded
+ signal (send),
 @{exec_path} mr,
@@ -68,19 +49,19 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{lib}/libheif/{,**} mr,
 @{bin}/dolphin rPx,
- @{bin}/ksysguardd rPUx,
+ @{bin}/ksysguardd rix,
 @{bin}/plasma-discover rPUx,
 @{bin}/xrdb rPx,
 @{lib}/kf{5,6}/kdesu{,d} rix,
 #aa:exec kioworker
- /snap/*/@{uid}/**.@{image_ext} r,
- /usr/share/*/icons/{,**} r,
 /usr/share/akonadi/{,**} r,
+ /usr/share/desktop-base/{,**} r,
 /usr/share/desktop-directories/kf5-*.directory r,
 /usr/share/kf{5,6}/{,**} r,
 /usr/share/kio/servicemenus/{,*.desktop} r,
+ /usr/share/knotifications{5,6}/*.notifyrc r,
 /usr/share/konsole/ r,
 /usr/share/krunner/{,**} r,
 /usr/share/kservices{5,6}/{,**} r,
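Review bot: `+ @{bin}/ksysguardd rix,` runs ksysguardd inside plasmashell's own profile instead of the separate confinement the removed `rPUx` gave it, so it inherits every rule here, including the `capability sys_ptrace,` granted earlier in this profile. If the tree ships a ksysguardd profile, `rPx` (or keeping `rPUx`) preserves that separation; if inheriting is intentional, a comment on the line should say why. Note also that the preceding hunk removes all `#aa:dbus own`/`talk` directives without adding replacement `dbus` rules, so unless an abstraction still covers them, the well-known names plasmashell binds will be denied under D-Bus mediation.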
@@ -89,16 +70,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /usr/share/metainfo/{,**} r,
 /usr/share/plasma/{,**} r,
 /usr/share/plasma5support/** r,
- /usr/share/qalculate/{,**} r,
 /usr/share/rider/{,**} r,
 /usr/share/solid/actions/{,**} r,
 /usr/share/swcatalog/{,**} r,
 /usr/share/templates/{,*.desktop} r,
- /usr/share/thumbnailers/{,*} r,
 /usr/share/wallpapers/{,**} r,
 /etc/appstream.conf r,
 /etc/fstab r,
+ /etc/ksysguarddrc r,
 /etc/machine-id r,
 /etc/os-release r,
 /etc/sensors.d/ r,
@@ -107,15 +87,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 /var/lib/AccountsService/icons/* r,
- @{MOUNTS}/ r,
- @{HOME}/ r,
- owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/.var/app/**.{png,jpg,svg} r,
 owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
- owner @{user_games_dirs}/**.{png,jpg,svg} r,
- owner @{user_music_dirs}/**.{png,jpg,svg} r,
 owner @{user_pictures_dirs}/{,**} r,
 owner @{user_templates_dirs}/ r,
@@ -126,10 +100,12 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_cache_dirs}/appstream/*.xb rw,
 owner @{user_cache_dirs}/bookmarksrunner/ rw,
 owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int},
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
 owner @{user_cache_dirs}/ksvg-elements rw,
 owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
+ owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw,
 owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
@@ -149,18 +125,18 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/akonadi/akonadi*rc r,
 owner @{user_config_dirs}/arkrc r,
 owner @{user_config_dirs}/baloofileinformationrc r,
+ owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/breezerc r,
+ owner @{user_config_dirs}/dolphinrc r,
 owner @{user_config_dirs}/eventviewsrc r,
 owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/kcookiejarrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kdiff3fileitemactionrc r,
- owner @{user_config_dirs}/kiorc r,
 owner @{user_config_dirs}/kioslaverc r,
 owner @{user_config_dirs}/klaunchrc r,
 owner @{user_config_dirs}/klipperrc r,
 owner @{user_config_dirs}/kmail2.notifyrc r,
- owner @{user_config_dirs}/knfsshare r,
 owner @{user_config_dirs}/korganizerrc r,
 owner @{user_config_dirs}/krunnerrc r,
 owner @{user_config_dirs}/ksmserverrc r,
@@ -168,15 +144,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_config_dirs}/menus/{,**} r,
 owner @{user_config_dirs}/networkmanagement.notifyrc r,
 owner @{user_config_dirs}/plasma* rwlk,
+ owner @{user_config_dirs}/trashrc r,
- owner @{user_share_dirs}/*/sessions/ r,
 owner @{user_share_dirs}/#@{int} rw,
 owner @{user_share_dirs}/akonadi/search_db/{,**} r,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
 owner @{user_share_dirs}/kio/servicemenus/{,**} r,
- owner @{user_share_dirs}/klipper/{,**} rwlk,
+ owner @{user_share_dirs}/klipper/{,*} rwl,
 owner @{user_share_dirs}/konsole/ r,
 owner @{user_share_dirs}/kpeople/persondb rwk,
 owner @{user_share_dirs}/kpeoplevcard/ r,
@@ -190,23 +166,15 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 owner @{user_share_dirs}/plasma_icons/*.desktop r,
 owner @{user_share_dirs}/plasma/{,**} r,
 owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**,
- owner @{user_share_dirs}/qalculate/{,**} r,
 owner @{user_share_dirs}/user-places.xbel{,*} rwl,
 owner @{user_share_dirs}/wallpapers/{,**} rw,
- owner @{user_state_dirs}/#@{int} rw,
- owner @{user_state_dirs}/plasma/* r,
- owner @{user_state_dirs}/plasmashellstaterc rw,
- owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl,
- owner @{user_state_dirs}/plasmashellstaterc.lock rwk,
- /tmp/.mount_nextcl@{rand6}/{,*} r,
 owner @{tmp}/#@{int} rw,
 @{run}/mount/utab r,
 @{run}/user/@{uid}/gvfs/ r,
 owner @{run}/user/@{uid}/#@{int} rw,
- owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
 owner @{run}/user/@{uid}/kdesud_:@{int} w,
 owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@@ -216,17 +184,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
 @{sys}/devices/platform/** r,
 @{sys}/devices/@{pci}/name r,
- @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
- @{sys}/devices/virtual/dmi/id/bios_vendor r,
- @{sys}/devices/virtual/dmi/id/board_vendor r,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/thermal/**/{name,type} r,
 @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r,
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+ @{sys}/devices/virtual/thermal/**/{name,type} r,
 @{PROC}/ r,
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pid}/stat r,
 @{PROC}/cmdline r,
 @{PROC}/diskstats r,
 @{PROC}/loadavg r,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 1b8930f06..8aea34ad4 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
 include
+ include
 include
 include
 include
 include
 include
- include
 include
 capability audit_write,
@@ -40,73 +40,65 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 ptrace (trace) peer=@{profile_name},
 signal (receive) set=(hup) peer=@{p_systemd},
- signal (send) set=(kill, term) peer=labwc,
- signal (send) set=(kill, term) peer=lxqt-session,
 signal (send) set=(kill, term) peer=startplasma,
 signal (send) set=(kill, term) peer=xorg,
 signal (send) set=(kill, term) peer=xsetroot,
 signal (send) set=(term) peer=kwin_wayland,
 signal (send) set=(term) peer=sddm-greeter,
 signal (send) set=(term) peer=startplasma-wayland,
- signal (send) set=(term) peer=startlxqtwayland,
- unix type=stream addr=@@{udbus}/bus/sddm-helper/system,
+ dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=:*, label=kscreenlocker-greet),
- #aa:dbus own bus=system name=org.freedesktop.DisplayManager
+ dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name=:*, label=systemd-logind),
- #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}"
- #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}"
+ dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),
 @{exec_path} mr,
 @{lib}/@{multiarch}/sddm/sddm-helper rix,
 @{lib}/plasma-dbus-run-session-if-needed rix,
 @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,
- @{lib}/{,sddm/}sddm-helper rix,
- @{lib}/{,sddm/}sddm-helper-start-wayland rix,
- @{lib}/{,sddm/}sddm-helper-start-x11user rix,
+ @{lib}/sddm/sddm-helper rix,
+ @{lib}/sddm/sddm-helper-start-wayland rix,
+ @{lib}/sddm/sddm-helper-start-x11user rix,
 @{shells_path} rix,
- @{bin}/{,e}grep rix,
- @{bin}/basename rix,
 @{bin}/cat rix,
- @{bin}/date rix,
- @{bin}/dirname rix,
+ @{bin}/checkproc rix,
 @{bin}/disable-paste rix,
- @{bin}/id rix,
 @{bin}/locale rix,
 @{bin}/manpath rix,
 @{bin}/mktemp rix,
 @{bin}/pidof rix,
 @{bin}/readlink rix,
 @{bin}/realpath rix,
- @{bin}/sed rix,
 @{bin}/tr rix,
 @{bin}/tty rix,
 @{bin}/uname rix,
 @{bin}/xdm r,
 @{bin}/xmodmap rix,
- @{sbin}/checkproc rix,
 @{bin}/dbus-run-session rPx -> dbus-session,
- @{bin}/dbus-update-activation-environment rPx -> dbus-session,
 @{bin}/flatpak rPx,
 @{bin}/gnome-keyring-daemon rPx,
- @{bin}/Hyprland rPx,
- @{bin}/ksecretd rPUx,
 @{bin}/kwalletd{5,6} rPx,
 @{bin}/kwin_wayland rPx,
- @{bin}/labwc rPx,
 @{bin}/sddm-greeter{,-qt6} rPx,
- @{bin}/startlxqt rPx,
- @{bin}/startlxqtwayland rPx,
 @{bin}/startplasma-wayland rPx,
 @{bin}/startplasma-x11 rPx,
 @{bin}/sway rPUx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/xauth rCx -> xauth,
 @{bin}/Xorg rPx,
- @{bin}/xrandr rPx,
 @{bin}/xrdb rPx,
 @{bin}/xset rPx,
 @{bin}/xsetroot rPx,
@@ -114,12 +106,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{etc_ro}/sddm/Xsession rPx,
 @{etc_ro}/X11/xdm/Xsession rPx,
- @{etc_ro}/X11/xdm/Xsetup rix,
+ /usr/etc/X11/xdm/Xsetup rix,
 /usr/share/sddm/scripts/wayland-session rix,
 /usr/share/sddm/scripts/Xsession rix,
 /usr/share/sddm/scripts/Xsetup rix,
 /usr/share/sddm/scripts/Xstop rix,
+ /usr/share/desktop-base/softwaves-theme/login/*.svg r,
 /usr/share/plasma/desktoptheme/** r,
 /usr/share/sddm/faces/.*.icon r,
 /usr/share/sddm/themes/** r,
@@ -129,9 +122,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /etc/X11/xinit/xinitrc.d/{,*} r,
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*.conf} r,
- @{etc_ro}/X11/Xmodmap r,
+ /{usr/,}etc/environment r,
+ /{usr/,}etc/security/limits.d/{,*.conf} r,
+ /{usr/,}etc/X11/Xmodmap r,
 /etc/debuginfod/{,*} r,
 /etc/manpath.config r,
 /etc/default/locale r,
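Review bot: The three `dbus receive`/`dbus send` rules that replace `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` include no `dbus bind` rule, so unless an abstraction still grants it, sddm can no longer claim org.freedesktop.DisplayManager on the system bus under D-Bus mediation. The `dbus send ... peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet)` rule also pairs the bus daemon's name with the greeter's label, which does not describe a single peer, while the receive rules above it use `name=:*`. Adding `dbus bind bus=system name=org.freedesktop.DisplayManager,` next to the receive rules and rechecking that peer spec would restore the old scope. profile sddm continues beyond this hunk.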
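Review bot: `+ /usr/etc/X11/xdm/Xsetup rix,` only matches the `/usr/etc` location, while the replaced `@{etc_ro}` form and the `/{usr/,}etc/...` rules in the following hunk (`@@ -129,9 +122,9 @@`) cover both `/etc` and `/usr/etc`, so a system keeping Xsetup under `/etc/X11/xdm/` is now denied. `/{usr/,}etc/X11/xdm/Xsetup rix,` keeps it consistent with those neighbouring rules.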
@@ -179,13 +172,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/sddm-auth* rw,
- @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
- @{run}/faillock/@{user} rwk,
 @{run}/sddm.pid rw,
 @{run}/sddm/\{@{uuid}\} rw,
 @{run}/sddm/#@{int} rw,
 @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
+ @{run}/systemd/sessions/*.ref rw,
 @{run}/user/@{uid}/xauth_@{rand6} rwl,
 owner @{run}/sddm/ rw,
 owner @{run}/user/@{uid}/ r,
@@ -207,7 +199,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter
index 47383bb75..f249d911e 100644
--- a/apparmor.d/groups/kde/sddm-greeter
+++ b/apparmor.d/groups/kde/sddm-greeter
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -13,33 +13,28 @@ profile sddm-greeter @{exec_path} {
 include
 include
 include
- include
+ include
+ include
 include
 include
 include
 include
 include
- include
 network netlink raw,
- dbus send bus=system path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=ListActivatableNames
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
-
 @{exec_path} mr,
 @{lib}/libheif/ r,
 @{lib}/libheif/*.so* rm,
- /usr/share/endeavouros/backgrounds/** r,
- /usr/share/hunspell/** r,
+ /usr/share/desktop-base/*-theme/login/*.svg r,
 /usr/share/plasma/desktoptheme/** r,
 /usr/share/sddm/{,**} r,
- /usr/share/wallpapers/{,**} r,
 /usr/share/wayland-sessions/{,*.desktop} r,
 /usr/share/xsessions/{,*.desktop} r,
+ /usr/share/wallpapers/{,**} r,
+ /usr/share/hunspell/** r,
 /etc/fstab r,
 /etc/os-release r,
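Review bot: `+ @{run}/systemd/sessions/*.ref rw,` drops the `@{att}` prefix the removed rule carried; this profile runs with `attach_disconnected`, and that prefix appears to be what lets the rule match when the path is seen through a disconnected mount, so it is worth confirming that the unprefixed form still matches before landing this. The `*.ref` glob is also wider than the old `{,@{l}}@{int}.ref`; restoring `@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,` keeps both properties.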
@@ -54,9 +49,8 @@ profile sddm-greeter @{exec_path} {
 owner @{SDDM_HOME}/#@{int} mrw,
 owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**,
- @{HOME}/.face.icon r,
- owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
 owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 0e9290d53..3e566b458 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -25,11 +25,9 @@ profile sddm-xsession @{exec_path} {
 @{bin}/chmod rix,
 @{bin}/csh rix,
 @{bin}/date rix,
- @{bin}/dpkg-query rpx,
 @{bin}/fish rix,
- @{bin}/gettext rix,
 @{bin}/gettext.sh r,
- @{bin}/gpgconf rCx -> gpg,
+ @{bin}/gpgconf rCx -> gpg,
 @{bin}/id rix,
 @{bin}/locale rix,
 @{bin}/locale-check rix,
@@ -42,13 +40,12 @@ profile sddm-xsession @{exec_path} {
 @{bin}/tcsh rix,
 @{bin}/tempfile rix,
 @{bin}/touch rix,
- @{bin}/tr rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which{,.*} rix,
+ @{bin}/zsh rix,
 @{bin}/dbus-update-activation-environment rCx -> dbus,
 @{bin}/flatpak rPx,
 @{bin}/numlockx rPx,
- @{bin}/xbrlapi rPx,
 @{bin}/xhost rPx,
 @{bin}/xrdb rPx,
 /etc/X11/Xsession rPx,
@@ -63,9 +60,7 @@ profile sddm-xsession @{exec_path} {
 @{system_share_dirs}/im-config/data/{,*} r,
 @{system_share_dirs}/im-config/xinputrc.common r,
- @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r,
- /etc/debuginfod/{,**} r,
 /etc/default/{,*} r,
 /etc/X11/{,**} r,
@@ -76,7 +71,7 @@ profile sddm-xsession @{exec_path} {
 owner @{tmp}/xsess-env-* rw,
 owner @{tmp}/file* rw,
- owner @{tmp}/tmp.@{rand10} rw,
+ audit owner @{tmp}/tmp.* rw,
 owner @{PROC}/@{pid}/loginuid r,
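Review bot: `+ audit owner @{tmp}/tmp.* rw,` leaves an `audit` qualifier on an allow rule, which logs every matching access for as long as the profile ships; that reads like a debugging leftover rather than an intentional rule. It also widens `tmp.@{rand10}` to any suffix. Drop the qualifier and prefer `owner @{tmp}/tmp.@{rand10} rw,`, or keep the wildcard with a comment explaining which tool creates the other names.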
@@ -95,16 +90,6 @@ profile sddm-xsession @{exec_path} {
 profile dbus {
 include
- include
-
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=UpdateActivationEnvironment
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
- dbus send bus=session path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=SetEnvironment
- peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
 @{bin}/dbus-update-activation-environment mr,
@@ -138,8 +123,6 @@ profile sddm-xsession @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/task/@{tid}/comm rw,
- owner @{HOME}/.xsession-errors w,
-
 /dev/tty@{int} rw,
 owner /dev/pts/@{int} rw,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index 64e332dc5..e575f3bb2 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -10,25 +10,18 @@ include
 profile startplasma @{exec_path} {
 include
 include
- include
- include
- include
- include
 include
+ include
 signal (receive) set=(hup) peer=@{p_systemd},
 signal (receive) set=(term) peer=sddm,
- #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
- #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml
-
 @{exec_path} mr,
 @{sh_path} rix,
 @{bin}/env rix,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{bin}/kapplymousetheme rPUx,
- @{bin}/kdeinit5_shutdown rPUx,
 @{bin}/ksplashqml rPUx,
 @{bin}/plasma_session rPx,
 @{bin}/xrdb rPx,
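Review bot: The `dbus` child profile loses its `dbus send` rules for `UpdateActivationEnvironment` and `SetEnvironment`, yet `dbus-update-activation-environment` exists only to make those two calls; unless the remaining `include` grants them, they are denied under D-Bus mediation and the session environment is never propagated. If an abstraction does cover them, a comment naming it on the `include` line would make that visible. The child profile's remaining body is outside the hunk.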
@@ -36,26 +29,33 @@ profile startplasma @{exec_path} {
 @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r,
- /usr/share/byobu/desktop/{,**} r,
 /usr/share/color-schemes/{,**} r,
 /usr/share/desktop-directories/{,**} r,
+ /usr/share/knotifications{5,6}/{,**} r,
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/plasma/{,**} r,
+ /etc/locale.alias r,
 /etc/machine-id r,
+ /etc/xdg/kcminputrc r,
 /etc/xdg/menus/{,**} r,
 /etc/xdg/plasma-workspace/env/{,*} r,
- /etc/xdg/plasmarc r,
+
+ /var/lib/flatpak/exports/share/mime/ r,
 @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/#@{int} rwk,
 owner @{user_cache_dirs}/kcrash-metadata/ rw,
 owner @{user_cache_dirs}/plasma-svgelements rw,
+ owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/gtkrc{,*} rwlk,
+ owner @{user_config_dirs}/kcminputrc r,
 owner @{user_config_dirs}/kdedefaults/ rw,
 owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**,
+ owner @{user_config_dirs}/kdeglobals.lock rwk,
+ owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
 owner @{user_config_dirs}/ksplashrc r,
 owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk,
 owner @{user_config_dirs}/menus/{,**} r,
@@ -66,7 +66,6 @@ profile startplasma @{exec_path} {
 owner @{user_config_dirs}/startkderc r,
 owner @{user_config_dirs}/Trolltech.conf.lock rwk,
 owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
- owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int},
 owner @{user_share_dirs}/color-schemes/{,**} r,
 owner @{user_share_dirs}/kservices{5,6}/{,**} r,
@@ -78,7 +77,8 @@ profile startplasma @{exec_path} {
 owner @{run}/user/@{uid}/ r,
- @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/maps r,
 /dev/tty r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings
index 9558a6528..8de52a49c 100644
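Review bot: `+ @{bin}/grep rix,` in the preceding hunk (`@@ -10,25 +10,18 @@`) drops `egrep` from the old `{,e}grep` alternation; if the startplasma scripts still invoke egrep, that exec now has no rule and is denied, so it is worth checking the script before narrowing it. That hunk also removes the two `#aa:dbus talk` directives without replacement `dbus` rules, which raises the same question of whether a remaining abstraction covers those calls. profile startplasma continues beyond this hunk.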
--- a/apparmor.d/groups/kde/systemsettings
+++ b/apparmor.d/groups/kde/systemsettings
@@ -2,141 +2,80 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/systemsettings
 profile systemsettings @{exec_path} {
 include
- include
 include
- include
- include
 include
 include
 include
 include
- include
 network netlink raw,
- signal send set=term peer=kioworker,
-
- #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement
- #aa:dbus own bus=session name=org.kde.systemsettings
-
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/cat rix,
- @{bin}/eglinfo rPUx,
 @{bin}/kcminit rPx,
- @{bin}/lspci rPx,
- @{bin}/openssl rix,
- @{bin}/pactl rPx,
- @{bin}/plasma-discover rPx,
- @{bin}/plasmashell rPx,
- @{bin}/xdpyinfo rPUx,
- @{lib}/qt{5,6}/bin/qdbus rPx,
- #aa:exec kioworker
 /usr/share/kcm_networkmanagement/{,**} r,
- /usr/share/kcm_recentFiles/{,**} r,
 /usr/share/kcmkeys/{,*.kksrc} r,
 /usr/share/kglobalaccel/* r,
 /usr/share/kinfocenter/{,**} r,
- /usr/share/solid/{,**} r,
+ /usr/share/kinfocenter/{,**} r,
 /usr/share/kpackage/{,**} r,
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
- /usr/share/kwin/{,**} r,
 /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r,
 /usr/share/plasma/{,**} r,
 /usr/share/sddm/themes/{,**} r,
+ /usr/share/sddm/themes/{,**} r,
 /usr/share/systemsettings/{,**} r,
- /usr/share/wallpapers/{,**} r,
- /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
- /etc/xdg/plasmanotifyrc r,
+ /etc/xdg/menus/{,applications-merged/} r,
 /etc/xdg/ui/ui_standards.rc r,
 /var/lib/dbus/machine-id r,
- /etc/xdg/* r,
- /var/cache/cracklib/cracklib_dict.* r,
- /var/cache/samba/ rw,
- /var/lib/AccountsService/icons/* r,
- /var/lib/flatpak/repo/{,**} r,
-
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
-
- owner @{user_cache_dirs}/kcrash-metadata/*.ini rw,
- owner @{user_cache_dirs}/kinfocenter/{,**} rwlk,
+ owner @{user_cache_dirs}/#@{int} rw,
+ owner @{user_cache_dirs}/icon-cache.kcache rw,
+ owner @{user_cache_dirs}/kinfocenter/{,**} rwl,
 owner @{user_cache_dirs}/ksvg-elements rw,
 owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int},
 owner @{user_cache_dirs}/ksvg-elements.lock rwlk,
+ owner @{user_cache_dirs}/ksycoca{5,6}_* r,
 owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
- owner @{user_cache_dirs}/plasma-svgelements r,
 owner @{user_cache_dirs}/systemsettings/ rw,
 owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**,
- owner @{user_config_dirs}/{P,p}lasma* r,
- owner @{user_config_dirs}/*rc r,
 owner @{user_config_dirs}/#@{int} rw,
- owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk,
- owner @{user_config_dirs}/emaildefaults r,
+ owner @{user_config_dirs}/khotkeysrc r,
+ owner @{user_config_dirs}/menus/ r,
+ owner @{user_config_dirs}/plasmarc r,
 owner @{user_config_dirs}/kde.org/{,**} rwlk,
- owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
 owner @{user_config_dirs}/kdedefaults/plasmarc r,
 owner @{user_config_dirs}/kinfocenterrc* rwlk,
- owner @{user_config_dirs}/libaccounts-glib/ rw,
- owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
- owner @{user_config_dirs}/session/ rw,
- owner @{user_config_dirs}/session/** rwlk,
 owner @{user_config_dirs}/systemsettingsrc.lock rwk,
 owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
- owner @{user_share_dirs}/baloo/index r,
- owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk,
+ owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r,
+ owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk,
 owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw,
- owner @{user_share_dirs}/kinfocenter/ rw,
- owner @{user_share_dirs}/kinfocenter/** rwlk,
- owner @{user_share_dirs}/knotifications{5,6}/{,**} r,
- owner @{user_share_dirs}/krdpserver/ rw,
- owner @{user_share_dirs}/kservices{5,6}/{,ServiceMenus/} r,
+ owner @{user_share_dirs}/systemsettings/ rw,
 owner @{user_share_dirs}/systemsettings/** rwlk,
- owner @{user_share_dirs}/wallpapers/{,**} r,
-
- owner @{user_state_dirs}/#@{int} rw,
- owner @{user_state_dirs}/systemsettingsstaterc rw,
- owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk,
- owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk,
-
- owner @{run}/user/@{uid}/#@{int} rw,
- owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
-
- @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
 @{sys}/bus/ r,
- @{sys}/bus/acpi/devices/ r,
 @{sys}/bus/cpu/devices/ r,
 @{sys}/class/ r,
- @{sys}/firmware/acpi/pm_profile r,
- @{PROC}/interrupts r,
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- /dev/ r,
- /dev/bus/usb/ r,
- /dev/input/ r,
- /dev/rfkill r,
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter
index 309b9c444..1ff12062f 100644
--- a/apparmor.d/groups/kde/utempter
+++ b/apparmor.d/groups/kde/utempter
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session
index c07b06815..b9e7cf4fc 100644
--- a/apparmor.d/groups/kde/wayland-session
+++ b/apparmor.d/groups/kde/wayland-session
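Review bot: `+ /usr/share/kinfocenter/{,**} r,` and `+ /usr/share/sddm/themes/{,**} r,` duplicate the identical context lines immediately above them, so both additions are redundant and should be dropped. Separately, `+ owner @{user_share_dirs}/kactivitymanagerd/resources/database rk,` removes write on the main database while the `-shm` and `-wal` rules below keep it; a WAL-mode SQLite reader needs write on `-shm` but not on the main file, so this is consistent only if systemsettings never checkpoints, which a short comment on the line should state.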
@@ -2,44 +2,30 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{etc_ro}/sddm/wayland-session
 profile wayland-session @{exec_path} {
 include
- include
 include
 @{exec_path} mr,
- @{shells_path} rix,
- @{bin}/cat ix,
- @{bin}/dpkg-query px,
- @{bin}/gettext ix,
- @{bin}/gettext.sh r,
- @{bin}/id ix,
- @{bin}/locale ix,
- @{bin}/locale-check ix,
- @{bin}/sed ix,
- @{bin}/tr ix,
+ @{shells_path} rix,
+ @{bin}/id rix,
- @{bin}/startplasma-wayland Px,
- @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix,
- @{lib}/plasma-dbus-run-session-if-needed ix,
+ @{lib}/plasma-dbus-run-session-if-needed rix,
+ @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix,
+ @{bin}/startplasma-wayland rPx,
- /usr/share/im-config/{,**} r,
- /usr/share/libdebuginfod-common/debuginfod.sh r,
-
- /etc/debuginfod/{,**} r,
- /etc/default/im-config r,
 /etc/machine-id r,
- /etc/X11/xinit/xinputrc r,
- /etc/X11/Xsession.d/*im-config_launch r,
 owner @{user_share_dirs}/sddm/wayland-session.log rw,
+ /dev/tty rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy
index 5c36f579e..a4474a64a 100644
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@@ -2,19 +2,16 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/xembedsniproxy
 profile xembedsniproxy @{exec_path} {
 include
- include
 include
- include
 include
 include
- include
 @{exec_path} mr,
@@ -23,8 +20,6 @@ profile xembedsniproxy @{exec_path} {
 owner @{tmp}/xauth_@{rand6} r,
- owner @{run}/user/@{uid}/iceauth_@{rand6} r,
- @{run}/user/@{uid}/xauth_@{rand6} rl,
 include if exists
diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd
index 1adbf1d9f..7e422a3d0 100644
--- a/apparmor.d/groups/kde/xsettingsd
+++ b/apparmor.d/groups/kde/xsettingsd
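Review bot: The removed `ix` rules for `cat`, `gettext`, `locale`, `locale-check`, `sed` and `tr` and the `dpkg-query px` transition get no replacement; `wayland-session` is a shell script (`@{shells_path} rix`), and any of those it still calls is now denied on exec. Confirm against the current script before dropping them, or add a comment noting that they are no longer used.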
@@ -2,14 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
 @{exec_path} = @{bin}/xsettingsd
 profile xsettingsd @{exec_path} {
 include
- include
 signal (receive) set=hup peer=kded,
diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge
index 889018a13..0f6aeb48a 100644
--- a/apparmor.d/groups/kde/xwaylandvideobridge
+++ b/apparmor.d/groups/kde/xwaylandvideobridge
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about
deleted file mode 100644
index 8f5830453..000000000
--- a/apparmor.d/groups/lxqt/lxqt-about
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/lxqt-about
-profile lxqt-about @{exec_path} {
- include
- include
-
- @{exec_path} mr,
-
- /usr/share/desktop-directories/{,**} r,
-
- /etc/xdg/menus/lxqt-applications.menu r,
-
- owner /tmp/@{int} r,
-
- /dev/tty rw,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations
deleted file mode 100644
index 4232f1c70..000000000
--- a/apparmor.d/groups/lxqt/lxqt-config-file-associations
+++ /dev/null
@@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-file-associations -profile lxqt-config-file-associations @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/mimeapps* rwk, - owner @{user_config_dirs}/lxqt-* rwk, - owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/#@{int} rwk, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale deleted file mode 100644 index c7c868c18..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-locale +++ /dev/null 
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-locale -profile lxqt-config-locale @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/lxqt/* r, - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd deleted file mode 100644 index 63b2eb673..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-notificationd -profile lxqt-config-notificationd @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - /var/lib/dbus/machine-id r, - - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, - owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/#@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement deleted file mode 100644 index 4b96ccb36..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-powermanagement -profile lxqt-config-powermanagement @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer deleted file mode 100644 index f4c38e94d..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-printer +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-printer -profile lxqt-config-printer @{exec_path} { - include - include - - @{exec_path} mr, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd deleted file mode 100644 index a9a75aa90..000000000 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ /dev/null @@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-globalkeysd -profile lxqt-globalkeysd @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - @{bin}/screengrab rPx, - @{bin}/lxqt-config-brightness rPx, - - /usr/share/lxqt/globalkeyshortcuts.conf rw, - - /var/lib/dbus/machine-id r, - - owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, - owner @{user_config_dirs}/lxqt/#@{int} wr, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave deleted file mode 100644 index e76d81f54..000000000 --- a/apparmor.d/groups/lxqt/lxqt-leave +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-leave -profile lxqt-leave @{exec_path} { - include - include - - @{exec_path} mr, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel deleted file mode 100644 index f817be69d..000000000 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ /dev/null 
@@ -1,93 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-panel -profile lxqt-panel @{exec_path} { - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - network packet dgram, - - @{exec_path} mr, - - @{bin}/exo-open rix, - @{lib}/gio-launch-desktop rix, - @{bin}/nm-applet rPx, - @{bin}/nm-connection-editor rPx, - @{bin}/ControlPanel rPx, - - @{bin}/sudo rCx -> root, - - @{lib}/lxqt-panel/*.so mr, # LXQT-Plugins - @{lib}/lxqt-config/*.so mr, # LXQT-Plugins - - /usr/share/desktop-directories/{,**} r, - /usr/share/lxqt/{,**} r, - - /etc/fstab r, - /etc/udev/udev.conf r, - /etc/machine-id r, - /etc/xdg/lxqt-qtxdg.conf r, - /etc/xdg/menus/**.menu r, - /etc/xdg/menus/applications-merged/ r, - /etc/xdg/ui/uistandards.rc r, - - /var/lib/dbus/machine-id r, - - owner @{HOME}/Desktop/*.desktop rw, - owner @{HOME}/Desktop/#@{int} rw, - owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int}, - - owner @{user_config_dirs}/menus/*.menu rw, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/share/desktop-directories/*.directory r, - owner @{user_config_dirs}/share/gvfs-metadata/{,*} r, - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/panel.conf rw, - owner @{user_config_dirs}/lxqt/panel.conf.lock rwk, - owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/pulse/{,**} rwk, - - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, - - 
@{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/net/dev r, - owner @{PROC}/@{pid}/mounts r, - - /dev/tty rw, - /dev/tty@{int} rw, - /dev/pts/@{int} rw, - /dev/snd/controlC@{int} rw, - - profile root { - include - include - - @{bin}/lsblk rPx, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner deleted file mode 100644 index 5783c1fa0..000000000 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-runner -profile lxqt-runner @{exec_path} { - include - include - - @{exec_path} mr, - - /usr/share/desktop-directories/ r, - /usr/share/desktop-directories/{,**} r, - - /etc/xdg/menus/lxqt-applications.menu r, - - owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session deleted file mode 100644 index 910ea7c5f..000000000 --- a/apparmor.d/groups/lxqt/lxqt-session +++ /dev/null 
@@ -1,96 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-session -profile lxqt-session @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network netlink raw, - - signal (send), - signal (receive) set=(kill, term) peer=startlxqt, - signal (receive) set=(kill, term) peer=sddm, - - ptrace (read), - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/sed rix, - @{bin}/readlink rix, - @{bin}/dirname rix, - @{bin}/system-config-printer-applet rPx, - @{bin}/dbus-update-activation-environment rCx -> dbus, - @{bin}/systemctl rCx -> systemctl, - - @{bin}/pavucontrol rPx, - @{lib}/geoclue-2.0/demos/agent rPx, - @{bin}/nm-connection-editor rPx, - @{bin}/nm-applet rPx, - @{bin}/openbox rix, - @{bin}/dconf-editor rPx, - @{bin}/setxkbmap rix, - @{bin}/start-pulseaudio-x11 rPx, - @{bin}/xrdb rPx, - @{bin}/xdg-user-dirs-update rPx, - - /usr/share/ r, - /usr/share/cursors/ r, - /usr/share/backintime/common/* r, - /usr/share/desktop-directories/* r, - /usr/share/system-config-printer/* r, - - /etc/xdg/ r, - /etc/xdg/autostart/ r, - /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/lxqt-* r, - /etc/xdg/openbox/* r, - /etc/udev/udev.conf r, - - owner @{user_config_dirs}/autostart/ r, - owner @{user_config_dirs}/autostart/*.desktop r, - owner @{user_cache_dirs}/openbox/ rw, - owner @{user_cache_dirs}/openbox/sessions/ rw, - owner @{user_cache_dirs}/openbox/openbox.log rwk, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - owner @{user_config_dirs}/openbox/rc.xml r, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - - @{PROC}/ r, - @{PROC}/uptime r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/stat r, - - /dev/tty rw, - - profile systemctl { - include - include - - include if exists - } - profile dbus { - include - include - - 
@{bin}/dbus-update-activation-environment mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt deleted file mode 100644 index 3ae907116..000000000 --- a/apparmor.d/groups/lxqt/startlxqt +++ /dev/null @@ -1,79 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/startlxqt -profile startlxqt @{exec_path} { - include - include - include - include - - signal (receive) set=(term) peer=sddm, - - @{exec_path} mr, - - @{bin}/xrdb rPx, - @{bin}/xsetroot rPx, - @{bin}/xprop rpx, - @{bin}/mkdir rix, - @{sh_path} rix, - @{bin}/lxqt-session rPx, - - @{bin}/systemctl rCx -> systemctl, - @{bin}/dbus-update-activation-environment rCx -> dbus, - - /usr/share/color-schemes/{,**} r, - /usr/share/desktop-directories/{,**} r, - /usr/share/kservices5/{,**} r, - - /etc/machine-id r, - /etc/xdg/menus/{,**} r, - - @{HOME}/ r, - - owner @{user_cache_dirs}/#@{int} rw, - @{user_cache_dirs}/ksycoca5_* rwkl -> @{user_cache_dirs}/#@{int}, - - owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/lxqt/ rw, - owner @{user_config_dirs}/menus/{,**} r, - - owner @{user_share_dirs}/kservices5/{,**} r, - owner @{user_share_dirs}/sddm/wayland-session.log rw, - owner @{user_share_dirs}/sddm/xorg-session.log rw, - - owner /tmp/#@{int} rw, - owner /tmp/startlxqt.@{rand6} rwl -> /tmp/#@{int}, - - owner @{run}/user/@{uid}/ r, - - /dev/tty rw, - /dev/tty@{int} rw, - - include if exists - - profile systemctl flags=(attach_disconnected) { - include - include - - include if exists - } - - profile dbus { - include - - @{bin}/dbus-update-activation-environment mr, - - owner @{HOME}/.xsession-errors w, - - include if exists - } -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 22b94effd..fad5908b4 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ModemManager +@{exec_path} = @{bin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include @@ -14,10 +14,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, - capability sys_admin, network qipcrtr dgram, network netlink raw, @@ -26,20 +25,16 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) - @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+usb:* r, @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, 
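Review bot: Removing `@{run}/udev/data/+serial*:* r` while keeping `@{run}/udev/data/c18[0,8,9]:@{int} r` (USB serial converters) and `@{sys}/class/tty/ r` is inconsistent: ModemManager probes tty ports through their udev properties, so the serial device records it needs are presumably the ones this rule covered — check a profiled run before enforcing. `@{run}/systemd/inhibit/*.ref rw` is wider than the `@{int}.ref` form it replaces; `[0-9]*.ref`, as used in the NetworkManager hunk of this same commit, would keep the two profiles consistent. The explanatory comments on the `+platform`, `+usb` and `n@{int}` rules are stripped although the rules stay; keep them, e.g. `@{run}/udev/data/n@{int} r, # For network interfaces`.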
@@ -48,8 +43,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, + @{sys}/devices/@{pci}/revision r, + @{sys}/devices/virtual/net/*/ r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fca80465d..e5e9b0785 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -2,16 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/NetworkManager +@{exec_path} = @{bin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include 
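Review bot: Narrowing `@{sys}/devices/**/net/*/ r` to `@{sys}/devices/virtual/net/*/ r` excludes the network interfaces of physical (PCI/USB-attached) modems, which live under `@{sys}/devices/@{pci}/…/net/`, so ModemManager will be denied directory reads while enumerating wwan interfaces. The NetworkManager hunk in this same commit keeps `@{sys}/devices/@{pci}/net/*/{,**} r` and `@{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r`; the same two rules would fit here without reverting to the `**` glob.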
@@ -43,58 +43,48 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager - #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant - #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}), + peer=(name=:*), - dbus receive bus=system path=/org/freedesktop + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=bluetoothd), + + dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=gnome-control-center), + peer=(name=:*, label=bluetoothd), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=nm-online), - - dbus send bus=system path=/org/freedesktop/nm_dispatcher - interface=org.freedesktop.nm_dispatcher - member=Action2 - peer=(name=org.freedesktop.nm_dispatcher), - - dbus send bus=system path=/uk/org/thekelleys/dnsmasq - interface=org.freedesktop.NetworkManager.dnsmasq - member=SetServersEx - peer=(name=@{busname}, label=dnsmasq), + dbus send bus=system path=/org/fedoraproject/FirewallD1 + interface=org.fedoraproject.FirewallD1.zone + member={changeZoneOfInterface,removeInterface} + peer=(name=org.freedesktop.DBus, label=firewalld), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name=org.freedesktop.DBus), + member=InterfacesAdded + 
peer=(name=org.freedesktop.DBus, label=nm-online), - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=cockpit-bridge), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, @{sh_path} rix, - @{sbin}/nft rix, + @{bin}/nft rix, - @{sbin}/dnsmasq rPx, + @{bin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{sbin}/resolvconf rPx, - @{bin}/resolvectl rPx, + @{bin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, @@ -104,18 +94,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, - /usr/share/netplan/netplan.script rPx, - - @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/netplan/netplan.script rPx, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, - /usr/share/iproute2/{,**} r, - - /etc/netplan/ r, - /etc/netplan/90-NM-@{uuid}.yaml r, - - @{att}/ r, + / r, /etc/ r, /etc/iproute2/* r, /etc/machine-id r, @@ -123,7 +106,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, - @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, 
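Review bot: The new side removes `#aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant` and nothing else in the hunk grants NetworkManager access to the wpa_supplicant bus name; unless an include outside this hunk covers it, Wi-Fi management will be denied once the profile is enforced. The firewalld rule keeps `label=firewalld` but names the peer `org.freedesktop.DBus`, whereas the talk directive it replaced named `org.fedoraproject.FirewallD1`; confirm against an audit log that the `name=` field matches a call addressed to FirewallD1. The two `bluetoothd` ObjectManager rules are added without explanation; if they are for Bluetooth tethering, a comment like `# Bluetooth PAN/DUN tethering` above them would document the trust relationship.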
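Review bot: `/etc/netplan/ r`, `/etc/netplan/90-NM-@{uuid}.yaml r`, `@{etc_rw}/netplan/90-NM-@{uuid}.yaml w` (next hunk) and `@{lib}/netplan/@{int2}-network-manager-all.yaml w` are removed while `/usr/share/netplan/netplan.script rPx` is kept, so NetworkManager can still launch the netplan script but can no longer write the keyfiles that script consumes on builds with the netplan backend enabled. If this is intentional for a NetworkManager build without that backend, say so in a comment; otherwise the write rules need to stay.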
@@ -136,35 +118,30 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, - - @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/n@{int} r, - @{sys}/devices/@{pci}/net/*/{,**} r, - @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, - @{sys}/devices/**/@{uuid}/net/*/{,**} r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/net/{,**} r, + @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7bcd9efba..e1b039ad8 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dhcpcd +@{exec_path} = @{bin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include 
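Review bot: `@{run}/systemd/inhibit/[0-9]*.ref rw` here versus `@{run}/systemd/inhibit/*.ref rw` in the ModemManager and mullvad-gui hunks of the same commit — pick one form (the `[0-9]*` one is tighter) so the three profiles stay consistent. Dropping `@{run}/systemd/resolve/io.systemd.Resolve rw` removes the varlink socket to systemd-resolved; the `org.freedesktop.resolve1` dbus talk rule is kept, so this only breaks DNS configuration if NetworkManager on the targeted release uses the varlink path — check the audit log before enforcing.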
@@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, network packet raw, - + @{exec_path} mr, @{sh_path} rix, @@ -35,21 +35,26 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, - /usr/share/dhcpcd/{,**} r, + /var/lib/dhcpcd/*.lease{,6} rw, + /var/lib/dhcpcd/secret rw, /etc/dhcpcd.conf r, /etc/resolv.conf rw, - /var/lib/dhcpcd/** rw, + @{run}/dhcpcd/{.pid,pid} rwk, + @{run}/dhcpcd/{.sock,sock} w, + @{run}/dhcpcd/*.pid wk, + @{run}/dhcpcd/*.sock w, + @{run}/dhcpcd/hook-state/ rw, + @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw, + @{run}/dhcpcd/hook-state/resolv.conf/ rw, + @{run}/dhcpcd/unpriv.sock w, - @{run}/dhcpcd/** rwk, - - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 0b5bd090e..3ccafc80a 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index 13edaaf16..a80a4c37a 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
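Review bot: `@{sbin}/resolvconf rPx` is removed but `@{lib}/dhcpcd/dhcpcd-run-hooks rix` stays, and the stock resolv.conf hook invokes resolvconf when it is installed (not visible here — confirm on the target), so the hook would be denied the exec under the dhcpcd profile; `/etc/resolv.conf rw` covers only the direct-write fallback. The replacement of `/var/lib/dhcpcd/** rw` and `@{run}/dhcpcd/** rwk` with explicit lease, secret, pid and socket paths is a good tightening and worth keeping regardless.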
@@ -21,27 +21,21 @@ profile iwd @{exec_path} { network netlink raw, network netlink dgram, network alg seqpacket, - network packet dgram, - @{exec_path} mr, - @{sbin}/resolvconf rPx, + @{exec_path} mr, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, - @{sys}/devices/@{pci}/ieee80211/phy@{int}/* r, + @{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r, @{sys}/devices/@{pci}/modalias r, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index d5c93fc5c..dcdb1738a 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,10 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include - include include capability dac_override, - + capability net_admin, capability fowner, capability fsetid, @@ -30,7 +29,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, + mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, @{exec_path} mr, 
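Review bot: `@{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r` only matches phy0–phy9; the `phy@{int}` form it replaces also covers phy10 and above, which occur after repeated driver reloads or with several adapters, so keep `phy@{int}`. The removal of `network packet dgram` should be checked against a profiled run: if iwd's built-in network configuration is enabled its DHCP client needs packet sockets before the interface has an address, and `@{sbin}/resolvconf rPx` is likewise gone although iwd may still call it to publish DNS servers.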
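Review bot: `mount fstype=cgroup -> /sys/fs/cgroup/net_cls/` hardcodes `/sys` while the same profile uses `@{sys}/fs/cgroup/net_cls/ w` for that directory in the next hunk; keep `@{sys}` in the mount rule so both resolve identically under the tunable, i.e. `mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/,`. The include dropped just above is not visible in the extracted text, so its effect cannot be reviewed here.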
@@ -40,8 +39,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/ rw, - /etc/mullvad-vpn/* r, + /etc/mullvad-vpn/{,*} r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -50,25 +48,21 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/cache/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - - @{run}/NetworkManager/resolv.conf r, + owner @{run}/mullvad-vpn rw, + @{run}/NetworkManager/resolv.conf r, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, - @{sys}/fs/cgroup/system.slice/cpu.max r, - @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, - @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, - @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, /dev/net/tun rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 133e4bc00..7533b107c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui 
@@ -2,13 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = Mullvad?VPN -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} +@{name} = Mullvad*VPN +@{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -24,14 +23,16 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rPx, + @{bin}/gsettings rix, @{open_path} rPx -> child-open-browsers, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{user_cache_dirs}/dconf/user rw, - @{run}/mullvad-vpn rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, + + @{run}/systemd/inhibit/*.ref rw, /dev/tty rw, diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate deleted file mode 100644 index cea17b81c..000000000 --- a/apparmor.d/groups/network/netplan-generate +++ /dev/null 
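Review bot: `@{name} = Mullvad*VPN` is wider than the `Mullvad?VPN` it replaces: the install path is `/opt/Mullvad VPN` (seen in the daemon hunk), so `?` matching exactly the space is the precise form, while `*` also matches `/opt/Mullvad-anything-VPN`, and `@{lib_dirs}`, `@{config_dirs}` and `@{cache_dirs}` all expand from it. Keep `Mullvad?VPN` unless another install layout actually needs the wider glob, in which case add a comment naming it.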
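Review bot: `@{run}/mullvad-vpn rw` is removed from mullvad-gui while the mullvad-daemon hunk in this same commit adds `owner @{run}/mullvad-vpn rw`; the GUI presumably talks to the daemon over that socket, so without the rule (or an include that grants it) the GUI cannot connect. `@{bin}/gsettings rPx` → `rix` now runs gsettings inside the mullvad-gui profile, which is why `owner @{user_cache_dirs}/dconf/user rw` had to be added; the `rPx` transition into gsettings's own profile was the tighter form and should be preferred if that profile exists.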
@@ -1,72 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/netplan/generate -profile netplan-generate @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability chown, - - network netlink raw, - - @{exec_path} mr, - - @{bin}/systemctl rCx -> systemctl, - - /etc/netplan/{,*} r, - - @{run}/NetworkManager/ rw, - @{run}/NetworkManager/conf.d/ rw, - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, - @{run}/NetworkManager/conf.d/netplan.conf rw, - @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, - @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/* rw, - - @{run}/systemd/generator/multi-user.target.wants/ w, - @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, - @{run}/systemd/generator/netplan.stamp w, - @{run}/systemd/generator/network-online.target.wants/ w, - @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, - @{run}/systemd/network/ rw, - @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, - @{run}/systemd/system/ r, - @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, - @{run}/systemd/system/systemd-networkd.service.wants/ rw, - @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, - - @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - - @{run}/netplan/ r, - - @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - - @{sys}/devices/**/net/*/address r, - - profile systemctl { - include - include - - capability net_admin, - - 
@{att}/@{run}/systemd/private rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan.script similarity index 53% rename from apparmor.d/groups/network/netplan rename to apparmor.d/groups/network/netplan.script index a0fad0a93..c9cc3fff7 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan.script @@ -2,22 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan @{exec_path} flags=(attach_disconnected) { +profile netplan.script @{exec_path} flags=(attach_disconnected) { include - include include include - #aa;dbus owb bus=system name=io.netplan.Netplan - @{exec_path} mr, - @{lib}/netplan/generate rPx, + @{lib}/netplan/generate rix, @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, @@ -25,20 +22,25 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/netplan/ r, + @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/NetworkManager/system-connections/ rw, + @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + @{run}/systemd/system/ r, + @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd.service.wants/ rw, + @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + @{run}/udev/rules.d/ r, + @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, profile udevadm { include include - capability net_admin, - - @{att}/@{run}/udev/control rw, - + @{run}/udev/control rw, @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { 
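Review bot: `@{lib}/netplan/generate rix` runs the generator inside the netplan.script profile (with its `attach_disconnected` flag and its udevadm/systemctl child transitions) instead of the dedicated netplan-generate profile this commit deletes; the separate profile was the tighter design, so if it is being folded in, a comment such as `# generate inherits this profile; netplan-generate was merged here` would record that choice. The rename from `netplan` to `netplan.script` also changes the confinement label, so any `peer=(label=netplan)` reference elsewhere would need updating (none is visible in this chunk).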
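Review bot: The rules carried over from the deleted netplan-generate profile are incomplete: `capability chown`, `@{run}/systemd/network/` and `@{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw`, the `@{run}/systemd/generator/**` entries, `@{run}/systemd/system/systemd-networkd-wait-online.service.d/**` and `@{sys}/devices/**/net/*/address r` are not in the new side, so with `generate rix` a `netplan apply` that targets systemd-networkd will be denied when writing its units. Unless a profiled run on the target shows generate no longer touches those paths, re-add them here.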
@@ -47,14 +49,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, - ptrace read peer=@{p_systemd}, - - @{run}/udev/control rw, - - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 8b4d53b1c..361cf8d3b 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,18 +16,16 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_networkd}"), + peer=(name=:*, label=systemd-networkd), @{exec_path} mr, @{bin}/ r, - @{bin}/chronyc rPUx, - @{bin}/ls rix, @{bin}/networkctl rPx, + @{bin}/ls rix, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, - @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix, /etc/networkd-dispatcher/{,**} r, diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper index 7d16292f2..f8d262a44 100644 --- a/apparmor.d/groups/network/nm-daemon-helper +++ b/apparmor.d/groups/network/nm-daemon-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 3e232154e..434dce19f 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper 
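Review bot: The new `peer=(name=:*, label=systemd-networkd)` hard-codes the peer label where the removed line used the project variable `@{p_systemd_networkd}`. If that variable exists so the label can follow the actual name of the systemd-networkd profile (or `unconfined` on hosts where that profile is not loaded), the literal label is stricter and the PropertiesChanged signal will be silently dropped on those hosts. Keep the variable, or add a comment explaining why the literal label is intended here. The `profile networkd-dispatcher` block continues outside this hunk.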
@@ -2,14 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 029a5e39a..9e2904a54 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -4,7 +4,7 @@ # TODO: rethink how the scripts should be managed -abi , +abi , include @@ -26,37 +26,31 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, @{sh_path} rix, + @{bin}/python3.@{int} rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/chown rix, @{bin}/chronyc rPUx, + @{bin}/chown rix, @{bin}/date rix, - @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, + @{bin}/gawk rix, + @{bin}/grep rix, @{bin}/id rix, - @{sbin}/invoke-rc.d rCx -> invoke-rc, - @{bin}/logger rix, + @{bin}/invoke-rc.d rCx -> invoke-rc, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{python_path} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rix, + @{bin}/systemd-cat rPx, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, 
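Review bot: `@{bin}/gawk rix` and `@{bin}/grep rix` replace `@{bin}/{m,g,}awk rix` and `@{bin}/{,e}grep rix`, so dispatcher scripts that call `awk` on a host where it resolves to mawk, or that call `egrep`, will be denied; AppArmor matches the path of the binary actually executed, so `gawk` does not cover `/usr/bin/mawk`. Unless dropping those variants is deliberate, restore the brace forms `@{bin}/{m,g,}awk rix,` and `@{bin}/{,e}grep rix,`. `@{bin}/systemd-cat rPx` also presumes a standalone `systemd-cat` profile is shipped; if it is not, that exec is denied rather than inherited. The profile body continues outside the hunk.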
@@ -106,7 +100,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{sbin}/invoke-rc.d rm, + @{bin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper index c74379698..36fa1ca30 100644 --- a/apparmor.d/groups/network/nm-iface-helper +++ b/apparmor.d/groups/network/nm-iface-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator index 611587547..095347370 100644 --- a/apparmor.d/groups/network/nm-initrd-generator +++ b/apparmor.d/groups/network/nm-initrd-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 710d3115b..159b890d1 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,17 +11,16 @@ profile nm-online @{exec_path} { include include include - include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=@{busname}, label=NetworkManager), - + peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, 
diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog index 87e3e4f40..854614345 100644 --- a/apparmor.d/groups/network/nm-openvpn-auth-dialog +++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 943386f61..d65aa8f1a 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{sbin}/openvpn rPx, + @{bin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper index b2f4ca0e3..130067a76 100644 --- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper +++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-priv-helper b/apparmor.d/groups/network/nm-priv-helper index 13a283c52..e07c9f685 100644 --- a/apparmor.d/groups/network/nm-priv-helper +++ b/apparmor.d/groups/network/nm-priv-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index b4da14960..2345d9d2c 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -2,44 +2,28 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include - include - include capability dac_read_search, capability sys_nice, - #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=@{busname}, label=NetworkManager), - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, - @{pager_path} rPx -> child-pager, - - /etc/netplan/* r, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 2a513b84e..6bf8c168b 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn 
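Review bot: After this hunk the nmcli profile has no visible D-Bus rule left: the `#aa:dbus talk` directive and the three explicit `dbus receive/send ... peer=(label=NetworkManager)` rules are removed, and two `include` lines go with them (their arguments are not visible in this extraction). nmcli does all of its work over the system bus, so unless one of the remaining includes grants `dbus send bus=system ... peer=(label=NetworkManager)`, every call will be denied and logged. Either keep an explicit rule or add a comment naming the abstraction that now provides the bus access. The profile body continues outside the hunk.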
@@ -18,21 +18,26 @@ # If a user wants to type user/pass interactively, systemd-ask-password is # invoked for that. -abi , +abi , include -@{exec_path} = @{sbin}/openvpn +@{exec_path} = @{bin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include - capability dac_override, - capability dac_read_search, - capability net_admin, # create tun - capability setgid, # when user/group are set in a OpenVPN config file + # Needed to remove the following errors: + # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) + # Exiting due to fatal error + capability net_admin, + + # These are needed when user/group are set in a OpenVPN config file capability setuid, - capability sys_module, + capability setgid, + + capability dac_read_search, + capability dac_override, network inet dgram, network inet6 dgram, @@ -54,7 +59,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/openvpn/*.{pid,status} rw, - @{run}/systemd/journal/dev-log r, + @{run}/systemd/journal/dev-log rw, @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @@ -66,8 +71,6 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, - /dev/net/tun rw, - profile update-resolv { include include @@ -82,12 +85,11 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/{,*} r, + /etc/iproute2/rt_tables.d/ r, - include if exists } profile force-user-traffic-via-vpn { @@ -108,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/env rix, @{bin}/ip rix, - @{sbin}/nft rix, + @{bin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, 
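Review bot: `/dev/net/tun rw,` is removed in the `@@ -66,8 +71,6 @@` hunk while the first hunk of this file keeps `capability net_admin,` with a comment saying it is needed for `TUNSETIFF`; that ioctl is issued on an open `/dev/net/tun` descriptor, so without a rule for the device the tunnel cannot be created unless an include not visible here provides it. If an abstraction now covers the device, name it in a comment; otherwise restore `/dev/net/tun rw,`. The `profile openvpn` block starts and ends outside this hunk.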
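Review bot: The update-resolv subprofile loses its `include if exists` hook at the end of the `@@ -82,12 +85,11 @@` hunk, and the hunk at `@@ -119` does the same for force-user-traffic-via-vpn, while the parent profile keeps its own hook in the trailing context; local-override files for these two subprofiles will silently stop being loaded. `/etc/iproute2/rt_tables.d/{,*} r,` is also narrowed to the directory only, so `ip` will be denied reading any table file placed there. Keep `/etc/iproute2/rt_tables.d/{,*} r,` unless that read is known to be unneeded, and keep the local includes for consistency with the parent. The subprofile header lies outside the hunk.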
@@ -119,7 +121,6 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/sys/net/ipv{4,}/route/flush w, - include if exists } include if exists diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 0650470ac..049605f97 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,27 +1,17 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken -# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rpcbind +@{exec_path} = @{bin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include - include - - capability setgid, - capability setuid, @{exec_path} rm, - /etc/netconfig r, - - @{run}/rpcbind.lock rwkl, - @{run}/rpcbind/*.xdr rwkl, - include if exists } diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat deleted file mode 100644 index 25f975d25..000000000 --- a/apparmor.d/groups/network/socat +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Nishit Majithia (nishitm) -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/socat -profile socat @{exec_path} { - include - include - include - include - - capability chown, - capability dac_override, - capability dac_read_search, - capability fsetid, - capability net_admin, - capability net_bind_service, - capability net_raw, - capability sys_admin, - capability sys_module, - capability sys_resource, - - # Allow creation of network sockets and `socat` uses dccp for some - # fuctionalities that is why it is necessary to allow whole `network` - network, - - @{exec_path} mr, - - @{PROC}/@{pid}/fdinfo/@{int} rw, - @{PROC}/@{pid}/stat r, - - /dev/net/tun rw, - /dev/vsock r, # For bi-directional communication between vms and host/hypervisor - - include if exists -} - -# vim:syntax=apparmor 
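Review bot: Removing `capability setgid,` and `capability setuid,` from rpcbind is not a tightening in practice: rpcbind typically starts as root and drops to its service user, which needs exactly these two capabilities. Because the profile is `flags=(complain)` the loss only shows up as audit noise now, but it will break the privilege drop the moment the profile is switched to enforce, which is the opposite of the intended hardening. The same applies to `@{run}/rpcbind.lock rwkl,` and `@{run}/rpcbind/*.xdr rwkl,`, which the daemon uses for its lock and state files. If these were removed because they were never observed, a comment saying so would keep the next reviewer from re-adding them blind.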
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 4e5bba684..5c3b62211 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,6 +27,8 @@ profile tailscale @{exec_path} { owner @{run}/tailscale/tailscaled.sock rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 8162dff1e..121697da6 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,23 +21,35 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability syslog, network inet dgram, - network inet raw, - network inet stream, network inet6 dgram, - network inet6 raw, + network inet stream, network inet6 stream, + network inet raw, + network inet6 raw, network netlink raw, - network packet dgram, ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={FlushCaches,SetLink*} + peer=(name=org.freedesktop.resolve1, label=systemd-resolved), @{exec_path} mr, @{bin}/ip rix, @{bin}/resolvectl rPx, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, @@ -57,6 +69,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { owner @{run}/tailscale/{,**} rw, @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/ r, @{PROC}/@{pid}/mounts r, @@ -79,7 +92,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, - + network netlink raw, /dev/net/tun rw, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 0b0315e33..783fa41fe 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg 
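Review bot: The three explicit `dbus send` rules that replace the `#aa:dbus talk bus=system name=org.freedesktop.resolve1` directive cover only the send direction, and pin the peer to the literal `label=systemd-resolved` where the directive used `@{p_systemd_resolved}`. If the directive expanded to send and receive rules, signals from resolve1 are now denied, and on hosts where systemd-resolved runs under a different label (or unconfined) all three rules stop matching. `member={FlushCaches,SetLink*}` is a reasonable scope, but a comment should say why the directive was expanded by hand so the two forms do not drift apart. The profile body continues outside the hunk.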
@@ -2,28 +2,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wg -profile wg @{exec_path} flags=(attach_disconnected) { +profile wg @{exec_path} { include - include capability net_admin, - capability net_bind_service, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, network netlink raw, @{exec_path} mr, - /etc/wireguard/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 33de68147..1183a4a5b 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -2,18 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wg-quick -profile wg-quick @{exec_path} flags=(attach_disconnected) { +profile wg-quick @{exec_path} { include - include - include - include - capability dac_read_search, capability net_admin, network netlink raw, 
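Review bot: After this hunk the wg profile has no `/etc/wireguard` rule at all, so `wg setconf`/`wg addconf` reading a configuration file there will be denied; the removed `/etc/wireguard/{,**} rw,` was wider than the CLI needs, but dropping it entirely goes too far. A read-only rule such as `/etc/wireguard/*.conf r,` matches what `wg` itself does (it does not write the configuration; `wg-quick save` writes the file from its own profile). The private keys in those files are the sensitive part, so limiting the rule to `r` on `*.conf` is the right scope.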
@@ -23,39 +19,30 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, - @{bin}/mv rix, - @{sbin}/nft rix, + @{bin}/nft rix, @{bin}/readlink rix, - @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, - @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, - @{bin}/sync rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/wg rPx, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/{,**} rw, + /etc/wireguard/*.conf r, @{sys}/module/wireguard r, - @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, - profile sysctl flags=(attach_disconnected) { - include + /dev/tty rw, - @{sbin}/sysctl mr, - - @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, - - include if exists - } + # Force the use as root + deny @{bin}/sudo x, include if exists } diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7539c1c7f..7ef09601c 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,19 +21,19 @@ profile arch-audit @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/arch-audit/settings.toml r, /usr/share/terminfo/** r, /var/lib/pacman/local/{,**} r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, + @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + /dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 38cd95d0a..5a78db048 100644 --- a/apparmor.d/groups/pacman/archlinux-java 
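Review bot: The comment on the new `deny @{bin}/sudo x,` rule, `# Force the use as root`, describes something a deny rule cannot do: it prevents wg-quick from re-executing through sudo, it does not make it run as root. Suggested wording: `# wg-quick is expected to already run as root; never let it escalate through sudo`. In the same hunk `/etc/wireguard/{,**} rw,` becomes `/etc/wireguard/*.conf r,`, which is the right scope for `up`/`down` but will deny `wg-quick save`, which rewrites the interface's `.conf`; if save is meant to work, allow `rw` on `*.conf` rather than the whole tree. `@{bin}/sysctl rix` also drops the sysctl subprofile, so sysctl now inherits all of wg-quick's rules; the one `src_valid_mark w` line it needed was moved into the parent, which is acceptable but worth a comment. The profile header is outside the hunk.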
+++ b/apparmor.d/groups/pacman/archlinux-java @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,14 +14,12 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/basename rix, + @{bin}/bash rix, @{bin}/dirname rix, - @{bin}/find rix, @{bin}/id rix, @{bin}/ln rix, @{bin}/readlink rix, - @{bin}/sort rix, @{bin}/unlink rix, @{lib}/jvm/default w, diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 014073443..708d2b585 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} { /etc/pacman.conf r, /etc/pacman.d/*-mirrorlist r, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**, /etc/pacman.d/mirrorlist r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index df9af9fef..8aba909e4 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,8 +29,8 @@ profile aurpublish @{exec_path} { @{bin}/date rix, @{bin}/gettext rix, @{bin}/git rPx, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/{,e}grep rix, + @{bin}/gpg{,2} rPx, + @{bin}/grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, 
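Review bot: `@{bin}/bash rix` replaces `@{sh_path} rix` in the archlinux-java hunk, hard-coding one interpreter; if the script or a helper it spawns is executed through `/bin/sh`, which resolves to dash on Debian-based hosts, the exec is denied. The same substitution appears in the paccache hunk at `@@ -16,8 +16,8 @@` and in the pacman-hook-dconf hunk at the end of this page. Unless the scripts are known to carry a `#!/bin/bash` shebang, `@{sh_path} rix,` is the safer form. The profile body continues outside the hunk.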
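Review bot: The new rule `/etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,` in archlinux-keyring-wkd-sync drops the `l` permission but keeps the `->` link target, which only has meaning for link rules; depending on the parser version the target may be rejected or silently ignored. As far as I know GnuPG's dotlock implementation creates its lock files with `link()`, so the keyring refresh will probably be denied when it tries to lock the keyring. Either restore `rwlk -> /etc/pacman.d/gnupg/**` or, if links are really not needed, drop the target as well. The profile body lies outside the hunk.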
@@ -47,47 +47,21 @@ profile aurpublish @{exec_path} { /etc/makepkg.conf r, /etc/makepkg.conf.d/{,**} r, - owner @{user_build_dirs}/{,**/} w, - owner @{user_projects_dirs}/** r, + owner @{user_build_dirs}/**/ w, + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw, owner @{user_projects_dirs}/**/.SRCINFO rw, + owner @{user_projects_dirs}/**/PKGBUILD r, - owner @{user_cache_dirs}/makepkg/src/** rw, + owner @{user_cache_dirs}/makepkg/src/* rw, owner @{user_config_dirs}/pacman/makepkg.conf r, - owner /tmp/*/src/ w, owner @{tmp}/tmp.@{rand10} rw, + owner @{PROC}/@{pid}/maps r, + /dev/tty rw, - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpg-agent rix, - @{lib}/{,gnupg/}scdaemon rix, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - owner @{user_cache_dirs}/makepkg/src/*.asc r, - - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/gnupg/ r, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w, - - owner @{tmp}/tmp.@{rand10} rw, - - owner @{PROC}/@{pid}/fd/ r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg deleted file mode 100644 index 84136638c..000000000 --- a/apparmor.d/groups/pacman/makepkg +++ /dev/null 
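Review bot: `owner @{user_projects_dirs}/**/ r,` matches directories only (trailing slash), so apart from the three files listed under it nothing in the project tree is readable any more; aurpublish regenerates `.SRCINFO` through makepkg (`rix` in the earlier hunk), which sources the PKGBUILD and whatever it references (`*.install`, local patches and sources), and those reads will presumably now be denied. The previous `**` was wide but covered that; if least privilege is the goal, list the file classes a PKGBUILD can pull in rather than only directories. Removing the `gpg` subprofile here, together with `rPx` on gpg in the earlier hunk, also means aurpublish can no longer limit gpg to the `makepkg/src/*.asc` reads it had, which is a widening worth a comment. The profile header is outside the hunk.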
@@ -1,104 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/makepkg -profile makepkg @{exec_path} { - include - include - include - include - include - include - include - include - include - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - signal send set=winch peer=pacman, - signal send set=winch peer=pacman//systemctl, - - file, - - @{pager_path} Px -> child-pager, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/lsb_release Px, - @{bin}/sudo Cx -> sudo, - - deny capability sys_ptrace, - deny ptrace read, - - profile gpg { - include - include - include - - network netlink raw, - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - @{bin}/dirmngr rix, - @{bin}/gpg-agent rix, - @{bin}/gpg-connect-agent rix, - @{lib}/{,gnupg/}scdaemon rix, - - /etc/pacman.d/gnupg/ r, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, - - owner @{user_pkg_dirs}/{,**} rw, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - owner @{user_cache_dirs}/makepkg/src/*.asc r, - - owner @{tmp}/.git_vtag_tmp@{rand6} rw, - owner @{tmp}/tmp.@{rand10} rw, - - owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/gnupg/ r, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, - owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists - } - - profile sudo { - include - include - - capability sys_ptrace, - - ptrace read, - - signal send set=(term winch) peer=pacman, - signal send set=(term winch) peer=pacman//systemctl, - signal send set=(term winch) 
peer=systemd-tty-ask-password-agent, - - @{bin}/pacman Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 165b42c02..b83ea2d3c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,32 +24,29 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, - @{bin}/{m,g,}awk rix, @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{sbin}/fsck rix, + @{bin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, - @{bin}/objcopy rix, - @{bin}/objdump rix, @{bin}/tput rix, @{bin}/xz rix, @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/kmod rPx, + @{bin}/{depmod,insmod} rPx, + @{bin}/{kmod,lsmod} rPx, + @{bin}/{modinfo,rmmod} rPx, + @{bin}/modprobe rPx, @{bin}/plymouth rPx, - @{sbin}/plymouth-set-default-theme rPx, - @{bin}/sbctl rPx, - @{bin}/sync rPx, + @{bin}/plymouth-set-default-theme rPx, @{lib}/initcpio/busybox rix, - @{lib}/initcpio/post/** rix, @{lib}/ld-*.so* rix, /etc/fstab r, @@ -59,7 +56,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,**} r, + /etc/modprobe.d/{,*} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, 
@@ -81,28 +78,19 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - @{efi}/ r, - @{efi}/@{hex32}/{,**} rw, - @{efi}/EFI/{,**} rw, - @{efi}/initramfs-*.img* rw, - @{efi}/vmlinuz-* r, + /boot/ r, + /boot/initramfs-*.img* rw, + /boot/vmlinuz-* r, - /usr/share/systemd/bootctl/** r, - - /etc/kernel/** r, - - /tmp/mkinitcpio.@{rand6} rw, - /tmp/mkinitcpio.@{rand6}.tmp rw, - owner @{tmp}/mkinitcpio.@{rand6} rw, - owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, - - owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, + # Temp files owner @{run}/initramfs/{,**} rw, owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{tmp}/mkinitcpio.@{rand6} rw, + owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, - @{sys}/firmware/efi/fw_platform_size r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index d68c0b832..3089b2f3e 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, @{bin}/{m,g,}awk rix, + @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @@ -36,14 +36,10 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, - /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, - @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, - @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, - owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index eef992666..417e48504 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff 
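Review bot: The `# Manage /boot` block now hard-codes `/boot/` where the removed lines used `@{efi}`, and it drops `@{efi}/EFI/{,**} rw,` altogether; on hosts whose ESP is mounted elsewhere (e.g. `/efi`), or where mkinitcpio writes a unified kernel image under `EFI/Linux/`, those writes will be denied. `/usr/share/systemd/bootctl/** r,`, `/etc/kernel/** r,` and `@{sys}/firmware/efi/fw_platform_size r,` are read on the UKI and bootctl code paths as well, so the narrowing appears to assume the classic initramfs-only layout. If that is the supported scope, state it in the comment, e.g. `# Manage /boot (classic initramfs layout only; UKI/ESP paths are not covered)`. The profile body continues outside the hunk.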
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,23 +19,23 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk ix, - @{bin}/cat ix, - @{bin}/cmp ix, - @{bin}/find ix, - @{bin}/locate ix, - @{bin}/pacman ix, - @{bin}/pacman-conf Px, - @{bin}/pacsort ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/tput ix, - @{editor_path} Cx -> editor, + @{bin}/{m,g,}awk rix, + @{bin}/cat rix, + @{bin}/cmp rix, + @{bin}/find rix, + @{bin}/locate rix, + @{bin}/pacman rix, + @{bin}/pacman-conf rPx, + @{bin}/pacsort rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tput rix, + @{bin}/vim rix, # packages files / r, - @{efi}/{,**} r, - /etc/{,**} rw, + /boot/{,**} r, + /etc/{,**} r, /opt/{,**} r, /srv/{,**} r, /usr/{,**} r, @@ -44,15 +44,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, - profile editor { - include - include - - /etc/** rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 41b45c9d0..1f3d9ad8b 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include - include include capability audit_write, @@ -27,7 +26,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, - capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, 
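Review bot: `/etc/{,**} rw,` becomes `/etc/{,**} r,` in the pacdiff hunk, but pacdiff's job is to overwrite or remove `.pacnew`/`.pacsave` files under `/etc` (it has `@{bin}/rm rix` right above), so the overwrite and remove actions will now be denied. `@{bin}/vim rix` in the same hunk replaces the `@{editor_path} Cx -> editor` transition whose subprofile, removed in the following hunk, was the only place with `/etc/** rw`; vim now inherits pacdiff's read-only view of `/etc`, so saving a merged file fails as well, and hard-coding `vim` drops support for any other editor. Keep `rw` on `/etc/{,**}` (or at least on `/etc/**.pac{new,save}`) and prefer the `@{editor_path}` variable. The profile body continues outside the hunk.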
@@ -39,65 +37,80 @@ profile pacman @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - ptrace read, + ptrace (read), - signal send, - signal receive set=(term winch) peer=makepkg//sudo, + signal (send) set=(usr1) peer=gvfsd, @{exec_path} mrix, - # Pacman's keyring - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - - # Common program found in hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/dot ix, - @{bin}/filecap ix, - @{bin}/getent ix, - @{bin}/gettext ix, - @{bin}/gzip ix, - @{bin}/rsync ix, - @{bin}/setfacl ix, - @{bin}/tput ix, - @{bin}/vercmp ix, - @{bin}/which{,.debianutils} ix, - @{bin}/xmlcatalog ix, - @{sbin}/iconvconfig ix, - @{sbin}/iscsi-iname ix, - @{sbin}/setcap ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/gdbus Cx -> bus, - @{bin}/killall Cx -> pkill, - @{bin}/kmod Cx -> kmod, - @{bin}/pkill Cx -> pkill, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/ldconfig Cx -> ldconfig, - - #aa:lint ignore=too-wide - # Hooks & install scripts can legitimately start/restart anything - # PU is only used as a safety fallback. 
- @{bin}/** PUx, - @{sbin}/** PUx, - /opt/*/** PUx, - /etc/** PUx, - /usr/share/** PUx, - - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, - @{lib}/systemd/systemd-* Px, - @{lib}/vlc/vlc-cache-gen Px, - - # For shell pwd, keept as it can annoy users to see error in pacman output - /**/ r, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, + + # Pacman hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/appstreamcli rPx, + @{bin}/arch-audit rPx, + @{bin}/archlinux-java rPx, + @{bin}/bootctl rPx, + @{bin}/cert-sync rPx, + @{bin}/checkrebuild rPUx, + @{bin}/dconf rPx, + @{bin}/dot rix, + @{bin}/fc-cache{,-32} rPx, + @{bin}/filecap rix, + @{bin}/gdbus rix, + @{bin}/gdk-pixbuf-query-loaders rPx, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/ghc-pkg{,-*} rPx, + @{bin}/gio-querymodules rPx, + @{bin}/glib-compile-schemas rPx, + @{bin}/groupadd rPx, + @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk{,4}-update-icon-cache rPx, + @{bin}/iconvconfig rix, + @{bin}/install-catalog rPx, + @{bin}/install-info rPx, + @{bin}/iscsi-iname rix, + @{bin}/journalctl rPx, + @{bin}/killall rix, + @{bin}/ldconfig rix, + @{bin}/locale-gen rPx, + @{bin}/mkinitcpio rPx, + @{bin}/needrestart rPx, + @{bin}/pacdiff rPx, + @{bin}/pacman-key rPx, + @{bin}/perl rix, + @{bin}/pkgfile rPUx, + @{bin}/pkill rix, + @{bin}/rsync rix, + @{bin}/sbctl rPx, + @{bin}/setcap rix, + @{bin}/setfacl rix, + @{bin}/sysctl rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-* rPx, + @{bin}/tput rix, + @{bin}/update-ca-trust rPx, + @{bin}/update-desktop-database rPx, + @{bin}/update-grub rPx, + @{bin}/update-mime-database rPx, + @{bin}/vercmp rix, + @{bin}/xmlcatalog rix, + @{lib}/systemd/systemd-* rPx, + @{lib}/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, + /usr/share/code-features/patch.py rPx, + /usr/share/code-marketplace/patch.py rPx, + /usr/share/libalpm/scripts/* rPUx, + 
/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, # Install/update packages - #aa:lint ignore=too-wide / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -105,10 +118,11 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files - @{user_pkg_dirs}/{,**} r, + @{user_pkg_dirs}/**/ r, + @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, owner /var/lib/pacman/{,**} rwl, - owner @{tmp}/alpm_@{rand6}/{,**} rw, + owner @{tmp}/alpm_*/{,**} rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, owner @{tmp}/checkup-db-@{int}/db.lck rw, @@ -119,8 +133,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, @@ -130,6 +144,11 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, + # Silencer, + deny @{HOME}/ r, + deny @{HOME}/**/ r, + deny /tmp/ r, + profile gpg { include include @@ -151,7 +170,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg-connect-agent rix, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwkl, @{HOME}/@{XDG_GPG_DIR}/*.conf r, @@ -166,7 +185,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl flags=(attach_disconnected) { + profile systemctl { include include 
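Review bot: Replacing the `@{bin}/** PUx` family with an explicit list in the `@@ -39,65 +37,80 @@` hunk is a clear improvement, but several entries run inherited inside a profile that holds `rwl` on most of the filesystem plus a long capability set: `@{bin}/perl rix` lets any perl hook run with pacman's full rule set, and `@{bin}/gdbus rix`, `@{bin}/killall rix`, `@{bin}/pkill rix` and `@{bin}/ldconfig rix` lose the `bus`, `pkill` and `ldconfig` subprofiles that the later hunk at `@@ -174` deletes. `@{bin}/systemd-* rPx` and `@{lib}/systemd/systemd-* rPx` are globs that assume every matching tool ships its own profile; where one does not, the exec is denied. Consider `rCx` subprofiles for the inherited helpers, and a comment on the `rPUx` entries (`checkrebuild`, `pkgfile`, `libalpm/scripts/*`, `mktexlsr`) stating that unconfined fallback is accepted there. The profile body continues outside the hunk.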
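Review bot: The new `deny @{HOME}/**/ r,` in the `@@ -130,6 +144,11 @@` hunk takes precedence over every allow rule in the profile, because AppArmor evaluates explicit deny rules first; if `@{user_pkg_dirs}` resolves below `@{HOME}`, the `@{user_pkg_dirs}/**/ r,` rule added in the hunk at `@@ -105` is dead and installing a locally built package from the home directory is denied when libalpm lists the directory. The comment `# Silencer,` also carries a stray comma; `# Silencer: quietly deny the directory walks pacman does for the shell's cwd` would state the intent. The profile body continues outside the hunk.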
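Review bot: `/etc/pacman.d/gnupg/** rwkl,` in the gpg subprofile (hunk `@@ -151,7 +170,7 @@`) drops the `-> /etc/pacman.d/gnupg/**` link target; without a target, the `l` permission is limited only by what else the subprofile may access rather than to the keyring directory. The archlinux-keyring-wkd-sync hunk on this page keeps the targeted form, so the two keyring rules now disagree for no stated reason. Keep `rwkl -> /etc/pacman.d/gnupg/**,` unless the wider link scope is needed, in which case say why in a comment. The gpg subprofile starts and ends outside the hunk.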
@@ -174,79 +193,20 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, - ptrace read peer=@{p_systemd}, - - signal send set=cont peer=child-pager, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - signal receive set=(term winch) peer=makepkg//sudo, - - @{pager_path} rPx -> child-pager, - @{bin}/systemd-tty-ask-password-agent rPx, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/diff rPx -> child-pager, /etc/machine-id r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/*.journal* r, include if exists } - profile bus { - include - include - include - - @{bin}/gdbus rix, - - include if exists - } - - profile pkill { - include - include - - @{bin}/killall mr, - @{bin}/pkill mr, - - include if exists - } - - profile kmod { - include - include - - include if exists - } - - profile ldconfig { - include - include - - @{sh_path} rix, - @{sbin}/ldconfig mrix, - - @{lib}/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /opt/cuda/**/@{lib}/ r, - /opt/cuda/**/@{lib}/@{multiarch}/ r, - - /etc/ld.so.cache rw, - /etc/ld.so.cache~ rw, - - /var/cache/ldconfig/ rw, - owner /var/cache/ldconfig/aux-cache* rw, - - include if exists - } - include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index 4884d248c..ebf99cbff 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf 
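Review bot: Removing the `ldconfig`, `pkill`, `kmod` and `bus` child profiles in this hunk changes where those helpers run: the new side of the earlier hunk in this file makes `@{bin}/ldconfig`, `@{bin}/killall`, `@{bin}/pkill` and `@{bin}/gdbus` `rix`, so they now inherit the whole pacman policy (including its `/etc/**`, `/opt/**`, `/srv/**` and `/var/**` write rules) instead of the few paths the deleted children granted. ldconfig in particular only needed `/etc/ld.so.cache` and `/var/cache/ldconfig/` on the removed side; keeping that child with `@{bin}/ldconfig rCx -> ldconfig,` would preserve the confinement. The new `@{bin}/diff rPx -> child-pager` line and the collapse of the journal rules into `*.journal*` look fine, but a one-line comment on why diff is routed to the pager profile would help.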
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, - + /dev/tty@{int} rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3e916efe3..39389f42f 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -16,13 +16,12 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{lib}/code/product.json rw, - @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, - /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, - /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, + /usr/share/code-{features,marketplace}/{,*} r, + /usr/share/code-{features,marketplace}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index c49eb08e9..91e3b367d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rm rix, @{bin}/dconf rPx, 
diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 0dae14351..c54523d86 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,13 +14,14 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/basename rix, + @{bin}/bash rix, + @{bin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - @{lib}/modules/*/{,**} rw, + /usr/lib/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a8a54c151..8d0fb58ca 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,12 +14,10 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, - network unix stream, - @{exec_path} mr, @{sh_path} rix, - @{sbin}/dkms rPx, + @{bin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, @@ -33,6 +31,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { # Inherit Silencer deny network inet stream, deny network inet6 stream, + deny unix (receive) type=stream, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 3b29e01ea..8068d83dc 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
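Review bot: `/usr/lib/modules/*/{,**} rw` hardcodes the library path while the rest of this hook profile keeps the `@{bin}` variables, and the replaced rule used `@{lib}`; pacman-hook-gio on the next file makes the same substitution with `/usr/lib/gio/modules/ rw`. Keeping `@{lib}/modules/*/{,**} rw,` is consistent with the surrounding rules and with how the path variables are used elsewhere in this diff, and it avoids a silent miss on layouts where `@{lib}` does not expand to `/usr/lib` alone.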
@@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 17218158e..dcbfe6e28 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - @{lib}/gio/modules/ rw, + /usr/lib/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index e6aa28627..d75527d79 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index a0be0e39b..aae81662b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -2,14 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules profile pacman-hook-gtk4-querymodules @{exec_path} { include - include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 48ce25ab2..a182b23ca 100644 
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, @@ -36,11 +36,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - @{efi}/ r, - @{efi}/EFI/boot/boot*.efi rw, - @{efi}/initramfs-*-fallback.img rw, - @{efi}/initramfs-*.img rw, - @{efi}/vmlinuz-* rw, + /boot/ r, + /boot/vmlinuz-* rw, + /boot/initramfs-*.img rw, + /boot/initramfs-*-fallback.img rw, /dev/tty rw, owner /dev/pts/@{int} rw, @@ -55,11 +54,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, @{bin}/pacman mr, - + @{bin}/gpg rix, @{bin}/gpgconf rix, @{bin}/gpgsm rix, - + /etc/pacman.conf r, /etc/pacman.d/{,**} r, /etc/pacman.d/gnupg/** rwkl, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 6378ca991..8d26de0b4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, 
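Review bot: In the `@@ -36,11 +36,10 @@` hunk the `@{efi}` variable is replaced by a hardcoded `/boot/`, and the `@{efi}/EFI/boot/boot*.efi rw` rule is dropped, so kernels, initramfs images or EFI stubs that mkinitcpio writes to an ESP mounted anywhere other than `/boot` would presumably now be denied; the pacman-hook-mkinitcpio-remove hunk on the following file makes the same change. If `/boot` is the only supported layout, a comment stating that would justify the narrowing; otherwise `@{efi}/vmlinuz-* rw,` and its sibling rules should keep the variable. The profile's body continues outside this hunk.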
@@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - @{efi}/vmlinuz-* rw, - @{efi}/initramfs-*.img rw, - @{efi}/initramfs-*-fallback.img rw, + /boot/vmlinuz-* rw, + /boot/initramfs-*.img rw, + /boot/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index aa2be8b09..894ba266c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -2,25 +2,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include - include capability dac_read_search, capability mknod, @{exec_path} mr, - @{sh_path} rix, + @{bin}/perl rix, + @{bin}/bash rix, @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, - @{bin}/wc rix, + + @{lib}/perl@{int}/{,**} r, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 860fb34ea..f704f5ddb 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,14 +15,13 @@ profile pacman-hook-systemd @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/touch rix, @{bin}/journalctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/systemd-hwdb rPx, - @{bin}/systemd-notify rPx, @{bin}/systemd-sysusers rPx, @{bin}/systemd-tmpfiles rPx, @{bin}/udevadm rPx, 
@@ -44,13 +43,6 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - - signal send set=(cont, term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 1e1204c27..0375c7863 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,15 +16,15 @@ profile pacman-key @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, + @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> &gpg, - @{bin}/{,e}grep rix, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx -> &pacman-conf, + @{bin}/pacman-conf rPx, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, @@ -34,9 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, - + /etc/pacman.d/gnupg/* rw, + /dev/tty rw, profile gpg { @@ -60,16 +59,15 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/.gnupg/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/tty@{int} rw, - include if exists } include if exists diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 119f0d2a1..7b277fb3e 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector 
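Review bot: In the `@@ -60,16 +59,15 @@` hunk `@{HOME}/.gnupg/gpg.conf r` hardcodes the GnuPG home, while the pacman profile's gpg child earlier in this diff still reads `@{HOME}/@{XDG_GPG_DIR}/*.conf` and the replaced line used the same variable. Keeping `@{HOME}/@{XDG_GPG_DIR}/gpg.conf r,` is consistent across the two profiles and honours a relocated GnuPG home. The `@@ -34,9 +34,8 @@` hunk above also narrows the parent's keyring rule from `gnupg/** rwkl` to `gnupg/* rw`; if that was driven by observed usage, a short comment saying the parent only touches the top-level keyring files would help.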
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,17 +25,12 @@ profile reflector @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{bin}/rsync ix, /etc/xdg/reflector/reflector.conf r, /etc/pacman.d/mirrorlist rw, - /var/cache/reflector/mirrorstatus.json rw, - owner @{user_cache_dirs}/mirrorstatus.json rw, - - @{tmp}/@{rand8} rw, - @{tmp}/tmp@{rand8}/{,**} rw, + /var/cache/reflector/mirrorstatus.json rw, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay deleted file mode 100644 index 42932cc2e..000000000 --- a/apparmor.d/groups/pacman/yay +++ /dev/null 
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/yay -profile yay @{exec_path} { - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{editor_path} Cx -> editor, - @{bin}/git Cx -> git, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/makepkg Px, - @{bin}/pacman Px, - @{bin}/pacman-conf Px, - @{bin}/sudo Cx -> sudo, - - /var/lib/pacman/** r, - - owner @{user_cache_dirs}/yay/ rw, - owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**, - - owner @{user_config_dirs}/yay/{,**} rw, - - profile git { - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/git* mrix, - @{lib}/git{,-core}/git* mrix, - - @{pager_path} rPx -> child-pager, - @{bin}/gpg{2,} rPx -> yay//gpg, - - /usr/share/git{,-core}/{,**} r, - - owner @{user_build_dirs}/**/.git/** r, - owner @{user_pkg_dirs}/**/.git/** r, - owner @{user_projects_dirs}/**/.git/** r, - - owner @{HOME}/.gitconfig r, - owner @{user_cache_dirs}/yay/ rw, - owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, - owner @{user_config_dirs}/git/{,*} r, - - include if exists - } - - profile editor { - include - include - - owner @{HOME}/**/ r, # For pwd - - owner @{user_cache_dirs}/yay/*/** rw, - - include if exists - } - - profile gpg { - include - include - - @{bin}/gpg{,2} mr, - @{bin}/gpg-agent rPx, - @{bin}/dirmngr rPx, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - include if exists - } - - profile sudo { - include - include - - capability sys_ptrace, - - ptrace read peer=unconfined, - - @{bin}/pacman Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec deleted file mode 100644 index 8c6d868da..000000000 --- a/apparmor.d/groups/polkit/pkexec +++ /dev/null @@ -1,37 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pkexec -profile pkexec @{exec_path} { - include - include - - capability sys_nice, - - signal send set=(term, kill) peer=polkit-agent-helper, - - ptrace read, - - @{exec_path} mr, - - @{bin}/* PUx, - @{sbin}/* PUx, - @{lib}/** PUx, - /opt/*/** PUx, - /usr/share/** PUx, - - /etc/default/locale r, - - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free deleted file mode 100644 index 56075ae1c..000000000 --- a/apparmor.d/groups/procps/free +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/free -profile free @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep deleted file mode 100644 index d10c1e772..000000000 --- a/apparmor.d/groups/procps/pgrep +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof deleted file mode 100644 index 3413eb6c3..000000000 
--- a/apparmor.d/groups/procps/pidof +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat deleted file mode 100644 index 1276222a2..000000000 --- a/apparmor.d/groups/procps/vmstat +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/vmstat -profile vmstat @{exec_path} { - include - include - - @{exec_path} mr, - - @{sys}/block/ r, - @{sys}/devices/system/node/ r, - - @{PROC}/diskstats r, - @{PROC}/slabinfo r, - @{PROC}/uptime r, - @{PROC}/vmstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap deleted file mode 100644 index 9530b8594..000000000 --- a/apparmor.d/groups/snap/snap +++ /dev/null 
@@ -1,217 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} - -@{exec_path} = @{bin_dirs}/snap -profile snap @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - capability chown, - capability dac_override, - capability dac_read_search, - capability setuid, - capability sys_admin, - capability sys_ptrace, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - ptrace read peer=snap.*, - - unix (send, receive) type=stream peer=(label=apt), - - mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, - - #aa:dbus own bus=session name=io.snapcraft.Launcher - #aa:dbus own bus=session name=io.snapcraft.SessionAgent - #aa:dbus own bus=session name=io.snapcraft.Settings - - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* - #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{exec_path} mrix, - - @{sh_path} mr, - @{bin}/mount rix, - @{bin}/getent rix, - - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rCx -> run, # Start snap from the cli - @{bin}/unsquashfs rCx -> unsquashfs, - @{bin}/xdg-settings rCx -> xdg-settings, - - @{bin_dirs}/xdelta3 ix, - 
@{lib_dirs}/** mr, - @{lib_dirs}/snapd/snap-confine rPx, - @{lib_dirs}/snapd/snap-seccomp rPx, - @{lib_dirs}/snapd/snapd rPx, - - /etc/fstab r, - - /var/lib/snapd/{,**} rwk, - /var/cache/snapd/commands.db rwk, - /var/cache/snapd/names r, - - @{DESKTOP_HOME}/snap/{,**} rw, - /snap/{,**} rw, - - @{HOME}/ r, - @{HOME}/.snap.mkdir-new/ rw, - @{HOME}/.snap/{,**} rw, - @{HOME}/snap/{,**} rw, - - @{user_pkg_dirs}/** r, - - owner @{tmp}/read-file@{int}/unpack/{,**} w, - owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, - - @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/snapd-session-agent.socket rw, - owner @{run}/user/@{uid}/systemd/notify rw, - - @{run}/mount/utab r, - @{run}/snapd.socket rw, - - @{sys}/fs/cgroup/cgroup.controllers r, - @{sys}/kernel/security/apparmor/features/{,**} r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/cgroups r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/random/uuid r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/version r, - @{PROC}/@{pid}/attr/apparmor/current r, - owner @{PROC}/@{pid}/mounts r, - - /dev/tty@{int} rw, - /dev/ttyS@{int} rw, - - /apparmor/.null rw, - - # file_inherit, safe to deny - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - - profile gpg { - include - - @{bin}/gpg{,2} mr, - - @{bin}/dirmngr rix, - @{bin}/gpg-agent rix, - @{bin}/gpg-connect-agent rix, - - owner @{HOME}/.snap/gnupg/ rw, - owner @{HOME}/.snap/gnupg/** rwkl, - - include if exists - } - - profile xdg-settings { - include - include - - @{bin}/xdg-settings mr, - - @{sh_path} r, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat ix, - @{bin}/cut rix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath rix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/sleep ix, - @{bin}/sort ix, - 
@{bin}/touch ix, - @{bin}/tr ix, - @{bin}/uname ix, - @{bin}/wc ix, - - @{bin}/xdg-mime Px, - - include if exists - } - - profile run { - include - - unix bind type=stream addr=@@{udbus}/bus/systemd-run/, - - @{bin}/systemd-run mr, - - owner @{run}/user/@{uid}/systemd/private rw, - - include if exists - } - - profile systemctl { - include - include - include - - capability net_admin, - - network unix stream, - network (send receive) netlink raw, - - @{run}/systemd/notify w, - owner @{run}/user/@{uid}/systemd/notify rw, - owner @{run}/user/@{uid}/systemd/private rw, - - include if exists - } - - profile unsquashfs { - include - - @{bin}/unsquashfs mr, - - /**.snap r, - - owner /tmp/read-file@{int}/unpack/{,**} w, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index a0fc3e2f8..672d9b5e5 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -2,11 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/{openssh,ssh}/sftp-server +@{exec_path} = @{lib}/openssh/sftp-server +@{exec_path} += @{lib}/ssh/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0d6826490..d4c948f86 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,58 +11,44 @@ include profile ssh @{exec_path} { include include - include - include include + signal (receive) set=(term) peer=gnome-keyring-daemon, + network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, - signal receive set=term peer=gnome-keyring-daemon, - signal send set=hup peer=unconfined, - @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/ssh.hmac r, - - @{lib}/{,ssh/}ssh-sk-helper rix, + @{bin}/{,b,d,rb}ash rix, + @{bin}/{c,k,tc,z}sh rix, @{etc_ro}/ssh/ssh_config r, - @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/sshd_config r, @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + /etc/ssh/ssh_config r, + /etc/ssh/ssh_config.d/{,*} r, + + owner @{HOME}/@{XDG_SSH_DIR}/ r, + owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, + owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/krb5cc_* rwk, + owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, - /dev/hidraw@{int} rwk, - include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 9fc2900b4..ec82ea1bc 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
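Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r` only matches identity files with an underscore in the name (`id_ed25519` style); a key referenced as `IdentityFile ~/.ssh/work` was readable under the replaced `@{XDG_SSH_DIR}/{,*} r` and is now denied, and the ssh-keygen hunk later in this diff adopts the same `*_*` pattern for writes. If the goal is to stop reading arbitrary files in the directory, `owner @{HOME}/@{XDG_SSH_DIR}/* r,` is the smaller change. Switching the shells from `rUx` to `rix` keeps `ProxyCommand`/`LocalCommand` helpers inside this profile, which is tighter but means each helper binary now needs its own exec rule; a comment on that expectation would help, and dropping `owner @{tmp}/krb5cc_* rwk` presumably breaks GSSAPI credential use where it is configured.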
@@ -12,23 +12,21 @@ profile ssh-agent @{exec_path} { include include - signal receive set=term peer=cockpit-bridge, - signal receive set=term peer=cockpit-session, - signal receive set=term peer=gnome-keyring-daemon, + signal (receive) set=term peer=cockpit-bridge, + signal (receive) set=term peer=gnome-keyring-daemon, @{exec_path} mr, @{sh_path} rix, @{bin}/gpg-agent rPx, - @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner @{tmp}/ssh-@{rand12}/ rw, - owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, + owner @{tmp}/ssh-*/ rw, + owner @{tmp}/ssh-*/agent.* rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, @@ -36,7 +34,6 @@ profile ssh-agent @{exec_path} { owner @{run}/user/@{uid}/gcr/.ssh w, /dev/tty@{int} rw, - /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 86bd0866f..66e05b5ec 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,10 +12,10 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/{,z,ba,da}sh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, 
@@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} { include dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1), + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 738268b0a..f31ac1195 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -3,11 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ssh-keygen + profile ssh-keygen @{exec_path} { include include @@ -15,16 +16,10 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, - @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, - - /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ rw, - owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, - - owner /tmp/snapd@{int}/*_*{,.pub} w, - owner /tmp/snapd@{int}/*.key{,.pub} w, + owner @{HOME}/@{XDG_SSH_DIR}/ w, + owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper deleted file mode 100644 index ff9de97c3..000000000 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper -profile ssh-sk-helper flags=(complain) { - include - include - - @{exec_path} mr, - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - - /dev/hidraw@{int} rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 633076ad6..1410d090f 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -11,11 +11,11 @@ # If you want real protection disallow SSH access. -abi , +abi , include -@{exec_path} = @{sbin}/sshd +@{exec_path} = @{bin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -25,14 +25,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include - include #aa:only RBAC capability audit_write, capability chown, - capability dac_override, capability dac_read_search, + capability dac_override, capability fowner, - capability fsetid, capability kill, capability net_bind_service, capability setgid, 
@@ -51,33 +49,24 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - unix type=stream peer=(label=sshd-session), + signal (receive) set=(hup) peer=@{p_systemd}, - signal receive set=hup peer=@{p_systemd}, + ptrace (read,trace) peer=@{p_systemd}, - ptrace (read trace) peer=@{p_systemd}, + unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/home1 - interface=org.freedesktop.home1.Manager - member=GetUserRecordByName - peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, - @{sbin}/sshd.hmac r, - - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{bin}/false ix, - @{sbin}/nologin Px, - @{bin}/passwd Px, - @{lib}/{openssh,ssh}/sftp-server Px, - @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session Px, + @{bin}/@{shells} rUx, + @{bin}/false rix, + @{bin}/nologin rPx, + @{bin}/passwd rPx, + @{lib}/openssh/sftp-server rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, 
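Review bot: The `#aa:exclude RBAC` marker is dropped from the shell rule, so `@{bin}/@{shells} rUx` now also applies in the RBAC/full-system-policy build, where the removed side deliberately kept interactive shells out of the unconfined transition; if that exclusion is still wanted, keep `@{bin}/@{shells} rUx, #aa:exclude RBAC`. With the `sshd-session` and `sshd-auth` transitions removed here (and their profiles deleted later in the diff), an OpenSSH build that forks `sshd-session` per connection has no exec rule for it and would fail under enforce mode, so the targeted OpenSSH version should be stated in a comment. `label=systemd-logind` replaces the `@{p_systemd_logind}` variable on the login1 dbus rule while the same hunk still uses `@{p_systemd}` for the signal and ptrace peers; the variable form keeps the peer labels consistent.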
@@ -104,20 +93,19 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, - @{att}/@{run}/systemd/sessions/@{int}.ref rw, - @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/systemd/notify w, + @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth deleted file mode 100644 index c1601b813..000000000 --- a/apparmor.d/groups/ssh/sshd-auth +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth -profile sshd-auth @{exec_path} { - include - include - - capability setgid, - capability setuid, - capability sys_chroot, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - @{sbin}/sshd.hmac r, - - /etc/gss/mech.d/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session deleted file mode 100644 index ab86f3ad1..000000000 --- a/apparmor.d/groups/ssh/sshd-session +++ /dev/null 
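Review bot: The new exec list drops `@{lib}/{openssh,ssh}/sshd-session Px` and `sshd-auth Px` (and this diff deletes both child profiles), but OpenSSH 9.8 and later fork `sshd-session` for every connection and `sshd-auth` for the authentication phase; with no rule for those binaries the exec is denied and every login fails, and because `sshd-session` is where the unprivileged authentication and the user session run, any quick fix via a `Ux`-style rule would discard the privilege-separation boundary the deleted profiles enforced. If the target is only pre-9.8 distributions (the CI matrix change to Ubuntu 22.04 suggests so) that should be stated in the profile header; otherwise keep at least `@{lib}/{openssh,ssh}/sshd-session rPx,` and `@{lib}/{openssh,ssh}/sshd-auth rPx,`. The hunk also removes the `org.freedesktop.home1` `GetUserRecordByName` call, so accounts backed by systemd-homed can no longer be resolved, and replaces the `@{p_systemd_logind}` label variable with the literal `systemd-logind`, which silently stops matching if that profile is ever renamed or stacked. Finally, `@{bin}/@{shells} rUx` is an unconfined transition for every interactive login shell, and the `#aa:exclude RBAC` marker that told the RBAC build to drop it was removed together with the line.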
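Review bot: `@{run}/faillock/@{user} rwk` is removed with nothing replacing it, so if pam_faillock is in the sshd PAM stack (the default on Fedora/RHEL, optional on Debian) the module can no longer record or check failed attempts; depending on its `no_log_info`/`silent` configuration that either aborts authentication outright or silently disables account lockout, so the rule should stay unless the PAM stack is known not to use it. The `owner` qualifier added to `authorized_keys{,.*}` only works because sshd reads the file with the target user's fsuid; an `AuthorizedKeysFile` pointing at a root-owned path outside `@{HOME}` is not covered, which deserves a comment next to the rule. Dropping the `@{att}/` prefix on `@{run}/systemd/sessions/*.ref` looks wrong for a profile that carries `attach_disconnected`, since that prefix presumably exists to match the path as seen through a disconnected namespace, and the widening from `w` to `rw` is not explained. The enclosing profile starts outside this hunk.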
@@ -1,92 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{openssh,ssh}/sshd-session -profile sshd-session @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include #aa:only RBAC - - capability audit_write, - capability chown, - capability dac_override, - capability dac_read_search, - capability fowner, - capability fsetid, - capability kill, - capability setgid, - capability setuid, - capability sys_chroot, - capability sys_resource, - - # sshd doesn't require net_admin. libpam-systemd tries to - # use it if available to set the send/receive buffers size, - # but will fall back to a non-privileged version if it fails. - deny capability net_admin, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - unix type=stream peer=(label=sshd), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/home1 - interface=org.freedesktop.home1.Manager - member=GetUserRecordByName - peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), - - @{exec_path} mr, - - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{bin}/userdbctl Px, - @{lib}/{openssh,ssh}/sshd-auth Px, - - @{etc_rw}/motd r, - @{etc_rw}/motd.d/{,**} r, - /etc/machine-id r, - /etc/motd r, - - /var/lib/lastlog/ r, - /var/lib/lastlog/lastlog2.db rwk, - /var/lib/lastlog/lastlog2.db-journal rw, - - /var/lib/wtmpdb/ w, - - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, - - owner @{user_cache_dirs}/{,motd*} rw, - - @{att}/@{run}/systemd/sessions/@{int}.ref w, - - @{run}/cockpit/active.issue r, - @{run}/motd.d/{,*} r, - @{run}/motd.dynamic rw, - 
@{run}/motd.dynamic.new rw, - - @{PROC}/1/limits r, - owner @{PROC}/@{pid}/loginuid rw, - owner @{PROC}/@{pid}/uid_map r, - - /dev/ptmx rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index ee6a2f903..7623cd87a 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,12 +13,8 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, - mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, - mount fstype=fuse.sshfs -> @{MOUNTS}/, - mount fstype=fuse.sshfs -> @{MOUNTS}/*/, - mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), @{exec_path} mr, @@ -31,24 +27,23 @@ profile sshfs @{exec_path} flags=(complain) { profile fusermount flags=(complain) { include - include + include + + capability sys_admin, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, - - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/steam/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote deleted file mode 100644 index b7d5f2b15..000000000 
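Review bot: The `fusermount` child profile gains `capability sys_admin` but loses every `umount` rule, so `fusermount -u` — the normal way an sshfs mount is detached — has no matching rule and would be denied as soon as the profile leaves complain mode; keep at least `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` next to the mount rules. The `@{MOUNTS}`/`@{MOUNTDIRS}` targets were removed from both the parent and the child, so mounting under /mnt- or /media-style paths is now denied as well, which may be intended but should be stated in a comment. Note that both `sshfs` and its child are still `flags=(complain)`, so none of these denials will actually block anything until that flag is removed.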
--- a/apparmor.d/groups/steam/steam-runtime-steam-remote +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{runtime} = SteamLinuxRuntime_{sniper,soldier} -@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} -@{app_dirs} = @{share_dirs}/steamapps/common/ - -@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote -profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) { - include - - @{exec_path} mr, - - @{runtime_dirs}/** mr, - - owner @{HOME}/.steam/steam.pipe rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery deleted file mode 100644 index 1af9fe22f..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery -profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - - @{PROC}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import deleted file mode 100644 index de3753aaf..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ /dev/null 
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator -profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { - include - - capability sys_ptrace, - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - / r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn deleted file mode 100644 index 780c63d56..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator -profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/ls ix, - @{bin}/mkdir ix, - - /etc/default/openvpn r, - /etc/openvpn/ r, - - @{run}/systemd/generator/openvpn.service.wants/{,**} w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local deleted file mode 100644 index 3e8bec6c5..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator -profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd deleted file mode 100644 index 8544a7938..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-snapd +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/snapd-generator -profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{PROC}/1/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh deleted file mode 100644 index 0f6aa11d9..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator -profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { - include - - capability net_admin, - - network vsock stream, - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{sbin}/sshd r, - - @{run}/ r, - @{run}/systemd/ r, - @{run}/systemd/generator/ r, - @{run}/systemd/generator/sockets.target.wants/ rw, - @{run}/systemd/generator/sockets.target.wants/*.socket w, - @{run}/systemd/generator/sshd-*.service w, - @{run}/systemd/generator/sshd-*.socket rw, - @{run}/systemd/system/ r, - @{run}/systemd/transient/ r, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/firmware/dmi/entries/*/raw r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - /dev/vsock r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket deleted file mode 100644 index f08df7d90..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator -profile systemd-generator-sshd-socket @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - - @{run}/systemd/generator/ssh.socket.d/{,*} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv deleted file mode 100644 index fc290fca4..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sysv +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator -profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - /etc/init.d/{,**} r, - /etc/rc@{int}.d/{,**} r, - - @{run}/systemd/generator.late/** w, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 deleted file mode 100644 index ee5d924cc..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ /dev/null 
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator -profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{sys}/class/tpmrm/ r, - @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service deleted file mode 100644 index 1b585c0cc..000000000 --- a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /bin/bash -c 'read args <&3; echo "args=$args"; \ -# exec /usr/bin/cloud-init devel hotplug-hook $args; \ -# exit 0' - -abi , - -include - -profile cloud-init-hotplugd.service { - include - - @{sh_path} ix, - @{bin}/cloud-init Px, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service deleted file mode 100644 index 9f8e235cf..000000000 --- a/apparmor.d/groups/systemd-service/debug-shell.service +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=/usr/bin/bash - -abi , - -include - -profile debug-shell.service { - include - - all, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service deleted file mode 100644 index 0a46f6ed9..000000000 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg -# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname -# ExecStartPost=/bin/chgrp adm /var/log/dmesg -# ExecStartPost=/bin/chmod 0640 /var/log/dmesg - -abi , - -include - -profile dmesg.service flags=(attach_disconnected) { - include - include - - capability chown, - capability fsetid, - capability sys_admin, - - ptrace read peer=@{p_systemd}, - - @{sh_path} r, - @{bin}/basename ix, - @{bin}/chgrp rix, - @{bin}/chmod rix, - @{bin}/chown ix, - @{bin}/date ix, - @{bin}/dirname ix, - @{bin}/gzip ix, - @{bin}/gzip ix, - @{bin}/journalctl r, - @{bin}/ln ix, - @{bin}/mv ix, - @{bin}/rm ix, - @{bin}/savelog rix, - @{bin}/touch ix, - - /etc/machine-id r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, - - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service deleted file mode 100644 index fc4de5edc..000000000 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' -# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail -# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' - -abi , - -include - -profile grub-common.service { - include - - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/grub-editenv rix, - @{bin}/mkdir ix, - @{bin}/rm ix, - - @{efi}/grub/ w, - @{efi}/grub/grubenv rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service deleted file mode 100644 index f7d193e9e..000000000 --- a/apparmor.d/groups/systemd-service/ldconfig.service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /sbin/ldconfig -X - -abi , - -include - -profile ldconfig.service { - include - - @{lib}/ r, - @{sbin}/ldconfig r, - - /var/cache/ldconfig/aux-cache rw, - /var/cache/ldconfig/aux-cache~ rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service deleted file mode 100644 index c3bfa7c32..000000000 --- a/apparmor.d/groups/systemd-service/man-db.service +++ /dev/null 
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man -# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete -# ExecStart=/usr/bin/mandb --quiet - -abi , - -include - -profile man-db.service flags=(attach_disconnected) { - include - include - - @{bin}/find ix, - @{bin}/install ix, - @{bin}/mandb r, - - /usr/{,local/}share/man/{,**} r, - - /etc/man_db.conf r, - /etc/manpath.config r, - - /usr/share/man/{,**} r, - /usr/local/man/{,**} r, - /usr/local/share/man/{,**} r, - - /usr/{,share/}man/{,**} r, - /usr/local/{,share/}man/{,**} r, - - /usr/share/**/man/man@{u8}/*.@{int}.gz r, - - owner /var/cache/man/ rw, - owner /var/cache/man/** rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service deleted file mode 100644 index a951747be..000000000 --- a/apparmor.d/groups/systemd-service/secureboot-db.service +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose - -abi , - -include - -profile secureboot-db.service flags=(complain) { - include - - @{bin}/chattr ix, - @{bin}/sbkeysync PUx, - - @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, - @{sys}/firmware/efi/efivars/db-@{uuid} rw, - @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service deleted file mode 100644 index 95f780b89..000000000 --- a/apparmor.d/groups/systemd-service/shadow.service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile shadow.service flags=(attach_disconnected) { - include - include - - @{sh_path} rix, - @{sbin}/grpck Px -> &grpck, - @{sbin}/pwck Px -> &pwck, - - /etc/machine-id r, - /etc/shadow r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service deleted file mode 100644 index ce819a791..000000000 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /bin/mount /run -o remount,exec -# /bin/mkdir -p /run/initramfs -# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown - -abi , - -include - -profile snapd.system-shutdown.service { - include - - @{bin}/cp ix, - @{bin}/mkdir ix, - @{bin}/mount ix, - - @{lib}/snapd/system-shutdown r, - - @{run}/initramfs/ rw, - @{run}/initramfs/shutdown rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service deleted file mode 100644 index 4166cb76c..000000000 --- a/apparmor.d/groups/systemd-service/system-update-cleanup.service +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=rm -fv /system-update /etc/system-update - -abi , - -include - -profile system-update-cleanup.service { - include - - @{bin}/rm ix, - - /etc/system-update w, - /system-update w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service deleted file mode 100644 index 00a62c933..000000000 --- a/apparmor.d/groups/systemd-service/usb_modeswitch.service +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile usb_modeswitch.service { - include - - @{sbin}/usb_modeswitch_dispatcher ix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 70a91197f..2bd8c4c78 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
@@ -2,39 +2,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile bootctl @{exec_path} { include include include include - capability linux_immutable, capability mknod, capability net_admin, - capability sys_rawio, - capability sys_resource, - signal send peer=child-pager, + signal (send) peer=child-pager, - ptrace read peer=unconfined, + ptrace (read) peer=unconfined, @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, - @{efi}/ r, - @{efi}/@{hex32}/ rw, - @{efi}/EFI/{,**} rwl, - @{efi}/loader/ rw, - @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + /{boot,efi}/ r, + /{boot,efi}/EFI/{,**} r, + /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, + /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + /{boot,efi}/EFI/systemd/systemd-boot*.efi w, + /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, + /{boot,efi}/loader/.#entries.srel* w, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/loader/entries.srel w, + /{boot,efi}/loader/random-seed w, - /etc/kernel/.#entry-token@{hex16} rw, - /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, 
@@ -42,15 +45,14 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/tpmrm/ r, - @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @@ -60,15 +62,15 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, - @{PROC}/sys/kernel/random/poolsize r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/random/poolsize r, + owner @{PROC}/@{pid}/cgroup r, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index eed7080f8..baf89561d 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl 
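Review bot: `/{boot,efi}/EFI/BOOT/BOOTX64.EFI w` hard-codes the x86_64 fallback loader name, so `bootctl install` on aarch64 (`BOOTAA64.EFI`) or any other architecture is denied while the `.#BOOT*.EFI@{hex}` temp file beside it is allowed; use `BOOT*.EFI` or the project's architecture variable if one exists. The hunk also drops `attach_disconnected`, `mediate_deleted` and the `/etc/kernel/entry-token` rules without explanation; if `bootctl install` still writes the entry token on the targeted systemd version, that write is now denied halfway through an install. A one-line comment per removed capability would make the tightening reviewable. The enclosing profile continues outside this hunk.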
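Review bot: Downgrading `Boot@{hex}-@{uuid}`, `BootOrder-@{uuid}`, `LoaderSystemToken-@{uuid}` and `OsIndications-@{uuid}` from `rw` to `r` removes the EFI variable writes that `bootctl install`, `bootctl random-seed` and `bootctl reboot-to-firmware` perform, while the previous hunk still allows writing `/{boot,efi}/loader/random-seed` and the loader binary itself, so the profile now permits half of each operation and the command fails midway with EACCES on the efivar. Either keep these four as `rw` or state in a comment that the profile is meant for read-only `bootctl status`/`list` use. Also note that `capability linux_immutable` was dropped in the previous hunk; efivars are immutable by default and presumably that capability was there so bootctl can clear the flag before writing, so the `rw` rules would be dead without it.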
@@ -2,15 +2,17 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} flags=(attach_disconnected) { +profile busctl @{exec_path} { include + include include include + include include include include @@ -18,11 +20,11 @@ profile busctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read, + ptrace (read), - unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, - signal send set=cont peer=child-pager, + signal (send) set=(cont) peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
@@ -31,40 +33,20 @@ profile busctl @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionCredentials,ListNames,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Monitoring - member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionCredentials,ListNames,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus send bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect, - dbus send bus=system - interface=org.freedesktop.DBus.Properties - member={GetAll,Get}, + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/sessionid r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 06969ef47..7c4149bee 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl 
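Review bot: The session-bus `BecomeMonitor` and `GetConnectionCredentials/ListNames/ListActivatableNames` sends are removed while `dbus eavesdrop bus=session` stays in the previous hunk, so `busctl --user monitor` and `busctl --user list` lose the method calls they need although the eavesdrop permission that actually matters for confidentiality remains; the `Introspect`/`Get`/`GetAll` sends on the system bus are gone too. If the intent is to limit busctl to the system bus, drop the session eavesdrop rule as well; otherwise restore the session-bus sends with `peer=(name=org.freedesktop.DBus, label=dbus-session)` matching the literal-label style now used for `dbus-system`. Narrowing `cmdline`/`loginuid`/`sessionid` to `owner` is a real tightening, but `busctl list` prints the command line of every peer, so root-owned services will now show as unreadable for an unprivileged user; a comment should say that is accepted.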
@@ -3,16 +3,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include - include - include - include include capability dac_read_search, @@ -25,7 +22,9 @@ profile coredumpctl @{exec_path} flags=(complain) { @{bin}/gdb rCx -> gdb, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -34,7 +33,9 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{tmp}/*.coredump w, owner @{tmp}/core.* w, @@ -63,12 +64,12 @@ profile coredumpctl @{exec_path} flags=(complain) { /etc/inputrc r, /etc/gdb/** r, - + owner /var/tmp/coredump-* rw, @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl deleted file mode 100644 index 3c962e309..000000000 --- a/apparmor.d/groups/systemd/homectl +++ /dev/null 
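Review bot: The replacement for `/{run,var}/log/journal/@{hex32}/* r` only matches `system.journal*`, `user-@{hex}.journal*` and `system@@{hex}.journal*`; rotated journals are named `system@<id>-<seq>-<time>.journal` and `user-<uid>@<id>-<seq>-<time>.journal`, which contain `-` and `@` and so never match a single `@{hex}` (compare the `system@@{hex}-@{hex}.journal*` and `user-@{uid}@@{hex}-@{hex}.journal*` forms used elsewhere in this diff), so `coredumpctl list` will only see dumps recorded since the last rotation. Add `/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,` and `/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,` (or the hex32/hex16 variants). The profile is `flags=(complain)`, so today this produces audit noise rather than a denial, which is exactly how it will be missed.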
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/homectl -profile homectl @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - - capability net_admin, - capability sys_resource, - - signal send peer=child-pager, - - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - - @{exec_path} mr, - - @{bin}/pkttyagent rpx, - - @{pager_path} rPx -> child-pager, - - /etc/machine-id r, - - owner @{PROC}/@{pids}/cgroup r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 6b29e260d..47e7f531e 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,16 +10,11 @@ include profile hostnamectl @{exec_path} { include include - include include capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.hostname1), + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index c852b3756..4b5f11810 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
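Review bot: The explicit `org.freedesktop.DBus.Properties` `GetAll` send on `/org/freedesktop/hostname1` is removed and only the `#aa:dbus talk ... label=systemd-hostnamed` directive remains; whether that directive expands to the Properties interface depends on the generator, which is not visible here, and `hostnamectl status` is essentially one `GetAll` call. Keep the explicit rule, or add a comment stating that `#aa:dbus talk` is known to cover `org.freedesktop.DBus.Properties`. The label also changed from the `@{p_systemd_hostnamed}` variable to a literal, which silently stops matching if that profile is ever renamed or stacked. The enclosing profile continues outside this hunk.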
@@ -20,18 +20,14 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - network netlink raw, - - signal receive set=kill peer=snapd, - signal receive set=term peer=cockpit-bridge, - signal send peer=child-pager, + signal (receive) set=(term) peer=cockpit-bridge, + signal (send) peer=child-pager, @{exec_path} mr, - @{pager_path} rPx -> child-pager, - - @{bin}/* r, - @{sbin}/* r, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -39,8 +35,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, - /var/log/dmesg w, - /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, @@ -55,7 +49,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, - @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, @@ -64,7 +57,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { deny network inet stream, deny network inet6 stream, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 9792fb75f..46f67b325 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl 
@@ -2,35 +2,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} flags=(attach_disconnected) { +profile localectl @{exec_path} { include include - include capability net_admin, - signal send set=cont peer=child-pager, - - #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.locale1), - @{exec_path} mr, - @{pager_path} rPx -> child-pager, - @{bin}/pkttyagent rPx, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, /usr/share/kbd/keymaps/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index f516d16db..345957e3f 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl 
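Review bot: `signal send set=cont peer=child-pager,` is removed while the three `rPx -> child-pager` transitions are kept, so the pager can still be spawned but the parent is denied when it resumes a suspended pager; journalctl, systemd-analyze, systemd-delta and systemd-dissect in this series keep `signal (send) peer=child-pager,` next to their pager rules, and loginctl and systemd-cgls drop it the same way localectl does. Add `signal (send) set=(cont) peer=child-pager,` back here and in those two. The hunk also drops every D-Bus rule for org.freedesktop.locale1 and the `@{bin}/pkttyagent rPx,` transition; unless one of the remaining includes provides them, `localectl set-*` has no path to systemd-localed or to a polkit agent, which is worth checking against the audit log. The profile body continues outside the hunk.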
@@ -2,50 +2,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} flags=(attach_disconnected) { +profile loginctl @{exec_path} { include include - include + include + include include - include - include capability net_admin, capability sys_resource, - signal send set=cont peer=child-pager, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - @{exec_path} mr, - @{pager_path} rPx -> child-pager, - @{bin}/ssh rPx, - - /etc/machine-id r, - - @{run}/log/journal/ r, - - /var/lib/systemd/catalog/database r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - - @{PROC}/sys/fs/nr_open r, - owner @{PROC}/@{pid}/cgroup r, - - /dev/rfkill r, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a0d1471f9..f570d5eab 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include - include capability net_admin, capability sys_module, 
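Review bot: The new side has no D-Bus rule for org.freedesktop.login1 at all — the `#aa:dbus talk bus=system name=org.freedesktop.login1` directive is deleted and not replaced — yet every loginctl verb is a call to systemd-logind. Unless one of the two includes added at the top of the profile carries that access (their targets are not visible here), the profile denies the tool's primary function; if they do, a comment such as `# org.freedesktop.login1 access is provided by the include above` would make the dependency explicit. The journal, `/dev/rfkill r,` and `@{bin}/ssh rPx,` removals narrow the profile, which is fine provided `loginctl` session output and `loginctl -H` were exercised. The profile body continues outside the hunk.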
@@ -25,24 +24,25 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, + unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" - dbus send bus=system path=/org/freedesktop/network1{,/**} + #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + # No label available + dbus send bus=system path=/org/freedesktop/network@{int} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network1), + peer=(name=org.freedesktop.network@{int}), @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, /etc/machine-id r, - owner /var/lib/systemd/network/ r, - # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, @@ -51,23 +51,17 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, - @{att}/@{run}/systemd/netif/io.systemd.Network rw, - - @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/**/net/**/uevent r, - @{PROC}/1/cgroup r, - @{PROC}/cmdline r, - @{PROC}/sys/fs/nr_open r, - @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl deleted file mode 100644 index 3013d8ae6..000000000 --- a/apparmor.d/groups/systemd/resolvectl +++ /dev/null 
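Review bot: The new D-Bus rule widens `path=/org/freedesktop/network1` and `peer=(name=org.freedesktop.network1)` to `network@{int}`, which matches any numeric suffix although only `network1` exists; the added comment `# No label available` also contradicts the `label=systemd-networkd` directive directly above it. Keep the exact names, `dbus send bus=system path=/org/freedesktop/network1` and `peer=(name=org.freedesktop.network1),`, and drop or reword the comment. Removing `@{att}/@{run}/systemd/netif/io.systemd.Network rw,` should be checked against a current systemd, which may query networkd over that varlink socket. The profile body continues outside the hunk.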
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability net_admin, - - network inet raw, - network inet6 raw, - network netlink raw, - - signal send set=cont peer=child-pager, - - unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, - - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" - dbus send bus=system path=/org/freedesktop/network1 - interface=org.freedesktop.network1.Manager - member=SetLinkDNSEx - peer=(name=org.freedesktop.network1), - - @{exec_path} mr, - - @{pager_path} rPx -> child-pager, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power index 1353547f0..44cbad98c 100644 --- a/apparmor.d/groups/systemd/systemd-ac-power +++ b/apparmor.d/groups/systemd/systemd-ac-power @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 3ae0a7143..deb22cbc1 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -22,15 +22,15 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, - unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, @{lib}/systemd/system-environment-generators/* rix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, @{bin}/man rPx, /usr/ r, @@ -47,8 +47,7 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, @@ -62,7 +61,6 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password index 6eec2ee6b..9a5e04306 100644 --- a/apparmor.d/groups/systemd/systemd-ask-password +++ b/apparmor.d/groups/systemd/systemd-ask-password @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index b5a966f37..4a80835ed 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} flags=(attach_disconnected) { +profile systemd-backlight @{exec_path} { include include 
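Review bot: `@{run}/udev/data/* r,` replaces two deliberately scoped rules (`+*:*` for subsystem entries and `c@{int}:@{int}` for character devices), so the profile now reads every udev database record including block and network devices, and the two comments that explained the scope are lost. Unless a denial on another entry type was observed, keep the two original lines with their comments. The pager rules are also added in a different order (pager, less, more) than in the other profiles of this series; use the same less/more/pager order for diffability. The profile body continues outside the hunk.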
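Review bot: Dropping `flags=(attach_disconnected)` from the systemd-backlight header (and likewise from localectl, loginctl, systemd-cryptsetup, systemd-fsck, systemd-fsckd and the two user generators in this series) means any path the process reaches through a disconnected mount — common when the unit uses PrivateTmp or similar sandboxing — is rejected outright instead of being matched against the rules. If the flag was added in response to observed disconnected-path denials, removing it brings them back; keep `profile systemd-backlight @{exec_path} flags=(attach_disconnected) {` unless the unit has been run without it. The profile body continues outside the hunk.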
@@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, @@ -27,20 +27,20 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/backlight/ r, + @{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r, @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, + + @{sys}/devices/platform/**/leds/*backlight*/brightness rw, + @{sys}/devices/platform/**/leds/*backlight*/max_brightness r, + @{sys}/devices/platform/**/leds/*backlight*/uevent r, include if exists } 
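Review bot: The two udev rules lose their explanatory comments (`# For display backlights on laptops, monitors, and other screens.` and `# For keyboard backlights, mouse LEDs, etc.`) while the `+pci:*` line below keeps its comment; restore them so the rule set stays self-documenting. The rewritten sysfs block is mostly a narrowing (read-only attributes become `r`, `enabled` and `brightness_hw_changed` go away), but the new `@{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r,` grants directory listing across the whole PCI tree, and the LED rules are now limited to `@{sys}/devices/platform/**`, so keyboard backlights that sit under a PCI or USB parent may no longer match. A comment stating which hardware the new rules were tested on would help the next reviewer.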
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 5e3406ea9..8fae04706 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,12 +16,11 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, - @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - @{lib}/binfmt.d/{,*.conf} r, + /usr/lib/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index fd202c181..0ccfd68c0 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -2,20 +2,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cat profile systemd-cat @{exec_path} { include - include - include capability net_admin, @{exec_path} mr, + @{bin}/cat rix, + @{bin}/echo rix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index 33191171e..ed7254339 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls 
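Review bot: `/usr/lib/binfmt.d/{,*.conf} r,` hardcodes the path that `@{lib}/binfmt.d/{,*.conf} r,` expressed through the tunable, while the `@{bin}/* r,` rule above it still uses a tunable; on a non-merged-usr layout where `@{lib}` also covers `/lib`, drop-ins there become unreadable. Keep the tunable form, `@{lib}/binfmt.d/{,*.conf} r,`, for consistency with the rest of the file. The profile body continues outside the hunk.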
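Review bot: `@{bin}/cat rix,` and `@{bin}/echo rix,` cover only two of the arbitrary commands `systemd-cat COMMAND` may run, and `ix` keeps them inside this profile, which still holds `capability net_admin`. Either document why these two are the only supported children, e.g. `# systemd-cat COMMAND: only cat and echo are expected here; anything else is denied`, or choose the exec transition deliberately rather than growing an ad-hoc list. The two removed includes are not visible by name; confirm the remaining one still provides what the tool needs to reach the journal socket.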
@@ -2,28 +2,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include - include - include - include - capability sys_ptrace, - - ptrace read, - - signal send set=cont peer=child-pager, - - unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, + ptrace (read), @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 90ecc99f8..9ae69cd69 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,9 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 061b93ffd..1902c6799 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted include include - userns, + # userns, capability dac_override, capability dac_read_search, 
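Review bot: `ptrace (read),` is kept without a `peer=` qualifier, so even after `capability sys_ptrace,` is removed the rule still permits read-ptrace on any process; systemd-generator-ds-identify in this same series scopes its equivalent rule as `ptrace (read) peer=@{p_systemd},`. If systemd-cgls only needs the cgroup tree and its own `/proc` entries, consider whether the rule is needed at all, and otherwise constrain the peer. The profile body continues outside the hunk.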
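Review bot: `# userns,` leaves the rule commented out instead of deleted, with no explanation of why it is disabled; the systemd-homed hunk in this series simply removes its `userns,` line. Either delete the line or keep it with a reason recorded inline, e.g. `# userns, # disabled because: <reason>`. The profile body continues outside the hunk.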
@@ -33,26 +33,13 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, - @{sbin}/* r, /opt/** r, - /usr/share/*/** r, - @{user_lib_dirs}/** r, - /snap/*/@{int}/opt/** r, - /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, - owner @{HOME}/**.so* r, - /var/lib/systemd/coredump/{,**} rwl, - owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, - - @{att}/@{run}/systemd/coredump rw, - @{run}/systemd/coredump rw, - - @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -60,11 +47,9 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index fdddebe03..fba766fe8 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -2,17 +2,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { +profile systemd-cryptsetup @{exec_path} { include include include - capability dac_read_search, capability ipc_lock, capability net_admin, capability sys_admin, @@ -27,12 +26,10 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/* rwk, @{run}/systemd/ask-password/* rw, - + @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, - @{run}/systemd/ask-password/ r, - @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, 
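Review bot: `/var/lib/systemd/coredump/{,**} rwl,` is removed together with `@{att}/@{run}/systemd/coredump rw,` and `@{run}/systemd/coredump rw,`, and no added line replaces them; unless one of the remaining includes grants the storage directory, systemd-coredump can no longer write core files, which is the helper's sole job. `@{PROC}/@{pids}/auxv r,` and `@{PROC}/@{pids}/maps r,` are what stack-trace generation reads from the crashing process, so their loss is likely to surface as denials on the first crash. Keep `/var/lib/systemd/coredump/{,**} rwl,` and the two `@{PROC}` lines, or state in a comment where the access now comes from. The profile body continues outside the hunk.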
diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 311636d95..9ac4e8239 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal send peer=child-pager, + signal (send) peer=child-pager, @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b49c20fc..63e97171c 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,16 +11,16 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include + include - capability sys_ptrace, + capability net_admin, - ptrace read peer=@{p_systemd}, + network netlink raw, @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, - @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, 
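Review bot: systemd-delta receives only `@{bin}/less rPx -> child-pager,` while every other profile in this series replaces `@{pager_path}` with less, more and pager; with `PAGER=more` or a `pager` alternative the transition is denied here and nowhere else. Add `@{bin}/more rPx -> child-pager,` and `@{bin}/pager rPx -> child-pager,` for consistency, or better keep the `@{pager_path}` tunable. The profile body continues outside the hunk.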
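Review bot: The new side grants `capability net_admin,` and `network netlink raw,` to systemd-detect-virt, which the old side explicitly denied (`deny capability net_admin,` and `deny network (send receive) netlink raw,` in the second detect-virt hunk), and nothing in either hunk says what the tool now needs netlink for. If the denies were there to silence audit noise they were the least-privilege answer and should stay; if a real need was observed, add a comment naming it above the two new lines. The removed `ptrace read peer=@{p_systemd},` pairs with the dropped `@{PROC}/1/environ r,`, which is internally consistent but means container detection via PID 1's environment no longer works. The profile body continues outside the hunk.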
@@ -29,23 +29,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, - @{sys}/firmware/uv/prot_virt_guest r, - @{sys}/hypervisor/properties/features r, - @{sys}/hypervisor/type r, - - @{PROC}/1/environ r, - @{PROC}/device-tree/ r, - @{PROC}/device-tree/compatible r, - @{PROC}/device-tree/hypervisor/compatible r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sysinfo r, - @{PROC}/xen/capabilities r, - - /dev/cpu/@{int}/msr r, - - deny capability net_admin, - deny capability perfmon, - deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 1bbb91858..991a787d2 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,28 +11,23 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability sys_admin, capability sys_resource, - mount -> /tmp/dissect-@{rand6}/, - mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, - mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/}, - mount options=(rw nodev) -> /mnt/*/, - mount options=(rw rshared rslave) -> /, + mount options=(rw, rslave) -> /, + mount options=(rw, nodev) -> /mnt/*/, + mount -> /tmp/dissect-@{rand6}/, - umount @{run}/systemd/dissect-root/, - - signal send set=cont peer=child-pager, - - ptrace read peer=@{p_systemd}, + signal (send) set=(cont) peer=child-pager, @{exec_path} mr, - @{sbin}/fsck rPx, - @{pager_path} rPx -> child-pager, + @{bin}/fsck rPx, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, # Location of file system OS images @{user_build_dirs}/{,**} r, @@ -42,19 +37,14 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dissect-@{rand6}/{,**} rw, - @{run}/systemd/dissect-root/ rw, - @{run}/systemd/dissect-root/** rwlk, - @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pids}/cgroup r, /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop* rwk, - /dev/mapper/control w, + /dev/loop* rwk, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index 469ccc945..c292c1d96 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -2,14 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-escape profile systemd-escape @{exec_path} { include - include + include @{exec_path} mr, 
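Review bot: `@{PROC}/@{pid}/cgroup r,` becomes `@{PROC}/@{pids}/cgroup r,`, widening from the process's own entry to every PID while the rest of the hunk narrows the profile, and `@{PROC}/@{pid}/mountinfo r,` is dropped at the same time although a tool that mounts images normally reads its own mount table. Keep `owner @{PROC}/@{pid}/cgroup r,` and restore `owner @{PROC}/@{pid}/mountinfo r,` unless a denial motivated the change. The surviving `mount -> /tmp/dissect-@{rand6}/,` carries no source, fstype or options restriction; a comment saying what gets mounted there would help the next reviewer judge it. The profile body continues outside the hunk.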
diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 4836c9747..2d6326d71 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} flags=(attach_disconnected) { +profile systemd-fsck @{exec_path} { include include include @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/e2fsck rPx, - @{sbin}/fsck rPx, - @{sbin}/fsck.* rPx, + @{bin}/e2fsck rPx, + @{bin}/fsck rPx, + @{bin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 7abde7c90..9fc59bfe0 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { +profile systemd-fsckd @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot b/apparmor.d/groups/systemd/systemd-generator-bless-boot similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-bless-boot rename to apparmor.d/groups/systemd/systemd-generator-bless-boot index 32e2aac65..e09b01d5a 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd/systemd-generator-bless-boot @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
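Review bot: `@{sbin}/e2fsck`, `@{sbin}/fsck` and `@{sbin}/fsck.*` are rewritten as `@{bin}/...`; the same `@{sbin}` to `@{bin}` swap appears for fsck in systemd-dissect, blkid in systemd-generator-ds-identify and mkfs.*/mke2fs in systemd-homed. This only works if `@{bin}` is defined to include the sbin directories — on a layout where it expands to bin only, these transitions stop matching and the tools are denied. If `@{sbin}` is still a defined tunable keep it; otherwise add a comment at the first use recording that `@{bin}` covers sbin. The profile body continues outside the hunk.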
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init similarity index 78% rename from apparmor.d/groups/systemd-generators/systemd-generator-cloud-init rename to apparmor.d/groups/systemd/systemd-generator-cloud-init index 698a4fcb9..d57de673b 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/systemd-detect-virt rPx, @{lib}/cloud-init/ds-identify rPUx, @@ -23,9 +22,6 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ w, @{run}/cloud-init/cloud-init-generator.* rw, @{run}/cloud-init/disabled w, - @{run}/cloud-init/enabled w, - @{run}/systemd/generator.early/multi-user.target.wants/ w, - @{run}/systemd/generator.early/multi-user.target.wants/cloud-init.target w, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup b/apparmor.d/groups/systemd/systemd-generator-cryptsetup similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd/systemd-generator-cryptsetup index 1979dba1d..e29178fbd 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-generator-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
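Review bot: `@{run}/cloud-init/enabled w,` is removed while `@{run}/cloud-init/disabled w,` is kept, and `@{bin}/ln rix,` goes away together with the `generator.early/multi-user.target.wants/` paths; the generator writes one of the two marker files and symlinks cloud-init.target into the wants directory, so on a host where cloud-init is enabled these removals are likely to show up as denials at boot. Unless the enabled path is known to be unused in this environment, keep `@{run}/cloud-init/enabled w,` symmetric with the `disabled` line and restore the `ln` and wants-directory rules. The profile body continues outside the hunk.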
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-debug b/apparmor.d/groups/systemd/systemd-generator-debug similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-debug rename to apparmor.d/groups/systemd/systemd-generator-debug index 4ce9d2974..2d83cc0ba 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-debug +++ b/apparmor.d/groups/systemd/systemd-generator-debug @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify similarity index 89% rename from apparmor.d/groups/systemd-generators/systemd-generator-ds-identify rename to apparmor.d/groups/systemd/systemd-generator-ds-identify index daa877efe..b88d2387f 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,16 +12,15 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/blkid rPx, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, - @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch b/apparmor.d/groups/systemd/systemd-generator-environment-arch similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-arch rename to apparmor.d/groups/systemd/systemd-generator-environment-arch index 738144547..6311ad9c4 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch 
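Review bot: `@{bin}/{,e}grep rix,` is removed while the other shell helpers (`@{sh_path}`, `tr`, `uname`) stay; ds-identify is a shell script, and if it still pipes through grep the profile denies it on the next boot. Check the script for grep usage before dropping the rule, or record in a comment why it is no longer needed. The `ptrace read` to `ptrace (read)` rewrite is cosmetic and fine. The profile body continues outside the hunk.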
+++ b/apparmor.d/groups/systemd/systemd-generator-environment-arch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd/systemd-generator-environment-flatpak index a4ba2afe1..e03b70cca 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab similarity index 89% rename from apparmor.d/groups/systemd-generators/systemd-generator-fstab rename to apparmor.d/groups/systemd/systemd-generator-fstab index 193ff22af..075c5c6af 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,13 +13,12 @@ profile systemd-generator-fstab @{exec_path} { capability dac_override, capability dac_read_search, - capability mknod, @{exec_path} mr, /etc/fstab r, - @{run}/systemd/generator/** rw, + @{run}/systemd/generator/** w, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty similarity index 98% rename from apparmor.d/groups/systemd-generators/systemd-generator-getty rename to apparmor.d/groups/systemd/systemd-generator-getty index 0eadabec8..92b5a4ffa 100644 
--- a/apparmor.d/groups/systemd-generators/systemd-generator-getty +++ b/apparmor.d/groups/systemd/systemd-generator-getty @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto similarity index 95% rename from apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd/systemd-generator-gpt-auto index 4bf0092d0..613380b43 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,8 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - @{efi}/ r, + /boot/ r, + /efi/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd/systemd-generator-hibernate-resume index 7c5e9ec80..dbfee2fcd 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume +++ b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup b/apparmor.d/groups/systemd/systemd-generator-integritysetup similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-integritysetup rename to apparmor.d/groups/systemd/systemd-generator-integritysetup index 72ef28061..9eb46a451 100644 
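Review bot: `@{efi}/ r,` is replaced with the hardcoded `/boot/ r,` and `/efi/ r,`; whatever else the `@{efi}` tunable covered (typically the `/boot/efi/` mount point several distributions use) is no longer readable, so the generator cannot inspect the ESP directory there. Keep `@{efi}/ r,` if the tunable is still defined, or at least add `/boot/efi/ r,` beside the two new lines. The profile body continues outside the hunk.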
--- a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-integritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree similarity index 95% rename from apparmor.d/groups/systemd-generators/systemd-generator-ostree rename to apparmor.d/groups/systemd/systemd-generator-ostree index ce2ecaf43..c38e3690b 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ostree +++ b/apparmor.d/groups/systemd/systemd-generator-ostree @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator +@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-run b/apparmor.d/groups/systemd/systemd-generator-run similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-run rename to apparmor.d/groups/systemd/systemd-generator-run index 39c8b0fd6..272073edc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-run +++ b/apparmor.d/groups/systemd/systemd-generator-run @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd/systemd-generator-system-update similarity index 87% rename from apparmor.d/groups/systemd-generators/systemd-generator-system-update rename to apparmor.d/groups/systemd/systemd-generator-system-update index 9767a2e72..f9d09d634 100644 
--- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd/systemd-generator-system-update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,8 +13,7 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart similarity index 83% rename from apparmor.d/groups/systemd-generators/systemd-generator-user-autostart rename to apparmor.d/groups/systemd/systemd-generator-user-autostart index ff4c74664..95dab2026 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -2,15 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { +profile systemd-generator-user-autostart @{exec_path} { include include - include include capability net_admin, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment similarity index 85% rename from apparmor.d/groups/systemd-generators/systemd-generator-user-environment rename to apparmor.d/groups/systemd/systemd-generator-user-environment index 27db22078..1abceb364 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment 
@@ -2,18 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { +profile systemd-generator-user-environment @{exec_path} { include include include - capability net_admin, - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup b/apparmor.d/groups/systemd/systemd-generator-veritysetup similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-veritysetup rename to apparmor.d/groups/systemd/systemd-generator-veritysetup index 97776312f..a0084a26b 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index c53be3a35..a9f9d7fb1 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,8 +14,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include - userns, - capability chown, capability dac_override, capability dac_read_search, @@ -26,7 +24,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, - capability sys_ptrace, capability sys_resource, network inet dgram, 
@@ -35,33 +32,22 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount -> @{run}/systemd/user-home-mount/, - mount options=(rw private) -> @{run}/systemd/user-home-mount/, - mount options=(rw rslave) -> @{run}/, - - umount @{run}/systemd/user-home-mount/, - - signal (send receive) set=kill peer=systemd-homed//&systemd-homework, - - ptrace read peer=systemd-homed//&systemd-homework, - - unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, + mount options=(rw, rslave) -> @{run}/, + mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, #aa:dbus own bus=system name=org.freedesktop.home1 - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> &systemd-homework, - @{sbin}/mkfs.btrfs rPx, - @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, + @{lib}/systemd/systemd-homework rPx, + @{bin}/mkfs.btrfs rPx, + @{bin}/mkfs.fat rPx, + @{bin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, /etc/skel/{,**} r, - /var/cache/systemd/home/{,**} rw, /var/lib/systemd/home/{,**} rw, / r, @@ -74,7 +60,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, - @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, @@ -85,12 +70,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index b81c196f8..8dc8a825d 100644 --- a/apparmor.d/groups/systemd/systemd-homework 
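Review bot: The new side still mounts onto the home area (`mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,`) but the matching `umount @{run}/systemd/user-home-mount/,` rule is dropped, so deactivating a home would presumably be denied at unmount time unless the worker does it; that needs confirming against a deactivate run. The `rPx -> &systemd-homework` transition also becomes a plain `@{lib}/systemd/systemd-homework rPx,` while the `ptrace` and `signal` peer rules between homed and its worker are removed, so supervision of the worker now rests entirely on whatever the systemd-homework profile permits. If the umount is intended to happen in the worker, a one-line comment above the mount rules saying so would spare the next reader the question. The enclosing profile starts outside the hunk.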
+++ b/apparmor.d/groups/systemd/systemd-homework @@ -2,73 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} flags=(attach_disconnected) { +profile systemd-homework @{exec_path} { include - include - include include - - userns, - - capability chown, - capability fowner, - capability fsetid, - capability setfcap, - capability setgid, - capability setuid, - capability sys_admin, - capability sys_resource, - - network netlink raw, - - mount options=(rw rslave) -> @{run}/, - mount -> @{run}/systemd/user-home-mount/, - - umount @{run}/systemd/user-home-mount/, - - signal (send receive) set=kill peer=systemd-homed//&systemd-homework, - - ptrace read peer=systemd-homed//&systemd-homework, + include @{exec_path} mr, - @{sbin}/mkfs.btrfs rPx, - @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, - /etc/machine-id r, - /etc/skel/{,**} r, - - /var/cache/systemd/home/{,**} rw, - - @{HOMEDIRS}/ r, - @{HOMEDIRS}/.#homework@{user}.* rw, - @{HOMEDIRS}/@{user}.home rw, - - @{run}/ r, - @{run}/cryptsetup/ r, - @{run}/cryptsetup/* rwk, - @{run}/systemd/user-home-mount/ rw, - @{run}/systemd/user-home-mount/@{user}/{,**} rw, - - @{sys}/fs/ r, - - @{PROC}/devices r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/uid_map w, - - /dev/loop-control rwk, - /dev/loop@{int} rw, - /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8fae34b29..b81b16403 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
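Review bot: On the new side systemd-homework is reduced to its includes plus `@{exec_path} mr,`, while the systemd-homed hunk above still transitions into it with `rPx`, so the worker would run under a profile with no mount, capability, loop-device or `mkfs.*` rules at all. Unless that work moved back into homed (its own hunk does not show it), the first home activation would presumably produce denials from this profile, and the removed lines are the obvious reference for what to restore. A short header such as `# Worker spawned by systemd-homed; performs the mount/mkfs work on home areas` would document why this profile needs more than `mr`.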
@@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-hostnamed -profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { +profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { include include include @@ -16,25 +16,26 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname - network unix stream, - - unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, @{etc_rw}/.#hostname* rw, @{etc_rw}/hostname rw, - /etc/.#machine-info@{hex16} rw, /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, /etc/os-release r, - @{att}/@{run}/systemd/notify rw, - @{run}/systemd/default-hostname rw, + @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, @@ -44,16 +45,12 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_serial r, - @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, @{sys}/firmware/acpi/pm_profile r, @{sys}/firmware/dmi/entries/*/raw r, - /dev/vsock r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index ae64274c6..4ee18fb34 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb 
+++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, - /etc/udev/hwdb.bin w, + /etc/udev/.#hwdb.bind* rw, + /etc/udev/hwdb.bin rw, /etc/udev/hwdb.d/{,*} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 index f0944db26..afa516e39 100644 --- a/apparmor.d/groups/systemd/systemd-id128 +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index ae475ff48..755cfe5ee 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,13 +14,11 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=@{p_packagekitd}, - @{exec_path} mr, @{bin}/cat rix, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl deleted file mode 100644 index 05f32a7f6..000000000 --- a/apparmor.d/groups/systemd/systemd-initctl +++ /dev/null 
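Review bot: `/etc/udev/.#hwdb.bind* rw,` looks like a glob copied from one observed temporary filename: the `d` after `.#hwdb.bin` is the first character of a random suffix, so only suffixes that happen to start with `d` will match and other runs will be denied. The sibling rule two lines above already uses `@{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},`, and the `/etc/udev` rule should take the same form, e.g. `/etc/udev/.#hwdb.bin@{hex} rw,`. The same pattern recurs in the systemd-localed hunk further down as `/etc/X11/xorg.conf.d/.#*.confd* rw,`, where the removed line `/etc/X11/xorg.conf.d/.#*.conf@{hex} rw,` was the correct form. Dropping the `wl -> /etc/udev/#@{int}` variant also removes the rename target for the atomic write into `/etc/udev`, which is worth checking against how systemd-hwdb actually writes `hwdb.bin`.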
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-initctl -profile systemd-initctl @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability net_admin, - - unix type=stream addr=@@{udbus}/bus/systemd-initctl/, - - @{exec_path} mr, - - @{run}/initctl rw, - @{run}/systemd/notify rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index e0a8a2e47..29191a95d 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile systemd-journald @{exec_path} { include include include @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace read, + ptrace (read), @{exec_path} mr, 
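Review bot: `profile systemd-journald @{exec_path} {` drops `flags=(attach_disconnected,mediate_deleted)` while every rule in the profile stays the same. journald is known to hold rotated journal files open after they are unlinked, and without `mediate_deleted` those accesses are no longer matched against the path rules, so this is likely to show up as denials after the first rotation; `attach_disconnected` matters the same way for paths it holds across mount-namespace changes. If the removal is deliberate, a comment above the profile line naming the AppArmor version or reason would help; otherwise keep `flags=(attach_disconnected,mediate_deleted)`. The `ptrace read,` to `ptrace (read),` change in the second hunk is purely syntactic and fine.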
@@ -46,25 +46,22 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI - @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. 
- @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+sdio:* r, + @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+usb-serial:* r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* - @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{run}/udev/data/b259:@{int} r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/b8:@{int} r, # for /dev/sd* @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c108:@{int} r, # For /dev/ppp @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters @@ -82,7 +79,6 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index cefab3890..c149f37ee 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
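Review bot: The `@{run}/udev/data/b8:@{int} r, # for /dev/sd*` rule is removed in the `@@ -46,25 +46,22 @@` hunk while every other udev major (`b254`, `b259`, `c1`, `c4`, …) stays, so journald would presumably lose access to device metadata for SCSI/SATA disks when it logs block-device events; if that is intended, it deserves a comment. The same hunk also empties the explanatory comments on the `+acpi:`, `+pci:`, `+platform:`, `+scsi:` … lines and on `b259`, which were the only documentation of what each udev class rule is for, and keeping them on the new lines costs nothing. The `@@ -82,7 +79,6 @@` hunk below additionally drops `@{PROC}/@{pids}/status r,` without a note; fine if journald no longer reads it, but worth a line in the commit message.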
@@ -14,46 +14,27 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=Reload - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, - @{bin}/cat ix, - @{bin}/gzip ix, - @{bin}/localedef ix, - @{bin}/rm ix, - @{bin}/sort ix, - @{sbin}/locale-gen rPx, - - /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, - /etc/ r, - /etc/.#locale.conf@{hex16} rw, - /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, - /etc/locale.conf rw, - /etc/locale.gen rw, - /etc/nsswitch.conf r, - /etc/passwd r, + /etc/locale.conf r, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ rw, - /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, + /etc/X11/xorg.conf.d/ r, + /etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/*.conf rw, - @{att}/@{run}/systemd/notify rw, + @{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b102829d..855d0d58c 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -3,7 +3,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include - include include include include include + include capability chown, capability dac_override, 
@@ -27,10 +27,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, - mqueue getattr type=posix /, - mqueue r type=posix /, + # mqueue r type=posix /, - unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -41,6 +40,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(label=ksmserver-logout-greeter), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, /etc/machine-id r, @@ -50,15 +54,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - @{efi}/{,**} r, + /boot/{,**} r, + /efi/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/{,@{user}} rw, + /var/lib/systemd/linger/ r, @{run}/.#nologin* rw, - @{run}/credentials/getty@tty@{int}.service/ r, @{run}/host/container-manager r, @{run}/nologin rw, @{run}/utmp rk, 
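Review bot: `/var/lib/systemd/linger/ r,` replaces `/var/lib/systemd/linger/{,@{user}} rw,` in the `@@ -50,15 +54,15 @@` hunk, removing write access to the per-user linger files; `loginctl enable-linger`/`disable-linger` have logind create and remove exactly those files, so they would presumably now be denied. Keep `/var/lib/systemd/linger/{,@{user}} rw,` unless lingering is meant to be unsupported under this profile. In the `@@ -27,10 +27,9 @@` hunk, `# mqueue r type=posix /,` leaves a disabled rule behind with no reason given; either delete it or say why it is off, e.g. `# mqueue rule disabled: <reason>`. The enclosing profile starts outside these hunks.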
@@ -68,15 +72,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+drivers:* r, # For drivers loaded in the system + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+drivers:* r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @@ -89,13 +91,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, - @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/@{int}{,.ref} rw, + @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/journal/socket rw, + @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, 
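Review bot: `@{run}/systemd/inhibit/[0-9]*{,.ref} rw,` reintroduces a hand-written digit glob where the line it replaces and the rest of the profile (e.g. `@{run}/udev/data/c1:@{int}`) use the `@{int}` variable; `[0-9]*` may also match more than `@{int}` does (names with leading zeros), so prefer `@{run}/systemd/inhibit/@{int}{,.ref} rw,`. In the `@@ -68,15 +72,13 @@` hunk the comments on the `+backlight:`, `+drivers:`, `+hid:` and `+i2c:` lines are dropped while the neighbouring `+drm:` and `+input:` lines keep theirs; a uniform comment column is easier to maintain, so keep them.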
@@ -124,13 +124,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -138,12 +137,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, /dev/dri/card@{int} rw, - @{att}/dev/dri/card@{int} rw, - - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - /dev/shm/{,**/} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + owner /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a2115a926..71c9d0467 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,21 +17,18 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace read, + ptrace (read), - mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, umount /etc/machine-id, @{exec_path} mr, - @{att}/ r, / r, /etc/ r, /etc/machine-id rw, /var/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, 
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 520080082..512fdde82 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -2,15 +2,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} flags=(attach_disconnected) { +profile systemd-machined @{exec_path} { include include - include include include @@ -22,7 +21,6 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability setgid, - capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,48 +31,24 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal send set=rtmin+6 peer=systemd-nspawn, - - ptrace read peer=systemd-nspawn, - - unix type=stream addr=@@{udbus}/bus/systemd-machine/system, - #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, + /var/lib/machines/{,**} rw, /etc/machine-id r, - / r, - @{att}/ r, - - owner /var/lib/machines/ rw, - owner /var/lib/machines/** rwk, - - owner @{run}/systemd/nspawn/ w, - owner @{run}/systemd/nspawn/locks/ w, - owner @{run}/systemd/nspawn/locks/** rwk, - @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, - /dev/ptmx rw, - /dev/pts/@{int} rw, - /dev/pts/ptmx rw, - /dev/vsock r, - include if exists } 
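Review bot: `/var/lib/machines/{,**} rw,` is inserted between `@{exec_path} mr,` and `/etc/machine-id r,`, which breaks the file's ordering (`/etc` before `/var`, as the surrounding rules follow), and it drops the `owner` qualifier that the removed `owner /var/lib/machines/** rwk,` rules carried, so the profile now writes to machine images regardless of who owns them. Move it below the `/etc/machine-id r,` line and keep `owner /var/lib/machines/{,**} rw,` unless machined genuinely needs to write images it does not own. The profile line also loses `flags=(attach_disconnected)` while the `@{run}/systemd/machine/` and `@{run}/systemd/machines/` rules remain, which is worth confirming on a host that actually runs containers.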
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 74a824411..05ec6dc34 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{sbin}/mkfs.* rPx, - @{sbin}/mkswap rPx, + @{bin}/mkfs.* rPx, + @{bin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 3f778244b..4ecbd0acb 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -3,17 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { +profile systemd-modules-load @{exec_path} { include include capability net_admin, - capability perfmon, capability sys_module, @{exec_path} mr, @@ -24,9 +23,6 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, - @{run}/modprobe.d/ r, - @{run}/modprobe.d/*.conf r, - @{sys}/devices/@{pci}/config r, @{sys}/module/*/initstate r, @{sys}/module/compression r, diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index b78de3312..4db3dcacf 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,7 +13,9 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index ceebbc5c2..cce35fae6 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -2,12 +2,12 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { +profile systemd-network-generator @{exec_path} { include include @@ -17,8 +17,6 @@ profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/network/{,**} rw, - @{run}/credentials/systemd-network-generator.service/ r, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ccb6d9629..f0f97433d 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,12 +14,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include - capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, - capability sys_admin, network inet dgram, network inet6 dgram, 
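Review bot: The three lines `@{bin}/less rPx -> child-pager,`, `@{bin}/more rPx -> child-pager,` and `@{bin}/pager rPx -> child-pager,` replace the single `@{pager_path} rPx -> child-pager,`; if `@{pager_path}` is still the variable other profiles use for pagers, this profile will diverge silently whenever a pager is added to it and already omits anything else the variable covered. Prefer the variable unless it has been removed from the tunables, in which case a comment on the first line saying so would explain the enumeration. The enclosing profile starts and ends outside the hunk.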
@@ -29,9 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, - - signal receive set=usr2 peer=@{p_systemd}, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 
@@ -42,52 +38,40 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), + peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), @{exec_path} mr, /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/network.conf r, - /etc/systemd/network/{,**} r, /etc/systemd/networkd.conf r, - /etc/systemd/networkd.conf.d/{,**} r, + /etc/systemd/network/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, - @{att}/ r, - @{att}/@{run}/systemd/notify rw, - - @{run}/mount/utab r, - @{run}/systemd/resolve/resolv.conf r, - - owner @{att}/var/lib/systemd/network/ r, - - owner /var/lib/systemd/network/ rw, - owner /var/lib/systemd/network/** rwk, - @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, - owner @{run}/systemd/netif/** rw, + @{run}/systemd/notify rw, + owner @{run}/systemd/netif/.#state rw, + owner @{run}/systemd/netif/.#state* rw, + owner @{run}/systemd/netif/leases/{,*} rw, + owner @{run}/systemd/netif/links/{,*} rw, + owner @{run}/systemd/netif/lldp/{,*} rw, + owner @{run}/systemd/netif/state rw, - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/fs/cgroup/ r, - @{sys}/kernel/btf/vmlinux r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/version_signature r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, include if exists } 
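Review bot: `owner @{run}/systemd/netif/.#state rw,` is fully covered by the next line `owner @{run}/systemd/netif/.#state* rw,`; one of the two is redundant and the pair reads like a leftover from log-driven rule collection, so keep only the glob form, or better the `@{rand6}`/`@{hex}` style used elsewhere on this page for systemd temporary files. The peer label on the hostname1 call is also hard-coded as `label=systemd-hostnamed` where the removed line used `label="@{p_systemd_hostnamed}"`; if that variable still exists, it keeps the rule correct when the hostnamed profile is renamed or stacked. The enclosing profile starts outside the hunk.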
diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index c36b5af39..8e9ec3438 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { +profile systemd-networkd-wait-online @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index f62599d28..7be0e88ed 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -2,14 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/systemd-notify profile systemd-notify @{exec_path} { include - include capability sys_admin, capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced deleted file mode 100644 index 97dcb3b05..000000000 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ /dev/null 
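Review bot: `profile systemd-networkd-wait-online @{exec_path} flags=(complain)` puts this profile into complain mode, so none of its rules are enforced and every access is only logged; that is a policy decision that should be visible to anyone reading the file. Add a comment above the profile line stating why it is in complain mode and what would let it return to enforce, e.g. `# complain: <reason / tracking reference>`; as written, a reader cannot tell a deliberate staging step from an accidental commit. Dropping `attach_disconnected` in the same line means the flag set will have to be revisited again when the profile is enforced.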
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { - include - include - - capability bpf, - capability perfmon, - capability sys_resource, - - signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, - - @{exec_path} mr, - - @{lib}/systemd/systemd-nsresourcework ix, # no new privs - - @{run}/systemd/nsresource/ rw, - @{run}/systemd/nsresource/** rw, - - @{sys}/devices/kprobe/type r, - @{sys}/fs/bpf/ r, - @{sys}/fs/bpf/systemd/ rw, - @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, - @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, - @{sys}/kernel/btf/vmlinux r, - @{sys}/kernel/security/lsm r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework deleted file mode 100644 index 5b8d53398..000000000 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-nsresourcework -profile systemd-nsresourcework @{exec_path} { - include - - capability sys_resource, - - signal send set=usr2 peer=systemd-nsresourced, - - @{exec_path} mr, - - @{run}/systemd/nsresource/registry/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index ce61dba23..9ebe87c49 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 @@ -24,11 +24,10 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, - - @{run}/systemd/io.system.ManagedOOM rw, - @{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/io.system.ManagedOOM rw, + @{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/notify rw, + owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 0d061d845..7ab73f52e 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,10 +10,11 @@ include profile systemd-path @{exec_path} { include include - include @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled index bee3df8df..a54c5d8db 100644 --- a/apparmor.d/groups/systemd/systemd-portabled +++ b/apparmor.d/groups/systemd/systemd-portabled @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index 86ea02a0d..e9753150c 100644 
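Review bot: In the `@@ -24,11 +24,10 @@` hunk of systemd-oomd the notify socket rule goes from `w` to `@{run}/systemd/notify rw`, which is wider than the daemon needs: sending on a path-bound unix socket requires only write permission on the socket node, so `@{run}/systemd/notify w,` keeps the previous privilege level. The same widening appears in systemd-resolved on L708 (`@{run}/systemd/notify rw,`). The `@{att}/`-prefixed rules are dropped in the same hunk while the profile keeps `attach_disconnected`; if `@{att}` is the disconnected-path prefix used by the full-system-policy build, those accesses may now be denied in that configuration, so check the tunable's definition before merging.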
--- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { +profile systemd-random-seed @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 73213160b..44ab5cfaf 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { +profile systemd-remount-fs @{exec_path} { include include include @@ -17,19 +17,18 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> @{PROC}/, + mount options=(rw, remount) -> /proc/, @{exec_path} mr, @{bin}/mount rix, - @{etc_ro}/blkid.conf r, - @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.* rwk, + @{run}/mount/utab.@{rand6} rw, + @{run}/mount/utab.lock rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve new file mode 100644 index 000000000..cfb0732dc --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-resolve 
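Review bot: In the systemd-remount-fs `@@ -17,19 +17,18 @@` hunk the remount target is written as the literal `/proc/` while the rest of the file, including the rule directly above it, uses tunables such as `@{PROC}`, `@{run}` and `@{sys}`; `mount options=(rw, remount) -> @{PROC}/,` keeps the file consistent with its own conventions. The same literal-path pattern appears in systemd-sysctl (`/usr/lib/sysctl.d/`, L712), systemd-sysusers (`/usr/lib/sysusers.d/`, L713) and systemd-tmpfiles (`/usr/lib/tmpfiles.d/` and `/run/{,**}`, L715), where dropping `@{lib}` and `@{run}` presumably also drops whatever alternate roots those variables expand to, so the change should be checked on a non-merged-usr layout. The split of `utab.*` into `utab.@{rand6} rw` and `utab.lock rwk` is a welcome tightening.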
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/resolvectl +@{exec_path} += @{bin}/systemd-resolve +profile systemd-resolve @{exec_path} { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + @{PROC}/ r, + owner @{PROC}/@{pids}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 8f4b5bc57..7b2e7ffa9 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -1,8 +1,8 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only +# SPDX-License-Identifier: GPL-3.0-only -abi , +abi , include @@ -31,22 +31,27 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.resolve1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{att}/@{run}/systemd/notify w, - - @{run}/systemd/netif/links/* r, - @{run}/systemd/resolve/{,**} rw, + @{run}/systemd/netif/links/* r, + @{run}/systemd/notify rw, + @{run}/systemd/resolve/{,**} rw, + owner @{run}/systemd/journal/socket w, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 34e7255ab..1ff164b86 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill 
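Review bot: The new systemd-resolve profile grants `capability mknod,` to what is a command-line client (resolvectl / systemd-resolve), and nothing in the rule body shows what device or special file it would create; a capability like this should carry a comment naming the operation that needs it, e.g. `capability mknod, # needed for: <observed denial>`, or be left out until a denial is observed. The `owner @{PROC}/@{pids}/fd/ r,` rule uses `@{pids}` where the sibling profiles in this diff use `@{pid}` for a process's own entries; confirm which variable is intended. The unowned `@{PROC}/ r,` allows enumerating all processes, which is acceptable for a client but also deserves a one-line why-comment.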
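Review bot: The systemd-resolved `@@ -1,8 +1,8 @@` hunk changes the licence header to `# SPDX-License-Identifier: GPL-3.0-only`, while every other profile touched in this diff keeps `GPL-2.0-only`; a licence change confined to a single file in a tree under one licence is almost certainly a typo, and if it is deliberate it needs to be stated in the commit message. The new `dbus send` rule for `GetConnectionUnixUser`/`GetConnectionUnixProcessID` is reasonable for a daemon that checks its callers, but the `include if exists` line at the end of the second hunk changed in a way this rendering does not show, so the included path should be verified on the real diff.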
+++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -3,17 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { +profile systemd-rfkill @{exec_path} { include include capability net_admin, - capability sys_admin, capability sys_ptrace, network netlink raw, @@ -23,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/+rfkill:* r, @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index e9887c0cb..02abda424 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a55bf752d..a17c13631 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-sleep -profile systemd-sleep @{exec_path} flags=(attach_disconnected) { +profile systemd-sleep @{exec_path} { include include include @@ -19,8 +19,6 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} mr, - @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, @@ -33,6 +31,7 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{sys}/power/state rw, + include if exists } 
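Review bot: The systemd-rfkill `@@ -23,7 +22,7 @@` hunk keeps the `@{run}/udev/data/+rfkill:* r,` rule but strips its explanatory comment, leaving a reader with no hint why the daemon reads udev device data; the rule is unchanged, so the documentation should stay, e.g. `@{run}/udev/data/+rfkill:* r, # rfkill switches exposed via udev`. In the first hunk `capability sys_admin,` is removed together with `attach_disconnected`, which is a tightening; confirm against the audit log that rfkill state restore still works before enforcing.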
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub2 similarity index 88% rename from apparmor.d/groups/systemd/systemd-sleep-grub rename to apparmor.d/groups/systemd/systemd-sleep-grub2 index 38be5772f..e7ae09355 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub2 @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,13 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, + @{PROC}/@{pid}/maps r, + /dev/tty rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 5b9c51dbe..9a282e7f8 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,6 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, - @{sh_path} r, - - @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 2ca5d7474..4ff89f5a7 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile systemd-sleep-nvidia @{exec_path} { include include - capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index e29a41a7a..d854cd7f7 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat 
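Review bot: In the renamed systemd-sleep-grub2 hunk the added `@{PROC}/@{pid}/maps r,` is not restricted with `owner`, so the hook may read the memory map of any process it can see rather than only its own; `owner @{PROC}/@{pid}/maps r,` is the usual form for a process inspecting itself, and the broader form needs a comment if it is really required. The file is renamed to systemd-sleep-grub2 and systemd-sleep (L709) now executes `system-sleep/grub2.sleep`, but the hunk context still shows `profile systemd-sleep-grub @{exec_path} {`; if the project's linter expects the profile name to match the file name this will be flagged, so rename the profile in the same change. `/dev/tty rw,` is also added without a note on why a sleep hook needs a terminal.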
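Review bot: systemd-sleep-hdparm's `@@ -11,9 +11,6 @@` hunk removes `@{sh_path} r,`; if the hdparm sleep hook is a shell script (the profile attaches to it by path and previously executed `power.d/*hdparm-apm` via `ix`), the interpreter needs a rule in this profile and nothing in the hunk shows what replaces it. The same removal is made in systemd-sleep-tlp (`@{sh_path} rix,`) and systemd-sleep-upgrades (`@{sh_path} r,`) on L711, so all three should be re-tested by actually suspending the machine and checking the audit log for the interpreter being denied.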
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,6 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, - @{lib}/sysstat/sa{1,2} Px, - @{lib}/sysstat/debian-sa{1,2} Px, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index fc9a51067..1e7d3fe34 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{sbin}/tlp rPUx, + @{bin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index c2c107b1f..9d1758e25 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, - @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-socket-proxyd b/apparmor.d/groups/systemd/systemd-socket-proxyd index 7290e6d0c..0a9c75aa3 100644 --- a/apparmor.d/groups/systemd/systemd-socket-proxyd +++ b/apparmor.d/groups/systemd/systemd-socket-proxyd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge deleted file mode 100644 index 5f3bc2e36..000000000 --- a/apparmor.d/groups/systemd/systemd-stdio-bridge +++ /dev/null 
@@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/systemd-stdio-bridge -profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { - include - include - include - - signal send set=term peer=@{p_systemd}, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index 5ccf33219..bb0f082b9 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { +profile systemd-sulogin-shell @{exec_path} { include include @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/sulogin rPx, + @{bin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 87e0ede5c..f209745fc 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - @{lib}/sysctl.d/{,*.conf} r, + /usr/lib/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2d250f63c..18ef93df0 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,16 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { capability fsetid, capability net_admin, - signal send set=cont peer=child-pager, - @{exec_path} mr, - @{pager_path} rPx -> child-pager, - # Config file locations - /etc/sysusers.d/{,*.conf} r, - @{run}/sysusers.d/{,*.conf} r, - @{lib}/sysusers.d/{,*.conf} r, + /etc/sysusers.d/*.conf r, + @{run}/sysusers.d/*.conf r, + /usr/lib/sysusers.d/*.conf r, # Where the users can be created, /home/{,*} rw, @@ -44,8 +40,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { /etc/.#{group,gshadow}@{hex} rw, /etc/.pwd.lock rwk, - owner @{PROC}/@{pid}/cgroup r, - /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index b65f2b7af..4d9ae9ce1 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 
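Review bot: In the systemd-sysusers `@@ -16,16 +16,12 @@` hunk the config rules are narrowed from `{,*.conf}` to `*.conf`, e.g. `/etc/sysusers.d/*.conf r,`, which drops read permission on the directories themselves; systemd-sysusers discovers its fragments by listing `/etc/sysusers.d/`, `@{run}/sysusers.d/` and `/usr/lib/sysusers.d/`, and a directory listing needs `r` on the directory, so without it the enumeration is denied and no fragments are processed. Keep the `{,*.conf}` form. The `# Config file locations` comment is removed while the rules it described remain, so it should stay too. Dropping the pager transition and `signal send set=cont peer=child-pager` is only safe if the binary is never run interactively with a pager; confirm.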
@@ -23,14 +23,6 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={DisableUnitFiles,EnableUnitFiles} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={JobRemoved,Reload,StartUnit,StopUnit} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, @@ -43,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{att}/@{run}/systemd/notify rw, + @{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 2ac7f09fb..51fd6358e 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,8 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), + unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, + unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 
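Review bot: The `@@ -23,14 +23,6 @@` hunk of systemd-timedated drops the two `dbus send ... interface=org.freedesktop.systemd1.Manager` rules (`EnableUnitFiles`/`DisableUnitFiles` and `StartUnit`/`StopUnit`/`Reload`) while keeping the `GetAll` Properties rule to the same peer, so the daemon can still read unit state but can no longer enable or start a unit. If timedated's `SetNTP` call still toggles the NTP service through systemd1 as it has historically, `timedatectl set-ntp` will now be denied on the D-Bus hop; re-test that path and, if the removal is deliberate, leave a comment saying why. The profile body continues outside this hunk.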
@@ -34,11 +34,11 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - @{att}/@{run}/systemd/notify rw, - @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, + @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, + owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 0e1e404ab..595ccf7da 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - @{lib}/tmpfiles.d/{,*.conf} r, + /usr/lib/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - @{run}/{,**} rw, + /run/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, @@ -51,10 +51,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, - @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, - @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b318bf3dd..f1da3f8a6 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,32 +13,21 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, - capability dac_read_search, capability net_admin, capability sys_resource, - signal receive set=(term cont winch) peer=@{p_logrotate}, - signal receive set=(term cont winch) peer=*//systemctl, - signal receive set=(term cont winch) peer=deb-systemd-invoke, - signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=machinectl, - signal receive set=(term cont winch) peer=makepkg//sudo, - signal receive set=(term cont winch) peer=role_*, - signal receive set=(term cont winch) peer=rpm, + signal (receive) set=(term cont) peer=*//systemctl, + signal (receive) set=(term cont) peer=default, + signal (receive) set=(term cont) peer=logrotate, @{exec_path} mrix, @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, - - @{run}/user/@{uid}/ w, - @{run}/user/@{uid}/systemd/ w, - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/utmp rk, @{PROC}/@{pids}/stat r, - + @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index cb9592d47..220cbb54c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -3,17 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { include - include include include - include + include capability chown, capability dac_override, 
@@ -22,70 +21,68 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability fsetid, capability mknod, capability net_admin, - capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, capability sys_rawio, capability sys_resource, - ptrace read, + ptrace (read), network inet dgram, network inet6 dgram, network netlink raw, - unix type=stream addr=@@{udbus}/bus/udevadm/, - @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/mknod rix, - @{bin}/nfsrahead rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/systemd-run rix, # TODO: rCx -> run, - @{bin}/unshare rix, - @{sbin}/ethtool rix, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/*-print-pci-ids rix, + @{bin}/alsactl rPUx, + @{bin}/ddcutil rPx, + @{bin}/dmsetup rPUx, + @{bin}/ethtool rix, + @{bin}/issue-generator rPx, + @{bin}/kmod rPx, + @{bin}/less rPx -> child-pager, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/lvm rPx, + @{bin}/mknod rix, + @{bin}/more rPx -> child-pager, + @{bin}/multipath rPx, + @{bin}/nfsrahead rix, + @{bin}/pager rPx -> child-pager, + @{bin}/perl rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/snap rPUx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rix, + @{bin}/unshare rix, - @{bin}/ddcutil rPx, - @{bin}/kmod rCx -> kmod, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/vmmouse_detect rPx, - @{pager_path} rPx -> child-pager, - @{sbin}/alsactl rPx, - @{sbin}/dmsetup rPx, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPx, - @{sbin}/lvm rPx, - @{sbin}/multipath rPx, - @{sbin}/u-d-c-print-pci-ids rPx, + @{lib}/crda/* rPUx, + @{lib}/gdm-runtime-config rPx, + @{lib}/nfsrahead rPUx, + @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/pm-utils/power.d/* rPUx, + @{lib}/snapd/snap-device-helper rPx, + @{lib}/systemd/systemd-* rPx, + @{lib}/udev/* rPUx, + 
/usr/share/hplip/config_usb_printer.py rPUx, - @{lib}/crda/* rPUx, - @{lib}/gdm-runtime-config rPx, - @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPx, - @{lib}/pm-utils/power.d/* rPUx, - @{lib}/snapd/snap-device-helper rPx, - @{lib}/systemd/systemd-* rPx, - @{lib}/udev/* rPUx, - /usr/share/hplip/config_usb_printer.py rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/machine-id r, /etc/default/* r, - /etc/machine-id r, + /etc/nfs.conf rk, /etc/udev/{,**} r, - /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, /etc/udev/hwdb.bin rw, + /etc/udev/.#hwdb.bin* rw, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, @@ -93,20 +90,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, - @{run}/credentials/systemd-udev-load-credentials.service/ r, - @{run}/modprobe.d/ r, + @{run}/udev/ rw, + @{run}/udev/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, - @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/udev/control rw, - - @{run}/udev/ rw, - @{run}/udev/** rwk, - @{sys}/** rw, @{PROC}/@{pid}/mountinfo r, @@ -124,21 +115,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, - profile kmod flags=(attach_disconnected,complain) { - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/kmod ix, - - @{sys}/module/*/initstate r, - @{sys}/module/compression r, - - include if exists - } - profile systemctl flags=(attach_disconnected,complain) { include include @@ -146,6 +122,10 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + # / r, + + @{PROC}/sys/kernel/cap_last_cap r, + include if exists } 
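Review bot: The systemd-udevd exec block (hunk `@@ -22,70 +21,68 @@`, which starts on L717) adds `@{bin}/perl rix,`, so any perl script launched from a udev rule runs inside the udevd profile with its full capability set (`sys_admin`, `sys_module`, `sys_rawio`) plus `/dev/** rwk` and `@{sys}/** rw`; a general-purpose interpreter inheriting that is a large confinement hole. Prefer a child profile (`@{bin}/perl rCx -> perl,` with a minimal body) or at least a comment naming the udev rule that needs perl so the rule can be narrowed later. In the same hunk `@{bin}/snap rPUx,` replaces `rPx`, which silently falls back to unconfined when no snap profile is loaded, and the `kmod` child profile is removed in favour of `@{bin}/kmod rPx,`, which is fine only if a standalone kmod profile exists in this tree. `/etc/udev/.#hwdb.bin* rw,` is also wider than the previous `.#hwdb.bin{@{hex16},@{rand6}}` pattern.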
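Review bot: The final systemd-udevd hunk (`@@ -146,6 +122,10 @@`) adds a commented-out rule `# / r,` to the systemctl child profile with no explanation; a dead rule reads as either a forgotten debug line or something someone intends to enable, and neither should be left ambiguous. Either delete it or replace it with a note stating the observed denial it relates to, e.g. `# / r, # TODO: seen in audit log for <case>; keep disabled until confirmed`. The `@{PROC}/sys/kernel/cap_last_cap r,` addition looks fine.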
diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e7a44d01d..046bc3e65 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} flags=(attach_disconnected) { +profile systemd-update-done @{exec_path} { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 82025859b..60227f08a 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { +profile systemd-update-utmp @{exec_path} { include include include @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { network netlink raw, - unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 363b9a32d..38d2d3931 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { +profile systemd-user-runtime-dir @{exec_path} { include include include 
@@ -20,12 +20,10 @@ profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_admin, - network unix stream, - mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 8de32dfe2..25e5befef 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { +profile systemd-user-sessions @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f9fad3693..f591faf3d 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,16 +25,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{lib}/systemd/systemd-userwork rix, - /etc/gshadow r, /etc/shadow r, - /etc/machine-id r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, - @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 2521c655e..c7e4b6292 100644 --- a/apparmor.d/groups/systemd/systemd-userwork 
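Review bot: systemd-userdbd's `@@ -25,16 +25,9 @@` hunk removes `/etc/gshadow r,` and `/etc/machine-id r,` while keeping `/etc/shadow r,`; userdbd and its userwork helper (which loses `/etc/gshadow r,` on L721) are the components that serve group records, so dropping gshadow there looks inconsistent with the userdbctl hunk on L721 that adds `/etc/gshadow r,` to the client. If the intent is that only the worker reads the databases, the client should not gain the rule; if the client is expected to read them directly, the worker removal is presumably a regression. Either way the three hunks should agree, and the `@{att}/@{run}/systemd/userdb/...` removals should be checked under the full-system-policy build as in the other profiles.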
+++ b/apparmor.d/groups/systemd/systemd-userwork @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,6 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 8c99d606c..000bd6957 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { +profile systemd-vconsole-setup @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index fa7c13297..159d1442a 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -2,35 +2,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} flags=(attach_disconnected) { +profile userdbctl @{exec_path} { include - include include capability dac_read_search, capability sys_resource, - signal send set=cont peer=child-pager, - @{exec_path} mr, + + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, - @{pager_path} rPx -> child-pager, - - /etc/gshadow r, /etc/shadow r, + /etc/gshadow r, - /etc/machine-id r, - - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map r, - owner @{PROC}/@{pid}/setgroups r, - owner @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/cgroup r, include if exists } 
diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 193bfc9b6..2e8c20737 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,37 +11,30 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + @{exec_path} mr, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rix, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, + /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/* rw, - @{sys}/devices/virtual/block/zram@{int}/* rw, + @{sys}/block/zram@{int}/{disksize,reset} rw, + @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, + @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, - profile kmod flags=(attach_disconnected) { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/systemd/zramctl similarity index 55% rename from apparmor.d/groups/utils/zramctl rename to apparmor.d/groups/systemd/zramctl index 29428a96f..0d1632924 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/systemd/zramctl @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/zramctl +@{exec_path} = @{bin}/zramctl profile zramctl @{exec_path} { include include 
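Review bot: The zram-generator hunk hoists `capability sys_module,` into the generator's own profile and replaces `@{bin}/kmod rCx -> kmod` with `@{bin}/kmod rix,`, deleting the `kmod` child profile that previously scoped module loading to a couple of sysfs reads. The generator itself can now load kernel modules and kmod runs with every rule of the parent, which is a net broadening for a process whose only need for the capability is loading the zram module. Keeping a child profile (`@{bin}/kmod rCx -> kmod,` with the small body that was removed) preserves least privilege; if the child was removed because of a bug, note the cause in a comment. The narrowing of the sysfs writes to `{disksize,reset}` and `{disksize,reset,comp_algorithm}` is a good change.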
@@ -14,15 +14,7 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, - @{sys}/devices/virtual/block/zram@{int}/disksize w, - @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, - @{sys}/devices/virtual/block/zram@{int}/mm_stat r, - @{sys}/devices/virtual/block/zram@{int}/reset w, - - @{PROC}/swaps r, - owner @{PROC}/@{pid}/mounts r, /dev/ r, /dev/zram@{int} rw, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 211dda9cc..bc03772b6 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport 
@@ -2,79 +2,55 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = /usr/share/apport/apport +@{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include capability chown, capability dac_read_search, - capability fowner, capability fsetid, capability setgid, capability setuid, capability sys_ptrace, - ptrace read, + ptrace (read) peer=gnome-shell, + ptrace (read) peer=snap.cups.cupsd, + ptrace (read) peer=tracker-extract, @{exec_path} mr, - @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> &child-dpkg, - @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, - @{bin}/md5sum rix, + @{bin}/{,e,f}grep rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, /usr/share/apport/{,**} r, - @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,**} r, - - /var/lib/dpkg/info/ r, - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/*.md5sums r, - /var/lib/dpkg/diversions r, - /var/lib/dpkg/triggers/* r, - /var/lib/dpkg/updates/ r, - - /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, - owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - @{run}/apport.lock rwk, - @{run}/log/journal/ r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, 
@{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 5e39988fd..dec9a5d7d 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,15 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/apport/ r, - @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, + /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 6d90cadda..a63f38890 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -2,19 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include - include include + include include + include + include + include include include - include include include include @@ -27,12 +29,10 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, - network netlink raw, @{exec_path} mr, @{sh_path} rix, - @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, 
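Review bot: The new side of the apport hunk narrows `ptrace read,` to three fixed peers (`gnome-shell`, `snap.cups.cupsd`, `tracker-extract`), yet the same hunk keeps `@{PROC}/sys/kernel/core_pattern w,`, i.e. apport installs itself as the crash handler for any process, so crashes of other confined programs would lose the ptrace-based collection. The list reads like observed denials rather than a deliberate policy; if it is intentional, a comment above the rules naming which labels are expected and why others are excluded would help. The profile body continues past the hunk, so further ptrace rules may exist outside it.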
@@ -41,32 +41,27 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rPx, + @{bin}/ischroot rix, @{bin}/journalctl rPx, + @{bin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/md5sum rix, - @{bin}/pkexec rCx -> pkexec, - @{bin}/readlink rix, + @{bin}/pkexec rPx, # TODO: rCx or something @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/uname rix, @{bin}/which{,.debianutils} rix, - @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, - @{bin}/* r, - @{sbin}/* r, - /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, /etc/apport/{,**} r, + /etc/cloud/cloud.cfg.d/{,**} r, /etc/bash_completion.d/apport_completion r, - /etc/cloud/{,**} r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/gtk-3.0/settings.ini r, @@ -74,22 +69,19 @@ profile apport-gtk @{exec_path} { /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, + /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/usbutils/*.ids r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, - /var/crash/ rw, - owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/snapd.socket rw, - @{run}/cloud-init/cloud.cfg r, - @{run}/snapd.socket rw, - - owner @{tmp}/@{word8} rw, - owner @{tmp}/apport_core_@{rand8} rw, - owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, - owner @{tmp}/tmp@{rand8}/{,**} rw, + /tmp/[a-z0-9]* rw, + /tmp/apport_core_* rw, + /tmp/launchpadlib.cache.[a-z0-9]*/ rw, + /tmp/tmp[a-z0-9]*/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, 
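Review bot: `@{bin}/pkexec rPx, # TODO: rCx or something` on the new side of the `@@ -41` hunk replaces the confined `rCx -> pkexec` child with a transition to pkexec's own profile, and the comment admits the choice is unsettled. A setuid helper launched from a crash-reporting GUI is a transition that should be decided rather than left as a TODO; either restore the `rCx -> pkexec` child (the removed subprofile is in the `@@ -128` hunk below) or note in the comment why `rPx` is acceptable. The same hunk also switches `@{bin}/ischroot` from `rPx` to `rix`, which inherits the full apport-gtk rule set into ischroot.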
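Review bot: The new side of the `@@ -74` hunk drops the `owner` qualifier on all four temp rules (`/tmp/[a-z0-9]* rw,`, `/tmp/apport_core_* rw,`, `/tmp/launchpadlib.cache.[a-z0-9]*/ rw,`, `/tmp/tmp[a-z0-9]*/{,**} rw,`), where the old side used `owner @{tmp}/...`. Because /tmp is shared, a rule without `owner` lets apport-gtk read and write other users' files matching those globs, and `/tmp/[a-z0-9]*` matches nearly everything in it. Restoring `owner` and the `@{tmp}` variable keeps the rules to the invoking user's own files, e.g. `owner @{tmp}/[a-z0-9]* rw,`.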
@@ -107,14 +99,14 @@ profile apport-gtk @{exec_path} { include @{bin}/gdb mr, - + @{bin}/iconv rix, @{bin}/* r, /usr/share/gcc/python/{,**/}__pycache__/{,**} rw, - /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, @@ -128,26 +120,10 @@ profile apport-gtk @{exec_path} { include if exists } - profile pkexec { - include - include - - include if exists - } - profile systemctl { include include - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.systemd1, label=unconfined), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnitFileState - peer=(name=org.freedesktop.systemd1, label=unconfined), - include if exists } diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 2555d0373..c200de4d5 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index e8f03807d..54c116677 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), 
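Review bot: The new side of the `@@ -128` hunk strips both `dbus send` rules (`org.freedesktop.DBus.Properties` `Get` and `org.freedesktop.systemd1.Manager` `GetUnitFileState` toward `org.freedesktop.systemd1`) from the `systemctl` child profile and leaves only includes whose targets are not visible here. If the remaining include does not cover system-bus traffic to systemd1, every systemctl call from apport-gtk will be denied on the bus; a short comment naming the include that now provides those rules would let a reader verify it. The removed `pkexec` child in the same hunk belongs with the `rPx` change in the `@@ -41` hunk above.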
@@ -20,9 +20,10 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} rw, - /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-* r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + @{run}/cloud-init/cloud-id-nocloud r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news deleted file mode 100644 index 91c8b29cc..000000000 --- a/apparmor.d/groups/ubuntu/apt_news +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py -profile apt_news @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability chown, - capability fowner, - capability kill, - capability setgid, - capability setuid, - - signal send set=int peer=apt-methods-*, - - @{exec_path} mr, - - @{lib}/apt/methods/* Px, - - /etc/ubuntu-advantage/uaclient.conf r, - - @{run}/ubuntu-advantage/ rw, - @{run}/ubuntu-advantage/apt-news/{,**} rw, - - owner @{run}/ubuntu-advantage/apt-news/** rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 2b7b2b4ee..a6db303e5 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -2,15 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include + include include + include + include include include include 
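Review bot: The new side of the apt-esm-json-hook hunk narrows `@{run}/cloud-init/cloud-id-* r,` to `@{run}/cloud-init/cloud-id-nocloud r,`; the old glob suggests the link name varies by datasource, so on anything other than NoCloud the read would be denied. The hunk also drops `/var/log/ubuntu-advantage-apt-hook.log w,`, so if the hook still writes that log the write fails silently under enforce. If the narrowing is deliberate, a comment such as `# only the nocloud id is needed — confirm on other datasources` would record the intent.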
@@ -26,11 +29,11 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, - @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index a80a4f729..c66587969 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,15 +14,21 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{sbin}/fanctl rPx, - @{bin}/{,e}grep rix, + @{bin}/{,da,ba}sh rix, + @{bin}/fanctl rix, + @{bin}/flock rix, + @{bin}/grep rix, + @{bin}/id rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, + @{bin}/touch rix, /etc/network/fan r, + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + include if exists } diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e9c4c9ab3..a2f93f42d 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include 
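Review bot: The new side of the cron-ubuntu-fan `@@ -14` hunk runs `@{bin}/fanctl rix,` instead of `@{sbin}/fanctl rPx,`, and the standalone fanctl profile is deleted in this patch (the deleted file shows it needed `network netlink raw,` plus its own lock and run-directory rules). The hunk adds the `@{run}/ubuntu-fan/` rules but no `network netlink raw`, so unless that is granted elsewhere in cron-ubuntu-fan the inherited fanctl and `ip` will hit netlink denials; the rest of the profile is outside the hunk. Inheriting also means fanctl, `ip`, `sed` and `flock` now run with cron-ubuntu-fan's full rule set rather than a dedicated one.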
@@ -26,8 +26,8 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -37,15 +37,10 @@ profile do-release-upgrade @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, /var/lib/update-manager/* rw, + /var/cache/apt/pkgcache.bin{,.*} rw, - /var/cache/apt/ rw, - /var/cache/apt/pkgcache.bin rw, - /var/cache/apt/pkgcache.bin.@{rand6} rw, - /var/cache/apt/srcpkgcache.bin rw, - /var/cache/apt/srcpkgcache.bin.@{rand6} rw, - - @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl deleted file mode 100644 index ef278da63..000000000 --- a/apparmor.d/groups/ubuntu/fanctl +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/fanctl -profile fanctl @{exec_path} flags=(attach_disconnected) { - include - - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/flock ix, - @{bin}/id ix, - @{bin}/touch ix, - @{bin}/mkdir ix, - @{bin}/ip ix, - @{bin}/sed ix, - - /etc/network/fan r, - - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index c85fb9966..0752e6358 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status 
@@ -2,20 +2,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 5e4b09ce3..93059dc34 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -2,22 +2,22 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include - include include + include @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, + @{bin}/ischroot rix, - @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index fb8eb259e..14f21729f 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -2,19 +2,29 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include + include + include include - include + include + include @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icons/{,**} r, + /usr/share/X11/{,**} r, + + @{run}/user/@{uid}/gdm/Xauthority r, + include if exists } 
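Review bot: `@{run}/user/@{uid}/gdm/Xauthority r,` in the livepatch-notification hunk has no `owner` qualifier, so it is not limited to the invoking user's runtime directory, while the per-user rules in this set normally carry `owner`. Since the file holds the X authority cookie, `owner @{run}/user/@{uid}/gdm/Xauthority r,` is the tighter form with the same effect for the normal case.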
diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index ee9e22e21..0c7d008e8 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated index a42b3ba1c..39ce41c73 100644 --- a/apparmor.d/groups/ubuntu/notify-updates-outdated +++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 1703d27cd..bba0add83 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -2,20 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include - include + include include include - capability dac_read_search, - @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 8cf3ed885..6876687e2 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue (read,getattr) type=posix /, + # mqueue r type=posix /, ptrace (read), 
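Review bot: The new side of the package-system-locked `@@ -17` hunk replaces `mqueue (read,getattr) type=posix /,` with a commented-out `# mqueue r type=posix /,` and gives no reason. A disabled rule without a note is ambiguous — it could be a parser-compatibility workaround or an intentional removal — and if the program still opens the POSIX mqueue root the denial only shows up at runtime. Either drop the line or keep it with the reason spelled out, in the form `# mqueue r type=posix /,  # disabled because: <reason> — re-enable when <condition>`.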
diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/pro similarity index 52% rename from apparmor.d/groups/ubuntu/esm_cache rename to apparmor.d/groups/ubuntu/pro index 53238564a..c00b07587 100644 --- a/apparmor.d/groups/ubuntu/esm_cache +++ b/apparmor.d/groups/ubuntu/pro @@ -1,19 +1,20 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py -profile esm_cache @{exec_path} { +@{exec_path} = @{bin}/pro +profile pro @{exec_path} { include + include include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index b5d7d2885..3130f196e 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,8 +22,6 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, - @{run}/motd.dynamic.new w, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 72e016573..2def932dc 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include 
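Review bot: The new side of the esm_cache→pro hunk moves the copyright line from `2025` back to `2023-2024`, and the other file-level changes in this patch delete profiles dated 2025 (apt_news, fanctl, ubuntu-fan-net) while reintroducing forms the old side had replaced (`@{sh_path}` → `@{bin}/{,da,ba}sh`, `@{python_path}` → `@{bin}/python3.@{int}`). That pattern suggests an older tree is being diffed against a newer one rather than a forward change; please confirm the direction before merging, since applying it as-is would revert the newer profiles. If it is intentional, the description should say so.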
@@ -19,23 +19,18 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=software-properties-gtk), - - dbus receive bus=system path=/ - interface=com.ubuntu.SoftwareProperties - member=Reload - peer=(name=@{busname}, label=software-properties-gtk), + peer=(name=:*, label=software-properties-gtk), @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, @@ -44,9 +39,9 @@ profile software-properties-dbus @{exec_path} { /usr/share/distro-info/*.csv r, /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/@{word8} rw, - owner @{tmp}/tmp@{word8}/ w, # change to 'c' - owner @{tmp}/tmp@{word8}/apt.conf w, + owner @{tmp}/???????? rw, # unconventional '_' tail + owner @{tmp}/tmp????????/ w, # change to 'c' + owner @{tmp}/tmp????????/apt.conf w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 836adbb55..9db3ec332 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
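Review bot: The new side of the software-properties-dbus `@@ -19` hunk removes the `dbus receive ... interface=com.ubuntu.SoftwareProperties member=Reload` rule from software-properties-gtk, while the software-properties-gtk hunk below adds the matching `dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties peer=(name=:*, label=software-properties-dbus)`. Unless a receive rule for that interface exists elsewhere in this profile (its body continues outside the hunk), the sender is allowed but the receiver is not, so the call is denied on the dbus side. The temp rules also change from `@{word8}` to `????????`, which matches any eight characters including dots and is broader than the word class.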
@@ -2,45 +2,65 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { +profile software-properties-gtk @{exec_path} { include - include - include + include + include include include + include include include include include include - #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + dbus bind bus=session name=com.ubuntu.SoftwareProperties, + dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties + interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}} + peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk), + dbus send bus=system path=/ + interface=com.ubuntu.SoftwareProperties + peer=(name=:*, label=software-properties-dbus), - #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon - #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*), + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=ubuntu-advantage-desktop-daemon), + + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=ubuntu-advantage-desktop-daemon), @{exec_path} mr, @{bin}/ r, - @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, + @{bin}/{,da,ba}sh rix, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, 
/usr/share/software-properties/{,**} r, + /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -53,13 +73,9 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner @{tmp}/@{word8} rw, - owner @{tmp}/tmp@{word8}/ rw, - owner @{tmp}/tmp@{word8}/apt.conf rw, - - /dev/shm/ r, - owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, + owner @{tmp}/???????? rw, + owner @{tmp}/tmp????????/ rw, # change to 'c' + owner @{tmp}/tmp????????/apt.conf rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @@ -74,7 +90,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 8f673e261..08886b640 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,9 +22,9 @@ profile subiquity-console-conf @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/{,da,ba}sh rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, 
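Review bot: In the software-properties-gtk `@@ -2` hunk the new side binds `com.ubuntu.SoftwareProperties` on `bus=session`, but the `dbus (send, receive)` rule for `path=/com/ubuntu/SoftwareProperties` with `peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk)` is written for `bus=system`, so the two halves of owning that name sit on different buses and one of them looks wrong. The added `dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*)` also carries no `label=`, unlike every other peer in the hunk, which lets the profile introspect any bus peer. The hunk further drops `flags=(attach_disconnected)` from the profile header; if that was deliberate, a note in the description would help.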
@@ -35,10 +35,10 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{sbin}/sshd rPx, + @{bin}/sshd rPx, @{bin}/snap rPUx, - @{lib}/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPx, + /usr/lib/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPUx, # TODO: rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/**/devices/ r, @{sys}/*/*/ r, @@ -109,7 +109,6 @@ profile subiquity-console-conf @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 4ede61bc8..bb5f81b82 100644 
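Review bot: `/usr/share/netplan/netplan.script rPUx, # TODO: rPx,` on the new side of the subiquity `@@ -35` hunk downgrades the old `rPx` to an unconfined fallback: if no profile attaches to netplan.script at load time, it runs unconfined as root from the installer. The old side used `rPx`, which indicates a profile for it exists in this set, so the TODO can be resolved by restoring `rPx`; if the fallback is needed on some images, name them in the comment. The same hunk switches `@{lib}/snapd/snap-recovery-chooser` to a hard-coded `/usr/lib/...` path, losing the `@{lib}` variable the rest of the profile uses.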
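Review bot: The new side of the subiquity `@@ -109` hunk removes the `include if exists` local-override line from the `journalctl` child profile, and the same removal appears in the ubuntu-advantage `systemctl` child and the update-motd-fsck-at-reboot `mount` child further down. Child profiles without the local include cannot be extended by an admin drop-in without editing the shipped file; if the include target was the problem, the replacement should be stated. The `@@ -53` and `@@ -74` hunks also strip the explanatory comments from four udev rules (`+acpi:`, `+leds:`, `+platform:`, `n@{int}`) while keeping them on their neighbours, leaving those rules undocumented for no visible reason.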
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -2,18 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include - include + include capability dac_read_search, capability setgid, @@ -29,12 +29,13 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, + @{bin}/ischroot rix, + @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, @@ -52,18 +53,15 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, - owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, @{run}/ubuntu-advantage/{,**} rw, + @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, - @{PROC}/1/cgroup r, - @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { @@ -89,7 +87,6 @@ profile ubuntu-advantage @{exec_path} { /dev/kmsg w, - include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index 5265a2df3..2e35697c0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,8 +14,17 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) capability sys_nice, - #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage - #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk + dbus bind bus=system name=com.canonical.UbuntuAdvantage, + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=software-properties-gtk), + + dbus receive bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index a44e226bc..2f539bac8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -2,19 +2,27 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include + include + include include - include + include + include @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/icons/{,**} r, + /usr/share/X11/xkb/{,**} r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info index 6806a4e27..a444aada3 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-distro-info +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net deleted file mode 100644 index ab83ebed4..000000000 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ /dev/null 
@@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ubuntu-fan/fan-net -profile ubuntu-fan-net @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} mr, - @{bin}/{m,g,}awk ix, - @{bin}/kmod Cx -> kmod, - @{bin}/{,e}grep ix, - @{bin}/networkctl Px, - @{sbin}/fanctl Px, - - profile kmod { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 65fa3eaa0..5edc9ebd2 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,9 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} rw, + owner @{user_cache_dirs}/ubuntu-report/{,*} r, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 873f06b67..0ee70c39b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -2,27 +2,29 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include + include include + include include include + include include include include + include include include include include include include - include network inet dgram, network inet6 dgram, 
@@ -41,16 +43,16 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -60,7 +62,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - @{efi}/ r, + /boot/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, @@ -68,7 +70,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref w, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index c244f2902..b0e62994f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
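Review bot: `@{run}/systemd/inhibit/*.ref w` replaces `@{att}/@{run}/systemd/inhibit/@{int}.ref rw`, yet the profile is still `flags=(attach_disconnected)` (visible in the hunk header) and the inhibitor `.ref` descriptor handed over by logind is typically disconnected from the mount namespace, which is what the `@{att}` form covered; on such systems the new path will not match. The glob also widens from `@{int}.ref` to `*.ref` while the access shrinks from `rw` to `w`, which looks like two unrelated changes folded into one line. Suggest `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` with `# logind inhibitor lock, fd passed over D-Bus and may be disconnected`, unless the denial that motivated this shows otherwise.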
@@ -12,21 +12,19 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{sbin}/dumpe2fs rPx, + @{bin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, /var/lib/update-notifier/fsck-at-reboot rw, - @{run}/motd.dynamic.new w, - @{PROC}/uptime r, /dev/tty@{int} rw, @@ -47,7 +45,6 @@ profile update-motd-fsck-at-reboot @{exec_path} { /dev/tty@{int} rw, - include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 09775cb6f..bf1acfb1b 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -2,14 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, @{bin}/apt-config rPx, @@ -26,8 +26,8 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 06e851b45..999502dbc 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
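Review bot: `@{bin}/dumpe2fs rPx` moves the exec path from `@{sbin}`; on Debian-family systems `dumpe2fs` is installed under `/usr/sbin`, so unless this tree's `@{bin}` tunable also expands to sbin directories the transition is denied and the MOTD script silently stops at that step. The same hunk narrows `@{bin}/{,e}grep rix` to `@{bin}/grep rix`, which breaks if the script still invokes `egrep`. Suggest keeping `@{sbin}/dumpe2fs rPx,` (or verifying the tunable once for all the sbin binaries touched by this change) and `@{bin}/{,e}grep rix,`.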
@@ -2,44 +2,58 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include - include include + include include include + include + include include + include include include include - include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell - dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending - interface=com.ubuntu.UnattendedUpgrade.Pending - member=Finished - peer=(name=@{busname}, label=unattended-upgrade), + dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu} + interface=org.freedesktop.DBus.Properties + member=={Get,GetAll} + peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu + interface=com.canonical.dbusmenu + member={AboutToShow,GetGroupProperties,GetLayout} + peer=(name=:*, label=gnome-shell), + + dbus send bus=session path=/org/ayatana/NotificationItem/* + interface=org.kde.StatusNotifierItem + peer=(name=org.freedesktop.DBus, label=gnome-shell), @{exec_path} mr, @{sh_path} rix, @{bin}/ionice rix, + @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, - @{bin}/pkexec rCx -> pkexec, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/systemctl rCx -> systemctl, 
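Review bot: `member=={Get,GetAll}` in the added `livepatch{,/Menu}` Properties rule has a doubled `=`; apparmor_parser either rejects the profile or treats `={Get,GetAll}` as a literal member name that never matches, so the livepatch item's property reads stay denied. Change it to `member={Get,GetAll}` and compile with `apparmor_parser -Q` before merging. Separately, the `dbus send ... interface=org.kde.StatusNotifierItem peer=(name=org.freedesktop.DBus, label=gnome-shell)` rule pairs the bus daemon's well-known name with the gnome-shell label, which looks inconsistent; verify it against the actual aa-log entry, since a peer that never matches leaves the send denied without an obvious error. The `pkexec rPx` TODO should state the intended outcome, e.g. `# TODO: run package-system-locked under a child profile instead of the global pkexec profile`.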
@@ -51,9 +65,8 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{open_path} Cx -> open, - @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -72,23 +85,12 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, - profile pkexec { - include - include - - ptrace read peer=update-notifier, - - @{lib}/update-notifier/package-system-locked Px, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/stat r, - - include if exists - } - profile systemctl { include include + include + + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -98,13 +100,6 @@ profile update-notifier @{exec_path} { include if exists } - profile open { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash deleted file mode 100644 index 4926c0b1c..000000000 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ /dev/null 
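Review bot: Removing `@{open_path} Cx -> open` (and, in the next hunk, the `open` child profile) leaves no rule at all for the opener the notifier uses to launch release notes and similar links, so that exec is now denied; if the feature still exists, use a transition like `@{open_path} rPx -> child-open,` in the style of the `child-dpkg` rule above, or document why it was dropped. The `__pycache__` write rule is rewritten to `@{lib}/python3.@{int}/dist-packages/...` while the update-manager profile in this same change uses `@{lib}/python3/dist-packages/...`; dist-packages lives under an unversioned `python3/` on Debian-family systems, so one of the two forms is wrong and both profiles should use the same one.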
@@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/update-notifier/update-notifier-crash -profile update-notifier-crash @{exec_path} { - include - include - - @{exec_path} mr, - - @{bin}/{,e}grep ix, - @{bin}/groups Px, - @{bin}/systemctl Cx -> systemctl, - @{bin}/which{,.debianutils} rix, - @{sh_path} mr, - /usr/share/apport/apport-checkreports Px, - - owner @{HOME}/ r, - - profile systemctl { - include - include - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnitFileState - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim deleted file mode 100644 index 87bd7fad5..000000000 --- a/apparmor.d/groups/utils/fstrim +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/fstrim -profile fstrim @{exec_path} flags=(attach_disconnected) { - include - include - - capability dac_override, - capability sys_admin, - - @{exec_path} mr, - - /etc/fstab r, - - @{HOMEDIRS}/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - / r, - @{efi}/ r, - /var/ r, - - @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock deleted file mode 100644 index d1433a605..000000000 --- a/apparmor.d/groups/utils/hwclock +++ /dev/null 
@@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/hwclock -profile hwclock @{exec_path} { - include - include - - capability audit_write, - capability sys_time, - - network netlink raw, - - @{exec_path} mr, - - /etc/adjtime rw, - - @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, - - /dev/rtc@{int} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd deleted file mode 100644 index 96e497ea6..000000000 --- a/apparmor.d/groups/utils/lsfd +++ /dev/null 
@@ -1,69 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lsfd -profile lsfd @{exec_path} flags=(attach_disconnected) { - include - include - - capability bpf, - capability checkpoint_restore, - capability dac_read_search, - capability net_admin, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - capability sys_resource, - capability syslog, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 raw, - network inet6 stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - network packet dgram, - - ptrace read, - ptrace trace, - - mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, - - @{exec_path} mr, - - / r, - @{att}/ r, - - owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, - - @{run}/ r, - @{run}/netns/ r, - - @{sys}/kernel/cpu_byteorder r, - - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/syscall r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc deleted file mode 100644 index 7677a8a03..000000000 --- a/apparmor.d/groups/utils/lsipc +++ /dev/null 
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lsipc -profile lsipc @{exec_path} { - include - include - - @{exec_path} mr, - - @{PROC}/sys/fs/mqueue/msg_max r, - @{PROC}/sys/fs/mqueue/msgsize_max r, - @{PROC}/sys/fs/mqueue/queues_max r, - @{PROC}/sys/kernel/msgmax r, - @{PROC}/sys/kernel/msgmnb r, - @{PROC}/sys/kernel/msgmni r, - @{PROC}/sys/kernel/sem r, - @{PROC}/sys/kernel/shmall r, - @{PROC}/sys/kernel/shmmax r, - @{PROC}/sys/kernel/shmmni r, - @{PROC}/sysvipc/msg r, - @{PROC}/sysvipc/sem r, - @{PROC}/sysvipc/shm r, - - /dev/mqueue/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks deleted file mode 100644 index 44d2e1d01..000000000 --- a/apparmor.d/groups/utils/lslocks +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lslocks -profile lslocks @{exec_path} flags=(attach_disconnected) { - include - - capability dac_read_search, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{sys}/devices/**/block/** r, - - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/locks r, - owner @{PROC}/@{pid}/ r, - owner @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins deleted file mode 100644 index 7393b47c0..000000000 --- a/apparmor.d/groups/utils/lslogins +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lslogins -profile lslogins @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/.pwd.lock w, - /etc/.pwd.lock wk, - /etc/login.defs r, - /etc/shadow r, - - /var/log/lastlog r, - /var/log/wtmp rk, - - @{run}/systemd/userdb/ r, - - @{PROC}/ r, - @{PROC}/sys/kernel/random/boot_id r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns deleted file mode 100644 index 7fbf56896..000000000 --- a/apparmor.d/groups/utils/lsns +++ /dev/null @@ -1,44 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lsns -profile lsns @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability net_admin, - capability sys_ptrace, - capability dac_read_search, - - network, - - ptrace read, - ptrace trace, - - @{exec_path} mr, - - @{att}/ r, - - @{run}/*/netns/** r, - @{run}/*/ns/** r, - - @{sys}/devices/**/block/** r, - - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi deleted file mode 100644 index f0e7b4df2..000000000 --- a/apparmor.d/groups/utils/lsscsi +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lsscsi -profile lsscsi @{exec_path} { - include - include - - @{exec_path} mr, - - / r, - - /dev/ r, - /dev/** r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd deleted file mode 100644 index 52f52b4a2..000000000 --- a/apparmor.d/groups/utils/uuidd +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/uuidd -profile uuidd @{exec_path} flags=(attach_disconnected) { - include - include - - capability dac_override, - - network inet dgram, - - @{exec_path} mr, - - owner /var/lib/libuuid/clock.txt rwk, - owner /var/lib/libuuid/clock-cont.txt rwk, - - @{att}/@{run}/uuidd/request rw, - - @{run}/uuidd/request rw, - @{run}/uuidd/uuidd.pid rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 3192c7051..21914faf8 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -2,14 +2,14 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth profile cni-bandwidth @{exec_path} { include - + network inet dgram, network inet6 dgram, network inet stream, @@ -17,6 +17,8 @@ profile cni-bandwidth @{exec_path} { network netlink raw, @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge index 1e27d04a3..37de32ae0 100644 --- a/apparmor.d/groups/virt/cni-bridge +++ b/apparmor.d/groups/virt/cni-bridge @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile cni-bridge @{exec_path} { @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } 
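Review bot: `@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r` is added one profile at a time here and in every other cni-*, containerd and docker-proxy profile in this change; it is a Go runtime startup read, so the same line will be needed by every Go binary and will keep recurring. Factor it into a shared abstraction for Go programs (or the existing one, if this tree has it) and include that instead, with `# Go runtime probes the THP page size at startup` at the rule. The `+ ` line replacing the blank line before `network inet dgram,` looks like it introduces trailing whitespace; check it is clean.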
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 9015d2157..7c39a7ad2 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -2,14 +2,13 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include - include capability sys_admin, capability net_admin, @@ -26,13 +25,15 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{exec_path}-ipam rix, / r, - + /etc/cni/net.d/{,**} r, - + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - + + /usr/share/mime/globs2 r, + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, @@ -40,6 +41,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall index d5171e8dc..866b9dc96 100644 --- a/apparmor.d/groups/virt/cni-firewall +++ b/apparmor.d/groups/virt/cni-firewall @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile cni-firewall @{exec_path} { @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index 6bdccec8c..05929a64c 100644 --- a/apparmor.d/groups/virt/cni-flannel +++ b/apparmor.d/groups/virt/cni-flannel @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,6 +12,8 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index 5f645ce3f..bf555cfd8 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index fd4f50df3..d05a303de 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,6 +21,8 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 0f2692ecf..db29f252c 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,9 +15,11 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, include if exists } diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning index c6cc1f1dc..ee7133b31 100644 
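Review bot: `@{bin}/xtables-nft-multi rPx -> cni-xtables-nft` moves the binary from `@{sbin}` to `@{bin}`; iptables installs `xtables-nft-multi` under `/usr/sbin` on Debian-family systems, so unless `@{bin}` also expands to sbin here the named transition never fires and the exec is denied, which for a port-mapping plugin means pods come up without their DNAT rules. The same `@{sbin}`→`@{bin}` rewrite is applied to `apparmor_parser`, `runc` and `dumpe2fs` elsewhere in this change, so check the tunable once and revert all of them together if it does not cover sbin. Otherwise keep `@{sbin}/xtables-nft-multi rPx -> cni-xtables-nft,`.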
--- a/apparmor.d/groups/virt/cni-tuning +++ b/apparmor.d/groups/virt/cni-tuning @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,6 +12,8 @@ profile cni-tuning @{exec_path} { @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft new file mode 100644 index 000000000..d19f875bf --- /dev/null +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xtables-nft-multi +profile cni-xtables-nft { + include + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{bin}/xtables-legacy-multi mr, + + /etc/libnl/classid r, + /etc/iptables/{,**} rw, + /etc/nftables.conf rw, + + @{PROC}/@{pids}/net/ip_tables_names r, +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass index b46a415ac..daa5cf009 100644 --- a/apparmor.d/groups/virt/cockpit-askpass +++ b/apparmor.d/groups/virt/cockpit-askpass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index d8c71803d..ad3eee9f6 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge 
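Review bot: The new `cni-xtables-nft` profile grants `/etc/iptables/{,**} rw` and `/etc/nftables.conf rw`, which lets a short-lived CNI helper rewrite the host's persistent firewall configuration; programming the live ruleset only needs netlink, already covered by `network netlink raw` and `capability net_admin`, so these should be `r` or removed unless a captured denial shows an actual write. The file also omits the trailing `include if exists` local-override line that every other profile in this change carries, so administrators cannot extend it without editing the shipped file; add it before the closing brace. The profile has no attachment path, which is reasonable for a target reached only through `rPx -> cni-xtables-nft`, but say so: `# No attachment on purpose: only entered via cni-portmap's rPx transition.`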
@@ -2,19 +2,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include - include - include - include - include + include include - include include include 
@@ -27,83 +23,45 @@ profile cockpit-bridge @{exec_path} { network inet stream, network inet6 dgram, network inet6 stream, - network netlink raw, - ptrace read, + ptrace (read), - signal send set=term peer=cockpit-pcp, - signal send set=term peer=dbus-daemon, - signal send set=term peer=journalctl, - signal send set=term peer=ssh-agent, - signal send set=term peer=unconfined, - signal (send receive) set=term peer=cockpit-bridge//sudo, - - #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} - #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus + signal (send) set=term peer=cockpit-pcp, + signal (send) set=term peer=dbus-daemon, + signal (send) set=term peer=journalctl, + signal (send) set=term peer=ssh-agent, + signal (send) set=term peer=sudo, + signal (send) set=term peer=unconfined, @{exec_path} mr, - @{bin}/cat ix, - @{bin}/date ix, - @{bin}/find ix, - @{bin}/ip ix, - @{python_path} ix, - @{bin}/test ix, - @{bin}/file ix, + @{bin}/journalctl rPx, + @{lib}/cockpit/cockpit-pcp rPx, + @{lib}/cockpit/cockpit-ssh rPx, - @{bin}/chage Px, - @{sbin}/dmidecode Px, - @{bin}/findmnt Px, - @{bin}/journalctl Px, - @{bin}/last Px, - @{bin}/lastlog Px, - @{bin}/lscpu Px, - @{bin}/passwd Px, - @{bin}/ssh-agent Px, - @{bin}/sudo Cx -> sudo, - @{bin}/udevadm Cx -> udevadm, - @{bin}/virsh rPUx, - @{bin}/virt-install PUx, # TODO: rPx - @{lib}/cockpit/cockpit-pcp Px, - @{lib}/cockpit/cockpit-ssh Px, - - # The shell is not confined on purpose. 
- @{bin}/@{shells} Ux, - - /usr/{,local/}share/ r, /usr/share/cockpit/{,**} r, - /usr/share/file/** r, - /usr/share/iproute2/* r, - @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, + /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, /etc/shadow r, /etc/shells r, - / r, - @{HOME}/ r, - owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, - owner @{user_share_dirs}/ r, @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, @{sys}/class/hwmon/ r, - @{sys}/class/net/ r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/fs/cgroup/ r, @{sys}/fs/cgroup/**/ r, @{sys}/fs/cgroup/**/cpu.{stat,weight} r, @{sys}/fs/cgroup/**/memory* r, - @{sys}/kernel/kexec_crash_size r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @@ -120,27 +78,6 @@ profile cockpit-bridge @{exec_path} { /dev/ptmx rw, - profile sudo { - include - include - - signal (send receive) set=(cont hup term) peer=cockpit-bridge, - - @{bin}/cockpit-bridge Px, - @{lib}/cockpit/cockpit-askpass Px, - - include if exists - } - - profile udevadm { - include - include - - @{run}/udev/data/n@{int} r, # For network interfaces - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure index 7429b0021..0ef40f4ba 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-ensure +++ b/apparmor.d/groups/virt/cockpit-certificate-ensure @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 303fd074c..042c9cdad 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
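Review bot: The new side keeps `signal (send) set=term peer=sudo` but drops both `@{bin}/sudo Cx -> sudo` and the `sudo` child profile, so cockpit-bridge can no longer execute sudo at all and the signal rule names a peer label that, as far as this change shows, no longer exists; either restore `@{bin}/sudo rCx -> sudo,` with the child profile and `peer=cockpit-bridge//sudo`, or delete the dangling signal rule and document that privilege escalation is intentionally unavailable from the bridge. Removing `@{bin}/@{shells} Ux` is a genuine tightening, but the Terminal page depends on an interactive shell, so a comment recording that trade-off would save the next reader a bisect. `ptrace (read),` without a peer and `/etc/shadow r` survive as context and are broad for a per-user bridge; if they are still needed, add a why-comment naming the feature that requires each. The hunk begins on the previous diff line and the profile's closing brace is in the following hunk.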
@@ -13,16 +13,15 @@ profile cockpit-certificate-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/openssl rix, - @{bin}/rm rix, - @{bin}/sscg rix, - @{bin}/sync rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/openssl rix, + @{bin}/rm rix, + @{bin}/sscg rix, + @{bin}/tr rix, /etc/machine-id r, /etc/cockpit/ws-certs.d/* w, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index bb1ba03bf..d8e7f81de 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,8 +10,6 @@ include profile cockpit-desktop @{exec_path} { include - userns, - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index 8008fe360..c1afe3fbf 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index ba51fc8a5..74ddd9e70 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,17 +10,14 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include - include include include capability audit_write, - capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, - capability sys_resource, network netlink raw, 
@@ -29,8 +26,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, - @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -41,21 +36,16 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /etc/motd.d/ r, /etc/shells r, - @{att}/@{run}/systemd/sessions/*.ref rw, - - @{run}/cockpit/* r, @{run}/faillock/@{user} rwk, - @{run}/motd.d/{,*} r, + @{run}/systemd/sessions/*.ref rw, @{run}/utmp rwk, + @{run}/motd.d/{,*} r, + @{run}/cockpit/active.motd r, /var/log/btmp rw, /var/log/lastlog rw, /var/log/wtmp rwk, - /var/lib/lastlog/ r, - /var/lib/lastlog/lastlog2.db rwk, - /var/lib/lastlog/lastlog2.db-journal rw, - owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh index e81eb492f..2903d9eb9 100644 --- a/apparmor.d/groups/virt/cockpit-ssh +++ b/apparmor.d/groups/virt/cockpit-ssh @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 8a345588a..f83ac2c7b 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,9 +17,6 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, - @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, - owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index 1de016aea..eaf340c6b 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd 
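Review bot: `@{att}/@{run}/systemd/sessions/*.ref rw` is replaced by the plain `@{run}/systemd/sessions/*.ref rw`, but the profile keeps `flags=(attach_disconnected)` and the session `.ref` descriptor logind passes into the PAM session is commonly disconnected, which is exactly what the `@{att}` form covered; on those systems the new rule will not match and the fd is denied. The same hunk drops the `/var/lib/lastlog/lastlog2.db*` rules, so on systems that have moved to lastlog2 the login record write will be refused. Suggest keeping `@{att}/@{run}/systemd/sessions/*.ref rw,` alongside the new line, annotated `# logind session ref fd, may be disconnected`, and re-checking lastlog2 on a current release before removing those rules.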
+++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,10 +26,12 @@ profile cockpit-update-motd @{exec_path} { profile systemctl { include include - + capability net_admin, capability sys_ptrace, + @{PROC}/sys/kernel/cap_last_cap r, + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index d4fb299fe..589765f35 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -2,28 +2,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} flags=(attach_disconnected) { +profile cockpit-ws @{exec_path} { include - include - include @{exec_path} mr, - @{sh_path} rix, @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, - /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /usr/share/plymouth/{,**} r, - - @{run}/cockpit/session rw, - @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + /etc/cockpit/ws-certs.d/ r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 248ca43e8..61e7e8fa1 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory 
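Review bot: `/etc/cockpit/ws-certs.d/{,**} r` is narrowed to `/etc/cockpit/ws-certs.d/ r`, which permits listing the directory but not reading any certificate or key in it; if cockpit-ws still loads the TLS material itself this breaks HTTPS, and if it does not (cockpit-tls owning it), the directory read is pointless and should go as well — the change should say which. The same hunk also removes `flags=(attach_disconnected)`, `@{run}/cockpit/session rw` and the wsinstance socket rule, so if cockpit-ws is still launched through the wsinstance factory its listening socket becomes unreachable under this policy. Add a comment at the rule naming the deployment mode the profile now targets, e.g. `# cockpit-ws behind cockpit-tls: no direct certificate access`.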
@@ -2,32 +2,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include - include capability net_admin, - unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=JobRemoved - peer=(name=@{busname}, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - @{exec_path} mr, - @{run}/cockpit/wsinstance/https-factory.sock w, - include if exists } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 95d332a45..f85a3571c 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -46,8 +46,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/apparmor_parser rPx, - @{bin}/containerd-shim-runc-v2 rPx, + @{bin}/apparmor_parser rPx, + @{bin}/containerd-shim-runc-v2 rPUx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, @@ -71,7 +71,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, - /var/lib/containerd/{,**} rwlk, + /var/lib/containerd/{,**} rwk, + /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, 
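Review bot: `@{bin}/containerd-shim-runc-v2 rPUx` weakens the previous `rPx`: the `U` fallback means that if the `containerd-shim-runc-v2` profile is absent or fails to compile, the shim runs unconfined with no audit trace, and this same diff still ships and edits that profile, so the fallback only masks a policy error. Keep `@{bin}/containerd-shim-runc-v2 rPx,`; if the fallback is wanted on purpose, record it with `# rPUx: shim profile is optional on this distribution` so the intent is reviewable. The `@{sbin}`→`@{bin}` move for `apparmor_parser` on the line above needs the same tunable check as the other sbin binaries in this change.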
@@ -83,24 +84,24 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, - @{run}/nri/ w, - @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, + owner @{tmp}/** rwkl, + owner /var/tmp/** rwkl, @{sys}/fs/cgroup/kubepods/** r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/attr/current r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/uid_map r, + owner @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 04b355a48..c705c0cc8 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
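Review bot: `owner @{tmp}/** rwkl,` and `owner /var/tmp/** rwkl,` grant broad write/lock/link over all owned temporary files, which makes the narrower `/tmp/cri-containerd.apparmor.d@{int} rwl` and `/tmp/ctd-volume@{int}/{,**} rw` rules on the same new side redundant if `@{tmp}` expands to `/tmp` (the tunable is not visible here). Consider either keeping the specific rules and dropping the wildcard, or at least writing the specific ones with `@{tmp}` so the intent and the variable usage agree. The removed `@{run}/nri/` rules also mean that, if NRI plugins are in use on the host, the socket access is now denied; a short comment would make that deliberate.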
@@ -25,12 +25,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, - @{sbin}/runc rPx, + @{bin}/runc rPUx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, @@ -49,15 +49,13 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/sys/net/core/somaxconn r, - @{att}/dev/pts/ptmx rw, - include if exists } diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index 9a8cbe379..d549168ee 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,12 +15,13 @@ profile docker-proxy @{exec_path} { network inet stream, network inet6 stream, - network netlink raw, - signal receive set=int peer=dockerd, + signal (receive) set=int peer=dockerd, @{exec_path} mr, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/sys/net/core/somaxconn r, include if exists diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 0a214ccd1..f552c5289 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
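Review bot: `mount -> /run/containerd/...` and `umount /run/containerd/...` hard-code `/run` while every other rule in this profile (and the rest of this diff) uses `@{run}`; the dockerd hunk does the same with `/run/docker/netns/*`. If `@{run}` expands to more than `/run` (for example a `/var/run` alias), the mount rules will silently miss those paths, and the inconsistency makes the profile harder to audit. Suggest `mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,` and the matching `umount` line.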
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin +@{exec_path} = @{bin}/dockerd profile dockerd @{exec_path} flags=(attach_disconnected) { include include 
@@ -21,182 +21,82 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability net_admin, - capability net_bind_service, - capability net_raw, capability setfcap, capability sys_admin, capability sys_chroot, capability sys_ptrace, network inet dgram, - network inet raw, - network inet stream, network inet6 dgram, + network inet stream, network inet6 stream, network netlink raw, - network packet dgram, - mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/**/, - mount options=(rw bind) -> @{run}/docker/netns/*, - mount options=(rw rprivate) -> /.pivot_root@{int}/, - mount options=(rw rslave) -> /, - - remount /tmp/containerd-mount@{int10}/, - remount /var/lib/docker/**/, + mount /var/lib/docker/overlay2/**/, + mount options=(rw, bind) -> /run/docker/netns/*, + mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, + mount options=(rw, rprivate) -> /.pivot_root@{int}/, + mount options=(rw, rslave) -> /, umount /.pivot_root@{int}/, - umount @{run}/docker/netns/*, - umount /tmp/containerd-mount@{int}/, - umount /var/lib/docker/**/, + umount /run/docker/netns/*, + umount /var/lib/docker/overlay*/**/, - pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, - pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, - pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, - ptrace read peer=docker-*, - ptrace read peer=runc, - ptrace read peer=unconfined, + ptrace (read) peer=docker-*, + ptrace (read) peer=unconfined, - signal send set=int peer=docker-proxy, - signal send set=kill peer=docker-*, - signal send set=term peer=containerd, + signal (send) set=int peer=docker-proxy, + 
signal (send) set=kill peer=docker-*, + signal (send) set=term peer=containerd, @{exec_path} mrix, - @{sbin}/apparmor_parser rPx, + @{bin}/apparmor_parser rPx, @{bin}/containerd rPx, - @{bin}/docker-init rCx -> init, - @{lib}/docker/docker-init rCx -> init, + @{bin}/docker-init rix, @{bin}/docker-proxy rPx, - @{bin}/tini-static rCx -> tini, - @{bin}/git rCx -> git, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rPx, @{bin}/ps rPx, - @{sbin}/runc rUx, - @{bin}/runc rUx, #aa:lint ignore=sbin + @{bin}/runc rUx, @{bin}/unpigz rix, - @{sbin}/xtables-nft-multi rCx -> nft, - @{sbin}/xtables-legacy-multi rCx -> nft, + @{bin}/xtables-nft-multi rix, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. - /{,**} rwl, #aa:only apt - - @{att}/@{lib}/containerd/** rw, - @{att}/var/lib/docker/{,**} rwk, - - /etc/docker/{,**} r, - - @{att}/ r, + /{,**} rwl, owner @{lib}/docker/overlay2/*/work/{,**} rw, - owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, - /tmp/build/ w, - /tmp/containerd-mount@{int}/{,**} rw, - - @{run}/systemd/notify rw, - - @{run}/containerd/containerd.sock rw, - owner @{run}/docker.pid rw, - owner @{run}/docker/ rw, - owner @{run}/docker/** rwlk, - - @{sys}/devices/virtual/net/** r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, @{PROC}/1/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, @{PROC}/sys/kernel/keys/root_maxkeys r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, @{PROC}/sys/net/core/somaxconn r, - 
@{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - owner @{PROC}/@{pid}/attr/current r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, - owner @{PROC}/@{pid}/uid_map r, - - /dev/ r, - /dev/**/ r, - - profile nft flags=(attach_disconnected) { - include - - capability net_admin, - capability net_raw, - - network inet raw, - network inet6 raw, - network netlink raw, - - @{sbin}/xtables-nft-multi rix, - @{sbin}/xtables-legacy-multi rix, - @{bin}/kmod rPx -> dockerd//kmod, - - @{PROC}/@{pid}/net/ip{,6}_tables_names r, - @{PROC}/sys/kernel/modprobe r, - - @{run}/xtables.lock rwk, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - @{run}/xtables.lock r, - - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - include if exists - } - - profile tini { - include - - @{bin}/tini-static mr, - - include if exists - } - - profile init flags=(attach_disconnected) { - include - - @{bin}/docker-init mr, - @{lib}/docker/docker-init mr, - - include if exists - } - - profile git flags=(attach_disconnected) { - include - - @{bin}/git mr, - - include if exists - } + owner @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/net/ip_tables_names r, + owner @{PROC}/@{pids}/uid_map r, include if exists } diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 59c4b9473..5905d4895 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
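Review bot: The new side of dockerd runs `@{bin}/xtables-nft-multi rix` and `@{bin}/docker-init rix` inside the parent profile, which holds `capability sys_admin`, `sys_ptrace` and an unconditional `/{,**} rwl,`; the removed `nft`, `init`, `tini`, `git` and `kmod` child profiles confined those helpers to a few capabilities and paths. Inheriting the parent means a bug in the iptables helper gets dockerd's full filesystem write access, which is exactly what the `TODO: should be in a sub profile` comment above the rule warns about. The `#aa:only apt` marker on `/{,**} rwl,` was also dropped, so the blanket rule now applies to every build rather than only the one the old side scoped it to. Keeping `rCx -> nft` with its child profile (or `rPx` where a standalone profile exists) would preserve the separation, and the commit message should say why the children were removed.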
@@ -62,12 +62,13 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, + /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, @@ -129,6 +130,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/netfilter/* rw, + @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, @@ -158,9 +160,10 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause index c762515a4..8172d00fc 100644 --- a/apparmor.d/groups/virt/kubernetes-pause +++ b/apparmor.d/groups/virt/kubernetes-pause @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 971cdf55e..75c7d853b 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus 
@@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/libvirt-dbus +@{exec_path} = @{bin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -16,26 +16,18 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - @{sbin}/libvirtd rPx, + @{bin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/libvirt/libvirt-sock rw, - - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 378449352..376749d9e 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -10,20 +10,17 @@ # Warning: Such a profile is limited as it gives access to a lot of resources. -abi , +abi , include -@{exec_path} = @{sbin}/libvirtd +@{exec_path} = @{bin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include - include - include - include include + include include include - include include capability audit_write, 
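Review bot: `@{run}/user/@{uid}/libvirt/ rw`, `…/libvirtd.lock rwk` and `…/virtqemud.lock rwk` in libvirt-dbus carry no `owner` qualifier, while the cache rule just above (`owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk`) does; since `@{uid}` matches any uid, libvirt-dbus could write and lock another user's runtime files. This is not introduced by the hunk (both sides lack `owner`), but the hunk touches exactly these lines, so it is a cheap fix: prefix the three rules with `owner`. The removed `owner @{run}/user/@{uid}/libvirt/libvirt-sock rw` was the only rule in this group that had it.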
@@ -49,12 +46,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, # Needed for vfio + capability sys_resource, - network inet dgram, network inet stream, - network inet6 dgram, + network inet dgram, network inet6 stream, + network inet6 dgram, network netlink raw, network packet dgram, network packet raw, @@ -71,7 +68,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{profile_name}, ptrace (read,trace) peer=dnsmasq, - ptrace (read,trace) peer=gnome-boxes, ptrace (read,trace) peer=libvirt-@{uuid}, ptrace (read,trace) peer=libvirt-dbus, ptrace (read,trace) peer=unconfined, 
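Review bot: `capability sys_resource,` loses its `# Needed for vfio` comment on the new side, so the reason for a grant that lets libvirtd override resource limits is no longer recorded. The remaining reorder of the `network inet/inet6 dgram` lines is cosmetic. Please keep `capability sys_resource, # Needed for vfio` (or an updated reason) so future audits of the capability set do not have to rediscover it.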
@@ -88,50 +84,45 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), - unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @{lib}/libvirt/libvirt_parthelper rix, - @{lib}/{,qemu/}qemu-bridge-helper rPx, - @{lib}/{,qemu/}vhost-user-gpu rPUx, - @{lib}/{,qemu/}virtiofsd rux, # TODO: WIP @{lib}/udev/scsi_id rPUx, @{lib}/xen-*/bin/libxl-save-helper rPUx, @{lib}/xen-*/bin/pygrub rPUx, @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP - @{sbin}/dmidecode rPx, - @{sbin}/dnsmasq rPx, - @{bin}/kmod rCx -> kmod, - @{sbin}/lvm rPUx, + /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + + @{bin}/dmidecode rPx, + @{bin}/dnsmasq rPx, + @{bin}/kmod rPx, + @{bin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{sbin}/virtlogd rPx, + @{bin}/virtlogd rPx, @{sh_path} rix, @{bin}/ip rix, - @{sbin}/nft rix, + @{bin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{sbin}/tc rix, + @{bin}/tc rix, @{bin}/xmllint rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, 
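Review bot: `/{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,` spells out the library path and omits `r`, while neighbouring rules in the same hunk (`@{lib}/udev/scsi_id rPUx`, the xen helpers) use `@{lib}` and `rPUx`/`rix`. `@{lib}/{,qemu/}qemu-bridge-helper rCx -> qemu_bridge_helper,` would match the profile's conventions; whether the helper needs `r` alongside the exec transition depends on how it is loaded, so please confirm against the audit log rather than assume. The same explicit path form is used for `vhost-user-gpu` and `virtiofsd` two lines up and should be normalised together.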
@@ -140,8 +131,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, - /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, @@ -152,8 +143,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/ rw, - /var/lib/libvirt/** rwk, + /var/lib/libvirt/{,**} rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share 
@@ -162,23 +152,43 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, - owner @{user_config_dirs}/libvirt/{,**} rwk, - - owner @{run}/user/@{uid}/libvirt/ rw, - owner @{run}/user/@{uid}/libvirt/** rwk, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:* r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, + @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
+ @{run}/udev/data/+platform:* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # For sound card + @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c21:@{int} r, # Generic SCSI access + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* + @{run}/udev/data/c108:@{int} r, # For /dev/ppp + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, @@ -235,7 +245,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, 
@@ -253,19 +262,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{sbin}/apparmor_parser rwxl, + audit deny @{bin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, - profile kmod { - include - include - - include if exists - } - profile qemu_bridge_helper { include @@ -284,11 +286,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - @{PROC}/@{pids}/status r, + owner @{PROC}/@{pids}/status r, /dev/net/tun rw, - - include if exists } include if exists diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper deleted file mode 100644 index e462eeca1..000000000 --- a/apparmor.d/groups/virt/qemu-bridge-helper +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper -profile qemu-bridge-helper @{exec_path} { - include - - capability net_admin, - capability setpcap, - - network inet stream, - - unix (send, receive) type=stream addr=none peer=(label=libvirtd), - - signal receive set=term peer=libvirtd, - - @{exec_path} mr, - - /etc/qemu/bridge.conf r, - - @{sys}/devices/system/node/ r, - - owner @{PROC}/@{pids}/status r, - - /dev/net/tun rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index b49368f07..abbef1f88 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,36 +19,16 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{sbin}/apparmor_parser rPx, + @{bin}/apparmor_parser rPx, - @{etc_rw}/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, - @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file - + # System VM images /var/lib/libvirt/images/{,**} r, - - # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) - /var/lib/nova/images/{,**} r, - /var/lib/nova/instances/_base/{,**} r, - /var/lib/nova/instances/snapshots/{,**} r, - /var/snap/nova-hypervisor/common/instances/_base/{,**} r, - /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, - - # Eucalyptus disks & loader (LP: #564914 #637544) - /var/lib/eucalyptus/instances/**/disk* r, - /var/lib/eucalyptus/instances/**/loader* r, - - # For uvtool - /var/lib/uvtool/libvirt/images/{,**} r, - - # For multipass - /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, - - # Common mount directories - @{MOUNTDIRS}/{,**} r, + /var/lib/nova/instances/_base/* r, # User VM images @{user_share_dirs}/ r, @@ -65,6 +45,7 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 4737dd806..96d135912 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
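Review bot: `/etc/apparmor.d/libvirt/* r` hard-codes the directory while the very next line, `@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw`, uses `@{etc_rw}`; if `@{etc_rw}` expands to something other than `/etc` on some targets, the read and write rules will cover different trees. Suggest `@{etc_rw}/apparmor.d/libvirt/* r,` for consistency. The hunk also drops `@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw`; if virt-aa-helper still emits the `.files` companion next to each generated profile, that write is now denied and per-VM confinement will fail to load, so please verify against a current virt-aa-helper before merging.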
@@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index ae7ac5fa9..50efd188b 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -2,15 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} { include - userns, + # userns, capability chown, capability dac_override, @@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { mount options=(rw, rbind) -> @{user_publicshare_dirs}/, mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vmshare_dirs}/, + mount options=(rw, rbind) -> @{user_vm_shares}/, umount /, pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, pivot_root @{user_vm_dirs}/, - pivot_root @{user_vmshare_dirs}/, + pivot_root @{user_vm_shares}/, signal (receive) set=term peer=libvirtd, @@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) { @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - @{user_vmshare_dirs}/{,**} r, + @{user_vm_shares}/{,**} r, owner @{run}/libvirt/qemu/*.pid rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ef28e59e9..44c5e20ef 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd 
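Review bot: `@{run}/systemd/inhibit/*.ref rw` uses a bare `*` here, in virtnetworkd, virtnodedevd and virtsecretd, while libvirtd, virtlogd and virtstoraged in this same diff write the equivalent rule as `@{run}/systemd/inhibit/[0-9]*.ref rw`. Pick one form for the whole virt group; `[0-9]*.ref` (or the `@{int}` the old side used) is the narrower match and should be preferred. The `@{att}/` prefix is also dropped on a profile that keeps `flags=(attach_disconnected)`, so if the inhibit fd is ever reported as a disconnected path the rule may no longer match — worth confirming in the audit log.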
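Review bot: `# userns,` in virtiofsd comments the rule out instead of deleting it, leaving no record of why the daemon no longer needs user namespaces; the same hunk also drops `flags=(attach_disconnected)` from the profile header. If virtiofsd is run with its namespace sandbox, the missing `userns,` turns namespace creation into a denial on kernels that mediate it, so the line deserves a comment stating the intended sandbox mode, e.g. `# userns, # <reason — TODO confirm>`. The rename to `@{user_vm_shares}` assumes that tunable is defined; the tunables file is not in this diff, so please check it exists.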
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/virtlockd +@{exec_path} = @{bin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index d362ad108..1a3ecb06b 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/virtlogd +@{exec_path} = @{bin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include @@ -24,14 +24,12 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{run}/user/@{uid}/common/system.token rw, - owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 2d7df07b6..a2c02368b 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,15 +18,14 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/dnsmasq rPx, + @{bin}/dnsmasq rPx, - /etc/libvirt/*.conf r, + /etc/libvirt/libvirt.conf r, owner /var/lib/libvirt/dnsmasq/*.macs* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/libvirt/network/default.pid r, + @{run}/systemd/inhibit/*.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index fb593068e..50b8e4889 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,11 +29,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, - /etc/libvirt/*.conf r, + /etc/libvirt/libvirt.conf r, + /etc/libvirt/virtnodedevd.conf r, /etc/mdevctl.d/{,**} r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/inhibit/*.ref rw, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, 
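Review bot: `/etc/libvirt/libvirt.conf r` narrows the removed `/etc/libvirt/*.conf r` to a single file, but the virtnodedevd hunk on this same line keeps its per-daemon file (`/etc/libvirt/virtnodedevd.conf r`) alongside `libvirt.conf`. If virtnetworkd reads its own `virtnetworkd.conf` in the same way, that read is now denied; the virtstoraged hunk below makes the same narrowing from `/etc/libvirt/{,**} r`. Suggest adding `/etc/libvirt/virtnetworkd.conf r,` here (and the storage equivalent) unless the audit log shows the daemons never open them.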
@@ -44,18 +44,17 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/udev/data/+thunderbolt:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features 
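Review bot: The explanatory comments on the udev rules (`+backlight`, `+bluetooth`, `+leds`, `+platform`, `+thunderbolt`) are removed on the new side while the adjacent rules keep theirs, so the block now mixes commented and bare entries for no visible reason; the `@@ -63` hunk does the same for `n@{int}`. Those comments were the only documentation of what each udev database path corresponds to, which matters when reviewing a hardware-enumeration daemon's read set. Restore them (e.g. `@{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)`) or drop them uniformly, and note that `+power_supply:*` is removed entirely, which is a real narrowing rather than cosmetics.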
@@ -63,25 +62,23 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/**/ r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/resource r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, @@ -92,7 +89,6 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/mtrr w, - owner @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index 9b3e7dda4..cdded1152 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,8 +20,7 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/inhibit/*.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 00565fcf5..943315a8f 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -4,7 +4,7 @@ # TODO: Similar with virtqemud. Could be merged? -abi , +abi , include @@ -25,7 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper - /etc/libvirt/{,**} r, + /etc/libvirt/libvirt.conf r, # For disk images @{MOUNTS}/ r, @@ -54,8 +54,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/utmp rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables deleted file mode 100644 index a10b75dde..000000000 --- a/apparmor.d/groups/virt/xtables +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi -profile xtables { - include - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /usr/share/iproute2/{,**} r, - - /etc/iproute2/{,**} r, - /etc/iptables/{,**} rw, - /etc/libnl/classid r, - /etc/nftables.conf rw, - - @{run}/xtables.lock rwk, - - @{PROC}/@{pids}/net/ip_tables_names r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index 325535cce..cb263922c 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,10 +19,10 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, - @{bin}/systemd-cat rix, + @{bin}/systemd-cat rPx, @{bin}/tee rix, @{bin}/timeout rix, @{bin}/tor-circuit-established-check rix, diff --git a/apparmor.d/groups/whonix/msgcollector b/apparmor.d/groups/whonix/msgcollector index 05b07ec47..0c3038d1e 100644 --- a/apparmor.d/groups/whonix/msgcollector +++ b/apparmor.d/groups/whonix/msgcollector @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-br-add b/apparmor.d/groups/whonix/msgcollector-br-add index 587094df6..be5b7dd69 100644 --- a/apparmor.d/groups/whonix/msgcollector-br-add 
+++ b/apparmor.d/groups/whonix/msgcollector-br-add @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-generic-gui-message b/apparmor.d/groups/whonix/msgcollector-generic-gui-message index 46b7847ff..8b52e2db7 100644 --- a/apparmor.d/groups/whonix/msgcollector-generic-gui-message +++ b/apparmor.d/groups/whonix/msgcollector-generic-gui-message @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgcollector-striphtml b/apparmor.d/groups/whonix/msgcollector-striphtml index 8cf1dec71..1e4e3d9ab 100644 --- a/apparmor.d/groups/whonix/msgcollector-striphtml +++ b/apparmor.d/groups/whonix/msgcollector-striphtml @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index fd1a9f034..02433106d 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,6 +39,7 @@ profile msgdispatcher @{exec_path} { include include + @{bin}/sudo mr, @{lib}/msgcollector/* rPx, owner @{run}/msgcollector/user/msgdispatcher_x_* r, diff --git a/apparmor.d/groups/whonix/msgdispatcher-autostart b/apparmor.d/groups/whonix/msgdispatcher-autostart index d292e3850..c4dae811e 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-autostart +++ b/apparmor.d/groups/whonix/msgdispatcher-autostart @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-delete b/apparmor.d/groups/whonix/msgdispatcher-delete index 2a5839e0c..cf69e77c8 100644 
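Review bot: The new `@{bin}/sudo mr,` in msgdispatcher grants read and mmap on the sudo binary but no execute permission, so if msgdispatcher actually invokes sudo the exec is still denied (and now logged) despite this rule. If the intent is to run it, the convention used elsewhere in this diff (see torbrowser-wrapper) is a dedicated transition such as `@{bin}/sudo rCx -> sudo,` with a `profile sudo { ... }` child; if it only needs to read the file, `r` alone is enough. As written the `m` bit is the odd one out, so a one-line comment stating why it is wanted would help. The profile body continues outside the hunk.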
--- a/apparmor.d/groups/whonix/msgdispatcher-delete +++ b/apparmor.d/groups/whonix/msgdispatcher-delete @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch index 5c2037c56..f42280e1a 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-dispatch +++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x +@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x profile msgdispatcher-dispatch @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation index a6f7ec440..e74d2f26a 100644 --- a/apparmor.d/groups/whonix/open-link-confirmation +++ b/apparmor.d/groups/whonix/open-link-confirmation @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-abort-on-locked-password b/apparmor.d/groups/whonix/pam-abort-on-locked-password index 99ac5616d..79cb70d28 100644 --- a/apparmor.d/groups/whonix/pam-abort-on-locked-password +++ b/apparmor.d/groups/whonix/pam-abort-on-locked-password @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 23ab3aeb4..d54cab832 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,8 +14,8 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/faillock rix, - @{bin}/{,e}grep rix, + @{bin}/faillock rix, + @{bin}/grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/pam_faillock_not_if_x b/apparmor.d/groups/whonix/pam_faillock_not_if_x index 1934be8d5..c0d05d8a7 100644 --- a/apparmor.d/groups/whonix/pam_faillock_not_if_x +++ b/apparmor.d/groups/whonix/pam_faillock_not_if_x @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 8bdeb2c13..fdacd13d4 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,8 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, + @{bin}/gawk rix, + @{bin}/grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index 1e4850e7a..21b457aca 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-clock-jump b/apparmor.d/groups/whonix/sdwdate-clock-jump index 02b0e866b..f70da1977 100644 --- a/apparmor.d/groups/whonix/sdwdate-clock-jump +++ b/apparmor.d/groups/whonix/sdwdate-clock-jump 
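Review bot: `@{bin}/faillock rix,` replaces `@{sbin}/faillock rix,`, but faillock is an administrator tool that the old side placed under `@{sbin}`; unless `@{bin}` expands to cover sbin in this tree, the new rule will not match the binary and the exec will be denied. The same substitution is made in the whonix-firewalld hunk below (`@{bin}/xtables-nft-multi rix,`), where the xtables profile deleted earlier in this diff documented that binary as `@{sbin}/xtables-nft-multi`. Keep `@{sbin}` for both, or list both locations (`@{bin}/faillock rix,` and `@{sbin}/faillock rix,`) if the package layout differs across the supported distributions.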
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui index 84a6fb379..642b14b46 100644 --- a/apparmor.d/groups/whonix/sdwdate-gui +++ b/apparmor.d/groups/whonix/sdwdate-gui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} { @{lib}/sdwdate-gui/log-viewer rix, @{lib}/helper-scripts/* rix, - @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw, + @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw, @{lib}/sdwdate-gui/ r, diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start index 113f7504c..0b952ce19 100644 --- a/apparmor.d/groups/whonix/sdwdate-start +++ b/apparmor.d/groups/whonix/sdwdate-start @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sdwdate-wrapper b/apparmor.d/groups/whonix/sdwdate-wrapper index 19713faba..fe8390da9 100644 --- a/apparmor.d/groups/whonix/sdwdate-wrapper +++ b/apparmor.d/groups/whonix/sdwdate-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser index 1a6f4e26a..48e2f0f08 100644 --- a/apparmor.d/groups/whonix/sensible-browser +++ b/apparmor.d/groups/whonix/sensible-browser @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 17bedc43b..d46c227fb 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,9 +12,9 @@ profile systemcheck-canary @{exec_path} { include @{exec_path} mr, - + @{bin}/sleep rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/timesanitycheck b/apparmor.d/groups/whonix/timesanitycheck index 73f643099..3ca78981a 100644 --- a/apparmor.d/groups/whonix/timesanitycheck +++ b/apparmor.d/groups/whonix/timesanitycheck @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check index 7829b8318..0795b0b35 100644 --- a/apparmor.d/groups/whonix/tor-bootstrap-check +++ b/apparmor.d/groups/whonix/tor-bootstrap-check @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py +@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py profile tor-bootstrap-check @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/tor-consensus-valid-after b/apparmor.d/groups/whonix/tor-consensus-valid-after index f7d806ef1..d6656afe5 100644 --- a/apparmor.d/groups/whonix/tor-consensus-valid-after +++ b/apparmor.d/groups/whonix/tor-consensus-valid-after @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/whonix/torbrowser similarity index 69% rename from apparmor.d/groups/browsers/torbrowser rename to apparmor.d/groups/whonix/torbrowser index 5068886c3..0ec13ed51 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/whonix/torbrowser 
@@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/profile.default/ +@{config_dirs} = @{data_dirs}/Browser/*.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/firefox{,.real} @@ -17,19 +17,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { include include - # Uncomment if you want to give the Tor Browser access to the common download directory. - # include - @{exec_path} mrix, - @{lib_dirs}/abicheck ix, - @{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest, - @{lib_dirs}/updater Px, - @{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest, - - #aa:exclude whonix - @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor, - @{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor, + @{lib_dirs}/abicheck rix, + @{lib_dirs}/updater rPx, /usr/share/homepage/{,**} r, @@ -42,18 +33,14 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, - owner @{tmp}/@{rand8}.* rw, - owner @{tmp}/mozilla_pc@{int}/ rw, - owner @{tmp}/mozilla_pc@{int}/* rwk, # Due to the nature of the browser, we silence much more than for Firefox. - deny capability sys_ptrace, deny network inet dgram, # TOR does not work over UDP deny network inet6 dgram, - deny network inet6 stream, # TOR does not work over IPv6 deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user, deny @{bin}/lsb_release x, deny @{lib_dirs}/crashreporter x, + deny @{lib_dirs}/glxtest x, deny @{lib_dirs}/minidump-analyzer x, deny @{lib_dirs}/pingsender x, deny /usr/share/dconf/** r, 
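Review bot: The second hunk removes both `@{lib_dirs}/glxtest Px -> ...` and `@{lib_dirs}/vaapitest Px -> ...`, but the third hunk adds a silencing rule only for glxtest (`deny @{lib_dirs}/glxtest x,`), so an attempt to run vaapitest is now denied with an audit entry rather than quietly, and the torbrowser-glxtest and torbrowser-vaapitest profiles renamed in this same diff no longer have any entry point from the browser profile. Either add the matching `deny @{lib_dirs}/vaapitest x,` or keep a transition to the child profiles so they remain reachable. Dropping `deny capability sys_ptrace,` and `deny network inet6 stream,` does not grant those accesses, but it moves them from silenced to logged denials, which the retained comment ("we silence much more than for Firefox") suggests was not the intent. The widening of `@{config_dirs}` from `profile.default` to `*.default` is probably deliberate for newer profile directory names; a short comment on that line would save the next reader a guess.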
@@ -69,7 +56,6 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny /etc/passwd r, deny /etc/resolv.conf r, deny /var/lib/dbus/machine-id r, - deny owner @{HOME}/ r, deny owner @{user_config_dirs}/dconf/user r, deny owner @{user_config_dirs}/gtk-*/{,**} rw, deny owner @{run}/user/@{uid}/dconf/ rw, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/whonix/torbrowser-glxtest similarity index 64% rename from apparmor.d/groups/browsers/torbrowser-glxtest rename to apparmor.d/groups/whonix/torbrowser-glxtest index 2d8697259..cbc009db1 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/whonix/torbrowser-glxtest @@ -2,32 +2,31 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/profile.default/ +@{config_dirs} = @{data_dirs}/Browser/*.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/glxtest -profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { +profile torbrowser-glxtest @{exec_path} { include include include - include include @{exec_path} mr, - / r, + owner @{config_dirs}/.parentlock rw, + + owner @{tmp}/@{name}/.parentlock rw, owner @{PROC}/@{pid}/cmdline r, - deny @{config_dirs}/.parentlock rw, - include if exists } diff --git a/apparmor.d/groups/browsers/torbrowser-plugin-container b/apparmor.d/groups/whonix/torbrowser-plugin-container similarity index 77% rename from apparmor.d/groups/browsers/torbrowser-plugin-container rename to apparmor.d/groups/whonix/torbrowser-plugin-container index 88abc411c..9fcb1bd3d 100644 --- a/apparmor.d/groups/browsers/torbrowser-plugin-container 
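Review bot: torbrowser-glxtest is now allowed `owner @{config_dirs}/.parentlock rw,` where the old side explicitly denied it, while the sibling torbrowser-vaapitest hunk later in this diff keeps `deny @{config_dirs}/.parentlock rw,` for the same file. A GPU probe helper has no evident need to write the browser profile's lock file, and the two helpers should agree; the `owner @{tmp}/@{name}/.parentlock rw,` rule added alongside looks like the intended location. Suggest restoring the deny, or adding a comment explaining why glxtest needs the profile lock. Note also that with `deny @{lib_dirs}/glxtest x,` in the torbrowser hunk above, this profile no longer has a visible caller.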
+++ b/apparmor.d/groups/whonix/torbrowser-plugin-container @@ -3,14 +3,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/profile.default/ +@{config_dirs} = @{data_dirs}/Browser/*.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/plugin-container diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start new file mode 100644 index 000000000..266f8e349 --- /dev/null +++ b/apparmor.d/groups/whonix/torbrowser-start @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{lib_dirs}/start-tor-browser +profile torbrowser-start @{exec_path} { + include + include + + @{exec_path} rm, + + @{sh_path} rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/env r, + @{bin}/expr rix, + @{bin}/file rix, + @{bin}/getconf rix, + @{bin}/grep rix, + @{bin}/id rix, + @{bin}/ln rix, + @{bin}/mkdir rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/sh rix, + @{bin}/srm rix, + @{lib_dirs}/abicheck rix, + + @{lib_dirs}/firefox{,.real} rPx, + + /etc/magic r, + + owner @{lib_dirs}/.config/ibus/{,**} rw, + owner @{lib_dirs}/.local/* rw, + owner @{lib_dirs}/sed@{rand6} rw, + owner @{lib_dirs}/start-tor-browser.desktop rw, + owner @{lib_dirs}/TorBrowser/Tor/tor r, + + owner @{HOME}/.xsession-errors rw, + owner @{HOME}/.tb/tor-browser/* rw, + + include if exists +} + +# vim:syntax=apparmor 
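Review bot: `@{bin}/env r,` is the only helper in the new torbrowser-start profile granted read without execute; if start-tor-browser reaches its interpreter through env (directly or via a shebang) that exec will be denied, so confirm whether `r` is deliberate or should be `@{bin}/env rix,`. `@{sh_path} rix,` and `@{bin}/sh rix,` look redundant if `@{sh_path}` already covers sh, as the other shell-script profiles in this diff list only `@{sh_path}`. The `owner @{lib_dirs}/.config/ibus/{,**} rw,` and `owner @{lib_dirs}/.local/* rw,` rules suggest the script points HOME into the install directory; a one-line comment above them would make that non-obvious layout clear.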
diff --git a/apparmor.d/groups/browsers/torbrowser-updater b/apparmor.d/groups/whonix/torbrowser-updater similarity index 74% rename from apparmor.d/groups/browsers/torbrowser-updater rename to apparmor.d/groups/whonix/torbrowser-updater index a5c1e7cc3..4f0e16823 100644 --- a/apparmor.d/groups/browsers/torbrowser-updater +++ b/apparmor.d/groups/whonix/torbrowser-updater @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ @{exec_path} = @{lib_dirs}/updater profile torbrowser-updater @{exec_path} { @@ -16,12 +16,14 @@ profile torbrowser-updater @{exec_path} { @{exec_path} mr, @{lib_dirs}/*.so mr, - @{lib_dirs}/firefox{,.real} Px -> torbrowser, + @{lib_dirs}/firefox{,.real} rPx, owner @{lib_dirs}/{,**} rw, owner @{tmp}/#@{int} rw, + deny owner @{lib_dirs}/Downloads/** rw, + include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix index 90aaca321..39ec37ae3 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix +++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/torbrowser-vaapitest b/apparmor.d/groups/whonix/torbrowser-vaapitest similarity index 58% rename from apparmor.d/groups/browsers/torbrowser-vaapitest rename to apparmor.d/groups/whonix/torbrowser-vaapitest index 37ea80f91..d29d1265a 100644 --- a/apparmor.d/groups/browsers/torbrowser-vaapitest +++ b/apparmor.d/groups/whonix/torbrowser-vaapitest 
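Review bot: The new `deny owner @{lib_dirs}/Downloads/** rw,` carves user downloads out of the blanket `owner @{lib_dirs}/{,**} rw,` the updater keeps, but nothing says so, and a later reader may "fix" the apparent conflict. Add a comment such as `# The updater rewrites the whole install tree; keep it out of the user's downloads` above the deny. The switch from `Px -> torbrowser` to `rPx` relies on the torbrowser profile's attachment matching `@{lib_dirs}/firefox{,.real}`, which the torbrowser hunk above shows it does.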
@@ -2,18 +2,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/profile.default/ +@{config_dirs} = @{data_dirs}/Browser/*.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/vaapitest -profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { +profile torbrowser-vaapitest @{exec_path} { include include @@ -21,10 +21,11 @@ profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - deny @{lib_dirs}/{,browser/}omni.ja r, - deny @{cache_dirs}/profile.default/startupCache/* r, + owner @{tmp}/@{name}/.parentlock rw, + deny @{config_dirs}/.parentlock rw, - deny @{config_dirs}/extensions/*.xpi r, + deny @{config_dirs}/startupCache/** r, + deny @{user_cache_dirs}/startupCache/* r, include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index c86d91099..5ae554b40 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
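Review bot: `deny @{user_cache_dirs}/startupCache/* r,` points at the user's generic cache root rather than the Tor Browser cache, while the removed line used `@{cache_dirs}/profile.default/startupCache/*`; with `@{cache_dirs}` defined at the top of this file as `@{data_dirs}/Browser/Caches`, the tighter equivalent would be `deny @{cache_dirs}/*.default/startupCache/* r,`. Confirm which path the binary actually touches before keeping the `@{user_cache_dirs}` form. Dropping `flags=(attach_disconnected)` here and in torbrowser-glxtest is only safe if these helpers never see disconnected paths, which is not evident from the hunk.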
@@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/basename ix, - @{bin}/cp ix, - @{bin}/dirname ix, - @{bin}/{,e}grep ix, - @{bin}/id ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mount ix, - @{bin}/str_replace ix, - @{bin}/sudo Cx -> sudo, - @{bin}/systemctl Cx -> systemctl, - @{bin}/touch ix, - @{bin}/tty ix, - @{bin}/whoami ix, + @{bin}/basename rix, + @{bin}/cp rix, + @{bin}/dirname rix, + @{bin}/grep rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mount rix, + @{bin}/str_replace rix, + @{bin}/sudo rCx -> sudo, + @{bin}/systemctl rCx -> systemctl, + @{bin}/touch rix, + @{bin}/tty rix, + @{bin}/whoami rix, - @{lib_dirs}/start-tor-browser Px, # torbrowser-start - @{lib}/msgcollector/msgcollector Px, - @{lib}/open-link-confirmation/open-link-confirmation Px, + @{lib_dirs}/start-tor-browser rPx, + @{lib}/msgcollector/msgcollector rPx, + @{lib}/open-link-confirmation/open-link-confirmation rPx, @{lib}/helper-scripts/* r, @@ -44,11 +44,11 @@ profile torbrowser-wrapper @{exec_path} { owner @{HOME}/.tb/{,**} rw, owner @{HOME}/.xsession-errors rw, - + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, profile sudo { diff --git a/apparmor.d/groups/whonix/whonix-firewall-edit b/apparmor.d/groups/whonix/whonix-firewall-edit index 28c1d01b4..aeea9cf05 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-edit +++ b/apparmor.d/groups/whonix/whonix-firewall-edit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter index a818e46a6..87a3713d4 100644 --- a/apparmor.d/groups/whonix/whonix-firewall-restarter +++ b/apparmor.d/groups/whonix/whonix-firewall-restarter 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 08322714f..53b1dba81 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -2,12 +2,12 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall -profile whonix-firewalld @{exec_path} { +profile whonix-firewall @{exec_path} { include include include @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, @@ -45,7 +45,7 @@ profile whonix-firewalld @{exec_path} { owner @{run}/updatesproxycheck/{,**} rw, owner @{run}/whonix_firewall/{,**} rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad index d8bc79b95..1bcd283fa 100644 --- a/apparmor.d/groups/xfce/mousepad +++ b/apparmor.d/groups/xfce/mousepad @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/ristretto b/apparmor.d/groups/xfce/ristretto index 2aae3f0d3..d9151ca80 100644 --- a/apparmor.d/groups/xfce/ristretto +++ b/apparmor.d/groups/xfce/ristretto @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 110da187b..7d8a0165f 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce 
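Review bot: The profile is renamed to `whonix-firewall` while the file stays at `apparmor.d/groups/whonix/whonix-firewalld`, so the file name and the profile name now disagree. If any other profile transitions with an explicit `-> whonix-firewalld`, or tooling derives the local-include name from the file name, it will stop matching; either rename the file as well or add a comment noting the intentional mismatch. The `@{bin}/xtables-nft-multi rix,` change is covered by the note on the pam-info hunk above.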
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,6 @@ profile startxfce @{exec_path} { @{bin}/mkdir rix, @{bin}/id rix, - @{bin}/xdg-user-dirs-update rPx, @{bin}/xfce4-session rPx, @{bin}/xrdb rPx, @{bin}/systemctl rCx -> systemctl, @@ -28,18 +27,15 @@ profile startxfce @{exec_path} { /etc/X11/xinit/xinitrc.d/{,**} r, /etc/xdg/xfce4/{,**} r, - owner @{HOME}/.Xdefaults r, - profile systemctl flags=(attach_disconnected) { include include - + include if exists } profile dbus { include - include @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 10096bce2..c16365f74 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -2,14 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/thunar -profile thunar @{exec_path} flags=(attach_disconnected) { +profile thunar @{exec_path} { include - include include include include @@ -18,10 +17,6 @@ profile thunar @{exec_path} flags=(attach_disconnected) { network netlink raw, - #aa:dbus own bus=session name=org.xfce.Thunar - #aa:dbus own bus=session name=org.xfce.FileManager - #aa:dbus own bus=session name=org.freedesktop.FileManager1 - @{exec_path} mr, @{bin}/thunar-volman rPx, @@ -35,7 +30,6 @@ profile thunar @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/timezone r, - /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r, # Full access to user's data / r, 
@@ -49,20 +43,15 @@ profile thunar @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/{,**} rw, owner @{tmp}/{,**} rw, - @{run}/mount/utab r, - - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - - owner @{PROC}/@{pid}/mountinfo r, - # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + owner @{PROC}/@{pid}/mountinfo r, + profile dbus { include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index 41e098548..c49f71458 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -2,14 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd index 3ba81c688..f85e6d4cb 100644 --- a/apparmor.d/groups/xfce/tumblerd +++ b/apparmor.d/groups/xfce/tumblerd @@ -2,37 +2,25 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd profile tumblerd @{exec_path} { include - include - include - include include include include - #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1 - #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1 - #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1 - @{exec_path} mr, - @{bin}/gdk-pixbuf-thumbnailer rPx, - /usr/share/backgrounds/xfce/{,**} r, /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/tumbler/* r, - owner /tmp/tumbler-@{rand6}.png r, - owner /tmp/tumbler-@{rand6}.??? w, - owner @{PROC}/@{pid}/mountinfo r, /dev/ r, 
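Review bot: The thunar hunk deletes `@{run}/mount/utab r,` and the two `@{sys}/fs/cgroup/user.slice/.../cpu.max r,` rules while keeping `owner @{PROC}/@{pid}/mountinfo r,`; rules like these are usually added from observed denials, so if Thunar still reads them the result is new audit noise rather than a tighter policy. If they are being dropped because the access is not wanted, a `deny` with a comment would keep the log quiet and record the decision. The replacement of `deny @{efi}/{,**} r,` with `deny /boot/{,**} r,` is a broader silence and looks intentional.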
diff --git a/apparmor.d/groups/xfce/xfce-about b/apparmor.d/groups/xfce/xfce-about index 0dae6e060..701e98773 100644 --- a/apparmor.d/groups/xfce/xfce-about +++ b/apparmor.d/groups/xfce/xfce-about @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-appfinder b/apparmor.d/groups/xfce/xfce-appfinder index 4b574ce5e..c0753acd8 100644 --- a/apparmor.d/groups/xfce/xfce-appfinder +++ b/apparmor.d/groups/xfce/xfce-appfinder @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman deleted file mode 100644 index 270f7266f..000000000 --- a/apparmor.d/groups/xfce/xfce-clipman +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2025 Sighy Brantler -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xfce4-clipman -profile xfce-clipman @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, - - owner @{user_cache_dirs}/xfce4/clipman/ r, - owner @{user_cache_dirs}/xfce4/clipman/* rw, - - owner @{user_config_dirs}/autostart/ r, - owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, - owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 021a377b8..499980f17 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings 
@@ -2,18 +2,15 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include - #aa:dbus own bus=session name=org.xfce.clipman.settings - @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/xfce/xfce-dict b/apparmor.d/groups/xfce/xfce-dict index 4b34a3d0b..423c09b4e 100644 --- a/apparmor.d/groups/xfce/xfce-dict +++ b/apparmor.d/groups/xfce/xfce-dict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-mime-helper b/apparmor.d/groups/xfce/xfce-mime-helper index b1708e58b..7851cd74e 100644 --- a/apparmor.d/groups/xfce/xfce-mime-helper +++ b/apparmor.d/groups/xfce/xfce-mime-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index be813a84d..06d2b1df3 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include @@ -23,9 +22,6 @@ profile xfce-notifyd @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.xfce.Notifyd - #aa:dbus own bus=session name=org.freedesktop.Notifications - @{exec_path} mr, owner @{user_cache_dirs}/xfce4/notifyd/ rw, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 00c5d8700..0b3530b48 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel 
@@ -2,40 +2,30 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include - include - include - include include include include include include - ptrace (read) peer=xfce-terminal, - - #aa:dbus own bus=session name=org.xfce.Panel - #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher - @{exec_path} mr, @{bin}/exo-open rix, @{bin}/xfce4-mime-helper rix, @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix, - @{bin}/sudo rCx -> root, + @{bin}/sudo rCx -> root, /usr/share/desktop-directories/{,**} r, - /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, /usr/share/livecheck/** r, /usr/share/xfce4/{,**} r, @@ -43,27 +33,22 @@ profile xfce-panel @{exec_path} { /etc/machine-id r, /etc/timezone r, /etc/xdg/menus/{,**} r, - /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r, + /etc/xdg/xfce4/{,**} r, owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw, - owner @{user_cache_dirs}/xfce4-indicator-plugin.log w, owner @{user_config_dirs}/xfce4/panel/{,**} rw, - owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w, - @{PROC}/cmdline r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/{,*} r, - profile root { include include @{bin}/lsblk rPx, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 11ccca455..d286280f0 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager 
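Review bot: `/etc/xdg/xfce4/{,**} r,` replaces `/etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r,`, so the Xubuntu configuration tree is no longer readable; the thunar hunk above removes `/etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r,` outright. If Xubuntu remains a supported target, keep the alternation. Dropping `deny @{user_share_dirs}/gvfs-metadata/{,*} r,` turns a silenced denial into a logged one, and `ptrace (read) peer=xfce-terminal,` is removed without replacement, which will surface if the panel still inspects its terminal plugin; both are worth checking against the audit log rather than assuming.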
@@ -2,22 +2,16 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-power-manager profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include - include - include - include include include - #aa:dbus own bus=session name=org.xfce.PowerManager - #aa:dbus own bus=session name=org.freedesktop.PowerManagement - @{exec_path} mr, @{bin}/xfpm-power-backlight-helper rPx, @@ -27,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e9e19cca5..e441b84b8 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -2,21 +2,18 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include include - #aa:dbus own bus=session name=org.xfce.ScreenSaver - @{exec_path} mr, @{sh_path} rix, @@ -28,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/*.ref rw, include if exists } diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c1bd98111..c2eb97c30 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index be0f5c73d..f2b14b313 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -2,16 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include - include - include - include include include include @@ -19,8 +16,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=lightdm, - #aa:dbus own bus=session name=org.xfce.SessionManager - @{exec_path} mr, @{sh_path} rix, @@ -38,7 +33,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx, @{lib}/sdwdate-gui/start-maybe rPx, @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx, - @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx, /usr/share/kde-power-savings-disable-in-vms/{,**} r, /usr/share/kde-screen-locker-disable-in-vms/{,**} r, @@ -54,21 +48,17 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { /etc/xdg/autostart/*.desktop r, owner @{user_cache_dirs}/sessions/{,**} rw, - owner @{user_config_dirs}/autostart/ r, - owner @{user_config_dirs}/autostart/*.desktop r, owner @{tmp}/.xfsm-ICE-@{rand6} rw, owner @{PROC}/@{pid}/stat r, - @{sys}/class/i2c-adapter/ r, - /dev/tty rw, profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 0f8836326..88a042dad 100644 
--- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -2,26 +2,18 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include - include - include include include - include include include - signal send, - - #aa:dbus own bus=session name=org.xfce.Terminal5 - @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -34,10 +26,7 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, - @{editor_path} rPUx, - /usr/share/ r, - /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -45,7 +34,6 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, - owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 9cd273544..345851278 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -3,21 +3,18 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include - include include - #aa:dbus own bus=session name=org.xfce.Xfconf - @{exec_path} mr, - /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, + /etc/xdg/xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index 6bc5ec15c..c01a057e7 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,22 +10,14 @@ include profile xfdesktop @{exec_path} { include include - include - include include include include - #aa:dbus own bus=session name=org.xfce.xfdesktop - @{exec_path} mr, @{bin}/xfce4-mime-helper rix, - /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, - /etc/xdg/menus/{,*.menu} r, - /usr/share/xfce4/helpers/{,*.desktop} r, - /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper index 236028f2e..a00ebb094 100644 --- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper +++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,14 +15,14 @@ profile xfpm-power-backlight-helper @{exec_path} { @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r, + @{sys}/devices/@{pci}/backlight/**/{uevent,type} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{max_brightness,actual_brightness} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw, + @{sys}/devices/@{pci}/intel_backlight/type r, include if exists } diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index d3f88c196..ec46f5448 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd 
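Review bot: The new `@{sys}/devices/@{pci}/intel_backlight/{max_,}brightness rw` line in the xfpm-power-backlight-helper hunk grants write access to max_brightness, while the two stanzas just above it in the same hunk deliberately narrow max_brightness/actual_brightness to `r` and keep `rw` only on brightness. For a helper that writes to sysfs on the user's behalf the grant should be as tight as the other stanzas: `@{sys}/devices/@{pci}/intel_backlight/max_brightness r,` and `@{sys}/devices/@{pci}/intel_backlight/brightness rw,`. Note also that the new side matches only `intel_backlight`, so any other `*_backlight` node the old glob covered will presumably be denied now; confirm that is intended rather than a regression for non-Intel hardware.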
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,8 @@ include profile xfsettingsd @{exec_path} { include include - include - include - include include - #aa:dbus own bus=session name=org.xfce.SettingsDaemon - @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index c41e5254f..27bb23bfd 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -2,14 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base deleted file mode 100644 index f74b90418..000000000 --- a/apparmor.d/mappings/login/base +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by login to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base deleted file mode 100644 index dd9218d9c..000000000 --- a/apparmor.d/mappings/sshd/base +++ /dev/null 
@@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by login to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base deleted file mode 100644 index 95e395501..000000000 --- a/apparmor.d/mappings/sudo/base +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by su/sudo to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apparmor/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled similarity index 96% rename from apparmor.d/groups/apparmor/aa-enabled rename to apparmor.d/profiles-a-f/aa-enabled index fe350b2f6..d5ebe0c10 100644 --- a/apparmor.d/groups/apparmor/aa-enabled +++ b/apparmor.d/profiles-a-f/aa-enabled 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce similarity index 69% rename from apparmor.d/groups/apparmor/aa-enforce rename to apparmor.d/profiles-a-f/aa-enforce index 1f8368045..a6f3d2b9e 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable +@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain profile aa-enforce @{exec_path} { include include @@ -16,8 +16,8 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{sbin}/ r, - @{sbin}/apparmor_parser rPx, + @{bin}/ r, + @{bin}/apparmor_parser rPx, /usr/share/terminfo/** r, @@ -25,15 +25,11 @@ profile aa-enforce @{exec_path} { /etc/apparmor.d/{,**} rw, @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, - owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, - - @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fd r, include if exists } diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/profiles-a-f/aa-log similarity index 55% rename from apparmor.d/groups/apparmor/aa-log rename to apparmor.d/profiles-a-f/aa-log index 1a3e0aeff..6d1f690f6 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
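Review bot: `owner @{PROC}/@{pid}/fd r` in the last aa-enforce hunk has no trailing slash, so it does not match the `fd/` directory itself; AppArmor matches directory paths with a trailing `/`, so listing open descriptors (what the replaced `@{PROC}/@{pid}/fd/ r` allowed) will be denied. Use `owner @{PROC}/@{pid}/fd/ r,`. Separately, the `@{exec_path}` line now covers only aa-enforce and aa-complain, so aa-audit and aa-disable lose attachment to this profile unless they are handled elsewhere in the tree — worth confirming before merge.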
@@ -16,32 +16,23 @@ profile aa-log @{exec_path} { @{exec_path} mr, - @{bin}/journalctl rCx -> journalctl, + @{bin}/journalctl rix, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, /var/log/audit/* r, /var/log/syslog* r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + @{PROC}/sys/kernel/cap_last_cap r, + /dev/tty@{int} rw, - profile journalctl { - include - include - - capability sys_resource, - - @{bin}/journalctl mr, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{PROC}/sys/kernel/random/boot_id r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify new file mode 100644 index 000000000..7c65b9be2 --- /dev/null +++ b/apparmor.d/profiles-a-f/aa-notify @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/aa-notify +profile aa-notify @{exec_path} { + include + include + include + include + include + + capability setgid, + capability setuid, + capability sys_ptrace, + + ptrace (read), + + @{exec_path} mr, + + @{bin}/ r, + + /etc/apparmor/*.conf r, + /etc/inputrc r, + /usr/etc/inputrc.keys r, + /usr/share/terminfo/** r, + + /var/log/audit/audit.log r, + + owner @{HOME}/.inputrc r, + owner @{HOME}/.terminfo/@{int}/dumb r, + + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-*.txt rw, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/profiles-a-f/aa-status similarity index 79% rename from apparmor.d/groups/apparmor/aa-status rename to apparmor.d/profiles-a-f/aa-status index 9badb78c1..5d5840f6f 100644 --- a/apparmor.d/groups/apparmor/aa-status 
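Review bot: `@{bin}/journalctl rix` in the aa-log hunk runs journalctl inside aa-log's own profile, whereas the removed child profile confined it to a small rule set of its own. With the child gone no profile grants `capability sys_resource`, so if journalctl actually needed it (the old child suggests it did) the call will now hit a denial; if it never did, the capability was over-granted before and dropping it is fine, but that should be stated in the commit. Either way prefer a transition over inheritance, e.g. `@{bin}/journalctl rPx,` if a standalone journalctl profile exists in the tree, so journalctl does not inherit aa-log's read access to `/var/log/audit/*`.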
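Review bot: The new aa-notify profile grants `capability sys_ptrace` together with an unqualified `ptrace (read),`, which permits reading the state of every process on the system rather than only the ones it inspects; combined with `capability setuid` and `capability setgid` this is a broad set for a notification tool. Restrict the ptrace rule to the peers actually needed, or at minimum document why it is left open, e.g. `ptrace (read), # resolves PIDs from audit events — TODO confirm which peers are required`, and add a one-line comment above the setuid/setgid lines explaining the privilege change they presumably serve. The `/var/log/audit/audit.log r` grant is read-only, which is appropriate; the `owner @{tmp}/@{rand8} rw` line should also get a comment naming the temp file it is for so the pattern is not widened later.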
+++ b/apparmor.d/profiles-a-f/aa-status @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status +@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status profile aa-status @{exec_path} { include include @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/apparmor/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown similarity index 90% rename from apparmor.d/groups/apparmor/aa-teardown rename to apparmor.d/profiles-a-f/aa-teardown index 059766181..263c7b9af 100644 --- a/apparmor.d/groups/apparmor/aa-teardown +++ b/apparmor.d/profiles-a-f/aa-teardown @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/aa-teardown +@{exec_path} = @{bin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook index 380faac53..f4252aeee 100644 --- a/apparmor.d/profiles-a-f/abook +++ b/apparmor.d/profiles-a-f/abook @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 3b42be234..4f6132c25 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,6 +19,7 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, + include if exists } 
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index fd1d0af03..9372f46b4 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,18 +11,20 @@ profile acpi-powerbtn flags=(attach_disconnected) { /etc/acpi/powerbtn-acpi-support.sh r, - @{sh_path} rix, + @{bin}/{ba,da,}sh rix, @{bin}/{e,}grep rix, - @{sbin}/killall5 rix, + @{bin}/dbus-send rix, + @{bin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, + @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, - @{bin}/dbus-send Cx -> bus, - @{bin}/fgconsole Cx -> fgconsole, - @{bin}/ps Px, - @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl rCx -> systemctl, + @{bin}/ps rPx, + + @{bin}/fgconsole rCx -> fgconsole, /usr/share/acpi-support/** r, @@ -42,21 +44,12 @@ profile acpi-powerbtn flags=(attach_disconnected) { /dev/tty rw, owner /dev/tty@{int} rw, - - include if exists - } - - profile bus flags=(complain) { - include - include - - include if exists } profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 4985bca3a..10600e3d7 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/acpid +@{exec_path} = @{bin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -26,9 +26,8 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, - @{run}/acpid.socket w, owner @{run}/acpid.socket rw, - owner @{run}/acpid.pid rw, + owner @{run}/acpid.pid rw, owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/loginuid r, 
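Review bot: `@{bin}/dbus-send rix` and the new `@{bin}/shutdown rix` in the acpi-powerbtn hunk run inline under a profile that carries `attach_disconnected` and is presumably invoked as root from the acpid handler; the removed `bus` child at least isolated dbus-send, while systemctl and fgconsole still get their own children in this same hunk. For consistency and least privilege give these a transition too, e.g. `@{bin}/dbus-send rCx -> bus,` with a small child, and `@{bin}/shutdown rPx,` if a shutdown profile exists in the tree (otherwise a child). Also `@{bin}/{ba,da,}sh rix` reintroduces a hand-rolled shell glob where the old side used `@{sh_path}`; that tunable is the convention in the other hunks of this diff and should be kept.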
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index 3affe4e7a..13863c03a 100644 --- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb @@ -3,22 +3,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/adb @{exec_path} += @{lib}/android-sdk/platform-tools/adb -profile adb @{exec_path} flags=(attach_disconnected) { +profile adb @{exec_path} { include - include include include include network inet stream, network inet6 stream, - network netlink raw, signal (receive) set=(kill) peer=scrcpy, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 039518b51..350f070b0 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/adduser +@{exec_path} = @{bin}/add{user,group} profile adduser @{exec_path} { include include @@ -24,6 +24,7 @@ profile adduser @{exec_path} { capability sys_admin, # For logger @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/find rix, @@ -33,12 +34,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{sbin}/groupadd rPx, - @{sbin}/groupdel rPx, + @{bin}/groupadd rPx, + @{bin}/groupdel rPx, @{bin}/passwd rPx, - @{sbin}/useradd rPx, - @{sbin}/userdel rPx, - @{sbin}/usermod rPx, + @{bin}/useradd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 7025f9787..fe3e7565f 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,8 +17,9 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, + @{bin}/perl r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, @@ -54,14 +55,15 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, + @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, + @{lib}{,x}32/ld-*.so rix, - include if exists } profile frontend flags=(complain) { @@ -71,6 +73,7 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, + @{bin}/perl r, @{bin}/adequate rPx, @@ -88,14 +91,13 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, /etc/shadow r, - include if exists } profile pkg-config flags=(complain) { @@ -103,7 +105,6 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/pkg-config mr, - include if exists } include if exists diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/profiles-a-f/agetty similarity index 76% rename from apparmor.d/groups/utils/agetty rename to apparmor.d/profiles-a-f/agetty index 9ae450196..c15748c6a 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/agetty +@{exec_path} = @{bin}/agetty profile agetty @{exec_path} { include include 
@@ -20,23 +20,20 @@ profile agetty @{exec_path} { network netlink raw, - signal receive set=hup peer=@{p_systemd}, - @{exec_path} mr, @{bin}/login rPx, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, + /etc/login.defs r, + /etc/login.defs.d/ r, /etc/os-release r, + /usr/etc/login.defs r, - @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/credentials/serial-getty@ttyS@{int}.service/ r, owner @{run}/agetty.reload rw, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 87908dc9e..80e64558a 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -2,22 +2,21 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} flags=(attach_disconnected) { +profile alacarte @{exec_path} { include - include include include include @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, @@ -31,12 +30,6 @@ profile alacarte @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, include if exists 
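Review bot: `/etc/login.defs.d/ r` on the new side of the agetty hunk matches only the directory, so files placed in login.defs.d are not readable under this profile; the rule it replaces was `@{etc_ro}/login.defs.d/{,*} r`. Use `/etc/login.defs.d/{,*} r,` (and likewise `/usr/etc/login.defs.d/{,*} r,` next to the new `/usr/etc/login.defs r` if that layout is meant to be supported). The hunk also drops `signal receive set=hup peer=@{p_systemd}`; if systemd still sends HUP on reload (the profile keeps `owner @{run}/agetty.reload rw`), that signal will now be denied — confirm on a system that reloads getty.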
diff --git a/apparmor.d/profiles-a-f/alc b/apparmor.d/profiles-a-f/alc deleted file mode 100644 index 232f83860..000000000 --- a/apparmor.d/profiles-a-f/alc +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/alc -profile alc @{exec_path} { - include - include - include - - @{exec_path} mr, - @{user_torrents_dirs}/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alcc b/apparmor.d/profiles-a-f/alcc deleted file mode 100644 index c1e7d0602..000000000 --- a/apparmor.d/profiles-a-f/alcc +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/alcc -profile alcc @{exec_path} { - include - include - - @{exec_path} mr, - @{user_torrents_dirs}/{,**} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index adf0d5cd3..bde626660 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/alsactl +@{exec_path} = @{bin}/alsactl profile alsactl @{exec_path} { include include @@ -22,9 +22,6 @@ profile alsactl @{exec_path} { @{run}/lock/card@{int}.lock rwk, owner @{run}/alsa/{,**} rw, - @{sys}/devices/@{pci}/subsystem_device r, - @{sys}/devices/@{pci}/subsystem_vendor r, - include if exists } diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index 85989a7bf..ea2842a74 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer 
@@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule deleted file mode 100644 index ce600200a..000000000 --- a/apparmor.d/profiles-a-f/amule +++ /dev/null @@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/amule -profile amule @{exec_path} { - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - - # Previewing files isn't allowed - # because aMule opens viewers directly instead of via `xdg-open`. - # If aMule uses `xdg-open` in your time, - # uncomment the following line to allow previewing files. - # @{open_path} rPx -> child-open, - - @{exec_path} mr, - @{bin}/uname rix, - @{sh_path} rix, - @{system_share_dirs}/amule/{,**} r, - owner @{HOME}/.aMule/{,**} rwk, - @{user_torrents_dirs}/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/profiles-a-f/anacron similarity index 73% rename from apparmor.d/groups/cron/anacron rename to apparmor.d/profiles-a-f/anacron index 3acfc14fd..8893f1d70 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/anacron +@{exec_path} = @{bin}/anacron profile anacron @{exec_path} { include include @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, / r, /etc/anacrontab r, 
@@ -26,9 +26,7 @@ profile anacron @{exec_path} { @{HOME}/ r, - @{tmp}/file@{rand6} rw, - /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, + /tmp/file* rw, profile run-parts { include @@ -41,10 +39,7 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, - /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, - - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 43ecdb0cd..b9031360f 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -41,18 +41,19 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @{bin}/pgrep rCx -> pgrep, + @{lib}/qt5/bin/qdbus rCx -> qdbus, + @{bin}/pacmd rPx, @{bin}/pactl rPx, - @{bin}/ps rPx, - @{bin}/qtchooser rPx, @{bin}/wmctrl rPx, - @{lib}/qt{5,6}/bin/qdbus rPx, + @{bin}/qtchooser rPx, + @{bin}/ps rPx, # Players @{bin}/smplayer rPx, @@ -80,10 +81,10 @@ profile anyremote @{exec_path} { @{bin}/convert-im6.q16 mr, /usr/share/anyremote/cfg-data/Icons/common/*.png r, - - /usr/share/ImageMagick-@{int}/*.xml rw, - /etc/ImageMagick-@{int}/*.xml r, - + + /usr/share/ImageMagick-[0-9]/*.xml rw, + /etc/ImageMagick-[0-9]/*.xml r, + owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, @@ -127,6 +128,14 @@ profile anyremote @{exec_path} { include if exists } + profile qdbus { + include + + @{lib}/qt5/bin/qdbus mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index eba042635..0bb417ae2 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay 
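Review bot: `/tmp/file* rw` in the main anacron profile is both unowned and prefix-only, so a root daemon is permitted to read and write any /tmp entry whose name starts with `file`, including one pre-created by another local user; the run-parts child in the same hunk keeps the tighter `owner @{tmp}/file@{rand6} rw`. Align the parent with the child: `owner @{tmp}/file@{rand6} rw,`. If the anacron-specific temp names are still produced, re-add `owner @{tmp}/anacron-@{rand6} rw,` and `owner @{tmp}/anacron-@{rand6}@{c} rw,` rather than widening the glob.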
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,8 +19,6 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.Xauthority r, - /dev/snd/controlC@{int} rw, - include if exists } diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd similarity index 75% rename from apparmor.d/groups/apparmor/apparmor.systemd rename to apparmor.d/profiles-a-f/apparmor.systemd index f58512a02..a6d517b2a 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} { +profile apparmor.systemd @{exec_path} flags=(complain) { include include include @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{sbin}/aa-status rPx, - @{sbin}/apparmor_parser rPx, + @{bin}/aa-status rPx, + @{bin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,19 +43,10 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser similarity index 80% rename from apparmor.d/groups/apparmor/apparmor_parser rename to apparmor.d/profiles-a-f/apparmor_parser index a5769931c..82acd0d0f 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser 
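Review bot: The apparmor.systemd profile header gains `flags=(complain)` without a comment saying why; in complain mode every violation is only logged, so the unit that loads all the other profiles is effectively unconfined on the new side. If this is an interim measure while the rule set is completed, say so next to the flag, e.g. `# complain: rule set still being collected, see [tracking issue]`; otherwise drop the flag. The hunk at -19 also replaces the confined `sysctl` child with `@{bin}/sysctl rix,`, so sysctl now inherits the full apparmor.systemd rule set, and the `apparmor_restrict_unprivileged_userns` read that used to be scoped to the child is granted to the whole profile at -43.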
+++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -2,13 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} -@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include @@ -17,7 +17,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, @@ -45,9 +44,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/mounts r, - deny network netlink raw, # file_inherit - /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? - include if exists } diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index f2231479d..6b6bad8d8 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,8 +24,6 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, - /usr/share/byobu/desktop/{,**} r, - /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, /usr/share/swcatalog/{,**} r, @@ -48,7 +46,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, owner /var/cache/app-info/{,**} rw, owner /var/cache/swcatalog/{,**} rw, - + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, 
diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 77bf1bf96..6baddcf18 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index d445df0e2..03836a9dc 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,20 +24,34 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, + mount fstype=fuse.archivemount -> @{HOME}/*/, + mount fstype=fuse.archivemount -> @{HOME}/*/*/, + + /dev/fuse rw, + + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + /dev/fuse rw, + /etc/fuse.conf r, + + owner @{HOME}/ r, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, - include if exists + @{PROC}/@{pid}/mounts r, + } include if exists diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index cfac12d42..47d784212 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,7 +39,7 @@ profile arduino @{exec_path} { @{bin}/chmod rix, @{bin}/avrdude rix, - @{open_path} rCx -> child-open, + @{bin}/xdg-open rCx -> open, @{bin}/dpkg-architecture rPx, @{bin}/arduino-builder rPx, 
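Review bot: The archivemount fusermount child on the new side loses its trailing `include if exists` line (the removed line just before the closing brace in the hunk at -24), so local overrides for this child can no longer be dropped in; the other child profiles on this page (anyremote's qdbus, anacron's run-parts, borg's fusermount) keep that hook, and the same omission appears in arduino's new `open` child (hunk at -109) and in the aspell-autobuildhash child (hunk at -62). Re-add the line as the last statement of each child. The `mount fstype=fuse.archivemount -> @{HOME}/*/,` rules are now present in both the parent and the child; if the parent really mounts directly rather than through fusermount, a comment saying so would help, otherwise the parent copies are redundant.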
@@ -109,6 +109,31 @@ profile arduino @{exec_path} { # Silencer deny /usr/share/arduino/** w, + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + @{bin}/spacefm rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder index 2ef7e37fa..23f8628e5 100644 --- a/apparmor.d/profiles-a-f/arduino-builder +++ b/apparmor.d/profiles-a-f/arduino-builder @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -39,6 +39,8 @@ profile arduino-builder @{exec_path} { owner @{HOME}/Arduino/{,**} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /tmp/ r, owner @{tmp}/cc* rw, owner @{tmp}/untitled[0-9]*.tmp/{,**} rw, diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags index d85a6f3a8..0c3849643 100644 --- a/apparmor.d/profiles-a-f/arduino-ctags +++ b/apparmor.d/profiles-a-f/arduino-ctags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 629caca10..c5bd8d4f4 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - @{lib}/aspell/{,*} r, + /usr/lib/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 14feb75df..078fa0139 100644 
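Review bot: The two launch rules in the new `open` child, `@{lib}/firefox/firefox rPUx,` and `@{bin}/spacefm rPUx,`, use the unconfined fallback: when no profile for the target is loaded, the opened application runs with no confinement at all, from a child that exists only to hand off a file. If profiles for both targets exist in this set, `rPx` is the stricter choice; if the fallback is deliberate, a short comment on why belongs next to the rules. The same child also carries a `# file_inherit` write to `@{HOME}/.xsession-errors`, which is fine as a silencer but reads as a grant without the word `deny` in front.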
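Review bot: The aspell hunk at -16 replaces `@{lib}/aspell/{,*} r,` with the literal `/usr/lib/aspell/{,*} r,`, and aspell-autobuildhash does the same at -32; every other rule on this page uses the `@{lib}` tunable, so the hard-coded path is the odd one out and stops matching on layouts where the tunable expands to something other than `/usr/lib`. Keep `@{lib}/aspell/{,*} r,` (and `@{lib}/aspell/*.rws rw,` in aspell-autobuildhash) unless there is a reason the tunable must not match here, in which case a comment should give it.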
--- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -3,17 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/aspell-autobuildhash +@{exec_path} = @{bin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/basename rix, @@ -32,8 +33,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - @{lib}/aspell/{,*} r, - @{lib}/aspell/*.rws rw, + /usr/lib/aspell/{,*} r, + /usr/lib/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, @@ -46,8 +47,9 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, + @{bin}/perl r, - @{sbin}/aspell-autobuildhash rPx, + @{bin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, @@ -62,12 +64,11 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at index 0c309ad72..2da487b9c 100644 --- a/apparmor.d/profiles-a-f/at +++ b/apparmor.d/profiles-a-f/at @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 783d210fb..b1b54f0fa 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include 
@@ -20,15 +20,15 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - signal receive set=hup peer=at, + signal (receive) set=hup peer=at, - ptrace read peer=unconfined, + ptrace (read) peer=unconfined, @{exec_path} mr, @{sh_path} rix, - @{sbin}/sendmail rPUx, - @{sbin}/exim4 rPx, + @{bin}/sendmail rPUx, + @{bin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index 2444bd128..02a0a018b 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,12 +18,6 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 2782aacc0..947245d2a 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile atool @{exec_path} { include include include - include include @{exec_path} mr, @@ -19,9 +18,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/bzip rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, 
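Review bot: The atftpd hunk at -18 removes every `network inet*` and `network netlink raw` rule from a network daemon, and the only other change is the swapped `include` in the hunk at -3 (its path is not visible in this rendering). Unless that include grants the same socket families, the server will fail to bind and the audit log will show a `network` denial; please confirm which abstraction is pulled in and say so next to it, e.g. `# socket rules come from this abstraction`.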
@@ -30,9 +29,9 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, - @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, + @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @@ -47,10 +46,6 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, - @{lib}/p7zip/7z rix, - - /etc/atool.conf r, - owner @{HOME}/.atoolrc r, include if exists } diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 55502dd3e..2163346cc 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -3,24 +3,36 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include + include include + include + include include include - include + include + include + include include include include + include network netlink raw, - #aa:dbus talk bus=session name=org.mate.atril.Daemon label=atrild + dbus send bus=session path=/org/mate/atril/{,**} + peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members + + dbus send bus=session path=/org/mate/atril/Daemon + interface=org.mate.atril.Daemon + member={RegisterDocument,UnregisterDocument} + peer=(name=org.mate.atril.Daemon), # no peer's labels @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index f66f25936..c44686d5a 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index 762273a9f..daaee243f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl 
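Review bot: `@{bin}/bzip2 rix,` is added twice in a row in the atool hunk at -19 (it only reorders the two removed copies); one line is redundant and should go, since the parser accepts duplicates silently and nothing will flag it later. The hunk at -47 also removes `/etc/atool.conf r,` and `owner @{HOME}/.atoolrc r,`; on the new side nothing visible grants atool read access to its own configuration, so unless another rule covers those paths, user settings are ignored with a denial in the log.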
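Review bot: The first added D-Bus rule in atril pairs `peer=(name=org.freedesktop.DBus, label=atrild)`: `org.freedesktop.DBus` is the bus daemon's own name, so a peer that both owns that name and runs under the atrild profile should not exist and the rule likely never matches — I cannot see what the removed `#aa:dbus talk` directive expanded to, so treat this as something to check. The second rule, `peer=(name=org.mate.atril.Daemon)` with the comment `# no peer's labels`, has the opposite problem: any process that has claimed the name, confined or not, is accepted. `peer=(name=org.mate.atril.Daemon, label=atrild)` is probably what was meant on both; the audit log from a run will show which label actually appears.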
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/auditctl +@{exec_path} = @{bin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 41fb158c0..4e93a5d22 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/auditd +@{exec_path} = @{bin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include @@ -27,12 +27,10 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - + @{run}/systemd/journal/dev-log w, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, - @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 5ae84876b..5f192e8cc 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/augenrules +@{exec_path} = @{bin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{sbin}/auditctl rPx, + @{bin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index ff3a710c3..48b4cc8af 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks 
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/badblocks +@{exec_path} = @{bin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab deleted file mode 100644 index 654e40117..000000000 --- a/apparmor.d/profiles-a-f/baobab +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/baobab -profile baobab @{exec_path} { - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - - #aa:lint ignore=too-wide - # As a directory tree analyzer it needs full access to the filesystem - / r, - /** r, - - deny @{efi}/{,**} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 87457a129..caf8a50d2 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/biosdecode +@{exec_path} = @{bin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 771560c6b..b6314e942 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index bff816339..f9db3e96f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -3,24 +3,22 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/blkdeactivate +@{exec_path} = @{bin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - @{sh_path} rix, - @{sbin}/dmsetup rPx, - @{bin}/{,e}grep rix, - @{bin}/touch rix, + @{bin}/dmsetup rPUx, + @{bin}/grep rix, @{bin}/lsblk rPx, - @{sbin}/lvm rPx, - @{sbin}/multipathd rPx, + @{bin}/lvm rPx, + @{bin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/profiles-a-f/blkid similarity index 74% rename from apparmor.d/groups/utils/blkid rename to apparmor.d/profiles-a-f/blkid index 4105a7419..ad8134064 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/blkid +@{exec_path} = @{bin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include 
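Review bot: The new link target `rwkl -> /home/morfik/.config/ulduzsoft/*,` hardcodes one person's home directory; for every other user the link permission silently never matches, and the rule publishes a personal username in a shared profile. The removed line already had the right form, `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,` — restore it.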
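Review bot: `@{bin}/dmsetup rPUx,` in the blkdeactivate hunk at -3 replaces `rPx`, so if no dmsetup profile is loaded the call runs unconfined from a profile that otherwise confines every helper it execs (`lsblk`, `lvm`, `multipathd` stay `rPx`). Unless dmsetup has no profile in this set, keep `rPx` for consistency with its neighbours. The same hunk drops `@{sh_path} rix,` and `@{bin}/touch rix,`; blkdeactivate is a shell script on the distributions I know of, so please confirm it still starts under the profile rather than failing with an exec denial.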
@@ -23,8 +23,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{etc_rw}/blkid.tab{,-@{rand6}} rw, @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab, - /.ismount-test-file rw, - # Image files @{user_img_dirs}/{,**} r, @@ -34,20 +32,13 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{PROC}/@{pid}/mounts r, - @{PROC}/partitions r, - @{PROC}/swaps r, + @{run}/cloud-init/ds-identify.log w, # file_inherit - # Other possible location of the cache file - /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, - /dev/.blkid.tab{,-@{rand6}} rw, - /dev/blkid.tab.old rwl -> /dev/blkid.tab, + # For the EVALUATE=scan method + @{PROC}/partitions r, owner /dev/tty@{int} rw, - # file_inherit - deny @{run}/cloud-init/ds-identify.log w, - include if exists } diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/profiles-a-f/blockdev similarity index 83% rename from apparmor.d/groups/utils/blockdev rename to apparmor.d/profiles-a-f/blockdev index 0c5e7b17c..1b6cc77cb 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/profiles-a-f/blockdev @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/blockdev +@{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/profiles-a-f/blueman similarity index 99% rename from apparmor.d/groups/bluetooth/blueman rename to apparmor.d/profiles-a-f/blueman index 08a553c1d..9ac1c2c2b 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
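Review bot: The `deny @{run}/cloud-init/ds-identify.log w,` silencer in the blkid hunk at -34 becomes an allow: `@{run}/cloud-init/ds-identify.log w, # file_inherit`. An inherited descriptor only needs the deny to keep the log quiet; granting `w` lets blkid itself open and write cloud-init's log, which it has no reason to do. Keep the `deny` form — the comment already explains the inheritance.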
diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism similarity index 86% rename from apparmor.d/groups/bluetooth/blueman-mechanism rename to apparmor.d/profiles-a-f/blueman-mechanism index 9b4800210..152520fad 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -3,15 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include - include - include include include @@ -37,9 +35,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{sbin}/ip rix, - #@{sbin}/xtables-nft-multi rix, - #@{sbin}/dnsmasq rPx, + #@{bin}/ip rix, + #@{bin}/xtables-nft-multi rix, + #@{bin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher similarity index 83% rename from apparmor.d/groups/bluetooth/blueman-rfcomm-watcher rename to apparmor.d/profiles-a-f/blueman-rfcomm-watcher index 2d52a6e01..a8753ac8f 100644 --- a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/groups/bluetooth/bluemoon b/apparmor.d/profiles-a-f/bluemoon similarity index 96% rename from apparmor.d/groups/bluetooth/bluemoon rename to apparmor.d/profiles-a-f/bluemoon index 88cb70621..06f4040f8 100644 
--- a/apparmor.d/groups/bluetooth/bluemoon +++ b/apparmor.d/profiles-a-f/bluemoon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl similarity index 73% rename from apparmor.d/groups/bluetooth/bluetoothctl rename to apparmor.d/profiles-a-f/bluetoothctl index 0b075581b..603998f2c 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/profiles-a-f/bluetoothctl @@ -3,24 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include - include - include - - network bluetooth raw, - - #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, - /usr/share/terminfo/** r, - /etc/inputrc r, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd similarity index 63% rename from apparmor.d/groups/bluetooth/bluetoothd rename to apparmor.d/profiles-a-f/bluetoothd index 12c8e2e80..75934102b 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include - include # Needed for configuring HCI interfaces capability net_admin, 
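Review bot: After the bluetoothctl hunk at -3 the profile keeps only `@{exec_path} mr,` and the cache-dir rules: the `#aa:dbus talk bus=system name=org.bluez` directive, `network bluetooth raw,`, the terminfo and inputrc reads and two abstraction includes are removed, and nothing in the hunk replaces them. bluetoothctl works by talking to bluetoothd over the system bus, so unless the one remaining include (its path is not visible here) carries those rules, the tool is unusable under the profile. If the intent is to start from a minimal profile and rebuild from audit output, say so in a comment at the top so the stripped rules are not mistaken for a finished state.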
@@ -26,15 +25,30 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus send bus=system path=/{,MediaEndpoint} + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}), + peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), + + dbus send bus=system path=/MediaEndpoint + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=pulseaudio), + + dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* + interface=org.bluez.MediaEndpoint1 + member=Release + peer=(name=:*, label=pulseaudio), + + dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} + interface=org.bluez.MediaEndpoint1 + member=Release + peer=(name=:*, label=pulseaudio), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member={InterfacesRemoved,InterfacesAdded} - peer=(name=org.freedesktop.DBus), + member=InterfacesRemoved + peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), @{exec_path} mr, @@ -46,8 +60,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, @@ -58,6 +71,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, + /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon index d29d9fde7..77feb3210 100644 --- a/apparmor.d/profiles-a-f/bmon +++ b/apparmor.d/profiles-a-f/bmon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
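Review bot: The label list in the last rewritten rule of the bluetoothd hunk at -26, `label="{jwupd,NetworkManager,pulseaudio,upowerd}"`, contains `jwupd`, which looks like a typo for `fwupd`; as written no peer will ever match that entry. The peer label lists are also hard-coded to four clients, so any other confined D-Bus client of org.bluez is denied `GetManagedObjects` and `InterfacesRemoved`; the removed `peer=(name=@{busname})` form did not have that limitation. Separately, `/dev/uinput rw,` in the hunk at -58 lets bluetoothd create virtual input devices and inject key or pointer events system-wide, a large grant for a daemon that deserves a comment naming the feature needing it (the adjacent `/dev/uhid rw,` is the usual path for Bluetooth HID).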
diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/profiles-a-f/boltd similarity index 90% rename from apparmor.d/groups/freedesktop/boltd rename to apparmor.d/profiles-a-f/boltd index 5b72f8427..47c16d1cd 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,9 +25,9 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{att}/@{run}/systemd/notify w, - - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/systemd/notify rw, + @{run}/systemd/journal/socket w, + @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 544be3be0..107330419 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,19 +21,15 @@ profile borg @{exec_path} { network inet6 dgram, network netlink raw, - mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, - mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, - @{exec_path} r, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, - @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, @@ -96,7 +92,10 @@ profile borg @{exec_path} { profile fusermount { include - include + include + include + + capability sys_admin, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, 
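Review bot: `@{run}/systemd/notify rw,` in the boltd hunk at -25 widens the removed `@{att}/@{run}/systemd/notify w,` to read as well; the notify socket is only ever written by the service, so `w` is enough (as in auditd's `owner @{run}/systemd/notify w,` on this same page). The descriptive comment on the `@{run}/udev/data/+thunderbolt:*` line is also dropped; keeping it costs nothing and explains the udev database read.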
@@ -104,8 +103,13 @@ profile borg @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, include if exists } diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop deleted file mode 100644 index 1cfda03d9..000000000 --- a/apparmor.d/profiles-a-f/briar-desktop +++ /dev/null 
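Review bot: `@{PROC}/@{pids}/mounts r,` in the borg fusermount child reads the mount table of every process; the comparable rule in aspell-autobuildhash on this same change uses `owner @{PROC}/@{pid}/mounts r,`, and fusermount presumably only needs its own. Use `owner @{PROC}/@{pid}/mounts r,` here too. The `capability sys_admin,` added to this child in the hunk at -96 is undocumented; the archivemount hunk on this page labels the same grant with `# To mount anything:`, which would be worth copying.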
@@ -1,97 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/briar-desktop -profile briar-desktop @{exec_path} { - include - include - include - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - - ptrace read peer=briar-desktop-tor, - ptrace read peer=@{profile_name}//jspawnhelper, - - @{exec_path} mr, - - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, - @{lib}/jvm/java*/lib/jspawnhelper Cx -> jspawnhelper, - @{sh_path} mr, - - @{system_share_dirs}/java/briar-desktop.jar r, - - /etc/java*/{,**} r, - /etc/machine-id r, - - owner @{HOME}/.briar/desktop/{,**} rw, - owner @{HOME}/.briar/desktop/db/db.mv.db k, - - owner @{HOME}/.java/{,.userPrefs/{,org/}} w, - owner @{HOME}/.java/.userPrefs/.user.lock.@{user} wk, - owner @{HOME}/.java/.userPrefs/.userRootModFile.@{user} rw, - owner @{HOME}/.java/.userPrefs/{,org/}prefs.{xml,tmp} rw, - owner @{HOME}/.java/.userPrefs/org/briarproject/{,**} rw, - - owner @{HOME}/.skiko/ w, - owner @{HOME}/.skiko/@{hex64}/{,libskiko-*.so,skiko[0-9]*} mrw, - - owner @{user_pictures_dirs}/{,**} r, - - owner @{user_cache_dirs}/JNA/{,**} mrw, - - owner @{tmp}/hsperfdata_@{user}/ rw, - owner @{tmp}/hsperfdata_@{user}/@{pid} rwk, - owner @{tmp}/imageio@{u64}.tmp rw, - owner @{tmp}/jna@{u64}.tmp mrw, - - @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, - @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, - - @{PROC}/cgroups r, - @{PROC}/asound/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/coredump_filter rw, - owner @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/stat r, - - /dev/tty rw, - /dev/urandom rw, - - deny @{HOME}/ r, - 
- include if exists - - profile jspawnhelper flags=(attach_disconnected) { - include - - @{sbin}/ldconfig ix, - owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, - - @{system_share_dirs}/java/briar-desktop.jar r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, - - deny owner @{HOME}/.briar/desktop/db/db.mv.db rw, # file_inherit - deny network inet6 stream, # file_inherit - - include if exists - } -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor deleted file mode 100644 index ae818d1df..000000000 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ /dev/null 
@@ -1,86 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile briar-desktop-tor { - include - - network inet stream, - network inet6 stream, - network netlink raw, - - signal send set=term peer=briar-desktop-tor//lyrebird, - signal send set=term peer=briar-desktop-tor//obfs4proxy, - signal send set=term peer=briar-desktop-tor//snowflake, - - owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, - owner @{HOME}/.briar/desktop/tor/.tor/lock k, - owner @{HOME}/.briar/desktop/tor/lyrebird Cx -> lyrebird, - owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, - owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, - owner @{HOME}/.briar/desktop/tor/tor r, - owner @{HOME}/.briar/desktop/tor/torrc r, - - @{PROC}/sys/kernel/random/uuid r, - - include if exists - - profile lyrebird { - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - signal receive set=term peer=briar-desktop-tor, - - owner @{HOME}/.briar/desktop/tor/lyrebird mr, - @{PROC}/sys/net/core/somaxconn r, - - include if exists - } - - profile obfs4proxy { - include - - network inet stream, - network inet6 stream, - - signal receive set=term peer=briar-desktop-tor, - - owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w, - owner @{HOME}/.briar/desktop/tor/obfs4proxy mr, - @{PROC}/sys/net/core/somaxconn r, - - include if exists - } - - profile snowflake { - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - signal receive set=term peer=briar-desktop-tor, - - owner @{HOME}/.briar/desktop/tor/snowflake mr, - @{PROC}/sys/net/core/somaxconn r, - - include if exists - } -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index c896e96f8..cfc5d3b0b 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native +@{exec_path} = @{bin}/browserpass profile browserpass @{exec_path} flags=(attach_disconnected) { include include @@ -22,9 +22,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + owner @{PROC}/@{pid}/mountinfo r, # Inherit Silencer @@ -48,8 +50,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bac8aea75..b6c3556ec 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop 
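Review bot: The new `@{exec_path} = @{bin}/browserpass` drops `@{lib}/browserpass/browserpass-native` from the attachment, so a native-messaging host launched by the browser from that path would no longer be confined by this profile; if that binary still exists on the targeted systems, keep both paths in `@{exec_path}`. The same hunk narrows `google@{d}` to `google[0-9]`, which matches exactly one digit, and the conky hunk at the end of this chunk does the same with `{usb,ata}[0-9]`, so `ata10` and higher stop matching there unless `@{int}` was already single-digit. The link rule `owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**` still names the literal `.password-store` target while the source side uses the renamed tunable; if `@{user_password_store_dirs}` expands to more than `@{HOME}/.password-store`, links inside the other directories will be denied.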
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,16 +10,15 @@ include profile btop @{exec_path} { include include + include include - capability kill, - capability perfmon, capability sys_ptrace, network netlink raw, - signal send, - ptrace read, + signal (send), + ptrace (read), @{exec_path} mr, 
@@ -28,42 +27,33 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, - owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/{,**}/ r, + @{sys}/devices/@{pci}/**/stat r, @{sys}/devices/@{pci}/net/*/{,**} r, - @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, - @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, - @{sys}/devices/*/events/{,*} r, - @{sys}/devices/platform/*/ r, - @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/comm rw, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/config r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, + @{PROC} r, + @{PROC}/@{pid}/statm r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mounts r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, 
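Review bot: `@{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,` replaces `{,*}` with an alternation whose branches are both empty, so the rule now grants only the directory itself and none of the files under it; if that narrowing is not intended, restore `{,*}`. The rewritten `@{PROC}` block also mixes `@{PROC}/@{pid}/statm r,` with `@{PROC}/@{pids}/cmdline r,` and friends, while the removed line used `@{pids}` for `statm` too — with `@{pid}` only the daemon's own `statm` is readable, which looks like a typo rather than a deliberate change. `owner @{PROC}/@{pid}/mounts r,` at the end of that block would read better next to the other `owner` rules. The enclosing profile body continues outside the hunk.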
diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/profiles-a-f/btrfs similarity index 87% rename from apparmor.d/groups/filesystem/btrfs rename to apparmor.d/profiles-a-f/btrfs index 40149588d..f056d12ca 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,15 +24,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, / r, + /boot/ r, /.snapshots/ r, - @{efi}/ r, - @{efi}/**/ r, - /home/ r, - /opt/ r, - /root/ r, - /srv/ r, - /usr/local/ r, - /var/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -50,8 +43,10 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, - - @{sys}/fs/btrfs/@{uuid}/** r, + + @{sys}/fs/btrfs/@{uuid}/exclusive_operation r, + @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r, + @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r, @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, @@ -59,6 +54,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /dev/btrfs-control rw, /dev/pts/@{int} rw, /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/filesystem/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert similarity index 89% rename from apparmor.d/groups/filesystem/btrfs-convert rename to apparmor.d/profiles-a-f/btrfs-convert index 22715c857..8b443cf6e 100644 --- a/apparmor.d/groups/filesystem/btrfs-convert +++ b/apparmor.d/profiles-a-f/btrfs-convert @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/btrfs-convert +@{exec_path} = @{bin}/btrfs-convert profile btrfs-convert @{exec_path} { include include 
diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root similarity index 89% rename from apparmor.d/groups/filesystem/btrfs-find-root rename to apparmor.d/profiles-a-f/btrfs-find-root index cec2bbb61..03c2d47bd 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/btrfs-find-root +@{exec_path} = @{bin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image similarity index 90% rename from apparmor.d/groups/filesystem/btrfs-image rename to apparmor.d/profiles-a-f/btrfs-image index 48be7c381..c1508bb09 100644 --- a/apparmor.d/groups/filesystem/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/btrfs-image +@{exec_path} = @{bin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical similarity index 97% rename from apparmor.d/groups/filesystem/btrfs-map-logical rename to apparmor.d/profiles-a-f/btrfs-map-logical index f871bc946..12d2b09d6 100644 --- a/apparmor.d/groups/filesystem/btrfs-map-logical +++ b/apparmor.d/profiles-a-f/btrfs-map-logical @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super similarity index 97% rename from apparmor.d/groups/filesystem/btrfs-select-super rename to apparmor.d/profiles-a-f/btrfs-select-super index 0019aa906..f083363cf 100644 
--- a/apparmor.d/groups/filesystem/btrfs-select-super +++ b/apparmor.d/profiles-a-f/btrfs-select-super @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/btrfstune b/apparmor.d/profiles-a-f/btrfstune similarity index 92% rename from apparmor.d/groups/filesystem/btrfstune rename to apparmor.d/profiles-a-f/btrfstune index 24a8ef46e..cd8f7adfe 100644 --- a/apparmor.d/groups/filesystem/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/btrfstune +@{exec_path} = @{bin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cas b/apparmor.d/profiles-a-f/cas deleted file mode 100644 index d843801ba..000000000 --- a/apparmor.d/profiles-a-f/cas +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/cas -profile cas @{exec_path} { - include - include - - @{exec_path} mr, - - @{system_share_dirs}/cas/{,**} r, - - owner @{HOME}/.aMule/aMule-online-sign.html w, - owner @{HOME}/.aMule/amulesig.dat r, - owner @{HOME}/.aMule/casrc rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index 0d8c6a000..ee3bab550 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -31,12 +31,8 @@ profile cawbird @{exec_path} { @{sh_path} rix, - @{open_path} rPx -> child-open, - - /usr/share/xml/iso-codes/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + @{bin}/xdg-open rCx -> open, + @{bin}/exo-open rCx -> open, owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, @@ -44,8 +40,36 @@ profile cawbird @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, + /usr/share/xml/iso-codes/{,**} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{PROC}/@{pid}/fd/ r, + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index d8128da74..bc12ec50b 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -1,8 +1,7 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index af7436f39..3795d9836 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile cctk @{exec_path} { include include - capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze index 338f71a78..e51310b63 100644 --- a/apparmor.d/profiles-a-f/ccze +++ b/apparmor.d/profiles-a-f/ccze 
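Review bot: The new child `profile open` is entered from both `@{bin}/xdg-open rCx -> open` and `@{bin}/exo-open rCx -> open`, but inside it only `@{bin}/xdg-open mr,` is allowed, so the exo-open transition will be denied as soon as the binary has to be mapped; add `@{bin}/exo-open mr,` or drop the exo-open transition. `@{lib}/firefox/firefox rPUx` under `# Allowed apps to open` lets the browser run unconfined whenever no firefox profile is loaded, which is wider than the removed `@{open_path} rPx -> child-open` and deserves a comment saying that is accepted. The child also ends with a blank line before `}` and, unlike the parent, has no `include if exists` line for a local override — worth mirroring the parent. The parent profile continues outside the hunks.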
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu deleted file mode 100644 index 1201f2476..000000000 --- a/apparmor.d/profiles-a-f/cemu +++ /dev/null @@ -1,51 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/cemu -profile cemu @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /usr/share/Cemu/{,**} r, - - owner @{user_cache_dirs}/Cemu/{,**} rw, - owner @{user_config_dirs}/Cemu/{,**} rw, - owner @{user_share_dirs}/Cemu/{,**} rw, - - @{sys}/class/ r, - @{sys}/class/input/ r, - @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, - @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, - @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, - @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/statm r, - - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync index fa70c395f..e2770bda1 100644 --- a/apparmor.d/profiles-a-f/cert-sync +++ b/apparmor.d/profiles-a-f/cert-sync @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index ee8d277f2..7559b5c84 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk 
@@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/cfdisk +@{exec_path} = @{bin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 8f3f11af0..f19e70c26 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/cgdisk +@{exec_path} = @{bin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 6f31a43d5..6c51eead1 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,32 +12,42 @@ profile cgrulesengd @{exec_path} { include include - capability dac_read_search, + # For creating Unix domain sockets/IPC sockets: + # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 + # ... + # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation + # not permitted) capability net_admin, + + # To remove the following errors: + # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) capability sys_ptrace, + # To be able to read the /proc/ files of all processes in the system. + capability dac_read_search, + network netlink dgram, ptrace (read), @{exec_path} mr, - - /etc/cgconfig.conf r, - /etc/cgconfig.d/{,*} r, - - /etc/cgrules.conf r, - /etc/cgrules.d/{,*} r, - - owner @{run}/cgred.socket w, - - @{sys}/fs/cgroup/** rw, + @{sys}/fs/cgroup/**/tasks w, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, - @{PROC}/cgroups r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/cgroups r, + + @{sys}/fs/cgroup/unified/cgroup.controllers r, + + owner @{run}/cgred.socket w, + + /etc/cgconfig.conf r, + /etc/cgrules.conf r, + /etc/cgconfig.d/ r, + include if exists } diff --git a/apparmor.d/groups/shadow/chage b/apparmor.d/profiles-a-f/chage similarity index 95% rename from apparmor.d/groups/shadow/chage rename to apparmor.d/profiles-a-f/chage index 43f34a703..3eaa0efb9 100644 --- a/apparmor.d/groups/shadow/chage +++ b/apparmor.d/profiles-a-f/chage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index c73243041..9dd650d51 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool 
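Review bot: The new side removes `/etc/cgrules.d/{,*} r,` entirely and shrinks `/etc/cgconfig.d/{,*} r,` to `/etc/cgconfig.d/ r,` (directory only), so rule files placed in either drop-in directory are no longer readable even though the removed lines show they were previously needed; unless that is deliberate, restore both `{,*}` globs. The new comment `# For creating Unix domain sockets/IPC sockets:` contradicts the strace excerpt below it, which shows an `AF_NETLINK` / `NETLINK_CONNECTOR` socket — suggest `# For the netlink connector socket used to watch process events:`. `@{sys}/fs/cgroup/**/tasks w,` only exists on cgroup v1 hierarchies (v2 uses `cgroup.procs`), so a one-line note such as `# cgroup v1 only` next to it would spare the next reader a denial hunt. The profile continues outside the hunk.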
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,7 +33,6 @@ profile changestool @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index c44b6eaa5..877677bca 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/check-bios-nx +@{exec_path} = @{bin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{bin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 07baedfae..bdd9719d3 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -65,15 +65,16 @@ profile check-support-status @{exec_path} { /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, + profile debconf-escape { include include @{bin}/debconf-escape r, + @{bin}/perl r, owner @{tmp}/debian-security-support.postinst.*/output r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 8101b3008..e0c312423 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
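Review bot: The child profiles lose their `include if exists` line (the child at the end of changestool's hunk here, `debconf-escape` in check-support-status, and the same again in the check-support-status-hook, claws-mail and conky hunks further down), so the `local/` override hook disappears for children while the parents keep theirs; if that is intended, a short `# no local override for child profiles` comment at the first occurrence would stop reviewers re-adding it. In check-support-status the added `@{bin}/perl r,` grants read only, while interpreters and transition targets elsewhere in this diff get `mr` (`@{bin}/runuser mr,`, `@{bin}/xdg-open mr,`); if debconf-escape is a perl script the interpreter must be mapped executable, so `@{bin}/perl mr,` looks like the intended rule — please confirm against the denial log. The enclosing profile bodies continue outside these hunks.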
@@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{sbin}/adduser rPx, + @{bin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{sbin}/runuser rCx -> runuser, + @{bin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -53,11 +53,11 @@ profile check-support-status-hook @{exec_path} { include @{bin}/debconf-escape r, + @{bin}/perl r, /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, - include if exists } profile frontend { @@ -67,6 +67,7 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, + @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, @@ -84,12 +85,11 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - include if exists } profile runuser { @@ -111,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{sbin}/runuser mr, + @{bin}/runuser mr, @{sh_path} rix, @@ -124,8 +124,6 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output w, - - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese deleted file mode 100644 index 33b933be2..000000000 --- a/apparmor.d/profiles-a-f/cheese +++ /dev/null 
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/cheese -profile cheese @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{bin}/bwrap Px -> gnome-desktop-thumbnailers, - @{open_path} rPx -> child-open-help, - - @{system_share_dirs}/gnome-video-effects/{,*.effect} r, - @{system_share_dirs}/ladspa/rdf/{,**} r, - @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, - - /etc/machine-id r, - - owner @{HOME}/ r, # file save dialog - owner @{user_pictures_dirs}/{,**} rw, - owner @{user_videos_dirs}/{,**} rw, - - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - - owner @{tmp}/flatpak-seccomp-@{rand6} rw, - owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/profiles-a-f/chfn similarity index 86% rename from apparmor.d/groups/utils/chfn rename to apparmor.d/profiles-a-f/chfn index 45b50c7ad..162a08b84 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/profiles-a-f/chfn 
@@ -3,23 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include - include - include include include + include include + # To write records to the kernel auditing log. capability audit_write, + + # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - capability net_admin, + + # chfn is a SETUID binary capability setuid, network netlink raw, diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/profiles-a-f/chpasswd similarity index 73% rename from apparmor.d/groups/shadow/chpasswd rename to apparmor.d/profiles-a-f/chpasswd index 5e84f31b4..1fd84f53c 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -2,30 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , - include -@{exec_path} = @{sbin}/chpasswd +@{exec_path} = @{bin}/chpasswd profile chpasswd @{exec_path} { include - include include include - capability audit_write, capability chown, capability fsetid, - capability net_admin, capability setuid, - network netlink raw, - @{exec_path} mr, - @{etc_ro}/login.defs r, - /etc/.pwd.lock wk, + /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, @@ -37,11 +29,6 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, - /etc/pam.d/* r, - /etc/security/pwquality.conf r, - - @{PROC}/@{pid}/loginuid r, - include if exists } diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index e4a986c8a..5aa5c5ed2 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd 
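Review bot: chpasswd on the new side loses `/etc/.pwd.lock wk,` while still writing `/etc/passwd` and `/etc/shadow`, yet the sibling chsh profile in this same diff keeps `/etc/.pwd.lock rwk,` with a comment that the lock is taken when those databases are modified; dropping it here will either show up as a denial on every run or mean the lock is silently skipped, so keep `/etc/.pwd.lock wk,` unless the denial log shows it is never touched. The same hunk removes `capability audit_write` and `network netlink raw` from chpasswd while chfn and chsh retain both; that is consistent with also dropping `/etc/pam.d/* r,`, but a one-line comment would keep the two from being re-added independently. The new `# chfn is a SETUID binary` comment above `capability setuid` documents the why nicely — the equivalent line in chpasswd is missing. Both profiles continue outside the hunks.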
@@ -4,16 +4,14 @@ # Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd -abi , +abi , include -@{exec_path} = @{sbin}/chronyd +@{exec_path} = @{bin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include - include - include capability chown, capability dac_override, @@ -29,15 +27,12 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - network inet stream, - network inet6 stream, network netlink raw, @{exec_path} mr, /etc/adjtime r, - /etc/chrony.conf r, - /etc/chrony.keys r, + /etc/chrony.* r, /etc/chrony.d/{,*} r, /etc/chrony/{,**} r, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/profiles-a-f/chsh similarity index 79% rename from apparmor.d/groups/utils/chsh rename to apparmor.d/profiles-a-f/chsh index e3581be31..ffcdb5bdf 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -3,40 +3,40 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include - include - include - include include + include + include + # To write records to the kernel auditing log. capability audit_write, + + # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - capability net_admin, + + # gpasswd is a SETUID binary capability setuid, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - @{exec_path} mr, + owner @{PROC}/@{pid}/loginuid r, + /etc/shells r, - /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, + /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, - /etc/passwd.OLD wl -> /etc/passwd, - /etc/passwd+ rw, /etc/shadow r, 
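Review bot: The new comment `# gpasswd is a SETUID binary` in the chsh profile names the wrong program — this is chsh, so it should read `# chsh is a SETUID binary`, matching the wording the chfn hunk above uses. The hunk also moves `owner @{PROC}/@{pid}/loginuid r,` up between `@{exec_path} mr,` and `/etc/shells r,`, which departs from the file's convention of listing `@{PROC}` paths after the `/etc` ones; the second chsh hunk on the next line removes the original, so this is only a placement question. In chronyd, `/etc/chrony.conf r,` and `/etc/chrony.keys r,` collapse into `/etc/chrony.* r,`; since the keys file holds the NTP authentication keys, a glob that also matches any future `/etc/chrony.<x>` file is a small widening that should at least be called out in a comment.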
@@ -44,8 +44,6 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - owner @{PROC}/@{pid}/loginuid r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider deleted file mode 100644 index be59811a1..000000000 --- a/apparmor.d/profiles-a-f/cider +++ /dev/null @@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {C,c}ider sh.cider.genten -@{domain} = sh.cider.genten org.chromium.Chromium -@{lib_dirs} = @{lib}/cider -@{cache_dirs} = @{user_cache_dirs}/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} - -@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider -profile cider @{exec_path} { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rPx, - - @{bin}/xdg-settings rPx, - - owner @{user_config_dirs}/sh.cider.genten/ rw, - owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 263bb5794..4de4543a4 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,14 +24,14 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{sbin}/exim4 rPUx, + @{bin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, @@ -66,7 +66,6 @@ profile claws-mail @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus deleted file mode 100644 index 750fe9345..000000000 --- a/apparmor.d/profiles-a-f/cmus +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/cmus -profile cmus @{exec_path} { - include - include - - @{exec_path} mr, - - /usr/share/cmus/{,**} r, - /usr/share/terminfo/{,**} r, - - /etc/machine-id r, - - / r, - owner @{HOME}/ r, # For pwd - - owner @{user_music_dirs}/{,**} r, - - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/cmus/{,**} rw, - - owner @{run}/user/@{uid}/cmus-socket w, - - /dev/shm/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code new file mode 100644 index 000000000..393598746 --- /dev/null +++ b/apparmor.d/profiles-a-f/code 
@@ -0,0 +1,105 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss} + +@{exec_path} = @{lib}/electron@{int}/electron +profile code flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + capability sys_ptrace, + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + signal (send), + + @{exec_path} mrix, + + @{lib}/code/node_modules.asar.unpacked/**.node rm, + + # Core tools + @{bin}/git rPx, + @{bin}/gpg{,2} rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/rg rix, + @{open_path} rPx -> child-open, + + # The shell is not confined on purpose. + @{bin}/@{shells} rUx, + + # Confine some common tools + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, + + # Do NOT confine most of the extensions + @{bin}/[a-z0-9]* rPUx, + @{code_config_dirs}/extensions/** rPUx, + @{HOME}/.go/bin/* rPUx, + @{lib}/go/bin/* rPUx, + @{bin}/python3.@{int} rUx, + + /etc/shells r, + /etc/lsb-release r, + + owner @{HOME}/@{XDG_SSH_DIR}/config r, + + owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**, + + owner @{user_projects_dirs}/ r, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + + owner @{tmp}/@{uuid} rw, + owner @{tmp}/vscode-*/{,**} rw, + owner @{tmp}/vscode-ipc-@{uuid}.sock rw, + + owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, + owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw, + owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw, + + @{run}/systemd/inhibit/*.ref rw, + + @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + @{PROC}/ r, + @{PROC}/@{pid}/fd/ r, + 
@{PROC}/@{pid}/stat r, + @{PROC}/loadavg r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pids}/clear_refs w, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/status r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 674432b2e..6954ca966 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor index 8e56ac3aa..104e01281 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-editor +++ b/apparmor.d/profiles-a-f/code-extension-git-editor @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper new file mode 100644 index 000000000..707164b09 --- /dev/null +++ b/apparmor.d/profiles-a-f/code-wrapper 
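Review bot: `signal (send),` in the new `code` profile has no `set=` or `peer=` qualifier, so the confined editor may signal any process its uid can reach, including other confined programs, while the rest of the profile is written tightly (`owner` on every write, per-tool `rPx`); consider scoping it, e.g. `signal (send) peer=code,` plus whichever children it actually signals. `capability sys_ptrace,` also deserves a why-comment, since the profile contains no `ptrace` rule and the capability presumably only serves the non-`owner` `@{PROC}` reads below it — confirm from the denial logs before narrowing. Finally, `owner @{code_config_dirs}/** rwkl` overlaps `@{code_config_dirs}/extensions/** rPUx`, so anything the editor writes under its extension directories can then be executed unconfined; make that trust boundary explicit next to the existing comment, e.g. `# Extensions are user-writable AND run unconfined (rPUx): this is the trust boundary of the profile.`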
@@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/code{,-oss} +profile code-wrapper @{exec_path} { + include + include + + @{exec_path} r, + + @{sh_path} rix, + @{lib}/electron@{int}/electron rPx -> code, + + owner @{user_config_dirs}/code-flags.conf r, + owner @{user_config_dirs}/electron@{int}-flags.conf r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton index a6c7d193f..b27228807 100644 --- a/apparmor.d/profiles-a-f/compton +++ b/apparmor.d/profiles-a-f/compton @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 9e4372e1d..1e1b10abc 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -104,7 +104,7 @@ profile conky @{exec_path} { deny ptrace (trace, read), # Display the hard disk model name - @{sys}/devices/@{pci}/{usb,ata}@{int}/**/model r, + @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r, @{sys}/block/{s,v}d[a-z]/device/model r, # Display the disk write/read speed @{PROC}/diskstats r, @@ -200,7 +200,6 @@ profile conky @{exec_path} { deny @{PROC}/@{pid}/net/route r, deny @{sys}/devices/**/hwmon/**/temp*_input r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index aa0a56648..d7b41ff20 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,11 +12,9 @@ profile console-setup @{exec_path} { @{exec_path} mr, - @{sh_path} r, - @{bin}/uname rix, + @{bin}/uname rPx, @{bin}/mkdir rix, - @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached deleted file mode 100644 index 332f05341..000000000 --- a/apparmor.d/profiles-a-f/console-setup-cached +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh -profile console-setup-cached @{exec_path} { - include - include - - capability sys_tty_config, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/gzip rix, - @{bin}/ls ix, - @{bin}/mkdir ix, - @{bin}/setfont ix, - - /usr/share/consolefonts/{,**} r, - - @{run}/console-setup/ w, - @{run}/console-setup/font-loaded w, - - /dev/ r, - /dev/tty rw, - /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard deleted file mode 100644 index 1f4045e2e..000000000 --- a/apparmor.d/profiles-a-f/console-setup-keyboard +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh -profile console-setup-keyboard @{exec_path} { - include - include - - capability sys_tty_config, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/gzip rix, - @{bin}/kbd_mode rix, - @{bin}/loadkeys rix, - - /etc/console-setup/{,**} r, - - /dev/tty@{int} rw, - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor 
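Review bot: `@{run}/console-setup/ rw,` is removed while `@{bin}/mkdir rix,` and `@{run}/console-setup/boot_completed w,` stay, so if the script creates that directory before writing `boot_completed` the mkdir is now denied (creating the directory needs `w` on `@{run}/console-setup/` itself). If the directory is guaranteed to exist at that point (e.g. created by a tmpfiles entry), say so in a comment so the rule is not re-added blindly; otherwise keep `@{run}/console-setup/ w,`. Switching `@{bin}/uname` from `rix` to `rPx` is the safer transition, but it fails closed when no `uname` profile is loaded, and since this runs during boot that dependency is worth a one-line comment. The enclosing `console-setup` profile starts before this hunk.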
diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 52e80cc54..28a393470 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall @@ -3,35 +3,42 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { include - include + include + include + include include - include - include + include + include + include include + include include + include @{exec_path} r, @{sh_path} rix, - @{python_path} rix, - - /usr/share/convertall/{,**} r, - /usr/share/doc/convertall/{,*} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + @{bin}/python3.@{int} rix, owner @{HOME}/.convertall rw, deny owner @{PROC}/@{pid}/cmdline r, + /usr/share/convertall/{,**} r, + /usr/share/doc/convertall/{,*} r, + + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + include if exists } diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr index a5b7d8302..9e0aa0ad1 100644 --- a/apparmor.d/profiles-a-f/cppw-cpgr +++ b/apparmor.d/profiles-a-f/cppw-cpgr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index 332c1735c..8df6f750e 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include - include capability mknod, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index 4db396fa0..d29bfbbee 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer 
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/cracklib-packer +@{exec_path} = @{bin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index d3b6cba6f..96fb4c706 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/crda +@{exec_path} = @{bin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh similarity index 91% rename from apparmor.d/groups/cups/cups-backend-beh rename to apparmor.d/profiles-a-f/cups-backend-beh index 1e9fe5b78..5945ac6ea 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth similarity index 92% rename from apparmor.d/groups/cups/cups-backend-bluetooth rename to apparmor.d/profiles-a-f/cups-backend-bluetooth index 78ffbac77..ba606c7ef 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf similarity index 92% rename from apparmor.d/groups/cups/cups-backend-brf rename to apparmor.d/profiles-a-f/cups-backend-brf index 6d50b284f..2ea66ba05 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd similarity index 80% rename from apparmor.d/groups/cups/cups-backend-dnssd rename to apparmor.d/profiles-a-f/cups-backend-dnssd index 877200660..0bb1a34d1 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -2,19 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp similarity index 91% rename from apparmor.d/groups/cups/cups-backend-hp rename to apparmor.d/profiles-a-f/cups-backend-hp index cd9af3d7f..f82ce7e0a 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/profiles-a-f/cups-backend-hp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass similarity index 92% rename from apparmor.d/groups/cups/cups-backend-implicitclass rename to apparmor.d/profiles-a-f/cups-backend-implicitclass index c71295f83..6a50ec237 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp similarity index 91% rename from apparmor.d/groups/cups/cups-backend-ipp rename to apparmor.d/profiles-a-f/cups-backend-ipp index 8d61f4072..706e1a5ae 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd similarity index 91% rename from apparmor.d/groups/cups/cups-backend-lpd rename to apparmor.d/profiles-a-f/cups-backend-lpd index 89b62b569..077a913a0 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/profiles-a-f/cups-backend-lpd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns similarity index 91% rename from apparmor.d/groups/cups/cups-backend-mdns rename to apparmor.d/profiles-a-f/cups-backend-mdns index 9e5dfbe0f..a520e9a19 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/profiles-a-f/cups-backend-mdns @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel similarity index 91% rename from apparmor.d/groups/cups/cups-backend-parallel rename to apparmor.d/profiles-a-f/cups-backend-parallel index b4340b2ed..fe2e752ef 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/profiles-a-f/cups-backend-parallel @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf similarity index 91% rename from apparmor.d/groups/cups/cups-backend-pdf rename to apparmor.d/profiles-a-f/cups-backend-pdf index 21da6bf93..efbb2a85d 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -14,28 +14,26 @@ profile cups-backend-pdf @{exec_path} { include capability chown, - capability dac_override, - capability dac_read_search, capability setgid, capability setuid, + capability dac_override, unix peer=(label=cupsd), @{exec_path} mr, - + @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, /usr/share/ghostscript/{,**} r, + /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, - /etc/papersize r, - /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial similarity index 92% rename from apparmor.d/groups/cups/cups-backend-serial rename to apparmor.d/profiles-a-f/cups-backend-serial index 26811ab59..e2ec19bce 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/profiles-a-f/cups-backend-serial @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp similarity index 93% rename from apparmor.d/groups/cups/cups-backend-snmp rename to apparmor.d/profiles-a-f/cups-backend-snmp index 816f6c25b..1532db04b 100644 --- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,10 +16,9 @@ profile cups-backend-snmp @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/cups/snmp.conf r, /etc/papersize r, - /etc/paperspecs r, include if exists } 
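Review bot: `@{bin}/gs rix,` (and `@{bin}/gsc rix,`) runs Ghostscript, which parses the print job — attacker-supplied PostScript/PDF — inside this profile, so an interpreter escape inherits `capability chown`, `setgid`, `setuid` and `dac_override` together with the `/var/spool/cups-pdf/{,**} rw` and `/etc/cups` access. A `rPx` (or `rCx -> gs`) transition into a Ghostscript profile that carries none of those capabilities would contain that exposure; whether such a profile exists elsewhere in the tree is not visible here. Note also that dropping `capability dac_read_search` while keeping `capability dac_override` removes no privilege in practice, because `dac_override` already bypasses read and search checks — if least privilege was the intent, a comment on why `dac_override` itself is still required would help.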
diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket similarity index 91% rename from apparmor.d/groups/cups/cups-backend-socket rename to apparmor.d/profiles-a-f/cups-backend-socket index f8f36a056..338d2e2e6 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb similarity index 93% rename from apparmor.d/groups/cups/cups-backend-usb rename to apparmor.d/profiles-a-f/cups-backend-usb index 7d9dbd237..e647939f4 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,6 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed similarity index 61% rename from apparmor.d/groups/cups/cups-browsed rename to apparmor.d/profiles-a-f/cups-browsed index ca1dc9630..2abffbe16 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed 
@@ -2,24 +2,23 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/cups-browsed +profile cups-browsed @{exec_path} { include include + include include - include - include - include include include include capability net_admin, capability net_bind_service, + capability sys_nice, network inet dgram, network inet6 dgram, @@ -27,30 +26,27 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=:*, label=avahi-daemon), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, - @{bin}/ippfind rPx, - /usr/share/cups/locale/{,**} r, + /usr/share/locale/{,**} r, /etc/cups/{,**} r, + /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, - /var/cache/cups/{,**} rw, - owner /var/cache/cups-browsed/{,**} rw, - - owner @{tmp}/@{hex} rw, - @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus similarity index 90% rename from apparmor.d/groups/cups/cups-notifier-dbus rename to apparmor.d/profiles-a-f/cups-notifier-dbus index fa31b726d..9632ca91d 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
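Review bot: the added `capability sys_nice,` joins `net_admin` and `net_bind_service` with no comment on why cups-browsed needs any of them, and this daemon is network-reachable (it presumably binds a privileged port, given `net_bind_service`, and handles `inet dgram` traffic), so each capability widens what a hostile browse packet or printer advertisement can achieve after a bug. Add a why-comment per capability, e.g. `# net_admin: needed for interface enumeration over netlink (confirm)`, and if `sys_nice` merely appears as a logged denial with no functional impact, prefer `deny capability sys_nice,` as the `dfc` hunk in this change does for `dac_override`. Removing `flags=(attach_disconnected)` is only safe if the unit does not run with mount namespaces or PrivateTmp; that is worth confirming before it is dropped.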
@@ -16,14 +16,12 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, - #aa:dbus own bus=system name=org.cups.cupsd.Notifier - @{exec_path} mr, - + owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, - + include if exists } diff --git a/apparmor.d/groups/cups/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto similarity index 95% rename from apparmor.d/groups/cups/cups-notifier-mailto rename to apparmor.d/profiles-a-f/cups-notifier-mailto index e69afb072..aad9f73c3 100644 --- a/apparmor.d/groups/cups/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/groups/cups/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss similarity index 95% rename from apparmor.d/groups/cups/cups-notifier-rss rename to apparmor.d/profiles-a-f/cups-notifier-rss index 993392912..86dfecc9e 100644 --- a/apparmor.d/groups/cups/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism similarity index 95% rename from apparmor.d/groups/cups/cups-pk-helper-mechanism rename to apparmor.d/profiles-a-f/cups-pk-helper-mechanism index 89d517631..7c67e3e6a 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/@{int} rw, + owner @{tmp}/[a-z0-9]* rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/profiles-a-f/cupsd similarity index 86% rename from apparmor.d/groups/cups/cupsd rename to apparmor.d/profiles-a-f/cupsd index ec0bbfd67..9511c7495 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -2,17 +2,15 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , - include -@{exec_path} = @{sbin}/cupsd +@{exec_path} = @{bin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include @@ -29,9 +27,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -52,14 +48,14 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/{,e}grep rix, - @{bin}/gs{,.bin} rix, + @{bin}/grep rix, + @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, @@ -92,13 +88,12 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, - @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, - + owner @{tmp}/*_latest_print_info w, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index ddbc8b59b..6ad4c553b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli 
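Review bot: the first cupsd hunk deletes the `abi` declaration (`-abi ,`, angle-bracketed path lost in rendering) and adds no replacement, whereas every other profile in this change swaps one abi for another. Without an explicit `abi` the parser falls back to its compiled-in default, which can change which rule classes are mediated for this profile — the one here that runs with `capability setuid` and executes Ghostscript (`@{bin}/gs rix`) on untrusted jobs. Restore the line to match its siblings, e.g. `abi <abi/3.0>,` using whatever version the rest of the tree pins, or add a comment explaining why cupsd must differ.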
+++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index d7bb93f41..68a30c769 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open, + @{bin}/xdg-open rCx -> open, # Dirs to scan for duplicates #owner @{HOME}/** rw, @@ -38,6 +38,32 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + #@{lib}/firefox/firefox rPx, + @{bin}/smplayer rPx, + @{bin}/geany rPx, + @{bin}/viewnior rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 0928f0da4..000e61013 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,6 +15,7 @@ profile ddclient @{exec_path} { include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/logger rix, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index d8cb23a5c..ee12dcd5d 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -21,15 +21,14 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, / r, owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 2e7723995..eaf12a933 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ +@{DCD_LIBDIR} = @{lib}/deltachat-desktop +@{DCD_LIBDIR} += @{lib}/deltachat +@{DCD_LIBDIR} += /opt/DeltaChat/ -@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop +@{exec_path} = /usr/bin/deltachat-desktop +@{exec_path} += /opt/DeltaChat/deltachat-desktop +#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop profile deltachat-desktop @{exec_path} { include - include include include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, 
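Review bot: `@{run}/udev/data/* r,` replaces two deliberately narrow rules (`+*:*` for subsystem entries, `c@{int}:@{int}` for character devices) and drops their explanatory comments; the new glob also exposes block (`b*`) and network (`n*`) device entries that a monitor-control tool has no evident reason to read. If the broadening was prompted by a denial, add only the pattern that was denied and keep the why-comments, e.g. `@{run}/udev/data/c@{int}:@{int} r,  # character devices (i2c)`. The enclosing `ddcutil` profile starts before this hunk.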
@@ -32,18 +35,15 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, - @{lib_dirs}/{swiftshader/,}libEGL.so mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, - @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, - @{lib_dirs}/chrome-sandbox rPx, - - @{bin}/xdg-settings rPx, - @{open_path} rPx -> child-open-browsers, + @{DCD_LIBDIR}/ r, + @{DCD_LIBDIR}/** r, + @{DCD_LIBDIR}/libffmpeg.so mr, + @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr, + @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr, + @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr, + @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr, + @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, + @{DCD_LIBDIR}/chrome-sandbox rPx, owner @{user_config_dirs}/DeltaChat/ rw, owner @{user_config_dirs}/DeltaChat/** rwk, 
@@ -53,24 +53,58 @@ profile deltachat-desktop @{exec_path} { owner @{tmp}/@{hex}/db.sqlite rwk, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, + @{PROC}/ r, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/statm r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pids}/oom_{,score_}adj r, + deny owner @{PROC}/@{pids}/oom_{,score_}adj w, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/sys/fs/inotify/max_user_watches r, - /dev/ r, + /dev/ r, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, + deny @{sys}/devices/virtual/tty/tty@{int}/active r, + # no new privs + @{bin}/xdg-settings rPx, + + @{bin}/xdg-open rCx -> open, + + # Allowed apps to open + @{lib}/firefox/firefox rPx, + + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3f749a24b..67e52b376 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser 
@@ -3,35 +3,41 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/deluser +@{exec_path} = @{bin}/del{user,group} profile deluser @{exec_path} { include include include include + # The deluser command is issued as root and its task is to delete regular user accounts. It + # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. + # Because of that, the deluser command needs the following CAPs to be able to do so. capability dac_read_search, capability dac_override, @{exec_path} r, + @{bin}/perl r, - @{sh_path} rix, - @{bin}/crontab rPx, - @{bin}/gpasswd rPx, - @{sbin}/groupdel rPx, - @{bin}/mount rCx -> mount, - @{sbin}/userdel rPx, + @{sh_path} rix, + + @{bin}/userdel rPx, + @{bin}/groupdel rPx, + @{bin}/gpasswd rPx, + + @{bin}/crontab rPx, + + @{bin}/mount rCx -> mount, /etc/adduser.conf r, /etc/deluser.conf r, owner /etc/shadow r, - #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the @@ -39,6 +45,7 @@ profile deluser @{exec_path} { / r, /** rw, + profile mount { include @@ -48,7 +55,6 @@ profile deluser @{exec_path} { @{sys}/devices/virtual/block/**/name r, - include if exists } include if exists diff --git a/apparmor.d/groups/utils/df b/apparmor.d/profiles-a-f/df similarity index 88% rename from apparmor.d/groups/utils/df rename to apparmor.d/profiles-a-f/df index baceace65..18b3687e1 100644 --- a/apparmor.d/groups/utils/df +++ b/apparmor.d/profiles-a-f/df 
@@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/df -profile df @{exec_path} flags=(attach_disconnected) { +profile df @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index 65f944638..b4ccf6743 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,9 @@ profile dfc @{exec_path} { include include - capability dac_override, - capability dac_read_search, + capability dac_read_search, + # No visible effect + deny capability dac_override, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 30d68f6e5..20e45b87f 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9d84a4065..4261a8be7 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -3,26 +3,20 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, @{sh_path} mrix, 
@@ -42,22 +36,22 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{sbin}/resolvconf rPx, + @{bin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,16 +65,7 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, - - include if exists - } + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, profile run-parts { include @@ -92,7 +77,6 @@ profile dhclient-script @{exec_path} { # file_inherit owner /var/lib/dhcp/dhclient.leases r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index a8b482788..87b80e3da 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,9 +27,9 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, owner @{HOME}/batch_mode.dig r, owner @{HOME}/tsig.key r, - + /tmp/batch_mode.dig r, - + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino deleted file mode 100644 index e2ee5e9b2..000000000 --- a/apparmor.d/profiles-a-f/dino +++ /dev/null 
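Review bot: `@{bin}/sysctl rix,` replaces the `rCx -> sysctl` transition, so sysctl now runs with the whole dhclient-script profile — `capability net_admin`, `capability sys_admin` and every file rule above — instead of a child that only needed `@{PROC}/sys/net/ipv6/conf/*/stable_secret w,` (that rule is moved into the parent in the `@@ -71,16 +65,7 @@` hunk). That is far more than a single sysctl write requires, and it also removes the ability to tune sysctl's confinement separately through a local override. Unless the child profile was causing a concrete breakage, I'd keep `@{bin}/sysctl rCx -> sysctl,` and the child with its one write rule.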
@@ -1,53 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dino{,-im} -profile dino @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - # Not in a subprofile because of no new privs - @{bin}/gpg{,2} rix, - @{bin}/gpgconf rix, - @{bin}/gpgsm rix, - @{lib}/gnupg/keyboxd rix, - - owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - - owner @{user_share_dirs}/dino/ rw, - owner @{user_share_dirs}/dino/** rwk, - - owner @{run}/user/@{uid}/gnupg/ rw, - owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, - - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino-im new file mode 100644 index 000000000..f06989836 --- /dev/null +++ b/apparmor.d/profiles-a-f/dino-im 
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dino-im +profile dino-im @{exec_path} { + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + # Needed for GPG/PGP support + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, + + owner @{user_share_dirs}/dino/ rw, + owner @{user_share_dirs}/dino/** rwk, + + owner @{PROC}/@{pid}/fd/ r, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + owner @{HOME}/.gnupg/ rw, + owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, + + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 8d5ff99b6..03fab4ec9 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -4,11 +4,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dkms +@{exec_path} = @{bin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include 
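Review bot: The `gpg` child profile hardcodes `owner @{HOME}/.gnupg/` and `owner @{HOME}/.gnupg/**`, while the other profile in this diff that touches the GnuPG home (execute-dput) uses `@{HOME}/@{XDG_GPG_DIR}/`; with the literal path, a user who relocates the directory through that tunable presumably gets denials instead of a working key lookup. I'd write the two rules as `owner @{HOME}/@{XDG_GPG_DIR}/ rw,` and `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,`. If gpg is used for private-key operations it will also need the agent socket under `@{run}/user/@{uid}/gnupg/`, which the child does not allow — worth confirming against the audit log. The child also ends without the `include if exists` local-override hook that the parent profile and the other child profiles in this diff carry.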
@@ -27,40 +27,28 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, @{bin}/as rix, - @{bin}/bc rix, - @{bin}/clang-@{version} rix, - @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, - @{bin}/hostname rix, - @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, - @{bin}/ld.lld rix, - @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/xz rix, + @{bin}/update-secureboot-policy rPUx, @{bin}/zstd rix, - @{sbin}/update-secureboot-policy rPUx, - @{lib}/gcc/@{multiarch}/@{version}/* rix, + @{lib}/gcc/@{multiarch}/@{int}*/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, - @{lib}/modules/*/build/arch/x86/** rix, - @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, - @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, - /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -107,8 +95,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, - /dev/pts/@{int} rw, - profile kmod { include include @@ -116,9 +102,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner @{efi}/System.map-* r, + owner /boot/System.map-* r, - owner @{tmp}/tmp.@{rand10} r, + audit owner @{tmp}/tmp.* r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 2d799987f..f266791a1 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller 
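Review bot: `audit owner @{tmp}/tmp.* r,` in the `kmod` child (hunk `@@ -116,9 +102,9 @@`) enables audit logging for every successful read of those files, so each module build emits a log line even though the access is allowed. That is a reasonable way to find out which temp file kmod actually reads, but it should be marked as temporary, e.g. `# audit: still collecting which tmp file kmod reads; drop the qualifier once known` above the rule, or replaced by the plain `owner @{tmp}/tmp.* r,` if the information is already in hand. The `owner` qualifier keeps the `tmp.*` glob scoped to the caller's own files, so the glob itself is fine.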
@@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dkms rPx, + @{bin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, @@ -40,7 +40,7 @@ profile dkms-autoinstaller @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index 139dfaeaf..d56098048 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index 552abeadc..f41d250f6 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index f7d1e915e..e17a72c84 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -49,16 +49,16 @@ profile dlocate @{exec_path} { / r, + profile md5sum { include @{bin}/md5sum mr, # For the md5 check - @{efi}/** r, + /boot/** r, /usr/** r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device index 7d5b8062a..2fa3fc6a9 100644 --- a/apparmor.d/profiles-a-f/dmcrypt-get-device +++ b/apparmor.d/profiles-a-f/dmcrypt-get-device 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/profiles-a-f/dmesg similarity index 73% rename from apparmor.d/groups/utils/dmesg rename to apparmor.d/profiles-a-f/dmesg index 2976d1316..6dcd5cbb8 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -3,27 +3,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dmesg -profile dmesg @{exec_path} flags=(attach_disconnected) { +profile dmesg @{exec_path} { include include capability dac_read_search, - capability sys_admin, capability syslog, @{exec_path} mr, - @{sh_path} rix, - @{pager_path} rPx -> child-pager, + @{sh_path} rix, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/pager rPx -> child-pager, /usr/share/terminfo/** r, - @{PROC}/sys/kernel/pid_max r, + owner @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 984545508..2d904eec0 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dmeventd +@{exec_path} = @{bin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index 680d25992..061bc40ac 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dmidecode +@{exec_path} = @{bin}/dmidecode profile dmidecode @{exec_path} { include include 
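Review bot: `owner @{PROC}/sys/kernel/pid_max r,` in the dmesg hunk only matches when the calling uid owns the node, and `/proc/sys/kernel/pid_max` is root-owned, so the rule works for root but an unprivileged user running dmesg (where kernel.dmesg_restrict permits it) gets a logged denial for a harmless read. Drop the qualifier: `@{PROC}/sys/kernel/pid_max r,`. `owner` is meaningful for per-process entries under `@{PROC}/@{pid}/`, not for global sysctl nodes.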
diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup deleted file mode 100644 index eb9d1dc19..000000000 --- a/apparmor.d/profiles-a-f/dmsetup +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/dmsetup -profile dmsetup @{exec_path} { - include - include - include - - capability sys_admin, - - @{exec_path} mr, - - @{PROC}/devices r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 5573aaf83..03d47e395 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,17 +27,17 @@ profile dnscrypt-proxy @{exec_path} { @{exec_path} mrix, /etc/dnscrypt-proxy/{,**} r, - + owner /etc/dnscrypt-proxy/public-resolvers.md rw, owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw, owner /etc/dnscrypt-proxy/relays.md rw, owner /etc/dnscrypt-proxy/relays.md.minisig rw, owner /etc/dnscrypt-proxy/sf-*.tmp rw, - + /var/cache/private/dnscrypt-proxy/{,**} r, /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw, /var/cache/private/dnscrypt-proxy/sf-*.tmp rw, - + /var/log/dnscrypt-proxy/ r, /var/log/dnscrypt-proxy/*.log w, /var/log/private/dnscrypt-proxy/ rw, @@ -52,6 +52,8 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index bb54ca251..05b4085b3 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install deleted file mode 100644 index e99760a73..000000000 --- a/apparmor.d/profiles-a-f/dracut-install +++ /dev/null @@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/dracut/dracut-install -profile dracut-install @{exec_path} { - include - include - - @{exec_path} mr, - - @{bin}/cp rix, - - /etc/modprobe.d/{,**} r, - - @{sys}/devices/platform/{,**/} r, - @{sys}/devices/platform/**/modalias r, - @{sys}/module/compression r, - - @{PROC}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index 32a914268..8d0045030 100644 --- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index a1050aa94..e03ad1742 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -3,21 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include - include - include include + include + include # To capture packekts capability net_raw, capability net_admin, + signal (receive) peer=wireshark, + network inet dgram, network inet6 dgram, network netlink raw, @@ -25,8 +27,6 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, - signal (receive) peer=wireshark, - dbus (eavesdrop) bus=session, @{exec_path} mr, 
diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index a4184a358..725f725c5 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus +@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index e73e3370c..8fb895029 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,13 +17,10 @@ profile dunst @{exec_path} { @{exec_path} mr, /etc/xdg/dunst/dunstrc r, - owner @{user_config_dirs}/dunst/dunstrc r, owner @{HOME}/.Xauthority r, - owner /dev/shm/dunst-@{rand6} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 45ec6886c..42276c6c6 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,13 +13,12 @@ profile dunstctl @{exec_path} { @{exec_path} mr, - @{bin}/dbus-send Cx -> bus, + @{bin}/dbus-send rCx -> dbus, - profile bus { + profile dbus { include - include - include if exists + @{bin}/dbus-send mr, } include if exists diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index c62e87f66..3a8f16c2f 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,8 +13,6 @@ profile dunstify @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pid}/cgroup r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index c120a3590..8ce1ed3c7 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -3,14 +3,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 +@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 profile e2fsck @{exec_path} { include - include include include @@ -21,7 +20,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{sbin}/badblocks rPx, + @{bin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index c7238f262..ccb4cc5a4 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/e2image +@{exec_path} = @{bin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub deleted file mode 100644 index 2e7e88487..000000000 --- a/apparmor.d/profiles-a-f/e2scrub +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/e2scrub -profile e2scrub @{exec_path} flags=(complain) { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index e5d13f1de..de648cac2 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all 
@@ -2,24 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/e2scrub_all +@{exec_path} = @{bin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include include - capability setuid, capability sys_admin, capability sys_rawio, @{exec_path} mr, - @{sh_path} mr, - @{bin}/readlink ix, + @{sh_path} r, + @{bin}/readlink rix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/earlyoom b/apparmor.d/profiles-a-f/earlyoom deleted file mode 100644 index 01484cdc6..000000000 --- a/apparmor.d/profiles-a-f/earlyoom +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/earlyoom -profile earlyoom @{exec_path} { - include - - capability kill, - - @{exec_path} mr, - - @{PROC}/ r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/oom_adj r, - @{PROC}/@{pid}/oom_score r, - @{PROC}/@{pid}/oom_score_adj r, - @{PROC}/@{pid}/stat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/ed2k b/apparmor.d/profiles-a-f/ed2k deleted file mode 100644 index f92e3b74d..000000000 --- a/apparmor.d/profiles-a-f/ed2k +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ed2k -profile ed2k @{exec_path} { - include - include - - @{exec_path} mr, - - owner @{HOME}/.aMule/ED2KLinks w, - owner @{HOME}/.aMule/ED2KLinks_lock wk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index f15d6db6c..8925e5e2d 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/eject b/apparmor.d/profiles-a-f/eject similarity index 97% rename from apparmor.d/groups/utils/eject rename to apparmor.d/profiles-a-f/eject index 84168322a..bd467c2be 100644 --- a/apparmor.d/groups/utils/eject +++ b/apparmor.d/profiles-a-f/eject @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 59cfa3577..1dd15b4b9 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -2,25 +2,24 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = {E,e}lement -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/@{name} +@{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/element-desktop -profile element-desktop @{exec_path} flags=(attach_disconnected) { +profile element-desktop @{exec_path} { include include - include + include + include include include include - include include network inet dgram, @@ -31,9 +30,8 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, - @{open_path} Px -> child-open-strict, + @{sh_path} r, + @{open_path} rPx -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks index f833c303d..1909ab896 100644 --- a/apparmor.d/profiles-a-f/elinks +++ b/apparmor.d/profiles-a-f/elinks @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3e650962f..78fa87937 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -3,15 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include + include include - include + include + include + include include include include @@ -72,7 +75,8 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, + /tmp/ r, + owner @{tmp}/** rw, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 5c4108094..6f10293c7 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -48,7 +48,6 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, - #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, @@ -74,7 +73,6 @@ profile etckeeper @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 10b5ad4af..73d73eb02 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -2,21 +2,22 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include + include include + include include include - include + include include include include - include include include include 
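Review bot: `owner @{tmp}/** rw,` in the `@@ -72,7 +75,8 @@` hunk gives the archive manager read/write on every file the user owns under the temp directories, which reaches the private temp files of every other application running as that user, not just engrampa's own extraction area. Since `owner` already applies, the remaining way to narrow it is the path prefix engrampa actually creates under `@{tmp}`; I'd confine the rule to that subtree rather than `**` and keep `/tmp/ r,` for the directory listing. If the exact prefix is not yet known, a `# TODO: narrow to engrampa's own temp subtree` comment above the rule flags it for follow-up.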
@@ -29,7 +30,12 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={Set,GetTreeFromDevice} + peer=(name=:*, label=gvfsd-metadata), @{exec_path} rix, @@ -42,14 +48,13 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, - owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, - owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} rw, + owner @{tmp}/evince-*/{,**} rw, + owner @{tmp}/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index dcd28ddc9..7a2b939a6 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 6fbabaf28..d4e63c924 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer 
@@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 817ba6215..9f03de7fc 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 7161c5900..10edc6164 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @@ -46,7 +46,6 @@ profile execute-dput @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index fecb1af22..23aac34d4 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ profile exiftool @{exec_path} { include include include - include @{exec_path} mr, 
diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 3af283014..3dae4cae6 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/exim4 -profile exim4 @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/exim4 +profile exim4 @{exec_path} { include include include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index e03e35403..990c67b85 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, + @{bin}/perl r, # Mail clients @{bin}/thunderbird rPx, diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index b9d7652ee..af38a5fa3 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 2c5e86e30..7d265e566 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -19,10 +19,10 @@ profile exo-open @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx, + @{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, # It looks like gio-launch-desktop decides what app should be opened - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index 312512010..8572f369c 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index a2cfe43c5..a5d327e72 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index d935075eb..c7843c91f 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index 93058cfa9..a25e7e0cc 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 25c56778d..25282dff8 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write 
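Review bot: `exo-[0-9]/exo-helper-[0-9]` uses a single-character class, so it matches exactly one digit and stops matching once the exo version directory or helper suffix reaches two digits, while the next rule in the same hunk uses `glib-[0-9]*` for the same purpose. The same one-digit pattern appears in the ffmpeg hunk (`node[0-9]/meminfo`), where NUMA node ids from 10 upward would be denied. The project's `@{int}` variable, already used elsewhere in this diff (`tty@{int}`, `python3.@{int}`), fits both: `@{lib}/@{multiarch}/xfce4/exo-@{int}/exo-helper-@{int} rPx,` and `@{sys}/devices/system/node/node@{int}/meminfo r,`.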
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index d432bee94..23fd61125 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 629208bc6..2706c8e43 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,11 +20,11 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{bin}/iptables rix, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c8bdedaa3..df95d83c0 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fatlabel +@{exec_path} = @{bin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 6f4c86647..b94e0e49c 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize 
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fatresize +@{exec_path} = @{bin}/fatresize profile fatresize @{exec_path} { include include @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index bab152574..815e3bc76 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -3,17 +3,21 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fdisk +@{exec_path} = @{bin}/fdisk profile fdisk @{exec_path} { include - include include + # Needed to inform the system of newly created/removed partitions + # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) capability sys_admin, + + # To remove the following errors: + # kernel: device-mapper: core: fdisk: sending ioctl 5331 to DM device without required privilege. capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 8633444d8..864becf32 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,7 +28,6 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, - owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, @@ -37,7 +36,7 @@ profile ffmpeg @{exec_path} { owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node[0-9]/meminfo r, include if exists } 
diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer index acc33199c..5c0d7e2f8 100644 --- a/apparmor.d/profiles-a-f/ffmpegthumbnailer +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer @@ -2,14 +2,13 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/ffmpegthumbnailer profile ffmpegthumbnailer @{exec_path} { include - include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 4152ed49a..0615d1042 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,10 @@ include profile ffplay @{exec_path} { include include - include + include include include + include network inet stream, network inet6 stream, @@ -29,7 +30,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node[0-9]/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index 793361489..f5448d7ef 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 3d13b813f..4e432e2f1 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller 
@@ -2,35 +2,40 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include + include + include + include include - include include + include + include + include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller @{exec_path} mr, - @{open_path} rPx -> child-open-help, - - @{bin}/mv rix, - @{bin}/rm rix, - # Archivers - @{archive_path} rix, - - #aa:lint ignore=too-wide - # Full access to user's data - @{MOUNTS}/** rw, - owner @{HOME}/** rw, - owner @{tmp}/** rw, + @{bin}/7z rix, + @{bin}/ar rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/tar rix, + @{bin}/unrar-nonfree rix, + @{bin}/unzip rix, + @{bin}/xz rix, + @{bin}/zip rix, + @{bin}/zstd rix, + @{lib}/p7zip/7z rix, @{run}/mount/utab r, diff --git a/apparmor.d/groups/cap/filecap b/apparmor.d/profiles-a-f/filecap similarity index 98% rename from apparmor.d/groups/cap/filecap rename to apparmor.d/profiles-a-f/filecap index 6729ebb91..afad4070c 100644 --- a/apparmor.d/groups/cap/filecap +++ b/apparmor.d/profiles-a-f/filecap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fileview b/apparmor.d/profiles-a-f/fileview deleted file mode 100644 index 9237f2a98..000000000 --- a/apparmor.d/profiles-a-f/fileview +++ /dev/null 
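Review bot: The archivers listed as `rix` (`@{bin}/7z`, `@{bin}/unrar-nonfree`, `@{bin}/tar`, `@{lib}/p7zip/7z`, …) now run under file-roller's own label, so a parser bug in any of them inherits everything file-roller has, including its two owned D-Bus names and whatever data access the rest of the profile grants outside this hunk. Since these tools decode untrusted archives, a child profile would contain them better: `@{bin}/{7z,ar,bzip2,cpio,gzip,tar,unrar-nonfree,unzip,xz,zip,zstd} rCx -> archiver,` with a `profile archiver { … }` limited to the archive and extraction paths; if the project already ships profiles for these binaries, `rPx` is the simpler route. The hunk also drops `@{open_path} rPx -> child-open-help`, so opening an extracted file from the UI will be denied unless that is granted elsewhere — worth a comment either way. The enclosing `file-roller` profile continues past this hunk.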
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/fileview -profile fileview @{exec_path} { - include - include - - @{exec_path} mr, - - # This program parses aMule internal data files like "server.met". - # The paths to these files are given as arguments. - # The following directories are those that users likely want to read. - # However, this program is usable without the permissions below. - owner @{HOME}/.aMule/{,**} r, - @{user_torrents_dirs}/{,**} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd deleted file mode 100644 index 7ce69ab64..000000000 --- a/apparmor.d/profiles-a-f/finalrd +++ /dev/null 
@@ -1,82 +0,0 @@ - -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/finalrd -profile finalrd @{exec_path} { - include - include - - capability dac_read_search, - capability sys_admin, - capability sys_chroot, - - remount options=(rw nodev nosuid relatime remount) @{run}/, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cp ix, - @{bin}/dirname ix, - @{bin}/env ix, - @{bin}/find ix, - @{bin}/{,e}grep ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/mount ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/sed ix, - @{bin}/touch ix, - @{sbin}/ldconfig{,.real} ix, - - @{bin}/ldd Cx -> ldd, - @{bin}/systemd-tmpfiles Px, - @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, - @{lib}/systemd/systemd-shutdown Px, - /usr/share/finalrd/*.finalrd ix, - - @{bin}/{,*} r, - @{lib}/{,*} r, - @{sbin}/{,*} r, - - /usr/share/finalrd/{,**} r, - /usr/share/initramfs-tools/hook-functions r, - - /etc/fstab r, - /etc/iscsi/initiatorname.iscsi r, - /etc/iscsi/iscsid.conf r, - - / r, - - @{run}/ r, - @{run}/finalrd-libs.conf rw, - @{run}/initramfs/{,**} rw, - @{run}/mount/ r, - @{run}/mount/utab r, - - @{PROC}/@{pid}/mountinfo r, - - profile ldd { - include - include - include - - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/profiles-a-f/findmnt similarity index 97% rename from apparmor.d/groups/utils/findmnt rename to apparmor.d/profiles-a-f/findmnt index 0c027dc2c..7fb7c9e1b 100644 --- a/apparmor.d/groups/utils/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,7 +20,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, - + @{PROC}/@{pids}/mountinfo r, # File Inherit diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index d8086715a..c470d068a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,13 +19,11 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/apparmor_parser rPx, - - @{etc_ro}/login.defs r, + @{bin}/apparmor_parser rPx, + /etc/login.defs r, /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, - /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -34,14 +32,10 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, + @{user_share_dirs}/applications/*.desktop rw, - @{user_config_dirs}/firejail/{,*} r, - - /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, - + /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld new file mode 100644 index 000000000..143719f0d --- /dev/null +++ b/apparmor.d/profiles-a-f/firewalld 
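Review bot: In the firecfg hunk, `@{user_share_dirs}/applications/*.desktop rw,` is the one write rule without an `owner` qualifier, and the `Exec=` line of a .desktop file is what gets run on launch; `owner @{user_share_dirs}/applications/*.desktop rw,` keeps firecfg running as one user from rewriting another user's launchers if it ever lands on a shared or mis-permissioned directory. `@{bin}/apparmor_parser rPx,` carries the same caveat as the other `@{sbin}` → `@{bin}` moves in this diff: apparmor_parser is installed in /sbin on Debian/Ubuntu, so this only matches if `@{bin}` covers sbin. The hunk also removes `/etc/firejail/firecfg.d/{,*} r`; if firecfg still reads that drop-in directory the denial will appear in the audit log on first run, so I would confirm against a current firecfg before merging.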
@@ -0,0 +1,82 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/firewalld
+profile firewalld @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability mknod,
+ capability net_admin,
+ capability net_raw,
+ capability setpcap,
+
+ network inet raw,
+ network inet6 raw,
+ network netlink raw,
+
+ dbus receive bus=system path=/org/fedoraproject/FirewallD1
+ interface=org.fedoraproject.FirewallD1.direct
+ member=passthrough
+ peer=(name=:*, label=libvirtd),
+
+ dbus receive bus=system path=/org/fedoraproject/FirewallD1
+ interface=org.fedoraproject.FirewallD1.zone
+ member={changeZoneOfInterface,getZones}
+ peer=(name=:*, label=libvirtd),
+
+ dbus receive bus=system path=/org/fedoraproject/FirewallD1
+ interface=org.fedoraproject.FirewallD1.zone
+ member={changeZoneOfInterface,removeInterface}
+ peer=(name=:*, label=libvirtd),
+
+ #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
+
+ @{exec_path} mr,
+
+ @{bin}/ r,
+ @{bin}/alts rix,
+ @{bin}/ebtables-legacy rix,
+ @{bin}/ebtables-legacy-restore rix,
+ @{bin}/false rix,
+ @{bin}/ipset rix,
+ @{bin}/kmod rPx,
+ @{bin}/xtables-legacy-multi rix,
+ @{bin}/xtables-nft-multi rix,
+
+ /usr/local/lib/python3.10/dist-packages/ r,
+
+ /usr/share/libalternatives/ r,
+ /usr/share/libalternatives/ebtables*/{,*} r,
+ /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
+
+ /etc/firewalld/{,**} rw,
+ /etc/iproute2/group r,
+ /etc/iproute2/rt_realms r,
+
+ /var/lib/ebtables/lock rwk,
+
+ /var/log/firewalld rw,
+
+ @{run}/firewalld/{,*} rw,
+ @{run}/xtables.lock rwk,
+
+ @{PROC}/sys/kernel/modprobe r,
+ @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pids}/net/ip_tables_names r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
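Review bot: `/usr/local/lib/python3.10/dist-packages/ r,` pins a single interpreter version in a brand-new profile and will silently stop matching on the next Python bump; `/usr/local/lib/python3.@{int}/dist-packages/ r,` (or the project's python abstraction, if the stripped `include` lines already provide one) is the usual form. The second and third `dbus receive` rules for `org.fedoraproject.FirewallD1.zone` both target `peer=(name=:*, label=libvirtd)` and overlap on `changeZoneOfInterface`; they collapse into one rule with `member={changeZoneOfInterface,getZones,removeInterface}`. `capability mknod,` and `capability setpcap,` are not obvious for a firewall daemon and nothing in the file explains them — a why-comment above each (the denial they fix) is worth adding now rather than after the next audit. `/var/log/firewalld rw,` would be tighter as `a` (append) unless firewalld is known to read its own log back, which I cannot confirm from here.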
diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index f0d042ba8..877e42912 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/profiles-a-f/flatpak similarity index 52% rename from apparmor.d/groups/flatpak/flatpak rename to apparmor.d/profiles-a-f/flatpak index 341db555e..4d3220a08 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,14 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include include include - userns, + # userns, capability dac_override, capability dac_read_search, 
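Review bot: `# userns,` in the flatpak profile disables the user-namespace rule without saying why; on kernels that restrict unprivileged user namespaces through AppArmor, a confined flatpak that calls unshare/clone(CLONE_NEWUSER) will be denied, and because the profile header in this hunk carries `complain` that denial only shows in the log and is easy to miss. If the rule is unnecessary because the namespace is created by bwrap under the `flatpak-app` label, record that: `# userns, # namespaces are created by bwrap (flatpak-app), not by flatpak itself`; otherwise restore `userns,`. The enclosing `flatpak` profile runs past this hunk.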
@@ -35,28 +35,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain ptrace (read) peer=flatpak-app, - signal send peer=flatpak-app, - - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak//fusermount), - - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - - dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper - interface=org.freedesktop.Flatpak.SystemHelper - member=GetRevokefsFd - peer=(name=org.freedesktop.Flatpak.SystemHelper), - @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, 
@@ -66,54 +44,35 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, - /usr/share/flatpak/{,**} r, /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - @{att}/ r, + / r, /var/lib/flatpak/{,**} rwlk, /var/tmp/#@{int} rw, /var/tmp/flatpak-cache-@{rand6}/{,**/} r, - owner /var/tmp/flatpak-cache-@{rand6}/ rw, - owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**, + owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk, owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - # Can create dotfile directories for any app - owner @{user_cache_dirs}/*/ w, - owner @{user_config_dirs}/*/ w, - owner @{user_share_dirs}/*/ w, - owner @{user_games_dirs}/{,**/} w, - owner @{user_documents_dirs}/ w, - - @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, @{user_share_dirs}/flatpak/{,**} r, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/flatpak/ rw, - owner @{user_share_dirs}/flatpak/** rwlk, + owner @{user_share_dirs}/flatpak/{,**} rwl, - owner @{tmp}/#@{int} rw, - owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, - owner @{tmp}/remote-summary-sig.@{rand6} rw, - owner @{tmp}/remote-summary.@{rand6} rw, + /tmp/#@{int} rw, owner /dev/shm/flatpak*/{,**} rw, + owner @{tmp}/ostree-gpg-*/{,**} rw, - @{run}/.userns r, - @{att}/@{run}/.userns r, - + @{run}/.userns r, @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw, 
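Review bot: `/tmp/#@{int} rw,` is the only temp rule in this hunk with no `owner` qualifier and a literal `/tmp` where the surrounding rules use `@{tmp}`; anonymous `#N` files belong to the process that created them, so `owner @{tmp}/#@{int} rw,` is both tighter and consistent with the lines around it. The `ostree-gpg-*` and `flatpak-cache-*` wildcards replace `@{rand6}` and now match any suffix under /tmp and /var/tmp, which widens what a local user can pre-create to collide with flatpak's temporary directories; if `@{rand6}` was dropped because the real names vary, a comment quoting an observed name would justify the `*`. `/ r,` in place of `@{att}/ r` only matters if the profile still sets an `attach_disconnected.path` outside this hunk — if it does not, expect new denials for the paths that used to be reported under `@{att}`.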
@@ -134,7 +93,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include @@ -142,34 +101,36 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability dac_read_search, - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - @{bin}/gpg-agent rix, - @{lib}/gnupg/scdaemon rix, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, @{HOME}/@{XDG_GPG_DIR}/*.conf r, - owner @{tmp}/ostree-gpg-@{rand6}/ rw, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - - owner @{PROC}/@{pid}/fd/ r, + owner @{tmp}/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, include if exists } profile fusermount { include - include + include + include - capability setuid, - - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak), + capability sys_admin, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app similarity index 83% rename from apparmor.d/groups/flatpak/flatpak-app rename to apparmor.d/profiles-a-f/flatpak-app index e6be7ef4f..41d72d143 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
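Review bot: The `fusermount` child profile now carries `capability sys_admin,` with no explanation, and sys_admin is the broadest capability AppArmor can hand out; it is presumably required by the `mount fstype=fuse.revokefs-fuse …` and `umount` rules, so say so on the line: `capability sys_admin, # mount(2)/umount(2) of revokefs-fuse`. The mount target `/var/tmp/flatpak-cache-*/*/` uses `*` where the parent profile spells the same directory with `@{rand6}`; one variable for both keeps them from drifting. In the `gpg` child, `@{bin}/gpg-agent` and `scdaemon` are no longer executable; gpg normally auto-launches the agent for key operations, so if ostree signature verification starts failing after this change, that is the first place to look. Both child profiles sit wholly inside the hunk, but the enclosing `flatpak` profile does not.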
@@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # Default profile for all flatpak applications. Ideally, this profile should be -# generated by flatpak itself with settings from the flatpak manifest and +# generated by flatpak itself with settings from the flatpak manifest and # fully separated from bwrap. # Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order -# to separate bwrap from the sandboxed app itself. It was generating issue with +# to separate bwrap from the sandboxed app itself. It was generating issue with # zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install # some applications, flatpak needs write access to the sandbox content. This is # done through bwrap and therefore in this profile. @@ -15,10 +15,10 @@ # 1. All of this will have to be improved. However, as of today, it is the only # way to not break some (major) flatpak app. # 2. It is not a big deal as flatpak is responsible for the sandbox anyway. -# This this only defence in depth. +# This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. -abi , +abi , include @@ -39,18 +39,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network inet6 stream, network netlink dgram, network netlink raw, - network unix stream, - ptrace read, + ptrace (read), ptrace trace peer=flatpak-app, - signal receive peer=flatpak, - signal receive set=(int term) peer=flatpak-portal, - signal receive set=(int term) peer=flatpak-session-helper, - - unix type=seqpacket peer=(label=dbus-session), - # unix type=seqpacket peer=(label=unconfined), - unix type=seqpacket peer=(label=xdg-dbus-proxy), + signal (receive) set=(int) peer=flatpak-portal, + signal (receive) set=(int) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, 
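Review bot: The flatpak-app header comment keeps the typo `# This this only defence in depth.` — it should read `# This is only defence in depth.`, and since the hunk already rewrites that line (trailing whitespace) the fix is free. In the same file, `ptrace (read),` has no `peer=` while the next rule is `ptrace trace peer=flatpak-app,`, so a sandboxed app may read ptrace-gated /proc entries of any host process the kernel's ptrace_scope allows; if the intent is intra-sandbox only, `ptrace (read) peer=flatpak-app,` mirrors the trace rule. The profile header is inside this hunk but the rule body continues past it.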
@@ -61,8 +55,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, - @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, - @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, @@ -86,9 +78,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + /var/tmp/etilqs_@{hex16} rw, - owner @{att}/@{HOME}/.var/app/** rwlkmix, - + @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, @@ -96,9 +88,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, - owner @{run}/user/ r, - - /dev/ntsync r, + owner @{run}/user/@{uid}/*.kioworker.socket r, + owner @{run}/user/@{uid}/#@{int} rwl, include if exists include if exists diff --git a/apparmor.d/groups/flatpak/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator similarity index 97% rename from apparmor.d/groups/flatpak/flatpak-oci-authenticator rename to apparmor.d/profiles-a-f/flatpak-oci-authenticator index be6c7b320..9b379b55d 100644 --- a/apparmor.d/groups/flatpak/flatpak-oci-authenticator +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal similarity index 63% rename from apparmor.d/groups/flatpak/flatpak-portal rename to apparmor.d/profiles-a-f/flatpak-portal index 97f9f4911..570a3ea8c 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal 
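Review bot: `/var/tmp/etilqs_@{hex16} rw,` grants read/write on SQLite's scratch files in a world-writable directory without an `owner` qualifier, so one user's sandboxed app could open another user's `etilqs_*` file wherever permissions allow; `owner /var/tmp/etilqs_@{hex16} rw,` matches how the neighbouring `@{run}/user/@{uid}/…` rules are written. `owner @{run}/user/@{uid}/#@{int} rwl,` — the `l` permission on anonymous `#N` files is unusual; if it exists for O_TMPFILE plus linkat, a short trailing comment will stop the next reviewer from removing it. The enclosing `flatpak-app` profile extends beyond this hunk.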
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,9 +10,6 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include - include - include - include include capability sys_ptrace, @@ -25,24 +22,23 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{bin}/flatpak rPx, + /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - owner /att/**/ r, - owner @{att}/.flatpak-info r, + /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + / r, + /.flatpak-info r, + + owner @{HOME}/.var/app/*/**/.ref rw, + owner @{HOME}/.var/app/*/**/logs/* rw, owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper similarity index 68% rename from apparmor.d/groups/flatpak/flatpak-session-helper rename to apparmor.d/profiles-a-f/flatpak-session-helper index 8a8f5afb7..d27d0c24a 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,56 +10,40 @@ include profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include include - include include include include + include - signal send set=(hup int) peer=user_unconfined, - signal send set=(int) peer=@{p_systemd}, - signal send set=(int) peer=flatpak-app, + signal (send) set=(hup int) peer=user_unconfined, + signal (send) set=(int) peer=@{p_systemd}, + signal (send) set=(int) peer=flatpak-app, #aa:dbus own bus=session name=org.freedesktop.Flatpak - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{shells_path} rUx -> user_unconfined, @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, + @{bin}/test rix, @{bin}/getent rix, @{bin}/p11-kit rix, - @{bin}/pkexec rCx -> pkexec, - @{bin}/printenv rix, + @{bin}/pkexec rPx, # TODO: too wide, rCx. @{bin}/ps rPx, - @{bin}/test rix, - @{bin}/touch rix, @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, - owner @{user_config_dirs}/mimeapps.list w, - owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, - + owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, - profile pkexec { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper similarity index 63% rename from apparmor.d/groups/flatpak/flatpak-system-helper rename to apparmor.d/profiles-a-f/flatpak-system-helper index 0bd74bdcb..81a1231cb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper 
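Review bot: `@{bin}/pkexec rPx, # TODO: too wide, rCx.` sends pkexec (setuid root, polkit-driven) to its own system profile from a helper that also launches host commands through `@{shells_path} rUx -> user_unconfined`; the TODO is honest, but the `profile pkexec { … }` child removed in this same hunk was exactly the `rCx` the comment asks for, so either keep a child profile or record in the comment which denial made `rCx` unworkable. `owner @{PROC}/@{pids}/fd/ r,` uses `@{pids}` where the other `owner`-qualified /proc rules in this diff use `@{pid}`; picking one form keeps the profiles greppable. The enclosing `flatpak-session-helper` profile starts before this hunk.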
@@ -2,23 +2,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/flatpak-system-helper profile flatpak-system-helper @{exec_path} { include - include - include - include include include include capability chown, capability dac_override, - capability dac_read_search, capability fowner, capability net_admin, capability setgid, @@ -26,15 +22,9 @@ profile flatpak-system-helper @{exec_path} { capability sys_nice, capability sys_ptrace, - ptrace read, - - unix type=seqpacket peer=(label=dbus-system), - unix type=seqpacket peer=(label=flatpak), - unix type=seqpacket peer=(label=flatpak//fusermount), - unix type=seqpacket peer=(label=unconfined), + ptrace (read), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, @@ -47,21 +37,17 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/flatpak/triggers/ r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, owner /{var/,}tmp/#@{int} rw, - owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner /{var/,}tmp/ostree-gpg-*/ rw, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - @{tmp}/remote-summary-sig.@{rand6} r, - @{tmp}/remote-summary.@{rand6} r, - - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, 
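Review bot: `ptrace (read),` has no `peer=` and the profile also keeps `capability sys_ptrace,`, so this root helper may read the ptrace-gated state (`/proc/*/root`, `environ`, fds) of any process on the host, not only of its D-Bus callers; if the reads serve caller identification, `ptrace (read) peer=flatpak,` (plus `unconfined` if that is also a caller) bounds it. `@{PROC}/@{pid}/stat r,` is likewise not `owner`-qualified, which is consistent with reading a caller's stat but deserves a comment saying so. Dropping `capability dac_read_search` while keeping `dac_override` is harmless since the latter already covers it, but a why-comment on `dac_override` for /var/lib/flatpak would help. The enclosing `flatpak-system-helper` profile continues past both hunks on this line.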
@@ -76,8 +62,8 @@ profile flatpak-system-helper @{exec_path} { @{lib}/{,gnupg/}scdaemon rix, @{bin}/gpg-agent rix, - owner @{tmp}/ostree-gpg-@{rand6}/ r, - owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, + owner @{tmp}/ostree-gpg-*/ r, + owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/flatpak/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon similarity index 96% rename from apparmor.d/groups/flatpak/flatpak-validate-icon rename to apparmor.d/profiles-a-f/flatpak-validate-icon index 41701a5ff..7669bb1e6 100644 --- a/apparmor.d/groups/flatpak/flatpak-validate-icon +++ b/apparmor.d/profiles-a-f/flatpak-validate-icon @@ -2,7 +2,7 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index a07976ce9..8498285d1 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_override, 
@@ -25,23 +24,33 @@ profile foliate @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=com.github.johnfactotum.Foliate - @{exec_path} mr, @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open-help, + @{bin}/xdg-dbus-proxy rix, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, /usr/share/com.github.johnfactotum.Foliate/{,**} r, + owner /bindfile@{rand6} rw, + owner /.flatpak-info r, + owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, @@ -51,7 +60,9 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 56941f60b..6d7096ad7 100644 --- a/apparmor.d/profiles-a-f/font-manager 
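Review bot: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,` and the `WebKitNetworkProcess` line run the renderer and network process inherited under foliate's label, so the process that parses the HTML/JS inside an untrusted EPUB gets foliate's whole profile (books, torrents, cache and share dirs). The `xdg-dbus-proxy` and `.flatpak`/`bwrapinfo.json` rules added alongside show WebKit is trying to sandbox those processes; giving them a child profile (`rCx -> webkit`) or the project's existing WebKit profiles, if any, would keep the renderer from reading `@{user_books_dirs}` directly. `@{bin}/bwrap rix,` inherits as well; on distributions where bwrap is setuid that is a privilege jump under the same label. `owner /bindfile@{rand6} rw,` and `owner /.flatpak-info r,` live at the filesystem root, which only makes sense inside the bwrap mount namespace — a comment saying so would save the next reader the puzzle.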
+++ b/apparmor.d/profiles-a-f/font-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,9 +11,11 @@ include profile font-manager @{exec_path} { include include - include include + include + include include + include include include diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index ee6213cb5..5d30e4522 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 8a5f9c01a..d856867a3 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, - capability sys_admin, capability sys_nice, network netlink raw, @@ -28,12 +27,13 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/journal/socket rw, + @{run}/systemd/inhibit/*.ref w, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index a7222a664..c6355c2ff 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -13,7 +13,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include - include include network inet dgram, @@ -22,46 +21,24 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=fractal//bwrap, - @{exec_path} mr, - @{open_path} rPx -> child-open-help, - @{bin}/bwrap rCx -> bwrap, - - /usr/share/glycin-loaders/{,**} r, - /usr/share/xml/iso-codes/{,**} r, - - owner @{tmp}/.@{rand6} rw, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{run}/user/@{uid}/fractal/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ r, - profile bwrap flags=(attach_disconnected) { - include - include - - signal receive set=kill peer=fractal, - - @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, - - owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - - owner @{PROC}/@{pid}/fd/ r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 7af1ef8c9..0499beb0a 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index c57323c6a..3e3dde2e9 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing 
@@ -3,20 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include + include + include + include include - include + include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -27,25 +30,26 @@ profile fritzing @{exec_path} { @{exec_path} mrix, - /usr/share/fritzing/{,**} r, - /usr/share/hwdata/pnp.ids r, - - /etc/debian_version r, - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, + /usr/share/fritzing/{,**} r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + /usr/share/hwdata/pnp.ids r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /etc/debian_version r, @{sys}/bus/ r, @{sys}/class/ r, @@ -53,13 +57,15 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, + include if exists } diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend new file mode 100644 index 000000000..eb90c18d6 
--- /dev/null
+++ b/apparmor.d/profiles-a-f/frontend
@@ -0,0 +1,129 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/debconf/frontend
+profile frontend @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} r,
+ @{bin}/perl r,
+
+ @{sh_path} rix,
+ @{bin}/hostname rix,
+ @{bin}/locale rix,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/stty rix,
+ @{bin}/update-secureboot-policy rPx,
+
+ # debconf apps
+ @{bin}/adequate rPx,
+ @{bin}/aspell-autobuildhash rPx,
+ @{bin}/debconf-apt-progress rPx,
+ @{bin}/linux-check-removal rPx,
+ @{bin}/pam-auth-update rPx,
+ @{bin}/ucf rPx,
+ @{bin}/whiptail rPx,
+ @{lib}/tasksel/tasksel-debconf rPx -> tasksel,
+ /usr/share/debian-security-support/check-support-status.hook rPx,
+
+ # Grub
+ @{lib}/grub/grub-multi-install rPx,
+ /usr/share/grub/grub-check-signatures rPx,
+
+ # Run the package maintainer's scripts
+ # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
+ #/var/lib/dpkg/info/*.{config,templates} rPUx,
+ #/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
+ #/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
+ /var/lib/dpkg/info/*.control r,
+ #/var/lib/dpkg/tmp.ci/{config,templates} rPUx,
+ #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
+ #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
+ /var/lib/dpkg/tmp.ci/control r,
+ /var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
+ /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
+ /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
+
+ # DKMS scipts
+ # What to do with it?
(#FIXME#) + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/debconf.conf r, + /etc/inputrc r, + /etc/shadow r, + + owner @{tmp}/file* w, + owner /var/cache/debconf/* rwk, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + profile scripts flags=(complain) { + include + include + + capability dac_read_search, + + /var/lib/dpkg/info/*.config r, + /var/lib/dpkg/info/*.{preinst,postinst} r, + /var/lib/dpkg/info/*.{prerm,postrm} r, + /var/lib/dpkg/tmp.ci/config r, + /var/lib/dpkg/tmp.ci/{preinst,postinst} r, + /var/lib/dpkg/tmp.ci/{prerm,postrm} r, + + / r, + + @{bin}/ r, + @{bin}/* rPUx, + + @{lib}/ r, + @{lib}/** rPUx, + + /usr/share/ r, + /usr/share/** rPUx, + + /etc/init.d/ r, + /etc/init.d/* rPUx, + + /etc/ r, + /etc/** rw, + /var/ r, + /var/** rw, + @{sys}/ r, + @{sys}/**/ r, + @{run}/ r, + @{run}/** rw, + /tmp/ r, + owner @{tmp}/** rw, + + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/profiles-a-f/fsck similarity index 90% rename from apparmor.d/groups/utils/fsck rename to apparmor.d/profiles-a-f/fsck index e2537b21c..d04b32e96 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fsck +@{exec_path} = @{bin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,15 +18,15 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/e2fsck rPx, - @{sbin}/fsck.* rPx, + @{bin}/e2fsck rPx, + @{bin}/fsck.* rPx, /etc/fstab r, # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - @{efi}/ r, + /boot/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, 
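Review bot: The `scripts` child profile at the end of this new file grants `@{bin}/* rPUx`, `@{lib}/** rPUx`, `/usr/share/** rPUx` and `/etc/init.d/* rPUx` together with `rw` over `/etc/**`, `/var/**` and `@{run}/**`, so any maintainer script that execs a tool without its own profile continues unconfined and the `rCx -> scripts` transitions above it add little beyond a log label. Both profiles are also `flags=(complain)`, so none of it is enforced yet. The `#FIXME#` comments hint at this but never say it; a header comment inside `scripts` such as `# Placeholder: maintainer scripts are effectively unconfined (rPUx fallback); keep in complain until the exec list is enumerated` would record the intent for whoever tries to enforce it. `/etc/shadow r` in the parent profile also deserves a why-comment, since a debconf frontend reading password hashes is not self-explanatory.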
diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs similarity index 89% rename from apparmor.d/groups/filesystem/fsck.btrfs rename to apparmor.d/profiles-a-f/fsck.btrfs index 512265788..470b5a3d3 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fsck.btrfs +@{exec_path} = @{bin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/groups/filesystem/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat similarity index 84% rename from apparmor.d/groups/filesystem/fsck.fat rename to apparmor.d/profiles-a-f/fsck.fat index 0e7df947d..c188574ee 100644 --- a/apparmor.d/groups/filesystem/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck +@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 91b279d20..643371c60 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,21 +10,14 @@ include profile fuse-overlayfs @{exec_path} { include - capability chown, + capability sys_admin, capability dac_override, capability dac_read_search, - capability fowner, - capability setfcap, - capability setuid, - capability sys_admin, - - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, - mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, + capability chown, @{exec_path} mr, - @{bin}/mount rix, - @{bin}/umount rix, + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 75d19a0d5..e4d6cfd99 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,19 +36,28 @@ profile fuseiso @{exec_path} { profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + capability dac_read_search, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{user_cache_dirs}/**/, + @{bin}/fusermount{,3} mr, - owner @{user_img_dirs}/{,**} r, # Image files to be mounted + /etc/fuse.conf r, + + # Image files to be mounted + owner @{user_img_dirs}/{,**} r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index a84b85322..6774ffa96 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
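Review bot: The surviving mount rule `mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,` has the storage path in the source position and `**` as the mount point, so it permits a FUSE mount on any directory in the namespace, while the removed line was the one that pinned the target to the overlay `merged/` directory. For a FUSE mount the source string is whatever the helper passes (the old rule shows it is literally `fuse-overlayfs`), so the source pattern constrains nothing. I would keep the target-bound form instead: `mount fstype=fuse.* options=(rw,nodev,noatime) -> @{user_share_dirs}/containers/storage/overlay/**/merged/,`. Dropping `fowner`, `setfcap` and `setuid` looks fine provided rootless container storage no longer needs them here, which the hunk itself does not show.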
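Review bot: The `fusermount` child profile on the new side keeps the three `mount fstype={fuse,fuse.fuseiso}` rules but drops the matching `umount @{HOME}/*/`, `umount @{HOME}/*/*/` and `umount @{user_cache_dirs}/**/` lines, and fusermount is also the helper that unmounts, so `fusermount -u` on those trees will be denied unless the include whose name is not readable here supplies it. The new `capability sys_admin` (commented "To mount anything") is the expected cost of mounting, but it does not replace the umount rules for the teardown path. I would restore the three umount lines next to the mount ones, or add a comment explaining why unmounting is handled elsewhere.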
@@ -3,14 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fusermount{,3} profile fusermount @{exec_path} { include - include + include + + capability dac_read_search, + capability sys_admin, # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, @@ -20,7 +23,7 @@ profile fusermount @{exec_path} { mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/, mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/, mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/, - mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/, + mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/, umount @{HOME}/*/, umount @{HOME}/*/*/, @@ -30,10 +33,10 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, - umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, + /etc/fuse.conf r, /etc/machine-id r, /var/tmp/flatpak-cache-*/*/ r, @@ -44,10 +47,12 @@ profile fusermount @{exec_path} { owner @{user_cache_dirs}/**/ rw, - /tmp/.mount_*@{rand6}/ r, - @{run}/user/@{uid}/doc/ r, + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 65793364d..316f6ebdd 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -3,24 +3,23 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd -profile fwupd @{exec_path} flags=(attach_disconnected,complain) { +profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include include - include + include include include + include + include include - include + include include - include include - include - include capability dac_override, capability dac_read_search, 
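Review bot: `mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/,` narrows the AppImage mount point to one product, while the unchanged `umount /tmp/.mount_*/` further down still covers every AppImage, so any other AppImage going through this helper now fails to mount but would still be allowed to unmount. If the narrowing is deliberate, the umount line should be narrowed to match and a comment should say why only that prefix is allowed; otherwise keeping `mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/,` is consistent with the rest of the profile. The added `capability sys_admin` and `dac_read_search` in the first hunk are the usual cost of a mount helper and look fine.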
@@ -32,21 +31,19 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { capability sys_rawio, capability syslog, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ - #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=bluetoothd), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + + dbus send bus=system path=/org/freedesktop/UDisks2/Manager + interface=org.freedesktop.UDisks2.Manager + member=GetBlockDevices + peer=(name=:*, label=udisksd), @{exec_path} mr, 
@@ -57,62 +54,52 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/* r, - /usr/share/libdrm/*.ids r, - /usr/share/misc/*.ids r, + /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, /etc/lsb-release r, /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, + /var/cache/fwupd/{,**} rw, + /var/lib/flatpak/exports/share/mime/mime.cache r, + /var/lib/fwupd/{,**} rw, + /var/lib/fwupd/pending.db rwk, + /var/tmp/etilqs_@{hex16} rw, + + /boot/{,**} r, + /boot/EFI/*/.goutputstream-@{rand6} rw, + /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, + /boot/EFI/*/fwupdx@{int}.efi rw, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + /etc/machine-id r, /var/lib/dbus/machine-id r, - @{efi}/{,**} r, - @{efi}/EFI/*/.goutputstream-@{rand6} rw, - @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, - @{efi}/EFI/*/fwupdx@{int}.efi rw, - @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, - - @{MOUNTDIRS}/*/{,@{efi}/} r, - @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - - owner /var/cache/fwupd/ rw, - owner /var/cache/fwupd/** rwk, - owner /var/lib/fwupd/ rw, - owner /var/lib/fwupd/** rwk, - - @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, + # In order to get to this file, the attach_disconnected flag has to be set owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, - @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, - @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, - @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, - @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, + 
@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @@ -126,7 +113,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/bus/usb/ r, /dev/bus/usb/@{int}/@{int} rw, /dev/cpu/@{int}/msr rw, - /dev/dri/card@{int} rw, /dev/drm_dp_aux@{int} rw, /dev/gpiochip@{int} r, /dev/hidraw@{int} rw, @@ -134,9 +120,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, + /dev/sd[a-z]* r, + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, /dev/wmi/* r, - profile gpg flags=(attach_disconnected,complain) { + profile gpg flags=(complain) { include include @@ -148,12 +137,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - + owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pids}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 2d781a734..6064c0ff1 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
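Review bot: The boot rules replace `@{efi}` with a hard-coded `/boot/`: `/boot/EFI/*/fw/fwupd-*.cap{,.*} rw` and `/boot/EFI/*/fwupdx@{int}.efi rw` only match when the ESP is mounted directly at `/boot`; on a layout with the ESP at `/boot/efi` the capsule lands under `/boot/efi/EFI/<id>/fw/`, which these patterns do not cover and which `/boot/{,**} r` only allows to read. Unless the tunable no longer exists on this branch, keeping `@{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw,` and `@{efi}/EFI/*/fwupdx@{int}.efi rw,` is safer than one fixed path. The same hunk also drops `@{sys}/firmware/efi/efivars/dbx-@{uuid} rw` and `KEK-@{uuid} rw`, which, if the dbx plugin is still built, removes its ability to apply revocation-list updates and deserves a comment if intentional.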
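Review bot: `/dev/sd[a-z]* r` grants the daemon read access to every SATA/SCSI disk and partition node, which is the entire content of the system's disks, with no comment on which plugin needs it, unlike the scoped `/dev/mtd@{int}` and `/dev/mei@{int}` entries above it. If a specific plugin needs drive identification, a trailing comment naming it, `/dev/sd[a-z]* r, # <plugin>: reads drive identify data`, and a narrower glob if whole-disk nodes suffice (`/dev/sd[a-z]` without partitions) would keep the grant reviewable. The new `/dev/tpm@{int} rw` and `/dev/tpmrm@{int} rw` are plausible given the `binary_bios_measurements` rule above, but the same one-line justification would help there too.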
@@ -3,23 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/fwupdmgr -profile fwupdmgr @{exec_path} flags=(attach_disconnected) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include include include - include include include capability sys_nice, - signal send, + signal (send), network inet stream, network inet6 stream, @@ -27,26 +26,23 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ - + #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + @{exec_path} mr, - @{bin}/dbus-launch Cx -> bus, - @{bin}/pkttyagent Px, + @{bin}/dbus-launch rCx -> dbus, + @{bin}/pkttyagent rPx, - /usr/share/terminfo/** r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /var/lib/fwupd/ w, - owner /var/lib/fwupd/.cache/ w, - - @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/ rw, + @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, @@ -56,12 +52,16 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { /dev/i2c-@{int} rw, /dev/tty rw, - /dev/pts/@{int} rw, - profile bus flags=(attach_disconnected) { + profile dbus { include - include - include if exists + include + + @{bin}/dbus-launch mr, + + owner @{HOME}/.Xauthority r, + + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 561e1af61..5888743ef 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim 
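Review bot: `profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain)` moves the client profile into complain mode, so every rule below only logs and nothing in this file is enforced for fwupdmgr any more. Nothing in the hunk says why; the daemon profile was already complain on both sides, but the client that talks to it over D-Bus is normally the first thing to enforce. If this is a temporary step while the rules are rebuilt, a comment on the profile line such as `# TODO: enforce once the dbus and cache rules are confirmed` records that; otherwise `flags=(attach_disconnected)` should stay. The peer-less `signal (send),` is unchanged from the old side but is wider than a client needs.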
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, # To play sounds @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, @@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny @{lib}/@{python_name}/dist-packages/** w, + deny /usr/lib/python3/dist-packages/** w, profile ccache { include @@ -100,16 +100,15 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - /etc/debian_version r, - - /media/ccache/*/** rw, - owner @{tmp}/cc* rw, owner @{tmp}/tmp* rw, + /media/ccache/*/** rw, + owner @{run}/user/@{uid}/ccache-tmp/ rw, - include if exists + /etc/debian_version r, + } profile gpg { @@ -122,8 +121,8 @@ profile gajim @{exec_path} { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, - owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w, + owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -135,7 +134,6 @@ profile gajim @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded deleted file mode 100644 index eb2d3fc1e..000000000 --- a/apparmor.d/profiles-g-l/gamemoded +++ /dev/null 
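Review bot: `owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw,` hard-codes the architecture that the old `@{arch}` tunable abstracted, so on aarch64 or i386 the codec-cache write is denied and gajim hits whatever fallback farstream has. If `@{arch}` is not available on this branch, `codecs.audio.*.cache{,.tmp@{rand6}}` keeps the rule portable without widening it beyond the farstream directory. The gpg child's change from `d.@{rand}` to `d.*` is a similar loosening of a tunable; worth a comment if `@{rand}` is gone too.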
@@ -1,81 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gamemoded -profile gamemoded @{exec_path} flags=(attach_disconnected) { - include - - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/pkexec Cx -> pkexec, - @{lib}/gamemode/gpuclockctl Cx -> pkexec, - - /etc/gamemode.ini r, - - owner @{user_config_dirs}/ r, - - @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/@{pci}/power_dpm_force_performance_level r, - @{sys}/devices/system/cpu/{,**} r, - @{sys}/devices/virtual/powercap/{,**} r, - - @{PROC}/sys/kernel/split_lock_mitigate r, - owner @{PROC}/@{pid}/ r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fdinfo/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/task/ r, - - profile pkexec flags=(attach_disconnected) { - include - include - include - - capability audit_write, - capability mknod, - capability setgid, - capability sys_ptrace, - - ptrace read peer=gamemoded, - - network netlink raw, - - @{bin}/pkexec mr, - - @{lib}/gamemode/{,**} r, - @{lib}/gamemode/cpugovctl ix, - @{lib}/gamemode/gpuclockctl ix, - @{lib}/gamemode/procsysctl ix, - - @{etc_ro}/security/limits.d/ r, - @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, - /etc/shells r, - - @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, - @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/system/cpu/ r, - @{sys}/devices/system/cpu/cpu@{int}/cpufreq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/split_lock_mitigate rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 727bf8cdf..7db7a5cb8 100644 --- a/apparmor.d/profiles-g-l/ganyremote 
+++ b/apparmor.d/profiles-g-l/ganyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd index 7ceee1022..5dffe8a0c 100644 --- a/apparmor.d/profiles-g-l/gconfd +++ b/apparmor.d/profiles-g-l/gconfd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index b49e20570..8c3662ba1 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/gdisk +@{exec_path} = @{bin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index 04c9a33f2..a01425bb9 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -18,10 +18,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, - @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, - @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, + @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer deleted file mode 100644 index d3df6f5f3..000000000 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer -profile gdk-pixbuf-thumbnailer @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index 3ccfdec4a..8fdffbf87 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} +@{exec_path} = @{bin}/ghc-pkg{,-*} profile ghc-pkg @{exec_path} { include include @@ -26,8 +26,6 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp deleted file mode 100644 index ad324e153..000000000 --- a/apparmor.d/profiles-g-l/gimp +++ /dev/null 
@@ -1,90 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gimp{,-*} -profile gimp @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - signal (send) set=(term, kill) peer=xsane-gimp, - - #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - @{exec_path} mr, - - @{python_path} rix, - @{bin}/env rix, - @{bin}/gimp-debug-tool-3.0 rix, - @{bin}/gimp-script-fu-interpreter-* rix, - @{bin}/gjs-console rix, - @{bin}/lua rix, - @{lib}/gimp/@{version}/extensions/*/* rix, - @{lib}/gimp/*/plug-ins/** rix, - - @{bin}/xsane-gimp rPx, - @{open_path} rPx -> child-open-help, - - @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, - - /usr/share/gimp/{,**} r, - /usr/share/mypaint-data/{,**} r, - /usr/share/poppler/{,**} r, - /usr/share/xml/iso-codes/{,**} r, - - /etc/fstab r, - /etc/gimp/{,**} r, - - owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - - owner @{user_documents_dirs}/{,**} rw, - owner @{user_pictures_dirs}/{,**} rw, - owner @{user_work_dirs}/{,**} rw, - - owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, - owner @{user_cache_dirs}/babl/{,**} rw, - owner @{user_cache_dirs}/gegl-*/{,**} r, - owner @{user_cache_dirs}/gegl-*/{,**} r, - owner @{user_cache_dirs}/gimp/{,**} rw, - owner @{user_cache_dirs}/GIMP/{,**} rw, - - owner @{user_config_dirs}/gimp/{,**} rw, - owner @{user_config_dirs}/GIMP/{,**} rw, - - owner @{user_share_dirs}/gegl-*/{,**} r, - owner @{user_share_dirs}/GIMP/{,**} rw, - - owner @{tmp}/gimp/{,**} rw, - - @{run}/mount/utab r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - 
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 494fef0ab..3520ec06e 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 01b491b98..d147d77b0 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{exec_path} = @{bin}/git @{bin}/git-* @{exec_path} += @{lib_dirs}/git @{lib_dirs}/git-* @{lib_dirs}/mergetools/* -profile git @{exec_path} flags=(attach_disconnected) { +profile git @{exec_path} { include include include @@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send peer=aurpublish, + signal (send) peer=aurpublish, @{exec_path} mrix, 
@@ -38,13 +38,11 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, - deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, @@ -63,21 +61,23 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/wc rix, @{bin}/whoami rix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, - @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - /usr/share/aurpublish/*.hook rPx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, + /usr/share/aurpublish/*.hook rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, - @{editor_path} rCx -> editor, - + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim rCx -> editor, + @{bin}/vim.* rCx -> editor, + /usr/share/git{,-core}/{,**} r, - /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, 
@@ -90,22 +90,27 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, + owner @{tmp}/** rwkl -> /tmp/**, + owner @{tmp}/**/bin/* rCx -> exec, + owner @{HOME}/.gitconfig* rw, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, + owner @{tmp}/git-difftool.*/ rw, # For diffs + owner @{tmp}/git-difftool.*/right/{,**} rw, + owner @{tmp}/git-difftool.*/left/{,**} rw, + owner @{tmp}/* rw, + owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator + owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio - owner @{tmp}/git-difftool.*/{,**} rw, # For diffs + deny @{user_share_dirs}/gvfs-metadata/* r, + deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_share_dirs}/vulkan/** r, - deny owner @{user_share_dirs}/zed/**/data.mdb rw, - deny /usr/share/nvidia/nvidia-application-profiles-* r, - deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, - profile gpg flags=(attach_disconnected) { + profile gpg { include include @@ -117,16 +122,13 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } - profile ssh flags=(attach_disconnected) { + profile ssh { include - include include network inet dgram, 
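Review bot: The added `owner @{tmp}/** rwkl -> /tmp/**` grants read, write, lock and link over the whole tmp tree, which makes every more specific tmp rule in this hunk (`owner @{tmp}/* rw`, `owner @{tmp}/tmp*/ rw`, the `git-difftool.*` rules, `.git_vtag_tmp@{rand6}`, `git-commit-msg-.txt`) dead, and together with `owner @{tmp}/**/bin/* rCx -> exec` lets any owner-writable file under a `bin/` directory in tmp be executed under the `exec` child. If difftool and temporary worktrees are the intent, keep only the specific rules and drop the blanket one; if the blanket rule is intended, remove the specific ones so the profile does not misstate its scope. The link targets also use a literal `/tmp/**` while the source side uses `@{tmp}` (same for `owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**` here and `owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*` in the ssh child on the next hunk); unless `@{tmp}` expands only to `/tmp`, links from the other expansions are denied. The git profile body continues outside this hunk.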
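Review bot: The `gpg` child profile loses `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw` with no replacement, so `git log --show-signature` and commit or tag signing, which talk to gpg-agent over that socket, will be denied unless one of the included abstractions (whose names are not visible here) provides it. Either reinstate `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,` or add a comment naming the abstraction that now covers the socket, e.g. `# gpg-agent socket provided by <ABSTRACTION>`. The `ssh` child profile that opens at the end of this hunk continues outside it.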
@@ -136,20 +138,16 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, - @{bin}/ksshaskpass ix, - @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, - @{etc_ro}/ssh/ssh_config.d/{,*} r, - @{etc_ro}/ssh/ssh_config r, + /etc/ssh/ssh_config.d/{,*} r, + /etc/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, + owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, - owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, - owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, + owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, - owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, @@ -158,7 +156,7 @@ profile git @{exec_path} flags=(attach_disconnected) { include if exists } - profile exec flags=(attach_disconnected) { + profile exec { include owner @{user_build_dirs}/**/bin/* mr, @@ -166,14 +164,14 @@ profile git @{exec_path} flags=(attach_disconnected) { include if exists } - profile editor flags=(attach_disconnected) { + profile editor { include include - + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - + # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg deleted file mode 100644 index d668fbfd2..000000000 --- a/apparmor.d/profiles-g-l/gitg +++ /dev/null 
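Review bot: The `ssh` child profile drops `owner @{run}/user/@{uid}/keyring/ssh rw` and the `ssh_control_*` rule, so ssh spawned by git can no longer reach a keyring-provided agent socket or create ControlMaster sockets; agent-backed key use then degrades to passphrase prompts or an outright denial unless an included abstraction, not visible here, covers the socket, in which case `owner @{run}/user/@{uid}/keyring/ssh rw,` should stay or the covering include be named in a comment. `owner @{HOME}/@{XDG_SSH_DIR}/* r` reads every file in the SSH directory, private keys included; that is inherent to ssh but deserves a one-line comment so the breadth reads as intended rather than accidental. The child profile's tail continues in the next hunk.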
@@ -1,44 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/gitg
-profile gitg @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- @{exec_path} mr,
-
- /usr/share/gitg/{,**} r,
-
- owner @{user_projects_dirs}/ rw,
- owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
- owner @{user_projects_dirs}/**/.git/hooks/* rix,
-
- owner @{user_config_dirs}/git/{,*} rw,
-
- owner @{user_share_dirs}/gitg/{,**} rw,
-
- @{run}/mount/utab r,
-
- owner @{PROC}/@{pid}/mountinfo r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index aabde9cef..da5566f9f 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@@ -2,34 +2,26 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*}
-@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
 include
- include
-
- signal receive set=term peer=*//shell,
- signal receive set=term peer={,vs}code,
 @{exec_path} mr,
 owner @{user_projects_dirs}/{,**} r,
- owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw,
+ owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw,
 owner @{HOME}/.gitconfig r,
 owner @{user_config_dirs}/git/{,*} r,
- owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r,
-
 # Silencer
 deny capability dac_read_search,
 deny capability dac_override,
 deny owner @{HOME}/.*-store/{,**} r,
- deny owner @{user_share_dirs}/zed/**/data.mdb rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources
index f52aa33d7..45e787840 100644
--- a/apparmor.d/profiles-g-l/glib-compile-resources
+++ b/apparmor.d/profiles-g-l/glib-compile-resources
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas
index 59c56bb12..5463405f9 100644
--- a/apparmor.d/profiles-g-l/glib-compile-schemas
+++ b/apparmor.d/profiles-g-l/glib-compile-schemas
@@ -2,11 +2,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas
+@{exec_path} = @{bin}/glib-compile-schemas
 profile glib-compile-schemas @{exec_path} {
 include
 include
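Review bot: With `signal receive set=term peer=*//shell` and `peer={,vs}code` removed from gitstatusd, the daemon can no longer be terminated by the shell or editor that spawned it, so closing a shell session is likely to leave gitstatusd processes behind and log a `signal` denial; if the rules went because the peer labels changed, the new labels should be added here rather than the rules dropped. The narrowed `owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw` no longer matches nested `.git` trees (submodule checkouts under `.git/modules/`, for instance) that the previous `{,**/}` form covered, so a submodule repository should be checked before merging. The exec_path change itself is a tightening: the profile no longer attaches to a user-writable cache copy of the binary.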
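Review bot: `@{exec_path}` for glib-compile-schemas is reduced to `@{bin}/glib-compile-schemas`; the dropped `@{lib}/@{multiarch}/glib-2.0/glib-compile-schemas` is where Debian-based systems install the binary, so there the profile will not attach and any `rPx` transition to it from another profile is denied rather than falling back. Keep both paths in the assignment unless the multiarch location is confirmed absent from every supported distribution, and record that decision in a comment. The same narrowing is applied to gtk-query-immodules further down, where the `@{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-*` alternative is removed.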
diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner
index bf7c7c53a..e3dfec88c 100644
--- a/apparmor.d/profiles-g-l/glib-pacrunner
+++ b/apparmor.d/profiles-g-l/glib-pacrunner
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime
index 7f349b650..566f58ee3 100644
--- a/apparmor.d/profiles-g-l/globaltime
+++ b/apparmor.d/profiles-g-l/globaltime
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears
index cfd9f0dac..9ad458720 100644
--- a/apparmor.d/profiles-g-l/glxgears
+++ b/apparmor.d/profiles-g-l/glxgears
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -25,7 +25,6 @@ profile glxgears @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/.Xauthority r,
- owner @{run}/user/@{uid}/xauth_@{rand6} r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo
index eea7b6050..7defbaf80 100644
--- a/apparmor.d/profiles-g-l/glxinfo
+++ b/apparmor.d/profiles-g-l/glxinfo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa
index 8a9c42443..9ed18534e 100644
--- a/apparmor.d/profiles-g-l/gpa
+++ b/apparmor.d/profiles-g-l/gpa
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index d74945777..f225b5c06 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@@ -3,40 +3,46 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/gparted -profile gparted @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/gparted +profile gparted @{exec_path} { include - include - ptrace read, + ptrace (read), @{exec_path} r, - @{bin}/ r, - @{coreutils_path} rix, + @{bin}/ r, @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/ls rix, + @{bin}/mkdir rix, + @{bin}/pidof rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, - @{sbin}/killall5 rCx -> killall, - @{bin}/systemctl rCx -> systemctl, - @{bin}/udevadm rCx -> udevadm, - - @{bin}/pidof rPx, - @{bin}/pkexec rPx, - @{bin}/ps rPx, - @{bin}/xhost rPx, - - @{sbin}/gpartedbin rPx, + @{bin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @{lib}/{,udisks2/}udisks2-inhibit rix, - @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/@{int}-*.rules rw, + @{run}/udev/rules.d/90-udisks-inhibit.rules rw, + + @{bin}/udevadm rCx -> udevadm, + @{bin}/killall5 rCx -> killall, + + @{bin}/ps rPx, + @{bin}/xhost rPx, + @{bin}/pkexec rPx, + @{bin}/systemctl rCx -> systemctl, # For shell pwd / r, @@ -51,6 +57,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { # file_inherit owner /dev/tty@{int} rw, + profile udevadm { include include @@ -71,11 +78,13 @@ profile gparted @{exec_path} flags=(attach_disconnected) { ptrace (read), - @{sbin}/killall5 mr, + @{bin}/killall5 mr, - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, + # The /proc/ dir is needed to avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, include if exists } @@ -83,9 +92,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { profile systemctl { include include - - capability net_admin, - + include if exists } 
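Review bot: Every `@{sbin}/…` path in this hunk (`gparted`, `gpartedbin`, `killall5`) becomes `@{bin}/…`; unless `@{bin}` is defined to cover the sbin directories as well, the profile stops attaching to a gparted installed under sbin and the `rPx`/`rCx` transitions to `@{bin}/gpartedbin` and `@{bin}/killall5` are denied on distributions that keep those binaries there. The same substitution is made in gpartedbin (`blkid`, `btrfs`, `mkfs.*` and the rest), gsmartcontrol (`smartctl`), groupadd, groupdel, groupmod, grpck, haveged and hardinfo (`route`), so one decision about the variable's definition settles all of them and should be stated in the commit message. The explicit coreutils list that replaces `@{coreutils_path} rix` would benefit from a comment naming the script that needs it, e.g. `# helpers used by the gparted wrapper script`, so future additions can be judged against that need. The profile body continues in the following hunks.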
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 35dc03584..b60e386bb 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -3,20 +3,18 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin
-profile gpartedbin @{exec_path} flags=(attach_disconnected) {
+@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
+profile gpartedbin @{exec_path} {
 include
 include
 include
 include
 include
- include
- capability dac_override,
 capability dac_read_search,
 capability ipc_lock,
 capability sys_admin,
@@ -30,52 +28,50 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, - @{sbin}/blkid rPx, - @{sbin}/dmidecode rPx, - @{sbin}/hdparm rPx, + @{bin}/blkid rPx, + @{bin}/dmidecode rPx, + @{bin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{sbin}/btrfs rPx, - @{sbin}/btrfstune rPx, - @{sbin}/dmraid rPUx, - @{sbin}/dmsetup rPUx, - @{sbin}/dumpe2fs rPx, - @{sbin}/e2fsck rPx, - @{sbin}/e2image rPx, - @{sbin}/fsck.* rPUx, - @{sbin}/lvm rPUx, - @{sbin}/mdadm rPUx, - @{sbin}/mke2fs rPx, - @{sbin}/mkfs.* rPUx, - @{sbin}/mkntfs rPx, - @{sbin}/mkswap rPx, + @{bin}/btrfs rPx, + @{bin}/btrfstune rPx, + @{bin}/dmraid rPUx, + @{bin}/dmsetup rPUx, + @{bin}/dumpe2fs rPx, + @{bin}/e2fsck rPx, + @{bin}/e2image rPx, + @{bin}/fsck.btrfs rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mdadm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.* rPx, + @{bin}/mkntfs rPx, + @{bin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{sbin}/ntfslabel rPx, - @{sbin}/ntfsresize rPx, - @{sbin}/resize2fs rPx, - @{sbin}/swaplabel rPx, - @{sbin}/swapoff rPx, - @{sbin}/swapon rPx, - @{bin}/tune.* rPUx, - @{sbin}/tune2fs rPx, - @{sbin}/xfs_io rPUx, + @{bin}/ntfslabel rPx, + @{bin}/ntfsresize rPx, + @{bin}/resize2fs rPx, + @{bin}/swaplabel rPx, + @{bin}/swapoff rPx, + @{bin}/swapon rPx, + @{bin}/tune2fs rPx, + @{bin}/xfs_io rPUx, @{open_path} rPx -> child-open, - /etc/fstab r, - @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, owner @{tmp}/gparted-*/ rw, @{run}/mount/utab r, - + @{PROC}/devices r, @{PROC}/partitions r, @{PROC}/swaps r, 
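Review bot: `@{bin}/mkfs.* rPx` replaces an `rPUx` glob and `fsck.*` is narrowed to `fsck.btrfs`/`fsck.fat` with `rPx`; a `Px` transition is denied when no profile matches the target, so every `mkfs.*` helper without its own profile (only `mke2fs`, `mkntfs` and `mkswap` get explicit rules here) now fails to launch from gparted, and the other `fsck.*` helpers are no longer matched at all. Either keep the glob at `rPUx` or confirm a profile exists for each variant the supported distributions ship, and say which in a comment above the block. `/etc/fstab r` and `@{HOME}/.Xauthority r` are also removed while the `mount` child later in the diff still mounts into `@{MOUNTS}/`, so mount-point detection that reads fstab may now be denied; worth checking against a full gparted run. The profile body continues in the next hunk.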
@@ -92,13 +88,13 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, + mount /dev/{s,v}d[a-z]*@{int} -> /boot/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @{bin}/mount mr, - include if exists + include if exists } profile umount { @@ -108,7 +104,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount @{efi}/, + umount /boot/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/groups/shadow/gpasswd b/apparmor.d/profiles-g-l/gpasswd similarity index 96% rename from apparmor.d/groups/shadow/gpasswd rename to apparmor.d/profiles-g-l/gpasswd index ab2d21860..11c1e9767 100644 --- a/apparmor.d/groups/shadow/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping index 34a9401a4..956a1781f 100644 --- a/apparmor.d/profiles-g-l/gping +++ b/apparmor.d/profiles-g-l/gping @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 46ff3eec5..97c89a433 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,11 +11,10 @@ include profile gpo @{exec_path} { include include - include include - include - include + include include + include network inet dgram, network inet6 dgram, 
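Review bot: The mount target changes from `@{efi}/` to the literal `/boot/`; AppArmor mount rules match the mount point exactly, so a system whose ESP is mounted at `/boot/efi/` (or `/efi/`) will have gparted's mount, and the matching `umount /boot/` in the next hunk, denied. If the variable was dropped deliberately, a comment such as `# ESP mount point; adjust if the ESP is not at /boot/` should record it; otherwise both rules should keep `@{efi}/`. Both hunks sit inside child profiles whose headers are outside this hunk.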
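Review bot: `@{etc_ro}/login.defs r` becomes the literal `/etc/login.defs r` in gpasswd here and in groupadd, groupdel, groupmod and grpck further down; the variable form on the removed line is what the project appears to use for read-only configuration that may live under an alternate root, so unless `@{etc_ro}` is being retired project-wide these five rules will miss that layout. Whichever form is kept, the five shadow-suite profiles should agree with each other and with the variable's definition, and the rename from `groups/shadow/` to `profiles-g-l/` deserves a line in the commit message since it changes where local overrides are looked up.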
@@ -23,12 +22,14 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @{bin}/uname rix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, /etc/inputrc r, @@ -37,6 +38,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index e60034172..10b8492e9 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,6 @@ profile gpodder @{exec_path} { include include include - include include include @@ -25,7 +24,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -48,6 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 55033d107..f8e2c73f4 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 0ad848c50..4444662fc 100644 
--- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,16 +16,15 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{,e}grep rix, + @{sh_path} rix, + @{bin}/grep rix, /etc/modprobe.d/{,**} r, - @{lib}/modprobe.d/{,**} r, + /usr/lib/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, - /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim deleted file mode 100644 index 5717837ec..000000000 --- a/apparmor.d/profiles-g-l/grim +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/grim -profile grim @{exec_path} { - include - include - include - - @{exec_path} mr, - - owner @{HOME}/@{int8}_**_grim.png w, - - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/profiles-g-l/groupadd similarity index 92% rename from apparmor.d/groups/shadow/groupadd rename to apparmor.d/profiles-g-l/groupadd index 2d135007a..4c6e80c59 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/groupadd +@{exec_path} = @{bin}/groupadd profile groupadd @{exec_path} { include include @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, 
diff --git a/apparmor.d/groups/shadow/groupdel b/apparmor.d/profiles-g-l/groupdel
similarity index 93%
rename from apparmor.d/groups/shadow/groupdel
rename to apparmor.d/profiles-g-l/groupdel
index 8f8b28239..a28fb72f7 100644
--- a/apparmor.d/groups/shadow/groupdel
+++ b/apparmor.d/profiles-g-l/groupdel
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/groupdel
+@{exec_path} = @{bin}/groupdel
 profile groupdel @{exec_path} {
 include
 include
@@ -25,7 +25,7 @@ profile groupdel @{exec_path} {
 @{exec_path} mr,
 @{bin}/nscd rix,
- @{etc_ro}/login.defs r,
+ /etc/login.defs r,
 /etc/{group,gshadow} rw,
 /etc/{group,gshadow}.@{pid} w,
diff --git a/apparmor.d/groups/shadow/groupmod b/apparmor.d/profiles-g-l/groupmod
similarity index 93%
rename from apparmor.d/groups/shadow/groupmod
rename to apparmor.d/profiles-g-l/groupmod
index 34bf046cd..a37273af6 100644
--- a/apparmor.d/groups/shadow/groupmod
+++ b/apparmor.d/profiles-g-l/groupmod
@@ -3,11 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/groupmod
+@{exec_path} = @{bin}/groupmod
 profile groupmod @{exec_path} {
 include
 include
@@ -24,7 +24,7 @@ profile groupmod @{exec_path} {
 @{exec_path} mr,
- @{etc_ro}/login.defs r,
+ /etc/login.defs r,
 /etc/{passwd,gshadow,group} rw,
 /etc/{passwd,gshadow,group}.@{pid} w,
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index 916a73b22..4c0f07d87 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/shadow/grpck b/apparmor.d/profiles-g-l/grpck
similarity index 92%
rename from apparmor.d/groups/shadow/grpck
rename to apparmor.d/profiles-g-l/grpck
index 1e47307e4..3e42f90c7 100644
--- a/apparmor.d/groups/shadow/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/grpck +@{exec_path} = @{bin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 9b8eca8ee..cd7ce37ce 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -2,20 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} flags=(attach_disconnected) { +profile gsettings @{exec_path} { include include - include include - include @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, @@ -23,13 +22,7 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - # file_inherit - deny network netlink raw, - deny /etc/nsswitch.conf r, - deny /etc/passwd r, - deny /opt/*/** r, - deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal index b0b743359..ba7ba4da4 100644 --- a/apparmor.d/profiles-g-l/gsimplecal +++ b/apparmor.d/profiles-g-l/gsimplecal @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
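Review bot: `/dev/tty@{int} rw` is added to gsettings without an `owner` qualifier, whereas the equivalent `# file_inherit` rules for gparted and hardinfo in this same diff are written `owner /dev/tty@{int} rw,`; without `owner` the profile allows gsettings to open any virtual console DAC permits, which is broader than the inherited-fd case the rule exists for. Use `owner /dev/tty@{int} rw,` and keep a `# file_inherit` comment above it so the reason survives the removal of the deny block. Dropping `flags=(attach_disconnected)` from the gsettings header is a separate behavioural change (accesses through disconnected paths are denied without it) and should be called out in the commit message, since the gsettings hunks otherwise read as cleanup.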
diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 988c547f0..f6f6b300f 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -3,38 +3,50 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/gsmartcontrol profile gsmartcontrol @{exec_path} { include - include + include + include + include + include include capability dac_read_search, - capability sys_nice, + + # Needed? + deny capability sys_nice, @{exec_path} mr, - @{bin}/dbus-launch Cx -> bus, - @{bin}/dbus-send Cx -> bus, - @{sbin}/smartctl Px, - @{bin}/xterm Cx -> terminal, + @{bin}/smartctl rPx, + @{bin}/xterm rCx -> terminal, - /etc/fstab r, + # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Gsmartcontrol works fine without this. + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{user_config_dirs}/gsmartcontrol/ rw, + owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, + + # As it's started as root + @{HOME}/.Xauthority r, # For saving SMART raport owner /root/ r, owner /root/**.txt w, - owner @{user_config_dirs}/gsmartcontrol/ rw, - owner @{user_config_dirs}/gsmartcontrol/** rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
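Review bot: `deny @{bin}/dbus-launch rx` and `deny @{bin}/dbus-send rx` are added while the `rCx -> dbus` transitions stay commented out, yet the next hunk still adds a complete `profile dbus { … }` child that nothing can enter; that child is dead policy carrying an unconfined fallback (`@{bin}/dbus-daemon rPUx`) and should be removed, or else the deny rules dropped and the two transitions uncommented, but not both kept. `# Needed?` above `deny capability sys_nice` is an open question committed as policy; either answer it or phrase it as `# TODO: confirm whether sys_nice is required; denied until then`. `@{HOME}/.Xauthority r` is deliberately not `owner`-qualified per the `# As it's started as root` comment, but the `terminal` child in the next hunk uses `owner @{HOME}/.Xauthority r`, so one of the two is wrong for the root case. The profile continues in the next hunk.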
@@ -43,37 +55,57 @@ profile gsmartcontrol @{exec_path} { owner @{PROC}/scsi/scsi r, owner @{PROC}/scsi/sg/devices r, + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny @{open_path} rx, + deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, - profile bus flags=(complain) { + + profile dbus { include - include + include - include if exists + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + + @{HOME}/.Xauthority r, } profile terminal { include include - include include - include + include - capability fsetid, - capability setgid, capability setuid, + capability setgid, + capability fsetid, @{bin}/xterm mr, - @{sbin}/update-smart-drivedb rPx, + + /usr/sbin/update-smart-drivedb rPx, + + owner @{HOME}/.Xauthority r, + + /etc/shells r, + + /etc/X11/app-defaults/XTerm-color r, + /etc/X11/app-defaults/XTerm r, + /etc/X11/cursors/*.theme r, /usr/include/X11/bitmaps/vlines2 r, /dev/ptmx rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 4fdb1084b..01b7d22e1 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,16 +15,9 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, - @{bin}/pkexec rCx -> pkexec, - - profile pkexec { - include - include - - include if exists - } + @{bin}/pkexec rPx, include if exists } 
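Review bot: The comment above the deny says the browser must be blocked because gsmartcontrol runs as root, but the rule now denies only `@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx`; elsewhere in this diff (gtk-youtube-viewer, hardinfo) the open helper is `@{bin}/xdg-open` alongside gio-launch-desktop, so xdg-open is no longer covered and a root browser launch can still succeed through it — add `deny @{bin}/xdg-open rx,` next to the existing deny. In the `terminal` child, `/usr/sbin/update-smart-drivedb rPx` is the one literal sbin path in a file that otherwise uses `@{bin}`, and the child's `include if exists` local include is removed while the new `dbus` child has none either, so local overrides stop working for both. gsmartcontrol-root on the same line replaces its `pkexec` child with `@{bin}/pkexec rPx`, which is fine only if a pkexec profile is guaranteed to be loaded.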
diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy index 8fa3da0d7..6a16d1dc7 100644 --- a/apparmor.d/profiles-g-l/gssproxy +++ b/apparmor.d/profiles-g-l/gssproxy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e6d37db44..e67def6d2 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 profile gtk-query-immodules @{exec_path} { include - include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b709511e2..a91dc3069 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include - capability fowner, - @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 0b9075bc1..96b114461 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, 
@@ -39,7 +40,8 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{open_path} rPx -> child-open, + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, @@ -89,7 +91,30 @@ profile gtk-youtube-viewer @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - include if exists + } + + profile open { + include + include + + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + } include if exists diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 5d78a90e3..9cadb774a 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,9 @@ profile hardinfo @{exec_path} { include include include - include + include + include + include include include include @@ -38,16 +40,16 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{python_path} rix, - @{sbin}/route rix, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/python3.@{int} rix, + @{bin}/route rix, + @{bin}/ruby[0-9].@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx, - @{open_path} rPx -> child-open, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/xdg-open rCx -> open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, 
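Review bot: The new `open` child profile ends with `@{lib}/firefox/firefox rPUx` while the main profile keeps `@{lib}/firefox/firefox rPx` just above the earlier hunk on this line, so the same binary is confined from one scope and allowed to fall back to unconfined from the other; use `rPx` in the child as well unless the fallback is deliberate, in which case say so in the `# Allowed apps to open` comment. The child also re-creates what the replaced `child-open` profile presumably centralised (the same `@{sh_path}`/awk/readlink/basename set appears again in hardinfo's `open` child further down), so a shared abstraction or the existing child profile would keep the two copies from drifting. The `open` child has no `include if exists` local include, unlike the other children in this file.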
@@ -58,24 +60,10 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, - /usr/share/gdb/python/ r, - /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, - /etc/fstab r, - /etc/exports r, - /etc/samba/smb.conf r, - - /etc/gdb/gdbinit.d/ r, - - /var/log/wtmp r, - - owner @{HOME}/.hardinfo/ rw, - - owner @{tmp}/#@{int} rw, - @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, @@ -90,27 +78,48 @@ profile hardinfo @{exec_path} { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, - @{PROC}/@{pid}/net/arp r, - @{PROC}/@{pid}/net/dev r, - @{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pids}/loginuid r, - @{PROC}/asound/cards r, - @{PROC}/bus/input/devices r, - @{PROC}/dma r, - @{PROC}/iomem r, - @{PROC}/ioports r, - @{PROC}/loadavg r, - @{PROC}/scsi/scsi r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/arp r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/uptime r, + @{PROC}/loadavg r, + @{PROC}/ioports r, + @{PROC}/iomem r, + @{PROC}/dma r, + @{PROC}/asound/cards r, + @{PROC}/scsi/scsi r, + @{PROC}/bus/input/devices r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/@{pids}/net/route r, + /etc/fstab r, + /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner @{tmp}/#@{int} rw, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # Silencer + deny /usr/share/gdb/python/** w, + + # file_inherit owner /dev/tty@{int} rw, - deny /usr/share/gdb/python/** w, profile ccache { include 
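Review bot: `@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac` hard-codes the amd64 architecture, and the `javac` child in the next hunk does the same for its `bin/*` and `lib/**` rules, so on any other architecture the transition and the child's rules match nothing; `@{arch}` on the removed line expressed this portably, and if the variable is unavailable a `{amd64,arm64}` alternation with a comment is the fallback. In the second hunk on this line, `@{PROC}/@{pids}/net/route r` uses `@{pids}` where the neighbouring `net/dev`/`net/arp` rules use `@{pid}`, widening read access to other processes' route tables without a stated reason; `owner @{PROC}/@{pid}/net/route r,` would match the rest. The main-profile `@{lib}/firefox/firefox rPUx` under `# Allowed apps to open` allows an unconfined browser directly from hardinfo, bypassing the `open` child the earlier hunk introduces, so one of the two should go.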
@@ -125,15 +134,15 @@ profile hardinfo @{exec_path} { /etc/debian_version r, - include if exists } profile javac { include include - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, + + @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, /etc/java-[0-9]*-openjdk/** r, @@ -148,7 +157,29 @@ profile hardinfo @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - include if exists + } + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + } profile kmod { diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 527629202..ff3870880 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -3,13 +3,13 @@ # Copyright (C) 2011-2014 Jérémy Bobbio ; # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only +# SPDX-License-Identifier: GPL-3.0-only -abi , +abi , include -@{exec_path} = @{sbin}/haveged +@{exec_path} = @{bin}/haveged profile haveged @{exec_path} { include @@ -20,9 +20,10 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + owner @{PROC}/@{pid}/status r, /dev/random w, 
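Review bot: The haveged @@ -3 hunk changes the SPDX header from GPL-2.0-only to GPL-3.0-only in a file that credits three copyright holders, while every other profile touched by this diff stays GPL-2.0-only; relicensing needs the holders' agreement and looks unintentional here. If no relicensing was agreed, restore `# SPDX-License-Identifier: GPL-2.0-only`.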
diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 09b71b77f..78c15672b 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -1,12 +1,11 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/hbbr +@{exec_path} = /{,usr/}{,local/}bin/hbbr profile hbbr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index 4e7532724..69ac0cc8c 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs @@ -1,12 +1,11 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/hbbs +@{exec_path} = /{,usr/}{,local/}bin/hbbs profile hbbs @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig index 1bf4c02f8..eb0319c5f 100644 --- a/apparmor.d/profiles-g-l/hciconfig +++ b/apparmor.d/profiles-g-l/hciconfig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index 55d2abb5d..e0be907a6 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp 
@@ -3,27 +3,39 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include - include - include - capability sys_admin, + # To remove the following errors: + # /dev/sda: Permission denied capability sys_rawio, + # There's the following error in strace: + # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) + # This should be covered by CAP_SYS_RAWIO instead. + # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) + # It looks like hddtemp works just fine without it. + deny capability sys_admin, + network inet stream, network inet6 stream, @{exec_path} mr, + # Monitored hard drives + /dev/sd[a-z]* r, + # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, + # Needed when the hddtemp daemon is started in the TCP/IP mode + /etc/gai.conf r, + include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 53e520509..f29bc1c20 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -3,16 +3,16 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/hdparm +@{exec_path} = @{bin}/hdparm profile hdparm @{exec_path} flags=(complain) { include - include include include + include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat index 064e850c2..aaa550dfc 100644 --- a/apparmor.d/profiles-g-l/hexchat +++ b/apparmor.d/profiles-g-l/hexchat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight index bd375b520..fb90c4475 100644 --- a/apparmor.d/profiles-g-l/highlight 
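Review bot: `/dev/sd[a-z]* r` in the hddtemp @@ -3 hunk matches partition nodes (`/dev/sda1`) as well as whole disks, and read access on a whole-disk node together with the `capability sys_rawio` kept as context amounts to raw read of the entire disk; that is inherent to how hddtemp queries drives, but the `# Monitored hard drives` comment should say so, and the glob should be narrowed if only whole-disk nodes are opened. The `deny capability sys_admin` with its strace-based justification is a good pattern; the same one-line "why" would be useful on the `sys_rawio` rule, which currently only has the error message above it.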
+++ b/apparmor.d/profiles-g-l/highlight @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank deleted file mode 100644 index 7fbe74040..000000000 --- a/apparmor.d/profiles-g-l/homebank +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/homebank -profile homebank @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mr, - - /usr/share/homebank/{,**} r, - - owner @{user_config_dirs}/homebank/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index ab0cf0cba..5894c85a0 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,15 +18,13 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - - @{PROC}/version_signature r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 7e87173cc..efda5b4a8 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} -profile hostname @{exec_path} flags=(attach_disconnected) { +profile hostname @{exec_path} { include include include 
@@ -16,14 +16,11 @@ profile hostname @{exec_path} flags=(attach_disconnected) { capability sys_admin, network inet dgram, - network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, - owner /dev/tty@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/profiles-g-l/htop similarity index 93% rename from apparmor.d/groups/procps/htop rename to apparmor.d/profiles-g-l/htop index ef14d9ca9..d06991025 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/profiles-g-l/htop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,15 +20,14 @@ profile htop @{exec_path} { network netlink raw, - signal send, - signal receive set=hup peer=gnome-terminal-server, + signal (send), + signal (receive) set=(hup) peer=gnome-terminal-server, - ptrace read, + ptrace (read), @{exec_path} mr, @{bin}/lsof rix, - @{bin}/strace rix, /usr/share/terminfo/** r, 
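Review bot: The hostname @@ -16 hunk drops `network inet6 dgram` while keeping `network inet dgram`, so `hostname -f`/`-i` lookups sent to an IPv6 resolver address would likely be denied; the remaining `# network ip=127.0.0.1:53` TODO shows DNS is the intended use of these rules. Unless IPv6 resolvers are known to be unsupported here, keep `network inet6 dgram,` next to the inet rule, or note in a comment why it was removed.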
@@ -39,13 +38,58 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, + owner @{PROC}/@{pid}/smaps_rollup r, + + @{PROC}/ r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/wchan r, + + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/comm r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, 
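Review bot: The rule block re-added in the htop @@ -39 hunk is not the same set that the @@ -85 hunk (two lines below) removes: `@{PROC}/@{pids}/maps r` and `@{PROC}/@{pids}/status r` are removed there but not re-added here, so the net effect of the move is to silently drop them. If that is intended, the commit message should say so; otherwise add `@{PROC}/@{pids}/status r,` and `@{PROC}/@{pids}/maps r,` back beside the other per-pid rules. `@{PROC}/@{pids}/environ r` (re-added unchanged) lets htop read every user's process environment, which commonly carries tokens; a one-line comment naming the feature that needs it would help the next reviewer judge it.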
@@ -56,8 +100,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-*/name r, - @{sys}/devices/platform/*/i2c-*/name r, + @{sys}/devices/i2c-@{int}/name r, + @{sys}/devices/platform/*/i2c-@{int}/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, 
@@ -85,54 +129,8 @@ profile htop @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, - owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm index 95bc7037b..731483cf6 100644 --- a/apparmor.d/profiles-g-l/hugeadm +++ b/apparmor.d/profiles-g-l/hugeadm @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fd9c3dfa0..fcb585020 100644 
--- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include - include include include @@ -27,6 +26,7 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, + /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, @@ -37,17 +37,12 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, - owner @{user_config_dirs}/git/*config r, - owner @{user_config_dirs}/go/telemetry/mode r, - owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{sys}/kernel/mm/hugepages/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/sys/net/core/somaxconn r, include if exists } diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 739073201..7c6b87b6c 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,7 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, @@ -18,12 +19,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network inet6 dgram, @{exec_path} rm, + @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{sbin}/efibootmgr rix, + @{bin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, 
@@ -33,26 +35,35 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, - @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, + @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, + @{bin}/dkms rPx, @{bin}/dmesg rPx, + @{bin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, + @{bin}/ethtool rCx -> netconfig, + @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, + @{bin}/hdparm rPx, + @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, + @{bin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, + @{bin}/iw rCx -> netconfig, + @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx, + @{bin}/kmod rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @@ -60,8 +71,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rpm rCx -> rpm, + @{bin}/rfkill rPx, + @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, + @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -71,23 +84,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, - @{sbin}/biosdecode rPx, - @{sbin}/dkms rPx, - @{sbin}/dmidecode rPx, - @{sbin}/fdisk rPx, - @{sbin}/hdparm rPx, - @{bin}/boltctl rPUx, - @{sbin}/hwinfo rPx, - @{sbin}/rfkill rPx, - @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, - @{efi}/EFI/{,**} r, - owner @{HOME}/HW_PROBE/{,**} rw, - owner @{tmp}/@{rand10}/ rw, + audit owner @{tmp}/*/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, 
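Review bot: `@{bin}/kmod rix` in the hw-probe @@ -33 hunk replaces the `rCx -> kmod` transition, so kmod now runs with hw-probe's full rule set (including the `capability sys_admin` and `/dev/{,**} r` context rules) instead of the minimal child profile that the @@ -97 hunk deletes. Keep the child and the transition, `@{bin}/kmod rCx -> kmod,`. In the @@ -71 hunk, `audit owner @{tmp}/*/ rw` both widens the removed `@{rand10}` pattern to every directory under @{tmp} and leaves an `audit` qualifier that logs each access; `audit` is a debugging aid that should not be merged, and the narrower pattern should be restored if the temporary directory name is still random.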
@@ -97,34 +99,19 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, + @{sys}/module/*/ r, + @{sys}/module/*/{coresize,refcnt} r, + @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, + @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, - profile kmod { - include - include - - capability syslog, - - @{sys}/module/{,**} r, - - include if exists - } - - profile curl flags=(attach_disconnected) { - include - - @{bin}/curl mr, - - include if exists - } - profile pacman flags=(attach_disconnected) { include include @@ -172,12 +159,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/stat r, 
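Review bot: The hw-probe @@ -97 hunk deletes the `curl` child profile, but the parent still has `@{bin}/curl rCx -> curl` as a context line in the @@ -33 hunk above; unless another `profile curl` exists in an unchanged part of the file, the parser will reject the profile for the unresolved transition. Either keep the child profile or change the rule to match the intended confinement of curl. In the @@ -172 hunk, `system@@{hex}.journal*` replaces patterns that accounted for the `-` separators in rotated journal names (`system@<hex>-<hex>.journal`), so those files probably no longer match, and the rotated user-journal patterns are dropped without replacement.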
@@ -208,10 +192,35 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile netconfig flags=(attach_disconnected) { + include + + # Not needed + deny capability net_admin, + deny capability net_raw, + + network inet dgram, + network inet6 dgram, + network ipx dgram, + network ax25 dgram, + network appletalk dgram, + network netlink raw, + + @{bin}/iw mr, + @{bin}/ifconfig mr, + @{bin}/iwconfig mr, + @{bin}/ethtool mr, + + owner @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/net/dev r, + + include if exists + } + profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 314975208..f7953e346 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/hwinfo +@{exec_path} = @{bin}/hwinfo profile hwinfo @{exec_path} { include include @@ -27,10 +27,9 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{sbin}/acpidump rPUx, - @{bin}/lsscsi rPx, + @{bin}/acpidump rPUx, - @{sbin}/dmraid rPUx, + @{bin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, @@ -40,7 +39,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/{,**} r, + @{sys}/devices/@{pci}/** r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -71,12 +70,9 @@ profile hwinfo @{exec_path} { include include - capability sys_module, - owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index ce1ad519b..3a9a6131d 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,13 +31,14 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/mkdir rix, - @{bin}/xdg-screensaver rPx, + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, @{lib}/firefox/firefox rPx, @@ -62,6 +63,29 @@ profile hypnotix @{exec_path} { # Silencer deny @{lib}/hypnotix/** w, + profile xdg-screensaver { + include + include + + @{bin}/xdg-screensaver mr, + + @{sh_path} rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xset rix, + @{bin}/xautolock rix, + @{bin}/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card@{int} rw, + network inet stream, + network inet6 stream, + } + include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index f101c56e6..f045b489d 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,13 +13,8 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, - @{sys}/class/i2c-dev/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - owner @{PROC}/@{pid}/mounts r, - /dev/i2c-@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock index ea72704c1..d2fbdff2c 100644 --- a/apparmor.d/profiles-g-l/i3lock +++ b/apparmor.d/profiles-g-l/i3lock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index b192856d2..fce4ff7d4 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy 
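Review bot: In the hypnotix @@ -62 hunk the `network inet stream` / `network inet6 stream` rules sit under the `# file_inherit` heading, which elsewhere in this diff labels file descriptors inherited from the parent; socket rules belong under their own heading so a reader does not drop them together with the fd rules. Suggest `# Inherited sockets` above the two network rules. The new xdg-screensaver child also has no `include if exists` local hook, unlike the parent profile.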
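Review bot: The i2cdetect @@ -13 hunk removes `/dev/i2c-@{int} rw` together with the sysfs enumeration rules, leaving the profile with only `@{exec_path} mr`; opening the `/dev/i2c-N` nodes is the tool's whole job, so every scan will be denied once this profile is enforced. Restore `/dev/i2c-@{int} rw,` and `@{sys}/class/i2c-dev/ r,`, or, if the profile is meant to block the tool deliberately, say so in a comment.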
+++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -52,8 +52,8 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 mr, @{bin}/scrot mr, - /usr/share/ImageMagick-@{int}/*.xml r, - /etc/ImageMagick-@{int}/*.xml r, + /usr/share/ImageMagick-[0-9]/*.xml r, + /etc/ImageMagick-[0-9]/*.xml r, owner @{HOME}/.Xauthority r, @@ -67,7 +67,6 @@ profile i3lock-fancy @{exec_path} { # file_inherit owner /dev/tty@{int} rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index d46374984..66111ff55 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,9 +14,9 @@ profile iceauth @{exec_path} { @{exec_path} mr, owner @{tmp}/.xfsm-ICE-@{rand6} r, - owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, + owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id index 933e5d712..061313d42 100644 --- a/apparmor.d/profiles-g-l/id +++ b/apparmor.d/profiles-g-l/id @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/id -profile id @{exec_path} flags=(attach_disconnected) { +profile id @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 48181e130..8dd7eaac0 100644 --- a/apparmor.d/profiles-g-l/ifconfig 
+++ b/apparmor.d/profiles-g-l/ifconfig @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ifconfig +@{exec_path} = @{bin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop deleted file mode 100644 index 232aff538..000000000 --- a/apparmor.d/profiles-g-l/iftop +++ /dev/null @@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/iftop -profile iftop @{exec_path} { - include - include - include - - capability net_raw, - - network inet dgram, - network inet6 dgram, - network netlink raw, - network packet raw, - - @{exec_path} mr, - - /usr/share/terminfo/** r, - - owner @{HOME}/.iftoprc r, - - # When running in promiscuous mode - @{sys}/devices/**/net/*/statistics/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 3c641f8e1..605c26f92 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile ifup @{exec_path} { @{sh_path} rix, @{bin}/ip rix, - @{sbin}/route rix, + @{bin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, 
@@ -85,14 +85,13 @@ profile ifup @{exec_path} { /etc/network/if-up.d/ r, /etc/network/if-up.d/*resolvconf rPUx, - /etc/network/if-up.d/resolved rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/wpasupplicant rPUx, - include if exists } profile kmod { @@ -107,10 +106,12 @@ profile ifup @{exec_path} { profile sysctl { include - capability net_admin, - capability sys_admin, +# capability mac_admin, + capability net_admin, + capability sys_admin, +# capability sys_resource, - @{sbin}/sysctl mr, + @{bin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, @@ -118,7 +119,6 @@ profile ifup @{exec_path} { @{PROC}/sys/net/ipv6/conf/*/accept_ra rw, @{PROC}/sys/net/ipv6/conf/*/autoconf rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 04abb7e0c..5520e990c 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,6 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, - @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt index 5529ded9b..41d77339b 100644 --- a/apparmor.d/profiles-g-l/img2txt +++ b/apparmor.d/profiles-g-l/img2txt @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/imv b/apparmor.d/profiles-g-l/imv-wayland similarity index 91% rename from apparmor.d/profiles-g-l/imv rename to apparmor.d/profiles-g-l/imv-wayland index f75e4c957..72eaecc9c 100644 --- a/apparmor.d/profiles-g-l/imv +++ b/apparmor.d/profiles-g-l/imv-wayland 
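Review bot: The ifup @@ -107 hunk adds `# capability mac_admin,` and `# capability sys_resource,` as commented-out rules at column 0 inside the `sysctl` child; commented-out policy is dead configuration that a later edit may uncomment without review, and mac_admin in particular would let the child alter the MAC policy itself. Delete the two lines, or replace them with a comment stating why they are not needed. The @@ -85 and @@ -118 hunks (and the i3lock-fancy and initd-kexec-load hunks further down) also drop `include if exists` from the child profiles, removing the local override hook the children had; if that is intended, the commit message should note it.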
@@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile imv @{exec_path} { owner @{run}/user/@{uid}/imv-*.sock w, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 199483f4f..f17356fcc 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{sbin}/kexec rPx, + @{bin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -41,7 +41,7 @@ profile initd-kexec @{exec_path} { profile systemctl { include include - + capability sys_resource, @{bin}/systemd-tty-ask-password-agent rix, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 522d003f3..d36584ec9 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{sbin}/kexec rPx, + @{bin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner @{efi}/grub/{grub.cfg,grubenv} r, + owner /boot/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, @@ -48,7 +48,6 @@ profile initd-kexec-load @{exec_path} { /etc/default/kexec.d/ r, - include if exists } profile systemctl { @@ -75,7 +74,6 @@ profile initd-kexec-load @{exec_path} { owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/* rw, - include if exists } include if exists 
diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod index a73ddb8bf..f8f975211 100644 --- a/apparmor.d/profiles-g-l/initd-kmod +++ b/apparmor.d/profiles-g-l/initd-kmod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 6a26d4dea..370cbf154 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f155339b1..54e40386f 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index facd2fa3b..ddbf2e31c 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index e80875ca2..0dbe03687 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,6 +20,7 @@ profile inxi @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{bin}/ r, @{sh_path} rix, @@ -43,11 +44,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{sbin}/blockdev rPx, + @{bin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -56,7 +57,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, @@ -152,7 +153,7 @@ profile inxi @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 0cb507e36..497e5cb1c 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - @{efi}/** r, + /boot/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index 8ea787ea6..be2738443 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop 
@@ -3,35 +3,39 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/iotop profile iotop @{exec_path} { include - include include + include + # Needed? + audit deny capability net_admin, + + # To set processes' priorities capability sys_nice, - network netlink raw, - @{exec_path} r, + @{bin}/python3.@{int} r, + + @{bin}/file rix, @{bin}/ r, - @{bin}/file rix, - @{python_path} r, - - /etc/magic r, @{PROC}/ r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, @{PROC}/sys/kernel/pid_max r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + + # For file + /etc/magic r, include if exists } diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 0a27c4b59..7fee79abc 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
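Review bot: The `# Needed?` left above `audit deny capability net_admin,` in the iotop hunk should be answered before merging, because the same hunk also removes `network netlink raw,`. As far as I know iotop reads per-task I/O counters over the taskstats generic-netlink socket, which needs both that socket and CAP_NET_ADMIN, so with this rule set the tool would be denied at start and the `audit deny` would only make that noisy. If the capability really is unneeded, replace the question with the reason, e.g. `# No taskstats socket is opened here; deny so any probe is logged — TODO confirm`; otherwise restore `network netlink raw,` and `capability net_admin,`. The profile's opening line and closing brace are both inside the hunk.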
@@ -20,31 +20,25 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> @{sys}, - mount options=(rw bind) / -> @{run}/netns/*, - mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, - mount options=(rw, bind) @{att}/ -> @{run}/netns/*, - mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, - mount options=(rw, rshared) -> @{run}/netns/, - mount options=(rw, rslave) -> /, + mount options=(rw, bind, rshared) -> /{var/,}run/netns/, + mount options=(rw, rslave) -> /, + mount options=(rw, bind) / -> /{var/,}run/netns/*, + mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf, + mount fstype=sysfs -> /sys/, umount @{run}/netns/*, - umount @{sys}, + umount /sys/, @{exec_path} mrix, + @{sh_path} rix, - # To run command with 'ip netns exec' - @{shells_path} rUx, - @{bin}/sudo rPx, - - @{att}/ r, + / r, /etc/iproute2/{,**} r, /etc/netns/*/ r, /usr/share/iproute2/{,**} r, - @{run}/netns/ r, @{run}/netns/* rw, owner @{run}/netns/ rwk, diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index c6dfa762a..dd750b8c9 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile ipcalc @{exec_path} { include @{exec_path} r, + @{bin}/perl r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 022dc92d5..2226e6dd2 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/irqbalance +@{exec_path} = @{bin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include 
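Review bot: `mount options=(rw, bind) /etc/netns/firefox/resolv.conf -> /etc/resolv.conf,` hard-codes one namespace name, while `ip netns exec` bind-mounts `/etc/netns/<name>/*` for whichever namespace is named on the command line, so every other namespace's resolv.conf override will be denied; `/etc/netns/*/resolv.conf` would match the `/etc/netns/*/ r,` rule kept a few lines below. Separately, `@{sh_path} rix,` runs the shell launched by `ip netns exec` under this same profile, which carries the mount, umount and sysfs rules above, and the command that shell executes has no exec rule at all. A child profile (`@{sh_path} rCx -> netns-exec,`) or an explicit transition would keep the mount rights out of the executed command. The profile's opening and closing lines are outside this hunk.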
diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot deleted file mode 100644 index 8c18782f9..000000000 --- a/apparmor.d/profiles-g-l/ischroot +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} flags=(attach_disconnected) { - include - include - - @{exec_path} mr, - - /var/lib/update-notifier/tmp.@{rand10} w, - - @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 093cd7100..a54b024ad 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -2,38 +2,29 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/issue-generator +@{exec_path} = @{bin}/issue-generator profile issue-generator @{exec_path} { include - include include @{exec_path} mr, - @{sh_path} r, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/chmod rix, @{bin}/cmp rix, - @{bin}/mkdir rix, @{bin}/mktemp rix, - @{bin}/mv rix, @{bin}/rm rix, @{bin}/sort rix, /etc/issue.d/{,**} r, - /etc/sysconfig/issue-generator r, - @{run}/agetty.reload w, - @{run}/issue rw, + @{run}/issue r, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} rw, - - /dev/tty rw, + @{run}/issue.d/{,**} r, include if exists } diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 631b0b9d1..3b62c32ba 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/iw +@{exec_path} = @{bin}/iw profile iw @{exec_path} { include 
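Review bot: In the issue-generator hunk the new side keeps `@{run}/issue.@{rand10} rw,` and `@{bin}/mktemp rix,` but downgrades `@{run}/issue` to `r` and drops `@{bin}/mv rix,`, so the temp-file-then-replace sequence those rules imply can no longer finish: renaming the temp file onto `@{run}/issue`, or writing into it with `cat`, needs write on the target. Unless the script now only compares (`cmp`) and never updates, either restore `@{run}/issue rw,` and `@{bin}/mv rix,` or add a comment stating why the target became read-only. The removed `@{run}/agetty.reload w,` has the same shape: if the script still triggers an agetty reload, that write will be denied. The profile's opening line and closing brace are both inside the hunk.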
@@ -21,7 +21,7 @@ profile iw @{exec_path} { @{exec_path} mr, - @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, + @{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index ec6b9a46b..62bc16041 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/iwconfig +@{exec_path} = @{bin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index b89af77b9..ef2a280e0 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/iwlist +@{exec_path} = @{bin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus index 8326a3e40..ed1094a17 100644 --- a/apparmor.d/profiles-g-l/jackdbus +++ b/apparmor.d/profiles-g-l/jackdbus @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome new file mode 100644 index 000000000..9d22933fc --- /dev/null +++ b/apparmor.d/profiles-g-l/jami-gnome 
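Review bot: `@{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r,` is looser than it looks: in AppArmor globbing `*` matches any run of non-slash characters, so `phy[0-9]*` accepts `phy0`, `phy0-foo` or `phy9anything`, not just a numeric index. The rest of this file already uses `@{int}` for the same purpose (`owner /dev/tty@{int} rw,` two lines below), so `@{sys}/devices/@{pci}/ieee80211/phy@{int}/index r,` is both tighter and consistent; if the wider match is intentional, a comment naming the phy names it must cover would help. The profile's opening and closing lines are outside the hunk.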
@@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/jami-gnome +profile jami-gnome @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + /usr/share/ring/{,**} r, + /usr/share/sounds/jami-gnome/{,**} r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/jami-gnome/ rw, + owner @{user_cache_dirs}/jami-gnome/** rw, + + owner @{user_share_dirs}/jami/ rw, + owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, + + owner @{user_config_dirs}/autostart/jami-gnome.desktop w, + + owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, + owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, + owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, + + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/** r, + + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/smaps r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/zoneinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader new file mode 100644 index 000000000..424074da4 --- /dev/null +++ b/apparmor.d/profiles-g-l/jdownloader 
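Review bot: `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,` runs the WebKit content renderer inherited under the full jami-gnome profile, so a compromised page renderer gets the same write access to `@{user_share_dirs}/jami/**`, the cache and the autostart entry as the main process. A child profile (`rCx -> webkit` with a reduced rule set) for the two WebKit helpers would keep the renderer's reach smaller; if `ix` is deliberate because the helpers share the main process's sockets or D-Bus state, a one-line comment saying so would save the next reviewer the question. Also, `owner @{user_config_dirs}/autostart/jami-gnome.desktop w,` is write-only — the app presumably reads the file back to show the setting's state, so `rw` may be needed, but that is a guess from the rule shape. The whole new file is inside the hunk.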
@@ -0,0 +1,128 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{JD_INSTALLDIR} = /home/*/jd2 + +@{exec_path} = @{JD_INSTALLDIR}/*JDownloader* +profile jdownloader @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} rix, + + @{bin}/basename rix, + @{bin}/dirname rix, + @{bin}/expr rix, + @{bin}/cut rix, + @{bin}/ls rix, + @{bin}/{,e}grep rix, + @{bin}/find rix, + @{bin}/sed rix, + @{bin}/chmod rix, + + @{bin}/ffmpeg rPx, + + # These are needed when the above tools are in some nonstandard locations + #@{bin}/which{,.debianutils} rix, + #/usr/ r, + #/usr/local/ r, + #@{bin}/ r, + #@{lib}/ r, + + deny /opt/ r, + + owner @{HOME}/ r, + owner @{JD_INSTALLDIR}/ rw, + owner @{JD_INSTALLDIR}/** rwk, + owner @{JD_INSTALLDIR}/jre/bin/java rix, + owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw, + owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw, + owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw, + owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw, + owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, + + owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, + owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, + owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, + owner @{HOME}/.java/fonts/@{int}/ rw, + owner @{HOME}/.java/fonts/@{int}/fcinfo*.tmp rw, + owner @{HOME}/.java/fonts/@{int}/fcinfo-*.properties rw, + + owner @{HOME}/.install4j rw, + + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{pid} rw, + # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead + owner @{tmp}/SevenZipJBinding-*/ rw, + owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, + # For auto updates + owner @{tmp}/lastChanceSrc@{int}lch rw, + owner @{tmp}/lastChanceDst@{int}.jar rw, + owner 
@{tmp}/i4j_log_jd2_@{int}.log rw, + owner @{tmp}/install4jError@{int}.log rw, + + owner @{HOME}/.Xauthority r, + + # What's this for? + deny owner @{HOME}/.mozilla/firefox/ r, + deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r, + + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/@{pid}/net/ipv6_route r, + deny @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny owner @{PROC}/@{pid}/cmdline r, + deny @{PROC}/asound/version r, + + # For Reconnect -> Share Settings/Get Route + #@{bin}/netstat rix, + #@{bin}/route rix, + #@{bin}/ping rix, + #@{bin}/ip rix, + #@{PROC}/@{pid}/net/route r, + + # To open a web browser for CAPTCHA + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + + + profile open { + include + include + + @{bin}/xdg-open mr, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll index d3444fea5..667b9304f 100644 --- a/apparmor.d/profiles-g-l/jekyll +++ b/apparmor.d/profiles-g-l/jekyll @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu index 044eda493..6c7f3c1ff 100644 --- a/apparmor.d/profiles-g-l/jgmenu +++ b/apparmor.d/profiles-g-l/jgmenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd index 49d5c6c57..5b96e0c58 100644 
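Review bot: `@{JD_INSTALLDIR} = /home/*/jd2` hard-codes `/home/*` while the rest of the new profile addresses the user's home as `@{HOME}` (`owner @{HOME}/ r,`, `owner @{HOME}/.java/...`), so a home directory outside `/home` gets an `@{exec_path}` that never attaches; `@{JD_INSTALLDIR} = @{HOME}/jd2` keeps the two in step. Also worth a comment: `owner @{JD_INSTALLDIR}/** rwk,` together with `owner @{JD_INSTALLDIR}/jre/bin/java rix,` and the `*.so mrw` lines lets the confined process rewrite and re-execute its own interpreter and native libraries — what the bundled self-updater needs, but it also means the profile cannot protect the program's code from the program itself, and that trade-off should be stated next to those rules. The `# What's this for?` above the two `.mozilla/firefox` deny rules should be resolved or reworded as a documented silencer. The whole new file is inside the hunk.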
--- a/apparmor.d/profiles-g-l/jitterentropy-rngd +++ b/apparmor.d/profiles-g-l/jitterentropy-rngd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 618ac14e7..77127171c 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,8 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - /etc/magic r, + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, # Mount points owner @{HOME}/*/ r, @@ -26,22 +27,37 @@ profile jmtpfs @{exec_path} { owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw, - owner @{tmp}/tmp* rw, - owner @{tmp}/#@{int} rw, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, + + /etc/magic r, + + /dev/fuse rw, + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + # + capability dac_read_search, + + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{user_cache_dirs}/*/*/, + /etc/fuse.conf r, + + /dev/fuse rw, + + @{PROC}/@{pid}/mounts r, - include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 91eb37c58..fef624841 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
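Review bot: The fusermount child profile in the jmtpfs `@@ -26,22` hunk gains `capability sys_admin,` but loses its three `umount` rules, so `fusermount -u` (the unmount half of what this helper exists for) will be denied; keep `umount @{HOME}/*/,`, `umount @{HOME}/*/*/,` and `umount @{user_cache_dirs}/*/*/,` alongside the mount rules. The bare `#` above `capability dac_read_search,` is an empty rationale line — write what it is for, e.g. `# Needed to reach the mount point as root — TODO confirm which operation requires it`, or drop the capability if it was only a probe. The three `mount fstype={fuse,fuse.jmtpfs}` rules are now duplicated in the parent profile without any `capability sys_admin,` there; if the parent never mounts itself and always transitions via `rCx -> fusermount`, those copies are dead and can go. The parent profile's opening line is outside the hunk.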
@@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass index 33bd9c641..9dddbe470 100644 --- a/apparmor.d/profiles-g-l/kcheckpass +++ b/apparmor.d/profiles-g-l/kcheckpass @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 947cfabd1..6858f1b45 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,13 +13,13 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, # The usual kernel config locations - @{efi}/config-* r, + /boot/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy deleted file mode 100644 index ccc0a2b25..000000000 --- a/apparmor.d/profiles-g-l/kdestroy +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kdestroy -profile kdestroy @{exec_path} { - include - include - - #Allow root to destroy other users' creds cache - capability dac_override, - - @{exec_path} mr, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config deleted file mode 100644 index 75c536612..000000000 
--- a/apparmor.d/profiles-g-l/kdump-config +++ /dev/null 
@@ -1,110 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} flags=(attach_disconnected) { - include - - capability sys_admin, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cmp ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/file ix, - @{bin}/find ix, - @{bin}/flock ix, - @{bin}/hexdump ix, - @{bin}/ln ix, - @{bin}/logger ix, - @{bin}/plymouth Px, - @{bin}/readlink ix, - @{bin}/rev ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/sed ix, - @{bin}/systemctl Cx -> systemctl, - @{bin}/uname ix, - @{sbin}/kexec Cx -> kexec, - @{sbin}/sysctl Cx -> sysctl, - - /etc/kernel/postinst.d/kdump-tools rPx, - - /etc/kdump/{,**} r, - /etc/default/kdump-tools r, - /etc/magic r, - - / r, - @{efi}/ r, - - /var/crash/kdump_lock wk, - /var/crash/kexec_cmd w, - /var/lib/kdump/{,**} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - - @{sys}/firmware/efi/efivars/ r, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - @{sys}/kernel/kexec_crash_loaded r, - - @{PROC}/cmdline r, - @{PROC}/iomem r, - - profile systemctl flags=(attach_disconnected) { - include - include - - capability net_admin, - capability sys_ptrace, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/kernel/panic_on_oops rw, - - include if exists - } - - profile kexec { - include - - capability sys_admin, - capability sys_boot, - - @{sbin}/kexec mr, - - @{efi}/* r, - - owner 
/var/lib/kdump/* r, - - @{PROC}/iomem r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init deleted file mode 100644 index 7767831a8..000000000 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/init.d/kdump-tools -profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - @{sh_path} mr, - - @{bin}/cat ix, - @{bin}/plymouth Px, - @{bin}/run-parts ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/kdump-config Px, - - /etc/default/kdump-tools r, - - @{PROC}/cmdline r, - - profile systemctl flags=(attach_disconnected) { - include - include - - capability net_admin, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator deleted file mode 100644 index 5f85af3fe..000000000 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator -profile kdump_mem_estimator @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/uname ix, - @{bin}/systemctl Cx -> systemctl, - @{bin}/uname ix, - - owner /var/lib/kdump/mem* w, - - profile systemctl { - include - include - - capability net_admin, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index de95d3c9f..20be091cc 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,6 +18,7 @@ profile keepassxc @{exec_path} { include include include + include include include include @@ -37,26 +38,25 @@ profile keepassxc @{exec_path} { @{lib}/firefox/firefox rPx, @{open_path} rPx -> child-open, + /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, /etc/fstab r, - @{bin}/ r, - owner @{HOME}/ r, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_passwordstore_dirs}/ r, - owner @{user_passwordstore_dirs}/*.csv rw, - owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, - owner @{user_passwordstore_dirs}/#@{int} rw, + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/*.csv rw, + owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, + owner @{user_password_store_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{user_config_dirs}/keepassxcrc r, + owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r, # Database locations owner @{user_cache_dirs}/keepassxc/ rw, 
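Review bot: `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int},` uses `@{KP_DB}` as the link target while the three neighbouring rules use `@{user_password_store_dirs}`; nothing in this hunk defines `@{KP_DB}`, so if it is not set in the tunables the profile fails to parse, and if it is set to something else the link rule silently points at a different directory than the `#@{int} rw` rule two lines below. `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{user_password_store_dirs}/#@{int},` matches the intent visible in the surrounding lines. The profile's opening and closing lines are outside the hunk.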
@@ -74,7 +74,6 @@ profile keepassxc @{exec_path} { owner @{tmp}/keepassxc-*.socket rw, owner @{tmp}/keepassxc.lock rw, owner @{tmp}/keepassxc.socket rw, - owner @{tmp}/runtime-user/ w, owner @{run}/user/@{pid}/app/ w, owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw, @@ -83,17 +82,16 @@ profile keepassxc @{exec_path} { owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC/ w, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, - @{PROC}/modules r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/comm r, + @{PROC}/modules r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, /dev/tty rw, - /dev/urandom w, + /dev/urandom rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli index c8e189f4e..b1d6e0e86 100644 --- a/apparmor.d/profiles-g-l/keepassxc-cli +++ b/apparmor.d/profiles-g-l/keepassxc-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 24a30c56c..5e9736108 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} { include include + signal (receive) set=(term, kill), + network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, - signal receive set=(term, kill) peer=firefox, - @{exec_path} mr, /usr/share/icons/*/index.theme r, 
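Review bot: `@{PROC}/@{pids}/comm r,` in the keepassxc `@@ -83,17` hunk widens the old own-process `@{pid}` read to every process's name, and the hunk gives no hint what needs it; if this is for browser-integration process detection, say so (`# To identify the browser peer of the native-messaging socket — TODO confirm`), otherwise keep `owner @{PROC}/@{pid}/comm r,`. `deny @{PROC}/sys/kernel/random/boot_id r,` is an explicit deny, and an explicit deny also overrides any allow an included abstraction grants for that path, so a short note that the deny is an intentional silencer would help the next reader. The profile's opening and closing lines are outside the hunk.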
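Review bot: `signal (receive) set=(term, kill),` in the keepassxc-proxy `@@ -12,14` hunk replaces `signal receive set=(term, kill) peer=firefox,` with a rule that has no `peer=` at all, so any confined process may now terminate the proxy. If the motivation is that the proxy is also started by Chromium-family browsers (the `deny /dev/shm/org.chromium.* rw,` silencer later in the file suggests so), list them instead of dropping the restriction: `signal (receive) set=(term, kill) peer={firefox,<other-browser-profile-names>},`, using the profile names that exist in this tree. The profile's opening and closing lines are outside the hunk.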
@@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} { # file_inherit deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, deny owner @{run}/user/@{uid}/kpxc_server rw, - deny /dev/shm/org.chromium.@{rand6} rw, + deny /dev/shm/org.chromium.* rw, deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw, deny owner @{HOME}/.mozilla/** rw, deny owner @{user_cache_dirs}/mozilla/** rw, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel deleted file mode 100644 index c46b5556e..000000000 --- a/apparmor.d/profiles-g-l/kernel +++ /dev/null 
@@ -1,80 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* -@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* -profile kernel @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rCx -> kmod, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{bin}/bootctl rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/kernel-install rPx, - @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - @{sbin}/dkms rPx, - @{sbin}/update-grub rPx, - @{sbin}/update-initramfs rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - @{efi}/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - profile kmod { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index dede5da41..808528ce7 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -11,20 +11,21 @@ include profile kernel-install @{exec_path} { include include - include include - capability sys_rawio, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - @{exec_path} r, @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, - @{pager_path} rPx -> child-pager, + @{bin}/sort rix, + @{bin}/rm rix, + @{bin}/mkdir rix, + @{bin}/cp rix, + @{bin}/chown rix, + @{bin}/chmod rix, + @{bin}/basename rix, + + @{bin}/kmod rCx -> kmod, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -35,39 +36,27 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, - /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @{lib}/modules/*/modules.* w, - / r, - - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - owner @{efi}/{vmlinuz,initrd.img}-* r, - owner @{efi}/loader/ rw, - owner @{efi}/loader/entries/ rw, - owner @{efi}/loader/entries/*.conf w, - - owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner /boot/{vmlinuz,initrd.img}-* r, + owner /boot/[a-f0-9]*/*/ rw, + owner /boot/[a-f0-9]*/*/{linux,initrd} w, + owner /boot/loader/ rw, + owner /boot/loader/entries/ rw, + owner /boot/loader/entries/*.conf w, owner @{tmp}/sh-thd.* rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/1/environ r, @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, profile kmod { include include - @{lib}/modules/*/modules.* w, - - @{sys}/module/compression r, - include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump deleted file mode 100644 index eb17c5355..000000000 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ /dev/null 
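Review bot: `owner /boot/[a-f0-9]*/*/ rw,` and `owner /boot/[a-f0-9]*/*/{linux,initrd} w,` in the kernel-install `@@ -35,39` hunk are meant for the machine-id entry directory, but `[a-f0-9]*` only pins the first character — `*` then matches any non-slash run — so the rules also cover `/boot/efi/*/` and anything else under `/boot` whose name starts with a hex digit. The tunables already provide `@{hex32}` (it appears as `@{efi}/@{hex32}/**` on the removed side), so `owner /boot/@{hex32}/*/ rw,` and `owner /boot/@{hex32}/*/{linux,initrd} w,` express the intent without the spill-over. The profile's opening line is outside this hunk; its closing brace is inside it.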
@@ -1,62 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/kernel/postinst.d/kdump-tools -profile kernel-postinst-kdump @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/cp rix, - @{bin}/du rix, - @{bin}/find rix, - @{bin}/kmod rCx -> kmod, - @{bin}/ischroot rPx, - @{bin}/linux-version rPx, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/sync rix, - @{bin}/cut rix, - @{sbin}/mkinitramfs rPx, - - / r, - - /etc/initramfs-tools/{,**} r, - - owner /var/lib/kdump/** rw, - - owner /tmp/tmp.@{rand10}/ rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - - profile kmod { - include - include - - @{sys}/module/*/ r, - @{sys}/module/*/coresize r, - @{sys}/module/*/holders/ r, - @{sys}/module/*/refcnt r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 70c8b9460..f3c7e3b37 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/kerneloops +@{exec_path} = @{bin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index d9d556879..e6860c5b9 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet 
@@ -3,17 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include - include - include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 09c414430..dc027eae6 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/kexec +@{exec_path} = @{bin}/kexec profile kexec @{exec_path} flags=(complain) { include @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner @{efi}/{initrd.img,vmlinuz}-* r, + owner /boot/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit deleted file mode 100644 index 706a11c10..000000000 --- a/apparmor.d/profiles-g-l/kinit +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kinit -profile kinit @{exec_path} { - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab r, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist deleted file mode 100644 index f21f34295..000000000 --- a/apparmor.d/profiles-g-l/klist +++ /dev/null 
@@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/klist -profile klist @{exec_path} { - include - include - - #Allow root to list other users' creds cache - capability dac_override, - capability dac_read_search, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab rk, - - #Credentials cache - /tmp/krb5cc_* rk, - /tmp/tkt* rk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 1d67b5678..ac03c2501 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -3,14 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -28,13 +28,17 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rPx, @{bin}/true rix, + @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, + /etc/depmod.d/{,**} r, + /etc/modprobe.d/{,*.conf} r, + /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -44,7 +48,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner @{efi}/System.map-* r, + owner /boot/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build 
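Review bot: `/tmp/**/*.ko{,.zst} r,` in the kmod `@@ -28,13` hunk lets the profile read kernel modules from any depth under the world-writable `/tmp`, and since this is the profile that performs `insmod`/`modprobe`, the rule amounts to "load a module from anywhere in /tmp"; the adjacent `/usr/src/*/*.ko r,` and `/var/lib/dkms/**/module/*.ko r,` show the pattern of fixed, root-owned build locations. An `owner` prefix would at least require the staged file to belong to the loading user, and a comment naming the workflow (`# For out-of-tree module builds staged under /tmp — TODO confirm`) would tell readers what is expected. The profile's opening and closing lines are outside this hunk.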
@@ -62,23 +66,14 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, + @{PROC}/cmdline r, + @{PROC}/modules r, + /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, - profile sysctl { - include - - @{sbin}/sysctl mr, - - /etc/sysctl.conf r, - /etc/sysctl.d/{,**} r, - @{lib}/sysctl.d/{,**} r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 9d6c9d1c2..3d8800cc7 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,11 +30,11 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, @@ -50,8 +50,7 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr index 450600d78..932b869b8 100644 --- a/apparmor.d/profiles-g-l/kodi-xrandr +++ b/apparmor.d/profiles-g-l/kodi-xrandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index f62e9ddf9..22e087146 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok 
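Review bot: In the kodi hunk `@@ -50,8 +50,7 @@`, `@{run}/udev/data/* r,` replaces two subsystem-specific rules (`+*:*` and `c@{int}:@{int}`) with read access to every udev device record, including block devices and network interfaces kodi has no stated need for. The old rules were already broad but self-documenting; if the intent is just to cover more subsystems, keep the enumeration and add the missing ones, e.g. `@{run}/udev/data/+*:* r,` plus `@{run}/udev/data/[bc]@{int}:@{int} r,`, so the profile still says which device classes it consults.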
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/kvm-ok +@{exec_path} = @{bin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{bin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index ab624f099..8fa7552af 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,11 +38,12 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for ? @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 47cbb22a2..a9df8a2b3 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
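Review bot: In the labwc hunk `@@ -38,11 +38,12 @@`, the new side contains `@{run}/udev/data/+hid:* r,` twice in a row; the duplicate is harmless to the parser but will be flagged by the linter and confuses readers, so drop one. The hunk also replaces descriptive comments with `# for ?` on the `+acpi:*` and `+platform:*` rules, which is a documentation regression — the removed text (`# Exposes ACPI objects (power buttons, batteries, thermal)` and `# Identifies onboard devices (laptop/board model, power controllers, thermal sensors)`) was more useful and should be kept.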
@@ -2,14 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include - include include include @@ -21,24 +20,19 @@ profile landscape-sysinfo @{exec_path} { network inet6 dgram, network netlink raw, - ptrace read, + ptrace (read), @{exec_path} mr, - @{bin}/who rPx, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{bin}/who rix, /var/log/landscape/{,**} rw, - @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 056b2d83c..e33195eb1 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -2,21 +2,15 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper profile landscape-sysinfo.wrapper @{exec_path} { include - include - - capability dac_override, - capability fowner, - capability fsetid, @{exec_path} mr, - @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, @@ -25,16 +19,14 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/landscape-sysinfo rPx, / r, /etc/default/locale r, - + /var/lib/landscape/landscape-sysinfo.cache rw, - @{run}/motd.dynamic.new w, - @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3d7383aef..e77d997c5 100644 
--- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,9 +15,10 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/locale rix, + /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last index ee40f81af..fd0c403a4 100644 --- a/apparmor.d/profiles-g-l/last +++ b/apparmor.d/profiles-g-l/last @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/shadow/lastlog b/apparmor.d/profiles-g-l/lastlog similarity index 92% rename from apparmor.d/groups/shadow/lastlog rename to apparmor.d/profiles-g-l/lastlog index 0cb62819f..3df955097 100644 --- a/apparmor.d/groups/shadow/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,9 +17,8 @@ profile lastlog @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - /var/log/lastlog r, + /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e4feed45..313b34a23 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,22 +11,11 @@ include profile libreoffice @{exec_path} { include include - include include - include - include - include - include - include - include include include include - include - include - include include - include include include include 
@@ -37,93 +26,67 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, @{bin}/uname rix, - @{open_path} rPx -> child-open-browsers, + @{open_path} rpx -> child-open-browsers, - @{bin}/gpg rPx, - @{bin}/gpgconf rPx, - @{bin}/gpgsm rPx, + @{bin}/gpgconf rPx, + @{bin}/gpgsm rPx, + @{bin}/gpg rPx, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/libreoffice/program/xpdfimport rix, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, - @{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, - @{lib}/libreoffice/program/{,**/}__pycache__/ w, - @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, + @{lib}/libreoffice/{,**} rm, /usr/share/hyphen/{,**} r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, /usr/share/mythes/{,**} r, - /usr/share/thumbnailers/{,**} r, - /etc/cups/ppd/*.ppd r, - /etc/java{,-}{,@{version}}-openjdk/{,**} r, + /etc/java-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/papersize r, /etc/paperspecs r, - /etc/xdg/* r, - - /var/tmp/ r, - owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, - - owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/soffice.*.lock rwk, - owner @{user_config_dirs}/soffice.binrc r, - owner @{user_share_dirs}/#@{int} rw, - owner 
@{user_share_dirs}/user-places.xbel r, - - @{tmp}/ r, - owner @{tmp}/.java_pid@{int}{,.tmp} rw, - owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, - owner @{tmp}/@{u64} rw, owner @{tmp}/*.tmp/{,**} rwk, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, + owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, - - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light index 6ce5f2f57..d4ff8a7d7 100644 --- a/apparmor.d/profiles-g-l/light +++ b/apparmor.d/profiles-g-l/light @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
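Review bot: `@{open_path} rpx -> child-open-browsers,` uses lowercase `px`, which is the unsafe exec variant that does not scrub the environment (LD_PRELOAD, LD_LIBRARY_PATH and friends) on the transition, while every other transition in this profile (`gpg`, `gpgconf`, `gpgsm`) is `rPx`. Since this is the handler for URLs coming out of untrusted documents, the environment scrub matters; change it to `@{open_path} rPx -> child-open-browsers,`. The enclosing libreoffice profile starts and ends outside this hunk.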
@@ -23,14 +23,12 @@ profile light @{exec_path} { @{sys}/class/backlight/ r, @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/**/leds/**/{,max_,actual_}brightness rw, - @{sys}/devices/**/leds/**/{uevent,type,enabled} r, - @{sys}/devices/**/leds/**/brightness_hw_changed r, + + @{sys}/devices/@{pci}/drm/**/intel_backlight/{,max_}brightness r, + @{sys}/devices/@{pci}/drm/**/intel_backlight/brightness rw, + + @{sys}/devices/@{pci}/backlight/*/{,max_}brightness r, + @{sys}/devices/@{pci}/backlight/*/brightness rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 60189d911..8e8732c19 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,12 +11,19 @@ include profile light-locker @{exec_path} { include include - include + include + include + include include + include include + include @{exec_path} mr, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -26,9 +33,6 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command index 78e9983b3..21daa1853 100644 --- a/apparmor.d/profiles-g-l/light-locker-command +++ b/apparmor.d/profiles-g-l/light-locker-command 
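Review bot: In the light hunk `@@ -23,14 +23,12 @@`, the new side keeps only `intel_backlight` and `backlight/*` paths and drops every `@{sys}/devices/**/leds/**` rule as well as the `uevent`, `type` and `enabled` reads, so controlling keyboard LEDs or non-Intel `*_backlight` devices will now be denied. If that narrowing is intentional it deserves a comment such as `# leds/ and vendor *_backlight intentionally not covered`; otherwise restore `@{sys}/devices/**/leds/**/brightness rw,`. The profile header and tail are outside this hunk.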
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks index 6462a0b6c..f2e6c74cf 100644 --- a/apparmor.d/profiles-g-l/lightworks +++ b/apparmor.d/profiles-g-l/lightworks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt index 941798245..b4dc21398 100644 --- a/apparmor.d/profiles-g-l/lightworks-ntcardvt +++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid new file mode 100644 index 000000000..615f51b62 --- /dev/null +++ b/apparmor.d/profiles-g-l/linssid 
@@ -0,0 +1,113 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec +profile linssid @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + # For reading/saving config/log files when linssid is started via pkexec + #capability dac_read_search, + #capability dac_override, + + # Needed? + deny capability sys_admin, + deny capability sys_nice, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + + # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Linssid works fine without this. 
+ #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, + + @{bin}/iw rCx -> iw, + @{bin}/pkexec rPx, + + # For regular run as root user + owner @{HOME}/.linssid.prefs rw, + owner @{HOME}/LinSSID.datalog rw, + # For pkexec + #@{HOME}/.linssid.prefs rw, + #@{HOME}/LinSSID.datalog rw, + + /usr/share/linssid/{,*} r, + + /usr/share/hwdata/pnp.ids r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/net/wireless r, + owner @{PROC}/@{pid}/cmdline r, + + owner @{tmp}/runtime-root/ rw, + owner @{tmp}/linssid_* rw, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # For shell pwd + /root/ r, + + # file_inherit + owner /dev/tty@{int} rw, + + + profile iw { + include + + capability net_admin, + deny capability sys_module, + + network netlink raw, + + @{bin}/iw mr, + + # file_inherit + owner @{HOME}/.linssid.prefs rw, + owner @{HOME}/LinSSID.datalog rw, + owner @{tmp}/linssid_* rw, + owner /dev/dri/card@{int} rw, + + } + + profile dbus { + include + include + + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + + @{HOME}/.Xauthority r, + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index f2895299f..41813c1a1 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal 
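Review bot: The `profile dbus` child at the end of the new linssid file is unreachable: the only transitions into it are commented out and `deny @{bin}/dbus-launch rx,` / `deny @{bin}/dbus-send rx,` are in force, so it is dead code that still carries `@{bin}/dbus-daemon rPUx,`, a fallback to unconfined if no dbus-daemon profile is loaded. Either resolve the "Should this be allowed?" question and wire it up with `@{bin}/dbus-launch rCx -> dbus,`, or remove the child and keep only the deny rules. Minor: `owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,` matches a single-digit display only; `@{int}` is what the rest of the set uses.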
@@ -3,20 +3,50 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} { +profile linux-check-removal @{exec_path} flags=(complain) { include - include + include + include - @{exec_path} rmix, + @{exec_path} r, + @{bin}/perl r, - @{bin}/stty rix, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, - /etc/shadow r, + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/linux-check-removal rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + owner @{tmp}/file* w, + + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + } include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks deleted file mode 100644 index b97a0305b..000000000 --- a/apparmor.d/profiles-g-l/linux-update-symlinks +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/linux-update-symlinks -profile linux-update-symlinks @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/kernel-img.conf r, - - @{efi}/ r, - @{efi}/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index c718b6495..998c48780 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version 
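Review bot: The linux-check-removal profile is switched to `flags=(complain)` with a `#FIXME#` left on the debconf transition, and the new `profile frontend` child is dead: its entry `rCx -> frontend` is commented out while `/usr/share/debconf/frontend rPx,` is the active rule. As written the child also grants `owner /var/cache/debconf/passwords.dat rwk` and re-enters the parent via `@{bin}/linux-check-removal rPx,`, which is a lot of unused surface to carry in a complain-mode profile. Pick one: activate `/usr/share/debconf/frontend rCx -> frontend,` and drop the `rPx` line, or delete the child until a real profile for the debconf frontend exists.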
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,8 +14,9 @@ profile linux-version @{exec_path} { include @{exec_path} r, + @{bin}/perl r, - @{efi}/ r, + /boot/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq deleted file mode 100644 index ff2ffe6b8..000000000 --- a/apparmor.d/profiles-g-l/linuxqq +++ /dev/null @@ -1,50 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = QQ -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/QQ/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq -profile linuxqq @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mrix, - - @{sh_path} r, - @{bin}/{,e}grep rix, - @{lib_dirs}/chrome_crashpad_handler ix, - @{lib_dirs}/resources/app/{,**} m, - @{open_path} rPx -> child-open-strict, - - /etc/machine-id r, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, - - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mounts r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/profiles-g-l/locale-gen similarity index 92% rename from apparmor.d/groups/utils/locale-gen rename to apparmor.d/profiles-g-l/locale-gen index 5366f1403..093074d1b 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen 
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/locale-gen +@{exec_path} = @{bin}/locale-gen profile locale-gen @{exec_path} { include include @@ -18,7 +18,6 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge index f6781f4b1..30018bf00 100644 --- a/apparmor.d/profiles-g-l/localepurge +++ b/apparmor.d/profiles-g-l/localepurge @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend deleted file mode 100644 index ad2e23fc6..000000000 --- a/apparmor.d/profiles-g-l/localsend +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/localsend -profile localsend @{exec_path} { - include - include - include - include - include - include - -# --system-talk-name=org.freedesktop.NetworkManager -# - --system-talk-name=org.freedesktop.hostname1 -# --talk-name=org.kde.StatusNotifierWatcher - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/login b/apparmor.d/profiles-g-l/login similarity index 74% rename from apparmor.d/groups/utils/login rename to apparmor.d/profiles-g-l/login index cf9663e8e..c93553030 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/profiles-g-l/login @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,6 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include - include #aa:only RBAC capability audit_write, capability chown, 
@@ -31,40 +30,39 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal send set=(hup term), + signal (send) set=(hup term), + + unix type=stream addr=@@{hex16}/bus/login/system, ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{shells_path} Ux, #aa:exclude RBAC + @{bin}/@{shells} rUx, @{etc_ro}/environment r, - @{etc_ro}/security/group.conf r, - @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, - @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, + /etc/security/group.conf r, + /etc/security/limits.conf r, + /etc/security/pam_env.conf r, /etc/shells r, - /var/lib/faillock/@{user} rwk, - /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, - @{att}/@{run}/systemd/sessions/@{int}.ref w, - - @{run}/credentials/getty@tty@{int}.service/ r, - @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, + @{run}/dbus/system_bus_socket rw, + @{run}/faillock/@{user} rwk, @{run}/motd.dynamic{,.new} rw, + @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 781a01a27..6004b8a35 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/logrotate +@{exec_path} = @{bin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include 
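Review bot: `@{bin}/@{shells} rUx,` drops the `#aa:exclude RBAC` marker that the replaced line carried, so if the build tooling honours that marker the unconfined shell transition is no longer excluded from the RBAC variant; keep it as `@{bin}/@{shells} rUx, #aa:exclude RBAC`. Further down, `@{run}/systemd/sessions/*.ref rw,` widens the previous `@{att}/@{run}/systemd/sessions/@{int}.ref w` to read access on any session ref; login only needs to hold the fd, so `@{run}/systemd/sessions/@{int}.ref w,` is sufficient. The profile's head and tail are outside this hunk.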
@@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal send set=hup, - signal send set=(term cont) peer=systemd-tty-ask-password-agent, + signal (send) set=(hup), + signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -30,9 +30,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, - @{sbin}/invoke-rc.d rix, + @{bin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, @@ -50,7 +50,19 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/squid rPUx, @{bin}/pgrep rCx -> pgrep, - @{bin}/systemctl rCx -> systemctl, + + # no new privs + #@{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rix, + @{bin}/runlevel rix, + include + ptrace (read), + capability sys_ptrace, + owner @{PROC}/@{pid}/stat r, + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, /etc/ r, @{etc_ro}/logrotate.conf rk, @@ -80,22 +92,13 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read peer=@{p_systemd}, - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=KillUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - - @{run}/utmp rk, - include if exists } profile pgrep { include include - + include if exists } diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/profiles-g-l/losetup similarity index 63% rename from apparmor.d/groups/utils/losetup rename to apparmor.d/profiles-g-l/losetup index 9b32074ba..fb8b448d1 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/profiles-g-l/losetup 
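Review bot: In hunk `@@ -50,7 +50,19 @@`, inlining `@{bin}/systemctl rix,` hoists `capability sys_ptrace`, `ptrace (read),` and `@{PROC}/1/environ r,` into the main logrotate profile, so the whole process — including every postrotate script it runs through `@{sh_path} rix` — now gets ptrace-read over all processes and PID 1's environment, privileges that were previously confined to the `systemctl` child. Restore the transition, `@{bin}/systemctl rCx -> systemctl,`, and keep those rules in the child. Hunk `@@ -80,22 +92,13 @@` still shows `capability sys_ptrace` inside what appears to be the now-unreachable child profile, whose header is outside this hunk.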
@@ -2,31 +2,26 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/losetup +@{exec_path} = @{bin}/losetup profile losetup @{exec_path} { include include - include capability dac_override, capability dac_read_search, - unix receive type=stream, + unix (receive) type=stream, @{exec_path} mr, - @{user_img_dirs}/** rw, - @{user_vm_dirs}/** rw, - - @{sys}/block/ r, - @{sys}/devices/virtual/block/loop@{int}/{,**} r, + @{sys}/devices/**/usb[0-9]/{,**} r, /dev/loop-control rw, - /dev/loop@{int} rw, + /dev/loop[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor index e2baa4a26..4471dbd2e 100644 --- a/apparmor.d/profiles-g-l/low-memory-monitor +++ b/apparmor.d/profiles-g-l/low-memory-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release deleted file mode 100644 index 5214632dc..000000000 --- a/apparmor.d/profiles-g-l/lsb-release +++ /dev/null 
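Review bot: The new `@{sys}/devices/**/usb[0-9]/{,**} r,` in losetup grants read access to the entire USB sysfs subtree, which has no obvious relation to loop devices and replaces the narrower `@{sys}/devices/virtual/block/loop@{int}/{,**} r,`; if a USB-backed image triggered a denial, the log path should be pinned rather than the whole tree opened. Style: `/dev/loop[0-9]* rw,` and `usb[0-9]` use raw bracket globs where the rest of the set uses the `@{int}` variable; `/dev/loop@{int} rw,` keeps the file consistent and avoids matching `/dev/loop-control` variants by accident.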
@@ -1,47 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that -# does attach @{bin}/lsb_release. - -abi , - -include - -@{exec_path} = @{bin}/lsb_release -profile lsb-release @{exec_path} flags=(attach_disconnected) { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/ r, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/getopt rix, - @{bin}/head rix, - @{bin}/sed rix, - @{bin}/tr rix, - - #aa:only apt - @{bin}/dpkg-query px, - - @{etc_ro}/ r, - @{etc_ro}/*-release r, - @{etc_ro}/lsb-release r, - @{etc_ro}/lsb-release.d/{,*} r, - - # file_inherit - deny /opt/*/** r, - deny owner @{user_config_dirs}/*/** r, - deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/profiles-g-l/lsblk similarity index 83% rename from apparmor.d/groups/utils/lsblk rename to apparmor.d/profiles-g-l/lsblk index 6fc1d5bb2..56aad52b8 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lsblk -profile lsblk @{exec_path} flags=(attach_disconnected) { +profile lsblk @{exec_path} { include include include @@ -27,7 +27,6 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/utils/lscpu b/apparmor.d/profiles-g-l/lscpu similarity index 98% rename from apparmor.d/groups/utils/lscpu rename to apparmor.d/profiles-g-l/lscpu index caa2b5628..804e67632 100644 
--- a/apparmor.d/groups/utils/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs index 2e3a20ad0..e5b6ff750 100644 --- a/apparmor.d/profiles-g-l/lsinitramfs +++ b/apparmor.d/profiles-g-l/lsinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/profiles-g-l/lspci similarity index 76% rename from apparmor.d/groups/utils/lspci rename to apparmor.d/profiles-g-l/lspci index c6ac0fdcd..0d6936d22 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,14 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability dac_read_search, capability sys_admin, - network inet dgram, - network inet6 dgram, - @{exec_path} mr, + /app/lib/libzypak-preload-host*.so rm, + /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, @@ -32,22 +30,17 @@ profile lspci @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw, owner @{HOME}/.pciids-cache rw, - owner @{user_cache_dirs}/pci-ids rw, @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, - @{PROC}/bus/pci/devices r, @{PROC}/cmdline r, @{PROC}/ioports r, - # file_inherit - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_cache_dirs}/*/** rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } 
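Review bot: In the lspci hunk `@@ -13,14 +13,12 @@`, `/app/lib/libzypak-preload-host*.so rm,` allows an executable mapping of a library from the flatpak `/app` tree — content supplied by whichever app launched lspci — in a profile that still holds `capability sys_admin`. If this is only to let a sandboxed app's LD_PRELOAD shim load, say so next to the rule (`# zypak LD_PRELOAD shim when run from a flatpak`) and consider whether lspci inside a flatpak should transition to a less privileged profile instead of sharing this one. The rest of the profile is outside this hunk.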
diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/profiles-g-l/lsusb similarity index 70% rename from apparmor.d/groups/usb/lsusb rename to apparmor.d/profiles-g-l/lsusb index a10659292..eadda4785 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/profiles-g-l/lsusb @@ -3,18 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py +@{exec_path} = @{bin}/lsusb profile lsusb @{exec_path} { include include - include - - capability net_admin, - capability sys_admin, + include network netlink raw, @@ -22,8 +19,6 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, - /dev/bus/usb/@{int}/@{int} w, - include if exists } diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/profiles-g-l/lvm similarity index 88% rename from apparmor.d/groups/filesystem/lvm rename to apparmor.d/profiles-g-l/lvm index ad4645bff..0bd6ef2e8 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/lvm +@{exec_path} = @{bin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include @@ -23,14 +23,12 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), - mqueue getattr type=posix /, - mqueue r type=posix /, + # mqueue r type=posix /, @{exec_path} rm, @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, - /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, @@ -49,7 +47,6 @@ profile lvm @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control rw, - /dev/root r, include if exists } diff --git a/apparmor.d/groups/filesystem/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig similarity index 88% rename from apparmor.d/groups/filesystem/lvmconfig rename to apparmor.d/profiles-g-l/lvmconfig index 39224c22f..f38bd6780 100644 --- a/apparmor.d/groups/filesystem/lvmconfig 
+++ b/apparmor.d/profiles-g-l/lvmconfig @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/lvmconfig +@{exec_path} = @{bin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmdump b/apparmor.d/profiles-g-l/lvmdump similarity index 88% rename from apparmor.d/groups/filesystem/lvmdump rename to apparmor.d/profiles-g-l/lvmdump index 5e90ffeee..9dbe000f7 100644 --- a/apparmor.d/groups/filesystem/lvmdump +++ b/apparmor.d/profiles-g-l/lvmdump @@ -2,11 +2,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/lvmdump +@{exec_path} = @{bin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld similarity index 85% rename from apparmor.d/groups/filesystem/lvmpolld rename to apparmor.d/profiles-g-l/lvmpolld index cce01b0d0..7a4bc90b3 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -2,18 +2,18 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/lvmpolld +@{exec_path} = @{bin}/lvmpolld profile lvmpolld @{exec_path} { include include include @{exec_path} rm, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index a7c3a2177..a400ef80c 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance 
@@ -3,38 +3,66 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/lxappearance profile lxappearance @{exec_path} { include - include + include + include + include + include @{exec_path} mr, - @{bin}/dbus-launch Cx -> bus, - @{bin}/dbus-send Cx -> bus, + # When lxappearance is run as root, it wants to exec dbus-launch, and hence it creates the two + # following root processes: + # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr + # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session + # + # Should this be allowed? Lxappearance works fine without this. + #@{bin}/dbus-launch rCx -> dbus, + #@{bin}/dbus-send rCx -> dbus, + deny @{bin}/dbus-launch rx, + deny @{bin}/dbus-send rx, /usr/share/lxappearance/{,**} r, + owner @{HOME}/.themes/{,**} r, + owner @{HOME}/.icons/{,**} rw, + + owner @{HOME}/.gtkrc-2.0{,.*} rw, + owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw, + + /etc/X11/cursors/*.theme r, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - + # file_inherit owner /dev/tty@{int} rw, - profile bus { - include - include - include if exists + profile dbus { + include + include + + @{bin}/dbus-launch mr, + @{bin}/dbus-send mr, + @{bin}/dbus-daemon rPUx, + + # for dbus-launch + owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, + + @{HOME}/.Xauthority r, } include if exists diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a9613e7c1..143472569 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
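Review bot: The `dbus` child profile is unreachable on the new side: both `rCx -> dbus` transitions are commented out and replaced by `deny @{bin}/dbus-launch rx,` / `deny @{bin}/dbus-send rx,`, so the subprofile is dead policy that still carries an unconfined fallback (`@{bin}/dbus-daemon rPUx,`). Either drop the subprofile until the open question in the comment is settled, or, if it is re-enabled, prefer `@{bin}/dbus-daemon rPx,` so a missing dbus-daemon profile fails closed instead of running a session bus unconfined from a root lxappearance. The comment itself should record the decision ("dbus-launch is denied on purpose; see ...") rather than leave the question open. The profile's closing brace is outside the hunk.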
@@ -23,7 +23,7 @@ profile lynx @{exec_path} { @{exec_path} mr, @{sh_path} rix, - + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, @@ -33,7 +33,8 @@ profile lynx @{exec_path} { /etc/mailcap r, /etc/mime.types r, - owner @{tmp}/lynxXXXX*/{,**} rw, + owner @{tmp}/lynxXXXX*/ rw, + owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks deleted file mode 100644 index 89a57310f..000000000 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ /dev/null 
@@ -1,97 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** -profile initramfs-hooks @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/cpio ix, - @{bin}/dpkg Px, - @{bin}/fc-cache ix, - @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, - @{bin}/plymouth Px, - @{bin}/update-alternatives Px, - @{lib}/dracut/dracut-install Px, - @{lib}/initramfs-tools/bin/busybox ix, - @{lib}/klibc/bin/fstype ix, - @{sbin}/blkid Px, - @{sbin}/cryptsetup PUx, - @{sbin}/dmsetup Px, - @{sbin}/iucode_tool ix, - /usr/share/mdadm/mkconf Px, - - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/ r, - @{lib}/** mr, - - /usr/share/*/initramfs/{,**} r, - /usr/share/initramfs-tools/{,**} r, - /usr/share/plymouth/{,**} r, - - /etc/console-setup/{,**} r, - /etc/cryptsetup-initramfs/{,**} r, - /etc/crypttab r, - /etc/default/* r, - /etc/fstab r, - /etc/iscsi/*.iscsi r, - /etc/lvm/{,**} r, - /etc/mdadm/mdadm.conf r, - /etc/systemd/network/{,**} r, - /etc/udev/{,**} r, - - / r, - @{efi}/config-* r, - - /var/tmp/ r, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - @{sys}/firmware/efi/efivars/ r, - - @{PROC}/@{pid}/mounts r, - @{PROC}/cmdline r, - @{PROC}/swaps r, - - 
profile ldd { - include - include - include - - @{bin}/* mr, - @{sbin}/* mr, - - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts deleted file mode 100644 index d280c145a..000000000 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** -profile initramfs-scripts @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{sbin}/blkid Px, - @{bin}/dd ix, - @{bin}/debconf-escape Px, - @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, - @{bin}/plymouth Px, - @{bin}/update-alternatives Px, - @{lib}/dracut/dracut-install Px, - @{lib}/initramfs-tools/bin/busybox Px, - /usr/share/mdadm/mkconf Px, - - /usr/share/initramfs-tools/{,**} r, - - /etc/cryptsetup-initramfs/{,**} r, - /etc/crypttab r, - /etc/default/console-setup r, - /etc/fstab r, - /etc/initramfs-tools/{,**} r, - /etc/mdadm/mdadm.conf r, - /etc/udev/rules.d/{,**} r, - - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - - profile ldd { - include - include - - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger index c3e0c0556..8f4efc921 100644 --- a/apparmor.d/profiles-m-r/macchanger +++ b/apparmor.d/profiles-m-r/macchanger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index c60325742..aa0195853 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 551a6fec0..beeba50e8 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -3,12 +3,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} { +profile mandb @{exec_path} flags=(complain) { include include include @@ -17,11 +17,12 @@ profile mandb @{exec_path} { @{exec_path} mr, - @{bin}/bzip2 rix, - /etc/man_db.conf r, /etc/manpath.config r, + /var/cache/man/ r, + /var/cache/man/** rwk, + /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -29,10 +30,7 @@ profile mandb @{exec_path} { /usr/{,share/}man/{,**} r, /usr/local/{,share/}man/{,**} r, - /usr/share/**/man/man@{u8}/*.@{int}.gz r, - - owner /var/cache/man/ rw, - owner /var/cache/man/** rwk, + /usr/share/**/man/man@{int}/*.@{int}.gz r, owner @{user_share_dirs}/man/** rwk, diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon index 19b0c7fba..871434151 100644 --- a/apparmor.d/profiles-m-r/mate-notification-daemon +++ b/apparmor.d/profiles-m-r/mate-notification-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm deleted file mode 100644 index b0397eb8d..000000000 --- a/apparmor.d/profiles-m-r/mdadm +++ /dev/null 
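Review bot: `profile mandb @{exec_path} flags=(complain)` turns this profile into log-only: nothing below it is enforced, so the rule changes in the same file have no effect on what mandb can actually do. If the new rules (`/var/cache/man/** rwk,` and friends) are believed complete, drop the flag; if not, add a comment saying the profile is intentionally in complain mode so it is not shipped that way by accident. The hunk also drops `owner` from `/var/cache/man/` and `/var/cache/man/**`; the cache is presumably written by the invoking user (root or the man user), so `owner /var/cache/man/** rwk,` was the tighter form and the widening deserves a one-line justification.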
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability sys_admin, - capability mknod, - capability net_admin, - - network netlink raw, - - mqueue (read getattr) type=posix /, - - @{exec_path} mr, - - @{sh_path} rix, - @{sbin}/sendmail rPUx, - - /etc/{,mdadm/}mdadm.conf r, - /etc/{,mdadm/}mdadm.conf.d/* r, - - @{run}/initctl r, - @{run}/mdadm/* rwk, - - /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - - @{sys}/bus/pci/drivers/*/ r, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/device r, - @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/virtual/block/md*/** rw, - @{sys}/module/md_mod/** rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/cmdline r, - @{PROC}/kcore r, - @{PROC}/partitions r, - @{PROC}/mdstat rw, - - /dev/**/ r, - /dev/.tmp.md.* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf deleted file mode 100644 index 120138905..000000000 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/mdadm/mkconf -profile mdadm-mkconf @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/date ix, - @{bin}/cat ix, - @{bin}/sed ix, - @{sbin}/mdadm Px, - - /etc/default/mdadm r, - /etc/mdadm/mdadm.conf r, - - / r, - - /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 408947c83..a2631c768 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -2,14 +2,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include - include @{exec_path} mr, @@ -19,6 +18,8 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo index c3333b860..bb7c2d59b 100644 --- a/apparmor.d/profiles-m-r/mediainfo +++ b/apparmor.d/profiles-m-r/mediainfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 5a723d002..4648d4ddf 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,29 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open-browsers, + @{bin}/xdg-open rCx -> open, + + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + @{lib}/firefox/firefox rPx, + + owner @{HOME}/ r, + owner @{run}/user/@{uid}/ r, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } include if exists } diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync index 3796c2b75..236041778 100644 --- a/apparmor.d/profiles-m-r/megasync +++ b/apparmor.d/profiles-m-r/megasync 
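Review bot: `@{PROC}/@{pids}/maps r,` grants mdevctl read access to the memory map of every process on the system, not just its own; `/proc/<pid>/maps` exposes load addresses and mapped paths, which is exactly the information ASLR is meant to hide. Unless mdevctl has been observed reading other processes' maps, narrow it to `owner @{PROC}/@{pid}/maps r,` and, if the wide form really is needed, add a comment naming the code path that needs it. The `include` removed earlier in the same file has its argument stripped on this page, so I cannot tell whether that abstraction previously covered this path.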
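Review bot: The new `open` child profile in mediainfo-gui hardcodes `@{lib}/firefox/firefox rPx,` as the only browser xdg-open may launch and ends without a local override include, so any user whose default browser is not Firefox gets a silent denial with no drop-in to fix it. The removed `@{open_path} rPx -> child-open-browsers,` delegated this choice to a shared child profile; if the local subprofile is kept, add `include if exists <local/mediainfo-gui_open>` before its closing brace and cover the other browser paths the shared profile handled. There is also a stray double blank line after `@{bin}/xdg-open rCx -> open,`.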
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester index aeb26d004..506892f0e 100644 --- a/apparmor.d/profiles-m-r/memtester +++ b/apparmor.d/profiles-m-r/memtester @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor index e43460210..739d18e2f 100644 --- a/apparmor.d/profiles-m-r/merkaartor +++ b/apparmor.d/profiles-m-r/merkaartor @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 808427d85..142ccb78a 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner 
@@ -2,40 +2,46 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include + include + include + include include include include include @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{bin}/bwrap Cx -> bwrap, - @{open_path} Px -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, + /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, + /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, /etc/mime.types r, - owner @{tmp}/@{hex64}.* rw, + owner @{tmp}/@{hex64}.png r, + owner @{tmp}/@{hex64}.png w, owner @{tmp}/@{rand8} rw, - owner @{tmp}/tmp@{word8} rw, - owner @{tmp}/tmp@{word8}/{,**} rw, + owner @{tmp}/tmp@{rand4}_*/{,**} rw, + owner @{tmp}/tmp@{rand8}/{,**} rw, @{run}/mount/utab r, - owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/mountinfo r, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -45,7 +51,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal receive set=(kill) peer=metadata-cleaner, + signal (receive) set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 32950dbc4..da56703c3 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype 
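Review bot: `owner @{tmp}/@{hex64}.png r,` and `owner @{tmp}/@{hex64}.png w,` are the same path on two lines; AppArmor merges permissions for identical rules, so this is equivalent to but less readable than `owner @{tmp}/@{hex64}.png rw,`. The rest of the hunk already uses combined modes (`rw`, `rwk`), so the split form reads like a leftover from log-driven profiling and should be folded into one rule.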
@@ -3,20 +3,30 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype +@{exec_path} = @{bin}/mimetype profile mimetype @{exec_path} { include - include include @{exec_path} r, + /usr/bin/perl r, + + /usr/share/mime/**.xml r, + /usr/share/mime/globs r, + /usr/share/mime/aliases r, + /usr/share/mime/magic r, + + owner @{user_share_dirs}/mime/**.xml r, + owner @{user_share_dirs}/mime/globs r, + owner @{user_share_dirs}/mime/aliases r, + owner @{user_share_dirs}/mime/magic r, # To read files - owner /** r, #aa:lint ignore=too-wide + /** r, include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index ce8380261..4d4d26655 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -30,7 +30,9 @@ profile minitube @{exec_path} { @{exec_path} mr, - @{bin}/xdg-screensaver rPx, + # Be able to turn off the screensaver while playing movies + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + @{open_path} rPx -> child-open, /usr/share/minitube/{,**} r, @@ -67,6 +69,31 @@ profile minitube @{exec_path} { /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, + profile xdg-screensaver { + include + include + + @{bin}/xdg-screensaver mr, + + @{sh_path} rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xset rix, + @{bin}/xautolock rix, + @{bin}/dbus-send rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card@{int} rw, + network inet stream, + network inet6 stream, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index bf6c55093..267fb9d1a 100644 --- a/apparmor.d/profiles-m-r/mission-control 
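Review bot: Dropping `owner` from `/** r,` (together with the `#aa:lint ignore=too-wide` marker that flagged it) lets mimetype read every file on the system that DAC permits, including other users' files and any world-readable secrets, where before it was limited to files the invoking user owns. mimetype only needs to read the file it is classifying, which is normally the user's own; if cross-user reads are required by some caller, keep the lint marker and say why, otherwise restore `owner /** r, #aa:lint ignore=too-wide`. `/usr/bin/perl r,` also bypasses the `@{bin}` variable the rest of the file uses; `@{bin}/perl r,` keeps the rule correct on both merged-/usr and split layouts.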
+++ b/apparmor.d/profiles-m-r/mission-control @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,22 +10,21 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include - include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, - owner @{user_cache_dirs}/.mc_connections rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert deleted file mode 100644 index 3ae643e1d..000000000 --- a/apparmor.d/profiles-m-r/mkcert +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/mkcert -profile mkcert @{exec_path} { - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{bin}/certutil rix, - @{bin}/rm rix, - @{bin}/sudo rix, - @{bin}/tee rix, - @{bin}/trust rix, - @{bin}/update-ca-trust rPx, - - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db{,-journal} rwk, - - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - - owner @{user_share_dirs}/mkcert/{,**} rw, - - owner @{PROC}/@{pids}//cgroup r, - - include if exists -} - -# vim:syntax=apparmor 
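Review bot: `@{run}/systemd/inhibit/[0-9]*.ref rw,` replaces `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` while the profile keeps `flags=(attach_disconnected)`; the `@{att}` prefix is what lets a rule match a path that the kernel reports as disconnected, so if the inhibit fd is reached that way the new rule would presumably no longer match (hedged: this depends on how the fd is passed to mission-control). Confirm against an audit log before dropping the prefix; and if it was unnecessary, `@{int}` is the established variable for a numeric name, so `[0-9]*` is a needless divergence. The hunk also removes an `include` whose argument is not visible on this page.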
diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/profiles-m-r/mke2fs similarity index 79% rename from apparmor.d/groups/filesystem/mke2fs rename to apparmor.d/profiles-m-r/mke2fs index 90df8ecb1..038de3c73 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 +@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 profile mke2fs @{exec_path} { include - include include include @@ -20,7 +19,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{sbin}/badblocks rPx, + @{bin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, @@ -35,8 +34,6 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, - @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs similarity index 92% rename from apparmor.d/groups/filesystem/mkfs-btrfs rename to apparmor.d/profiles-m-r/mkfs-btrfs index 54c83e559..237fc8006 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mkfs.btrfs +@{exec_path} = @{bin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat similarity index 97% rename from apparmor.d/groups/filesystem/mkfs-fat rename to apparmor.d/profiles-m-r/mkfs-fat index 1aba124ae..d7f7a1cc9 100644 --- a/apparmor.d/groups/filesystem/mkfs-fat +++ b/apparmor.d/profiles-m-r/mkfs-fat 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index d94e5aa44..692d79184 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -4,11 +4,11 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mkinitramfs +@{exec_path} = @{bin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -19,10 +19,11 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, + @{bin}/ r, + @{lib}/ r, + @{lib}64/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -33,7 +34,6 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, - @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, 
@@ -43,43 +43,36 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, - @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, - @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, - @{bin}/uname rix, - @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, @{lib}/dracut/dracut-install rix, - @{sbin}/blkid rPx, + @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{sbin}/ldconfig rCx -> ldconfig, + @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - @{lib}/initramfs-tools/hooks/** rPx, - /etc/initramfs-tools/hooks/** rPx, - /etc/initramfs-tools/scripts/** rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + # What to do with it? (#FIXME#) + /usr/share/initramfs-tools/hooks/* rPUx, + /usr/share/initramfs-tools/scripts/*/* rPUx, + /etc/initramfs-tools/hooks/* rPUx, + /etc/initramfs-tools/scripts/*/* rPUx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, - /etc/xattr.conf r, - # For shell pwd / r, /etc/ r, 
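Review bot: `/usr/share/initramfs-tools/hooks/* rPUx,` and its three sibling lines (`scripts/*/*` and the `/etc/initramfs-tools/` variants) fall back to unconfined whenever no matching profile is loaded, and this same commit deletes `initramfs-hooks` and `initramfs-scripts`, so on the new side every hook and script — root-run code that also lives under the admin-writable `/etc/initramfs-tools/` — executes with no AppArmor confinement at all; the `(#FIXME#)` comment acknowledges an open question but does not record that consequence. If the dedicated profiles are gone on purpose, say so in the comment and prefer `rPx` with per-hook profiles, or `rix` to keep the hooks under this profile, rather than `PUx`. Note also that the new globs (`hooks/*`, `scripts/*/*`) are narrower than the old `**`, so a hook nested one directory deeper is now denied rather than run.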
@@ -87,61 +80,34 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - @{efi}/ r, - owner @{efi}/config-* r, - owner @{efi}/initrd.img-*.new rw, + /boot/ r, + owner /boot/initrd.img-*.new rw, + owner /boot/config-* r, - owner /var/lib/kdump/initramfs-tools/** rw, - owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, + owner /var/tmp/mkinitramfs_*/ rw, + owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, + /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, + owner /var/tmp/mkinitramfs-* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6}/ rw, - /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - /var/tmp/mkinitramfs-@{rand6} rw, - /var/tmp/mkinitramfs-*_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - @{sys}/bus/ r, - @{sys}/bus/*/drivers/ r, - @{sys}/devices/ r, - @{sys}/devices/**/ r, - @{sys}/devices/**/modalias r, - @{sys}/devices/**/uevent r, - @{sys}/module/compression r, - @{sys}/module/firmware_class/parameters/path r, - @{sys}/class/ r, - @{sys}/class/*/ r, - - @{sys}/bus/platform/drivers/simple-framebuffer/ r, - - @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/modules r, - owner @{PROC}/@{pid}/fd/ r, profile ldd { include include include - @{sh_path} rix, + @{bin}/ldd mr, + + @{sh_path} rix, + @{bin}/kmod mr, + @{lib}/initramfs-tools/bin/* mr, + @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/** mr, - include if exists } 
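Review bot: `/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,` is the one rule in the `/var/tmp` group without `owner`, and `mkinitramfs_*` is a plain glob rather than the `@{rand6}` mktemp suffix used on the old side. `/var/tmp` is world-writable, so an unprivileged local user can pre-create `/var/tmp/mkinitramfs_anything/usr/lib/modules/x/`; with the non-owner rule, a root-run mkinitramfs is permitted to write into such a tree, whereas the owner-qualified sibling rules would refuse. Unless a case was observed where that file is not owned by the invoking user, make it `owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,` and consider restoring `@{rand6}` for the suffix. The `ldd` subprofile is complete within the hunk; the outer profile's closing brace is not.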
@@ -151,34 +117,55 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{sbin}/ldconfig mr, + @{bin}/ldconfig mr, @{sh_path} rix, - @{sbin}/ldconfig.real rix, + @{bin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r, + owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r, + + owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r, + owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r, + owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw, + owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw, + + owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw, + + owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw, + owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw, include if exists } + profile find { + include + include + + @{bin}/find mr, + + # pwd dir + / r, + /etc/ r, + /root/ r, + + /usr/share/initramfs-tools/scripts/{,**/} r, + /etc/initramfs-tools/scripts/{,**/} r, + + owner /var/tmp/mkinitramfs_*/{,**/} r, + + include if exists + } + profile kmod { include include - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, - - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, - - @{sys}/module/compression r, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, + owner 
/var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r, + owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r, include if exists } diff --git a/apparmor.d/groups/filesystem/mkntfs b/apparmor.d/profiles-m-r/mkntfs similarity index 97% rename from apparmor.d/groups/filesystem/mkntfs rename to apparmor.d/profiles-m-r/mkntfs index 5141c5385..ccfa5f4ed 100644 --- a/apparmor.d/groups/filesystem/mkntfs +++ b/apparmor.d/profiles-m-r/mkntfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi deleted file mode 100644 index f6489a501..000000000 --- a/apparmor.d/profiles-m-r/mkosi +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is large on purpose: -# - It is required to have a profile for mkosi to allow userns. -# - Mkosi uses a lot of different binaries and scripts inside sandbox. -# - Using the unconfined flag would Pix everything, we do not want that as the -# transitioned profile would have to account for mkosi paths too. - -abi , - -include - -@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi -profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - - all, - userns, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/profiles-m-r/mkswap similarity index 92% rename from apparmor.d/groups/filesystem/mkswap rename to apparmor.d/profiles-m-r/mkswap index fa30030f3..4c732c2c6 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/profiles-m-r/mkswap 
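Review bot: The `kmod` child profile's last rule narrows `*.ko*` to `*.ko` (`owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,`), so compressed modules (`.ko.zst`, `.ko.xz`, `.ko.gz`), which some distribution kernels ship, would be denied when depmod scans the staging tree; that surfaces as a broken initramfs rather than an obvious policy error. Unless the narrowing is deliberate, keep `*.ko*` (or `*.ko{,.zst,.xz,.gz}` for precision). The hunk also drops `@{sys}/module/compression r,`, which kmod presumably consults to decide on module compression — confirm it is really unused before removing it. The diff line starting with `owner` is split across two page lines here; that is a rendering artifact, not a change.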
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mkswap +@{exec_path} = @{bin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge index a13a22e7ed..22251b87e 100644 --- a/apparmor.d/profiles-m-r/mkvmerge +++ b/apparmor.d/profiles-m-r/mkvmerge @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 4e0ace19a..595a24666 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -3,22 +3,26 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include + include + include + include + include include + include include include - include include include + include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate index f54b2f047..08fdee129 100644 --- a/apparmor.d/profiles-m-r/mlocate +++ b/apparmor.d/profiles-m-r/mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 90bf73cf3..29125f192 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -17,9 +17,9 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/{m,g,}awk rix, + @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, @@ -28,10 +28,9 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, - /usr/share/modprobed-db/** r, /usr/share/terminfo/** r, - owner @{user_config_dirs}/modprobed-db.conf rw, + owner @{user_config_dirs}/modprobed-db.conf r, owner @{user_config_dirs}/modprobed.db rw, owner @{tmp}/.inmem rw, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index 281be7e0d..d75a5092b 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -36,7 +36,7 @@ profile molly-guard @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 6cbef400b..cb220a7b6 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -3,18 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include - include include + include + include + include capability net_admin, capability chown, 
@@ -29,76 +28,80 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace read, + ptrace (read), - signal receive set=(hup) peer=logroate, + signal (receive) set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/cat ix, - @{bin}/df ix, - @{bin}/free ix, - @{bin}/getconf ix, - @{bin}/ps Px, - @{bin}/sensors Px, - @{bin}/tail ix, - @{bin}/who Px, - @{sbin}/lvm Px, - @{sbin}/ss Px, - @{sbin}/xtables-nft-multi ix, + @{bin}/{,e}grep rix, + @{bin}/df rix, + @{bin}/cat rix, + @{bin}/tail rix, + @{bin}/{m,g,}awk rix, + @{bin}/free rix, + @{bin}/ss rix, + @{bin}/who rix, + @{bin}/lvm rix, + @{bin}/xtables-nft-multi rix, + @{bin}/sensors rix, + @{bin}/getconf rix, + @{bin}/ps rix, - /var/lib/monitorix/www/cgi/monitorix.cgi ix, - - /etc/monitorix/{,**} r, - - /var/lib/monitorix/ rw, - /var/lib/monitorix/** rwk, + /etc/monitorix/monitorix.conf r, + /etc/monitorix/conf.d/ r, + /etc/monitorix/conf.d/@{int2}-*.conf r, /var/log/monitorix w, /var/log/monitorix-* w, - /srv/http/monitorix/ rw, - /srv/http/monitorix/** rwk, + owner @{run}/monitorix.pid w, + + /var/lib/monitorix/*.rrd* rwk, + /var/lib/monitorix/www/** rw, + /var/lib/monitorix/www/cgi/monitorix.cgi rwix, / r, /tmp/ r, + /etc/shadow r, - owner @{run}/monitorix.pid w, + /dev/tty r, @{run}/utmp rk, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/class/hwmon/ r, - @{sys}/devices/**/thermal*/{,**} r, - @{sys}/devices/**/hwmon*/{,**} r, - @{PROC}/ r, - @{PROC}/@{pid}/net/dev r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/diskstats r, - @{PROC}/interrupts r, - @{PROC}/loadavg r, @{PROC}/swaps r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + @{PROC}/interrupts r, @{PROC}/sys/fs/dentry-state r, 
@{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inode-nr r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/net/ip6_tables_names r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/class/hwmon/ r, + @{sys}/devices/**/thermal*/{,**} r, + @{sys}/devices/**/hwmon*/{,**} r, + + /etc/sensors3.conf r, + /etc/sensors.d/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen index bdaafd9c8..e010a83d7 100644 --- a/apparmor.d/profiles-m-r/mono-sgen +++ b/apparmor.d/profiles-m-r/mono-sgen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd deleted file mode 100644 index de742b2c9..000000000 --- a/apparmor.d/profiles-m-r/motd +++ /dev/null 
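Review bot: The new side of the monitorix hunk moves `@{bin}/ps`, `@{bin}/sensors`, `@{bin}/who`, `@{bin}/lvm` and `@{bin}/ss` from `Px` to `rix`, so those tools now run with monitorix's own permission set, which in the same hunk gains `/etc/shadow r,`, instead of under their dedicated profiles; keeping `Px` for the ones that have a profile, and a one-line comment above `/etc/shadow r,` stating which check needs it, would preserve the earlier separation. `/var/lib/monitorix/www/cgi/monitorix.cgi rwix,` together with `/var/lib/monitorix/www/** rw,` leaves the CGI both writable and inline-executable by the confined process (the old side had the same effect via `/var/lib/monitorix/** rwk,`), so the commit does not address it; if the daemon only writes generated content under www/, narrowing the writable glob to that subtree and keeping the CGI at `rix` removes the write-then-execute path. `peer=logroate` in the signal rule is unchanged on both sides and looks like a typo for `logrotate`; as written it would not match a profile of that name.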
@@ -1,102 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/update-motd.d/* -profile motd @{exec_path} { - include - include - include - - capability net_admin, - - network inet6 stream, - network inet6 stream, - - @{exec_path} mr, - @{bin}/ r, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/cloud-id rix, - @{bin}/systemctl rCx -> systemctl, - @{bin}/hostname rPx, - @{bin}/snap rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{bin}/wget rCx -> wget, - - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - /etc/wgetrc r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - /var/lib/cloud/instances/nocloud/cloud-config.txt r, - - /tmp/tmp.@{rand10} rw, - - @{run}/cloud-init/cloud.cfg r, - @{run}/motd.d/{,*} r, - @{run}/motd.dynamic.new rw, - @{run}/reboot-required r, - - @{PROC}/@{pids}/mounts r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - - /dev/tty@{int} rw, - - profile wget { - include - include - include - - capability net_admin, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - - /etc/wgetrc r, - - /tmp/tmp.@{rand10} rw, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - - @{run}/systemd/private rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/filesystem/mount b/apparmor.d/profiles-m-r/mount similarity index 97% rename from apparmor.d/groups/filesystem/mount rename to apparmor.d/profiles-m-r/mount index f8616cd88..f122b8f27 100644 --- a/apparmor.d/groups/filesystem/mount +++ b/apparmor.d/profiles-m-r/mount @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,7 +14,7 @@ profile mount @{exec_path} flags=(attach_disconnected) { include include include - + capability chown, capability dac_read_search, capability setgid, @@ -49,6 +49,7 @@ profile mount @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, @{MOUNTS}/*/*/ rw, + /media/cdrom[0-9]/ r, # Mount iso/img files owner @{user_img_dirs}/{,**} rwk, diff --git a/apparmor.d/groups/filesystem/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs similarity index 67% rename from apparmor.d/groups/filesystem/mount-cifs rename to apparmor.d/profiles-m-r/mount-cifs index a6c8d01e3..bbadcc7e0 100644 --- a/apparmor.d/groups/filesystem/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs 
@@ -3,56 +3,46 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mount.cifs +@{exec_path} = @{bin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include - include include + # To mount anything. capability sys_admin, - capability setpcap, - capability dac_read_search, - network inet dgram, + # (#FIXME#) + capability setpcap, + network inet stream, - network inet6 dgram, network inet6 stream, network netlink raw, - mount fstype=cifs -> @{HOME}/*/, - mount fstype=cifs -> @{HOME}/*/*/, - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - mount fstype=cifs -> @{MOUNTS}/*/*/, - - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - @{exec_path} mr, @{bin}/systemd-ask-password rPUx, /etc/fstab r, - /etc/sync-credentials r, owner @{HOME}/.smbcredentials r, # Mount points - @{HOME}/*/ r, - @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, + + # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, include if exists } diff --git a/apparmor.d/groups/filesystem/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs similarity index 94% rename from apparmor.d/groups/filesystem/mount-nfs rename to apparmor.d/profiles-m-r/mount-nfs index f670b62d7..698f350ce 100644 --- a/apparmor.d/groups/filesystem/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/mount.nfs +@{exec_path} = @{bin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include 
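Review bot: The `# (#FIXME#)` placed above `capability setpcap,` in mount-cifs records no reason for the capability, which is the one a reader most needs since the rest of the block narrows the profile (it drops `capability dac_read_search,` and the `@{HOME}/*/` mount and umount rules); replace it with the observed need, e.g. `# setpcap: <denial observed in audit log — TODO confirm>`, or drop the capability if no denial is seen. The profile stays `flags=(complain)`, so the removed home-directory mount rules surface only as audit entries until the profile is switched to enforce; that intended restriction to `@{MOUNTDIRS}` and `@{MOUNTS}` is worth stating in the comment that already introduces the mount rules.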
@@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{sbin}/start-statd rix, + @{bin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, @@ -64,7 +64,7 @@ profile mount-nfs @{exec_path} flags=(complain) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/filesystem/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs similarity index 98% rename from apparmor.d/groups/filesystem/mount-zfs rename to apparmor.d/profiles-m-r/mount-zfs index 552f96b05..bc47f0a30 100644 --- a/apparmor.d/groups/filesystem/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd index 89b66253a..14a6c4acf 100644 --- a/apparmor.d/profiles-m-r/mpd +++ b/apparmor.d/profiles-m-r/mpd @@ -4,7 +4,7 @@ # Copyright (C) 2023 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy deleted file mode 100644 index 3a5dfffb6..000000000 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/mpris-proxy -profile mpris-proxy @{exec_path} { - include - include - include - include - - #aa:dbus own bus=session name=org.mpris.MediaPlayer2 - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index a66fc287f..46f239fce 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,10 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 3d044049e..1629176dd 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -3,14 +3,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include - include + include include include include @@ -32,7 +32,8 @@ profile mpv @{exec_path} { @{exec_path} mr, - @{bin}/xdg-screensaver Px, + @{bin}/xdg-screensaver rCx -> xdg-screensaver, + @{bin}/youtube-dl rPx, @{bin}/yt-dlp rPx, @@ -76,14 +77,34 @@ profile mpv @{exec_path} { @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, /dev/input/event@{int} r, owner /dev/tty@{int} rw, + profile xdg-screensaver { + include + include + + @{bin}/xdg-screensaver mr, + + @{sh_path} rix, + @{bin}/mv rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/which{,.debianutils} rix, + @{bin}/xset rix, + @{bin}/xautolock rix, + @{bin}/dbus-send rix, + @{bin}/xscreensaver-command rix, + + owner @{HOME}/.Xauthority r, + + # file_inherit + /dev/dri/card@{int} rw, + network inet stream, + network inet6 stream, + } + include if exists } 
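Review bot: The new `profile xdg-screensaver` child in mpv ends without the `include if exists` local-override line that every other child profile on this page carries (molly-guard's and mount-nfs's `systemctl` children both have one), so an administrator cannot extend it without editing the shipped file; add the project's usual `include if exists` line for the child before its closing brace. `@{bin}/dbus-send rix,` and `@{bin}/xscreensaver-command rix,` run inline with the child's access set rather than under their own profiles; a short comment saying that this is deliberate for a helper script would make the choice reviewable later.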
diff --git a/apparmor.d/groups/filesystem/mtools b/apparmor.d/profiles-m-r/mtools similarity index 98% rename from apparmor.d/groups/filesystem/mtools rename to apparmor.d/profiles-m-r/mtools index 5fea49231..75c95fffd 100644 --- a/apparmor.d/groups/filesystem/mtools +++ b/apparmor.d/profiles-m-r/mtools @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr index 4ff851662..5b341d8f5 100644 --- a/apparmor.d/profiles-m-r/mtr +++ b/apparmor.d/profiles-m-r/mtr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet index d771c58ec..4bf15b7d5 100644 --- a/apparmor.d/profiles-m-r/mtr-packet +++ b/apparmor.d/profiles-m-r/mtr-packet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index bc20a0f9a..db29113ce 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -2,24 +2,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include - include @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - - @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit 
diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath
index 588f4b6b1..918e5a0c2 100644
--- a/apparmor.d/profiles-m-r/multipath
+++ b/apparmor.d/profiles-m-r/multipath
@@ -2,11 +2,11 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/multipath
+@{exec_path} = @{bin}/multipath
 profile multipath @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -27,7 +27,6 @@ profile multipath @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/class/ r,
- @{sys}/module/*/parameters/multipath r,
 @{PROC}/devices r,
 @{PROC}/sys/fs/nr_open r,
diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd
index bbb6a87a6..510fb3417 100644
--- a/apparmor.d/profiles-m-r/multipathd
+++ b/apparmor.d/profiles-m-r/multipathd
@@ -2,11 +2,11 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/multipathd
+@{exec_path} = @{bin}/multipathd
 profile multipathd @{exec_path} {
 include
 include
@@ -20,8 +20,7 @@ profile multipathd @{exec_path} {
 network netlink raw,
- unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
- unix type=stream addr=@/org/kernel/linux/storage/multipathd,
+ unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble
index a85eb6790..879d2b9bf 100644
--- a/apparmor.d/profiles-m-r/mumble
+++ b/apparmor.d/profiles-m-r/mumble
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -30,7 +30,7 @@ profile mumble @{exec_path} {
 @{exec_path} mrix,
- @{bin}/lsb_release rPx,
+ @{bin}/lsb_release rPx -> lsb_release,
 @{browsers_path} rPx,
 @{open_path} rPx -> child-open,
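Review bot: The new `unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),` rule in multipathd covers only the client side of the abstract socket, while the removed `unix type=stream addr=@/org/kernel/linux/storage/multipathd,` was the rule matching the local address; if multipathd is the process that binds and listens on that address (it is the daemon the address is named after), the new side no longer permits bind, listen or accept on it. Keep a local-address rule next to the peer rule, e.g. `unix (bind, listen, accept) type=stream addr=@/org/kernel/linux/storage/multipathd,`, or confirm from audit logs that the daemon never binds it.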
diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 86792860c..61b287329 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index e0bd8d976..aca74e562 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -2,15 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , - include @{exec_path} = @{bin}/murmurd profile murmurd @{exec_path} { include include - include + include include include @@ -29,7 +27,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index a91aba241..1ed63e68e 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -2,7 +2,7 @@ # Copyright (C) 2023 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -27,18 +27,23 @@ profile mutt @{exec_path} { # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. @{sh_path} rix, - + @{lib}/{,sendmail/}sendmail rPUx, - @{bin}/ispell rPUx, + @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @{lib}/mutt/* rix, - + @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, - @{editor_path} rCx -> editor, - @{pager_path} rCx -> pager, + @{bin}/vim rCx -> editor, + @{bin}/vim.* rCx -> editor, + @{bin}/sensible-editor rCx -> editor, + + @{bin}/less rCx -> pager, + @{bin}/more rCx -> pager, + @{bin}/pager rCx -> pager, @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -62,7 +67,6 @@ profile mutt @{exec_path} { owner @{HOME}/.mutthistory rwk, owner @{HOME}/.muttrc* r, owner @{HOME}/.signature r, # Mutt signature file - owner @{HOME}/ r, # User mbox # Could be a file or dir depending on mbox_type variable @@ -85,21 +89,18 @@ profile mutt @{exec_path} { # Used When viewing attachments owner /{var/,}tmp/* lrw, - + profile html-renderer { include @{bin}/w3m mrix, @{bin}/lynx mrix, - - owner @{HOME}/.w3m/{,**} rw, + + owner @{HOME}/.w3m/* rw, owner @{user_mail_dirs}/{,**} r, owner @{user_mail_dirs}/tmp/{,**} rw, owner /{var/,}tmp/mutt* rw, - owner /tmp/w3m-@{rand6} rw, - owner /tmp/w3m-@{rand6}/{,**} rw, - include if exists } @@ -115,7 +116,21 @@ profile mutt @{exec_path} { profile pager { include - include + include + + @{bin}/less mr, + @{bin}/more mr, + @{bin}/pager mr, + + /usr/share/terminfo/** r, + /usr/share/file/misc/magic.mgc r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, # This is the file that holds the message owner /{var/,}tmp/mutt* rw, 
@@ -134,9 +149,9 @@ profile mutt @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - + owner /{var/,}tmp/mutt* lrw, - + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index a09008ac3..e3222d2ff 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -2,58 +2,64 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/needrestart +@{exec_path} = @{bin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include + include + include + include include + include capability checkpoint_restore, capability dac_read_search, + capability kill, capability sys_ptrace, - ptrace read, + ptrace (read), @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, + @{bin}/locale rix, + @{bin}/python3.@{int} rix, + @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/udevadm rCx -> udevadm, - @{bin}/who rPx, - @{lib}/needrestart/* rPx, - @{python_path} rix, - @{sbin}/unix_chkpwd rPx, + @{bin}/udevadm rPx, + @{bin}/unix_chkpwd rPx, + @{bin}/whiptail rPx, + @{bin}/who rix, + @{lib}/needrestart/iucode-scan-versions rPx, + /usr/share/debconf/frontend rix, - @{etc_ro}/needrestart/hook.d/* rPx, - @{etc_ro}/needrestart/notify.d/* rPx, - @{etc_ro}/needrestart/restart.d/* rPx, + @{bin}/networkd-dispatcher r, + @{bin}/gettext.sh r, + /usr/share/needrestart/{,**} r, + /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, + /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - @{efi}/ r, - @{efi}/* r, - /opt/*/** r, - @{bin}/* r, - @{lib}/** r, - @{sbin}/** r, - @{att}/@{lib}/** r, - /usr/share/** r, - /var/lib/*/** r, + /boot/ r, + /boot/intel-ucode.img r, + /boot/vmlinuz* r, - @{run}/systemd/sessions/* r, + owner /var/lib/juju/agents/{,**} r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /tmp/@{word10}/ rw, + owner @{run}/sshd.pid r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, 
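Review bot: `/etc/needrestart/*.d/* rix,` runs the hook, notify and restart scripts inline under the needrestart profile, which in the same hunk also gains `capability kill,`, `/etc/shadow r,` and `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,` on top of the existing `capability sys_ptrace,` and `ptrace (read),`; the replaced `@{etc_ro}/needrestart/{hook,notify,restart}.d/* rPx,` lines confined each script under its own, much smaller profile. Since those per-script profiles are deleted further down in this diff, a `rCx` child profile for the scripts (or keeping `rPx`) would retain the separation; at minimum the `rix` line deserves a comment explaining why administrator-editable scripts under /etc are trusted with needrestart's full access set.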
@@ -61,35 +67,20 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, - deny mqueue type=posix /, - profile systemctl { include include - capability sys_resource, capability net_admin, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - include if exists } - profile udevadm { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index b70a49be8..805f69678 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -2,30 +2,26 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/needrestart/apt-pinvoke -profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { +profile needrestart-apt-pinvoke @{exec_path} { include include include include - capability dac_read_search, - @{exec_path} mr, @{sh_path} rix, @{bin}/dbus-send rix, - @{sbin}/needrestart rPx, + @{bin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, - /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status index 3d54f896d..fff97e67c 100644 --- a/apparmor.d/profiles-m-r/needrestart-dpkg-status +++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook deleted file mode 100644 index c8c9a12c4..000000000 
--- a/apparmor.d/profiles-m-r/needrestart-hook +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/hook.d/* -profile needrestart-hook @{exec_path} { - include - include - include - - @{exec_path} mr, - @{sh_path} rix, - - @{bin}/dpkg-query px, - - /tmp/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c826cd74..37dd180c3 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,24 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, + @{bin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, - @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, - /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - @{efi}/amd-ucode.img r, - @{efi}/intel-ucode.img r, - @{efi}/early_ucode.cpio r, - + /boot/intel-ucode.img r, + /boot/early_ucode.cpio r, + @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify deleted file mode 100644 index 82465ceb2..000000000 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ /dev/null 
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/notify.d/* -profile needrestart-notify @{exec_path} { - include - include - - capability dac_read_search, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/fold ix, - @{bin}/gettext.sh r, - @{bin}/mail Px, - @{bin}/notify-send Px, - @{bin}/sed ix, - - /etc/needrestart/notify.conf r, - - @{PROC}/@{pid}/environ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart deleted file mode 100644 index 964ff1a74..000000000 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/restart.d/* -profile needrestart-restart @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/systemctl Cx -> systemctl, - @{sh_path} r, - - /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version deleted file mode 100644 index 3828f9228..000000000 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ /dev/null 
@@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/needrestart/vmlinuz-get-version -profile needrestart-vmlinuz-get-version @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/bzip2 rix, - @{bin}/{,e}grep rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rPx, - @{bin}/xz rix, - - @{efi}/amd-ucode.img r, - @{efi}/intel-ucode.img r, - @{efi}/vmlinuz* r, - - owner @{tmp}/tmp.@{rand10} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index c7c9160d7..f28d053cd 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -3,44 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nemo profile nemo @{exec_path} { include - include - include include include - include network inet stream, network inet6 stream, @{exec_path} mr, - @{open_path} rPx -> child-open, - - @{bin}/gdk-pixbuf-thumbnailer rPx, - - /usr/share/nemo/** r, - /usr/share/thumbnailers/{,*.thumbnailer} r, - - # Full access to user's data - / r, - /*/ r, - @{bin}/ r, - @{lib}/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - owner @{HOME}/{,**} rw, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rw, - - @{run}/mount/utab r, +# @{lib}/@{multiarch}/nemo/** mrix, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/cap/netcap b/apparmor.d/profiles-m-r/netcap similarity index 98% rename from apparmor.d/groups/cap/netcap rename to apparmor.d/profiles-m-r/netcap index a73dbffe4..d1e5a2852 100644 --- a/apparmor.d/groups/cap/netcap +++ b/apparmor.d/profiles-m-r/netcap 
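Review bot: `# @{lib}/@{multiarch}/nemo/** mrix,` in the nemo hunk is a commented-out rule at column 0 with no explanation, and after the user-data, `@{open_path}` and thumbnailer rules are removed it is the only file rule left besides the `@{PROC}` entries, so a reader cannot tell whether the profile is meant to be usable or whether the line is a leftover. Either delete it or indent it and state why it is disabled, e.g. `  # @{lib}/@{multiarch}/nemo/** mrix,  # disabled: <reason> — TODO confirm`.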
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index c1a9f611a..e39e64621 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,8 +24,6 @@ profile nethogs @{exec_path} { @{exec_path} mr, - /usr/share/terminfo/** r, - @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index a23a095e9..039109ea2 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -5,7 +5,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,18 +13,12 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/profiles-m-r/newgidmap similarity index 89% rename from apparmor.d/groups/shadow/newgidmap rename to apparmor.d/profiles-m-r/newgidmap index 6fa555504..9398350e1 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,6 @@ profile newgidmap @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, 
diff --git a/apparmor.d/groups/utils/newgrp b/apparmor.d/profiles-m-r/newgrp similarity index 94% rename from apparmor.d/groups/utils/newgrp rename to apparmor.d/profiles-m-r/newgrp index 1452f34fc..1878b9b5e 100644 --- a/apparmor.d/groups/utils/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,10 +23,10 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - @{etc_ro}/login.defs r, - /etc/{passwd,group,shadow,gshadow} r, + /etc/login.defs r, + owner @{PROC}/@{pid}/loginuid r, include if exists diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/profiles-m-r/newuidmap similarity index 89% rename from apparmor.d/groups/shadow/newuidmap rename to apparmor.d/profiles-m-r/newuidmap index 6a53bf5c1..eeba22557 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,6 @@ profile newuidmap @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld similarity index 91% rename from apparmor.d/groups/filesystem/nfsdcld rename to apparmor.d/profiles-m-r/nfsdcld index 23ecc576e..a02e226c6 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/nfsdcld +@{exec_path} = @{bin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/profiles-m-r/nft similarity index 79% rename from apparmor.d/groups/firewall/nft rename to apparmor.d/profiles-m-r/nft index 2392829c8..50ee826cf 100644 --- a/apparmor.d/groups/firewall/nft 
+++ b/apparmor.d/profiles-m-r/nft
@@ -3,11 +3,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/nft
+@{exec_path} = @{bin}/nft
 profile nft @{exec_path} {
 include
 include
@@ -20,11 +20,9 @@ profile nft @{exec_path} {
 @{exec_path} mr,
- /usr/share/iproute2/{,**} r,
+ owner /etc/iproute2/** r,
- /etc/iproute2/** r,
- /etc/nftables.conf r,
- /etc/nftables/{,**} r,
+ owner /etc/nftables/**.nft r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap
index 348c3ac0e..0eb1eceba 100644
--- a/apparmor.d/profiles-m-r/nmap
+++ b/apparmor.d/profiles-m-r/nmap
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/utils/nologin b/apparmor.d/profiles-m-r/nologin
similarity index 90%
rename from apparmor.d/groups/utils/nologin
rename to apparmor.d/profiles-m-r/nologin
index 795a1aa35..fad964b64 100644
--- a/apparmor.d/groups/utils/nologin
+++ b/apparmor.d/profiles-m-r/nologin
@@ -2,11 +2,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
-@{exec_path} = @{sbin}/nologin
+@{exec_path} = @{bin}/nologin
 profile nologin @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup
index 41435f2f0..9ee225d9d 100644
--- a/apparmor.d/profiles-m-r/nslookup
+++ b/apparmor.d/profiles-m-r/nslookup
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g
similarity index 88%
rename from apparmor.d/groups/filesystem/ntfs-3g
rename to apparmor.d/profiles-m-r/ntfs-3g
index e4749177c..e5ae871b6 100644
--- a/apparmor.d/groups/filesystem/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
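Review bot: The nft hunk drops `/etc/nftables.conf r,` and narrows the remaining config reads to `owner /etc/nftables/**.nft r,`, yet `/etc/nftables.conf` is the ruleset file the packaged nftables service loads at boot on Debian-family systems, so that load would be denied once the profile is enforced, and any include under /etc/nftables/ without a `.nft` suffix is now unreadable. Keep `/etc/nftables.conf r,`, and if the ruleset includes the directory via a glob the directory entry itself also needs `r` (the removed `/etc/nftables/{,**} r,` covered that); `owner` only matters here if these files are not root-owned, so it is worth a comment on why it was chosen.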
@@ -3,15 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/{low,}ntfs{,-3g} @{exec_path} += @{bin}/mount.{low,}ntfs{,-3g} -profile ntfs-3g @{exec_path} flags=(attach_disconnected) { +profile ntfs-3g @{exec_path} { include - include include include @@ -22,6 +21,15 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, + @{exec_path} mr, + + @{bin}/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, @@ -34,28 +42,16 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver - umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, - @{exec_path} mr, - - @{bin}/kmod rPx, # To load the fuse kernel module - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, - /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/filesystem/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe similarity index 96% rename from apparmor.d/groups/filesystem/ntfs-3g-probe rename to apparmor.d/profiles-m-r/ntfs-3g-probe index 73ba17229..ef870e0f0 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/filesystem/ntfscat b/apparmor.d/profiles-m-r/ntfscat similarity index 97% rename from apparmor.d/groups/filesystem/ntfscat rename to apparmor.d/profiles-m-r/ntfscat index c1d14927b..069a597e9 100644 --- a/apparmor.d/groups/filesystem/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone similarity index 92% rename from apparmor.d/groups/filesystem/ntfsclone rename to apparmor.d/profiles-m-r/ntfsclone index c6443bf7a..06fe65684 100644 --- a/apparmor.d/groups/filesystem/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ntfsclone +@{exec_path} = @{bin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster similarity index 97% rename from apparmor.d/groups/filesystem/ntfscluster rename to apparmor.d/profiles-m-r/ntfscluster index 80fdf01ce..62aff85c8 100644 --- a/apparmor.d/groups/filesystem/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp similarity index 97% rename from apparmor.d/groups/filesystem/ntfscmp rename to apparmor.d/profiles-m-r/ntfscmp index db9a723d4..c5ecddc5f 100644 --- a/apparmor.d/groups/filesystem/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/filesystem/ntfscp b/apparmor.d/profiles-m-r/ntfscp similarity index 94% rename from apparmor.d/groups/filesystem/ntfscp rename to apparmor.d/profiles-m-r/ntfscp index f3bc38b6a..3beeb2b7a 100644 --- a/apparmor.d/groups/filesystem/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ntfscp +@{exec_path} = @{bin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt similarity index 97% rename from apparmor.d/groups/filesystem/ntfsdecrypt rename to apparmor.d/profiles-m-r/ntfsdecrypt index 63f771ed3..e7ffe3188 100644 --- a/apparmor.d/groups/filesystem/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate similarity index 97% rename from apparmor.d/groups/filesystem/ntfsfallocate rename to apparmor.d/profiles-m-r/ntfsfallocate index 80654cb7a..670092820 100644 --- a/apparmor.d/groups/filesystem/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix similarity index 97% rename from apparmor.d/groups/filesystem/ntfsfix rename to apparmor.d/profiles-m-r/ntfsfix index e840ed6c5..179b3b7a9 100644 --- a/apparmor.d/groups/filesystem/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/filesystem/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo similarity index 97% rename from apparmor.d/groups/filesystem/ntfsinfo rename to apparmor.d/profiles-m-r/ntfsinfo index 08b5bea43..3156e7004 100644 --- a/apparmor.d/groups/filesystem/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel similarity index 90% rename from apparmor.d/groups/filesystem/ntfslabel rename to apparmor.d/profiles-m-r/ntfslabel index 5d4089a44..6eee15ef8 100644 --- a/apparmor.d/groups/filesystem/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ntfslabel +@{exec_path} = @{bin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsls b/apparmor.d/profiles-m-r/ntfsls similarity index 97% rename from apparmor.d/groups/filesystem/ntfsls rename to apparmor.d/profiles-m-r/ntfsls index 3badd08b2..56c2c28de 100644 --- a/apparmor.d/groups/filesystem/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove similarity index 97% rename from apparmor.d/groups/filesystem/ntfsmove rename to apparmor.d/profiles-m-r/ntfsmove index 4c7ade080..876113c98 100644 --- a/apparmor.d/groups/filesystem/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/filesystem/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover similarity index 97% rename from apparmor.d/groups/filesystem/ntfsrecover rename to apparmor.d/profiles-m-r/ntfsrecover index fff3e1b52..43de112c1 100644 --- a/apparmor.d/groups/filesystem/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize similarity index 90% rename from apparmor.d/groups/filesystem/ntfsresize rename to apparmor.d/profiles-m-r/ntfsresize index 3eac37d70..e0e8f58d2 100644 --- a/apparmor.d/groups/filesystem/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ntfsresize +@{exec_path} = @{bin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit similarity index 97% rename from apparmor.d/groups/filesystem/ntfssecaudit rename to apparmor.d/profiles-m-r/ntfssecaudit index a323a898d..ee38f60a0 100644 --- a/apparmor.d/groups/filesystem/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate similarity index 97% rename from apparmor.d/groups/filesystem/ntfstruncate rename to apparmor.d/profiles-m-r/ntfstruncate index 7f245ee07..c9dec413a 100644 --- a/apparmor.d/groups/filesystem/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/filesystem/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete similarity index 91% rename from apparmor.d/groups/filesystem/ntfsundelete rename to apparmor.d/profiles-m-r/ntfsundelete index 9f68cba7a..a01876961 100644 --- a/apparmor.d/groups/filesystem/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ntfsundelete +@{exec_path} = @{bin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap similarity index 97% rename from apparmor.d/groups/filesystem/ntfsusermap rename to apparmor.d/profiles-m-r/ntfsusermap index 0cdfb9f71..acc6e8bbc 100644 --- a/apparmor.d/groups/filesystem/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe similarity index 97% rename from apparmor.d/groups/filesystem/ntfswipe rename to apparmor.d/profiles-m-r/ntfswipe index 9b64136bd..1471e1d27 100644 --- a/apparmor.d/groups/filesystem/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index 6f7b8f225..e27e15429 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 5c88ec846..25903ed8b 100644 --- a/apparmor.d/profiles-m-r/numlockx 
+++ b/apparmor.d/profiles-m-r/numlockx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index d438b598d..b0465ef85 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index 9f44c8f13..33dac3dba 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 893770a4b..d4bda6123 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -2,12 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} flags=(attach_disconnected) { +profile nvidia-settings @{exec_path} { include include include 
@@ -17,23 +17,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/{,**} r, - owner @{HOME}/.nvidia-settings-rc rw, - - @{sys}/bus/pci/devices/ r, - @{sys}/devices/@{pci}/config r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, - - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/config r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, - include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi deleted file mode 100644 index eb42bd59b..000000000 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/nvidia-smi -profile nvidia-smi @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, - - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/config r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index fc51b5b9e..54c9c5959 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -23,37 +23,27 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/inhibit/*.ref r, @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/current_link_{speed,width} r, @{sys}/devices/@{pci}/enable r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/fan@{int}_{enable,max} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/power@{int}_cap r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/pwm@{int}_{enable,max} r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp@{int}_crit r, - @{sys}/devices/@{pci}/max_link_{speed,width} r, - @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 9d9ed2a94..070ac10af 100644 
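Review bot: Changing the `/proc` rules from `@{pid}` to `@{pids}` is what a process monitor needs, but together with the context line `capability sys_ptrace,` it grants read access to every process's `cmdline`, `fd/`, `fdinfo/@{int}` and `stat`, which is a large step beyond the profile's own process and deserves a comment so it is not reverted as an accident, e.g. `# Enumerates every process holding a DRM/nvidia fd, hence @{pids} and sys_ptrace`. The removed `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` has no counterpart on the new side; if nvtop still names its threads, expect a denial there. The profile header and the remaining device rules lie outside the hunk.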
--- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index d283466f5..37e94369e 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/bluetooth/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing similarity index 97% rename from apparmor.d/groups/bluetooth/obex-folder-listing rename to apparmor.d/profiles-m-r/obex-folder-listing index ebbd8ae50..7aa4070c5 100644 --- a/apparmor.d/groups/bluetooth/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bluetooth/obexautofs b/apparmor.d/profiles-m-r/obexautofs similarity index 86% rename from apparmor.d/groups/bluetooth/obexautofs rename to apparmor.d/profiles-m-r/obexautofs index 980349086..972829890 100644 --- a/apparmor.d/groups/bluetooth/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -36,13 +36,20 @@ profile obexautofs @{exec_path} { profile fusermount { include - include + include + + capability sys_admin, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, include if exists } diff --git a/apparmor.d/groups/bluetooth/obexctl b/apparmor.d/profiles-m-r/obexctl similarity index 97% rename from apparmor.d/groups/bluetooth/obexctl rename to apparmor.d/profiles-m-r/obexctl index 5cd5853d5..d87243b75 100644 --- a/apparmor.d/groups/bluetooth/obexctl +++ b/apparmor.d/profiles-m-r/obexctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/profiles-m-r/obexd similarity index 73% rename from apparmor.d/groups/bluetooth/obexd rename to apparmor.d/profiles-m-r/obexd index 3ea17a4e5..9043489eb 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -3,16 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include - include + include include network bluetooth stream, @@ -23,12 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=bluetoothd), @{exec_path} mr, @@ -37,8 +31,6 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, - @{run}/systemd/users/@{uid} r, - include if exists } 
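Review bot: The `fusermount` child profile on the new side drops `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` and keeps only the `mount` rules, yet the same helper is what runs `fusermount -u` when the share is detached, so unmounting will now be denied; the obexfs hunk later in this diff makes the identical change to its own `fusermount` child and needs the same fix. Keep the two umount lines next to the mount rules, and write `owner @{PROC}/@{pid}/mounts r,` since the helper only needs its own mount table. The enclosing `profile obexautofs` block begins outside the hunk.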
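Review bot: In the obexd `@@ -23,12 +22,7 @@` hunk, replacing `label="@{p_bluetoothd}"` with `label=bluetoothd` in the `Release` receive rule hard-codes the peer label; the `@{p_…}` variables used on the old side presumably exist so the label can resolve to `unconfined` when bluetoothd runs without its profile, in which case this rule stops matching and the Release call is denied. If the literal label is intended, add a comment making the dependency explicit, e.g. `# bluetoothd must be confined by its own profile for this peer label to match`. The profile header is outside the hunk.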
diff --git a/apparmor.d/groups/bluetooth/obexfs b/apparmor.d/profiles-m-r/obexfs similarity index 79% rename from apparmor.d/groups/bluetooth/obexfs rename to apparmor.d/profiles-m-r/obexfs index e486349d3..4a746ecf1 100644 --- a/apparmor.d/groups/bluetooth/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,19 +27,27 @@ profile obexfs @{exec_path} { /dev/fuse rw, + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, network bluetooth stream, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + /dev/fuse rw, + mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + @{PROC}/@{pid}/mounts r, - include if exists } include if exists diff --git a/apparmor.d/groups/bluetooth/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd similarity index 96% rename from apparmor.d/groups/bluetooth/obexpush-atd rename to apparmor.d/profiles-m-r/obexpush-atd index 2645ec678..17b0a2d37 100644 --- a/apparmor.d/groups/bluetooth/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/bluetooth/obexpushd b/apparmor.d/profiles-m-r/obexpushd similarity index 97% rename from apparmor.d/groups/bluetooth/obexpushd rename to apparmor.d/profiles-m-r/obexpushd index 44b938401..33a922f41 100644 --- a/apparmor.d/groups/bluetooth/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index b0f1c7c27..724f83de7 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt index 065e953f3..0636f6ee8 100644 --- a/apparmor.d/profiles-m-r/odt2txt +++ b/apparmor.d/profiles-m-r/odt2txt @@ -2,14 +2,13 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/odt2txt profile odt2txt @{exec_path} { include - include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama deleted file mode 100644 index 73447e33e..000000000 --- a/apparmor.d/profiles-m-r/ollama +++ /dev/null 
@@ -1,59 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ollama -profile ollama @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /tmp/ollama@{int}/runners/*/* mr, - /tmp/ollama@{int}/runners/*/ollama_*_server rix, # TODO: rPx and remove graphics from here. - - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - - @{lib}/ r, - - owner /var/lib/ollama/ rw, - owner /var/lib/ollama/** rwlk, - - /tmp/ r, - owner @{tmp}/ollama@{int}/{,**} rw, - owner @{tmp}/ollama@{int}/runners/{,**} mr, - - @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/devices/@{pci}/drm/card@{int}/*/ r, - @{sys}/devices/@{pci}/mem_info_vram_total r, - @{sys}/devices/@{pci}/mem_info_vram_used r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/system/node/node@{int}/cpumap r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, - - @{PROC}/devices r, - @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d6426f717..d9b5a412e 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power 
@@ -3,23 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/on_ac_power +@{exec_path} = @{bin}/on_ac_power profile on-ac-power @{exec_path} { include @{exec_path} r, @{sh_path} rix, - @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{sys}/class/power_supply/ r, - @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index ded4a204a..84a68634c 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler deleted file mode 100644 index 2593b78ac..000000000 --- a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/open-iscsi/net-interface-handler -profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { - include - - @{exec_path} mr, - @{sh_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 899290792..ac0831f05 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, 
@@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/@{python_name}/** w, + deny @{lib}/python3/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 5313ed948..61666f756 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index f87c0fa92..571532b4f 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,9 @@ profile orage @{exec_path} { @{bin}/globaltime rPx, - @{open_path} rPx -> child-open, - - /etc/fstab r, + @{bin}/xdg-open rCx -> open, + @{bin}/exo-open rCx -> open, + @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -35,8 +35,38 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + /etc/fstab r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit owner /dev/tty@{int} rw, + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index f9e5b2058..819c4c9bd 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
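Review bot: The orage `@@ -21,9 +21,9 @@` hunk routes three binaries into the `open` child profile (`@{bin}/xdg-open`, `@{bin}/exo-open` and `@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop`, all `rCx -> open`), but the child added in `@@ -35,8 +35,38 @@` only grants `@{bin}/xdg-open mr,`, so the transition for the other two will fail when the child tries to map its own executable. Add `@{bin}/exo-open mr,` and `@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,` beside the xdg-open rule. `@{lib}/firefox/firefox rPUx,` now appears in both parent and child; the parent copy is probably redundant once launches go through the child, and if it is kept a comment should say which path still needs it. The parent profile's header lies outside the hunk.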
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,40 +10,34 @@ include profile os-prober @{exec_path} flags=(attach_disconnected) { include include - include capability dac_read_search, capability sys_admin, - mount options=(rprivate, rw) -> /, - mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, - umount /var/lib/os-prober/mount/, - mqueue (read getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{sbin}/blkid rPx, - @{sbin}/btrfs rPx, + @{bin}/blkid rPx, + @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{sbin}/dmraid rPUx, + @{bin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{sbin}/grub-probe rPx, + @{bin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{sbin}/lvm rPx, + @{bin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{sbin}/multipath rPx, + @{bin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -51,7 +45,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, @@ -63,14 +57,13 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - @{efi}/ r, - @{efi}/EFI/ r, - @{efi}/EFI/**/ r, + /boot/{efi/,} r, + /boot/{efi/,}EFI/ r, + /boot/{efi/,}EFI/*/ r, owner @{tmp}/os-prober.*/{,**} rw, - @{run}/mount/utab r, - + @{sys}/block/ r, @{sys}/devices/@{pci}/block/*/ r, @{sys}/devices/virtual/block/*/ r, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch deleted file mode 100644 index d0bb4a1ed..000000000 --- a/apparmor.d/profiles-m-r/ouch +++ /dev/null 
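Review bot: The os-prober `@@ -10,40 +10,34 @@` hunk removes the `mount options=(...) -> /var/lib/os-prober/mount/,` and `umount /var/lib/os-prober/mount/,` rules while keeping `@{bin}/mount rix,`, `@{bin}/umount rix,` and `capability sys_admin,` as context: since mount and umount run inside this profile, the mount(2) calls themselves still need mount rules, so probing a partition is likely to be denied. Either restore the three rules or, if mount mediation is known not to apply under the ABI this branch targets, say so in a comment next to `capability sys_admin,`. The dropped `mqueue (read getattr) type=posix /,` should get the same treatment. The profile's later rules are outside the hunk.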
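Review bot: In the os-prober `@@ -51,7 +45,7 @@` hunk, `@{bin}/which rix,` replaces `@{bin}/which{,.debianutils} rix,`, but on Debian-based systems `/usr/bin/which` is a symlink that resolves to `which.debianutils` and AppArmor matches the resolved path, so the exec is denied there; the openbox hunk earlier in this diff keeps the alternation, so this profile should too. Use `@{bin}/which{,.debianutils} rix,`. The enclosing profile block starts and ends outside the hunk.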
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ouch -profile ouch @{exec_path} { - include - include - include - - @{exec_path} mr, - - owner @{HOME}/.tmp@{rand6}/{,**} rw, - owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, - - owner /tmp/ w, - owner /tmp/.tmp@{rand6}/{,**} rw, - owner /tmp/.tmp-ouch@{rand6}/{,**} rw, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e5b54c34e..b61426196 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -2,18 +2,18 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include - include #aa:only apt include include include include + include #aa:only apt include include @@ -36,9 +36,13 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=int peer=apt-methods-*, - signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** + #aa:dbus own bus=system name=org.freedesktop.PackageKit + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, 
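Review bot: The packagekitd `@@ -36,9 +36,13 @@` hunk removes `signal send set=term peer=systemd-inhibit,` while `@{bin}/systemd-inhibit rPx,` survives as context in the next hunk; packagekitd presumably terminates the inhibitor it spawned once a transaction finishes, and that kill will now be denied. Keep the line next to `signal send set=int peer=apt-methods-*,`, or add a comment explaining why the inhibitor no longer needs to be stopped. The new `dbus send ... member={GetConnectionUnixUser,GetConnectionUnixProcessID}` rule is reasonable for a daemon authorising callers and could carry a one-line comment saying so. The profile header is outside the hunk.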
@@ -51,7 +55,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, + @{bin}/ischroot rix, + @{bin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, @@ -63,8 +68,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, - @{bin}/ischroot rPx, - @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @@ -74,11 +77,10 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, - #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -91,8 +93,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - + @{run}/systemd/inhibit/*.ref rw, owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 8512c1c67..752c3edd7 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 1e89ef3f2..2f8092a02 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
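Review bot: `@{bin}/ischroot rix` (hunk `@@ -51,7 +55,8`) replaces the `@{bin}/ischroot rPx` removed in `@@ -63,8 +68,6`, so ischroot now inherits the full packagekitd profile with its `/etc/** rwl -> /etc/**`, `/boot/** rwl -> /boot/**` and `/*{,/} rw` rules instead of running under its own profile; if a dedicated ischroot profile exists in the tree, keeping `rPx` confines the helper to what it actually needs. In `@@ -91,8 +93,7` the `@{att}/@{run}/systemd/inhibit/@{int}.ref rw` rule became `@{run}/systemd/inhibit/*.ref rw`; the profile keeps `flags=(attach_disconnected)` per the hunk header, so if the inhibit fd arrives disconnected the path without the `@{att}` prefix may not match — worth confirming in an audit log before dropping the prefix. `@@ -74,11 +77,10` also removes the `#aa:lint ignore=too-wide` directive without narrowing the rules it covered, so the linter will presumably flag `/*{,/} rw` and the `/etc/**` family again; either keep the directive or narrow the rules.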
diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index 0ec7c31f6..f6615a71e 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 947fb2f4e..3d805f24c 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -3,28 +3,64 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/pam-auth-update +@{exec_path} = @{bin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include + include + include - @{exec_path} mrix, + @{exec_path} mr, + @{bin}/perl r, - @{bin}/cp ix, - @{bin}/md5sum ix, - @{bin}/stty ix, + @{bin}/md5sum rix, + @{bin}/cp rix, - /usr/share/pam{,-configs}/{,*} r, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, /etc/pam.d/* rw, - /etc/shadow r, - - /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, + /usr/share/pam{,-configs}/{,*} r, + + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/pam-auth-update rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + # The following is needed when debconf uses GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + /etc/shadow r, + + } include if exists } 
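Review bot: The new `profile frontend flags=(complain)` child in the pam-auth-update hunk is unreachable: the only transition into it, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out and the live rule is `/usr/share/debconf/frontend rPx,`, so its rules — including `/etc/shadow r,` and the GUI abstractions — are dead policy that still reads as granted to anyone auditing the file. Either re-enable the `rCx` transition and drop the `rPx` line, or remove the child until the `#FIXME#` is resolved; in both cases `/etc/shadow r` inside the child should carry a comment saying why a debconf frontend needs it, since the parent profile dropped that exact rule in this same hunk. The `# Think what to do about this (#FIXME#)` line would be more useful as `# FIXME: run the debconf frontend in the frontend child (rCx) once its permissions are settled`.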
diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index fc767e5b3..983ca7d42 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper +@{exec_path} = @{bin}/pam-tmpdir-helper profile pam-tmpdir-helper @{exec_path} { include include @@ -15,7 +15,7 @@ profile pam-tmpdir-helper @{exec_path} { @{exec_path} mr, - owner /tmp/user/ rw, + owner @{tmp}/user/ rw, owner @{tmp}/ rw, /dev/ptmx rw, diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings new file mode 100644 index 000000000..cbcb539ed --- /dev/null +++ b/apparmor.d/profiles-m-r/pam/mappings 
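Review bot: `@{exec_path} = @{bin}/pam-tmpdir-helper` drops the `@{lib}/pam-tmpdir/pam-tmpdir-helper` alternative, so on a distribution that still installs the helper under `@{lib}/pam-tmpdir/` that copy no longer attaches to this profile and runs unconfined. Unless the second location is known to be gone everywhere, keep both paths, or record the reason above the line, e.g. `# pam-tmpdir-helper ships only in @{bin} since <PACKAGE VERSION — placeholder>`.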
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example + +# This file contains the mappings from users to roles for the binaries +# confined with AppArmor and configured for use with libpam-apparmor. Users +# without a mapping will not be able to login. +# +# The default hat is a confined user. The hat contains only the permissions +# necessary to transition to the user's login shell. All other permissions have +# been moved into the default_user profile. +^DEFAULT { + include + include + + capability dac_override, + capability setgid, + capability setuid, + + /etc/default/su r, + @{etc_ro}/environment r, + + @{shells_path} rPx -> user_default, + + include if exists +} + +# USER is a confined user. The hat contains only the permissions necessary +# to transition to gray's login shell. All other permissions have been +# moved into the confined_user profile. +^USER { + include + include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + @{shells_path} rPx -> user_confined, + + /etc/default/su r, + @{etc_ro}/environment r, + + include if exists +} + +# Don't confine members whose primary group is 'admin' who are not specifically +# confined. Systems without this special primary group may want to define an +# unconfined 'root' hat in this manner (depending on site policy). +^root { + include + include + include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + @{shells_path} rUx, + + /etc/default/su r, + @{etc_ro}/environment r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 1ae7f5478..9408674f8 100644 --- a/apparmor.d/profiles-m-r/parted 
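Review bot: The header comments on the `^DEFAULT` and `^USER` hats name profiles that do not match the transitions below them: `^DEFAULT` says the permissions "have been moved into the default_user profile" but transitions with `@{shells_path} rPx -> user_default,`, and `^USER` says "confined_user profile" but uses `-> user_confined`; the `^USER` comment also still refers to "gray's login shell", a leftover from the upstream example. Suggest `# to transition to the user's login shell. All other permissions have been moved into the user_confined profile.` for `^USER` and the matching `user_default` wording for `^DEFAULT`. The `^root` hat is the only one that transitions `rUx` (unconfined), and its comment talks about an 'admin' primary group rather than the `root` name the hat carries; one sentence stating that the hat name is what libpam-apparmor looks up (user name, then group, then DEFAULT — verify the configured order) would make the unconfined path much easier to audit.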
+++ b/apparmor.d/profiles-m-r/parted @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/parted +@{exec_path} = @{bin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 79e4b0ffb..9e384c66c 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/partprobe +@{exec_path} = @{bin}/partprobe profile partprobe @{exec_path} { include - include include capability sys_admin, @@ -23,7 +22,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 30f92c964..724bd8f38 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -15,52 +15,52 @@ profile pass @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/base64 ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cp ix, - @{bin}/diff ix, - @{bin}/dirname ix, - @{bin}/env r, - @{bin}/find ix, - @{bin}/getopt ix, - @{bin}/{,e}grep ix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/rm ix, - @{bin}/rmdir ix, - @{bin}/sed ix, - @{bin}/shred ix, - @{bin}/sleep ix, - @{bin}/sort ix, - @{bin}/tail ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/tree ix, - @{bin}/tty ix, - @{bin}/which{,.debianutils} rix, + @{bin}/base64 rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cp rix, + @{bin}/diff rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/grep rix, + @{bin}/head rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/mv rix, + @{bin}/pkill rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/shred rix, + @{bin}/sleep rix, + @{bin}/sort rix, + @{bin}/tail rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/tree rix, + @{bin}/tty rix, + @{bin}/which rix, - @{bin}/git Cx -> git, - @{bin}/gpg{2,} Cx -> gpg, - @{bin}/pkill Cx -> pkill, - @{bin}/qdbus Cx -> qdbus, - @{bin}/wl-{copy,paste} Px, - @{bin}/xclip Px, - @{editor_path} Cx -> editor, - @{lib}/git{,-core}/git Cx -> git, + @{bin}/git rCx -> git, + @{lib}/git{,-core}/git rCx -> git, + @{bin}/gpg{2,} rCx -> gpg, + @{bin}/qdbus rCx -> qdbus, + @{bin}/vim{,.*} rCx -> editor, + @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, # Pass extensions - @{bin}/oathtool ix, # pass-otp - @{python_path} Px -> pass-import, # pass-import, pass-audit - @{bin}/qrencode PUx, # pass-otp - @{bin}/tomb PUx, # pass-tomb + @{bin}/oathtool rix, # pass-otp + @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit + @{bin}/qrencode rPUx, # pass-otp + @{bin}/tomb rPUx, # pass-tomb /usr/share/terminfo/** r, - owner @{user_passwordstore_dirs}/{,**} rw, - owner /dev/shm/pass.@{rand}/{,*} rw, + owner 
@{user_password_store_dirs}/{,**} rw, + owner /dev/shm/pass.*/{,*} rw, @{sys}/devices/system/node/ r, @@ -72,15 +72,6 @@ profile pass @{exec_path} { /dev/tty rw, - profile pkill { - include - include - - @{bin}/pkill mr, - - include if exists - } - profile editor { include include @@ -88,9 +79,9 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_passwordstore_dirs}/{,**/} r, + owner @{user_password_store_dirs}/{,**/} r, - owner /dev/shm/pass.@{rand}/{,*} rw, + owner /dev/shm/pass.*/{,*} rw, deny owner @{HOME}/ r, @@ -112,7 +103,10 @@ profile pass @{exec_path} { @{bin}/git* mrix, @{lib}/git{,-core}/git* mrix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git{,-core}/{,**} r, @@ -120,11 +114,11 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, + owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, include if exists } @@ -142,11 +136,10 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /dev/shm/pass.@{rand}/* rw, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner /dev/shm/pass.*/{,*} rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, 
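Review bot: Replacing the `pkill` child profile with `@{bin}/pkill rix` (hunks `@@ -15,52 +15,52` and `@@ -72,15 +72,6`) runs pkill under the full pass profile, which carries `owner @{user_password_store_dirs}/{,**} rw` and all the `rCx`/`rPx` transitions, whereas the removed child only had `@{bin}/pkill mr` plus two abstractions; if the child was dropped because it lacked a permission, adding that permission to the child keeps the confinement tighter. In the same `@@ -15` hunk `@{editor_path} Cx -> editor` became `@{bin}/vim{,.*} rCx -> editor`, so any other `$EDITOR` (nano, emacs, …) now has no exec rule and `pass edit` would be denied; if the narrowing is deliberate, a comment such as `# only vim is allowed as the pass editor` stops the next reader from treating it as an oversight. The `/dev/shm/pass.@{rand}/` → `/dev/shm/pass.*/` change widens the match in three places; `@{rand}` was the tighter pattern if it still matches what pass creates.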
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 8d55dd156..655804ccc 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,16 +24,16 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/pass rPx, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny /usr/share/file/misc/magic.mgc r, - owner @{user_passwordstore_dirs}/{,**} rw, + owner @{user_password_store_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index c0aafeaf9..8afbac8e5 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,9 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - owner /var/lib/passim/{,**} rw, + /var/lib/passim/{,**} r, + /var/lib/passim/data/{,**} rw, + owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/shadow/passwd b/apparmor.d/profiles-m-r/passwd similarity index 92% rename from apparmor.d/groups/shadow/passwd rename to apparmor.d/profiles-m-r/passwd index 9d81c0bea..f37f5651d 100644 --- a/apparmor.d/groups/shadow/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,7 +21,7 @@ profile passwd @{exec_path} { capability net_admin, capability setuid, - signal receive set=(term kill) peer=gnome-control-center, + signal (receive) set=(term, kill) peer=gnome-control-center, network netlink raw, 
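Review bot: In the passimd `@@ -26,7 +26,9` hunk the replacement rules `/var/lib/passim/{,**} r,` and `/var/lib/passim/data/{,**} rw,` drop the `owner` qualifier that the removed `owner /var/lib/passim/{,**} rw,` carried; if passimd runs as a dedicated user (verify the unit file), keeping `owner` on the `data/` write rule costs nothing and stops the daemon from writing files it does not own in that tree. A comment giving the reason for the `r`/`rw` split (`data/` being the only subtree the daemon writes, presumably) would also help the next reader.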
diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index 596cbacbd..de3782b09 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2923f70cd..99ad50a64 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -3,16 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include + include + include + include include - include + include + include + include include include @@ -20,7 +24,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{sh_path} rix, + @{bin}/dash rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index d5bcc4293..085061b15 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/pcscd +@{exec_path} = @{bin}/pcscd profile pcscd @{exec_path} { include include 
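Review bot: In the pcb-gtk `@@ -20,7 +24,7` hunk `@{sh_path} rix,` becomes `@{bin}/dash rix,`; `/usr/share/pcb/ListLibraryContents.sh rix,` is executed by whatever interpreter its shebang resolves to, so on a system where `/bin/sh` is not dash the script will be denied. Keep `@{sh_path} rix,` unless there is a reason to pin dash, in which case say so: `@{bin}/dash rix,  # ListLibraryContents.sh hard-codes dash`.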
@@ -16,18 +16,17 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace read peer=@{p_systemd_user}, - ptrace read peer=gsd-smartcard, - ptrace read peer=keepassxc, - ptrace read peer=pkcs11-register, - ptrace read peer=rngd, - ptrace read peer=scdaemon, - ptrace read peer=veracrypt, + ptrace (read) peer=gsd-smartcard, + ptrace (read) peer=pkcs11-register, + ptrace (read) peer=rngd, + ptrace (read) peer=scdaemon, @{exec_path} mr, /etc/libccid_Info.plist r, - /etc/reader.conf.d/{,**} r, + /etc/reader.conf.d/ r, + /etc/reader.conf.d/libccidtwin r, + /etc/reader.conf.d/reader.conf r, owner @{run}/pcscd/{,pcscd.pid} rw, diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index 0394687f7..c122cbdcb 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -2,14 +2,13 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pdftotext profile pdftotext @{exec_path} { include - include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 7d423f148..124d5c9c3 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 76b9942fb..e2ea46e57 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -2,14 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} flags=(attach_disconnected) { +profile pidof @{exec_path} { include - include capability sys_ptrace, @@ -28,7 +27,7 @@ profile pidof @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - /dev/tty@{int} rw, + owner /dev/tty@{int} rw, include if exists } 
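Review bot: The new `ptrace (read)` list in pcscd drops the `keepassxc`, `veracrypt` and `@{p_systemd_user}` peers; pcscd presumably still reads `/proc/<pid>` of each connecting client to identify it, so those clients would now produce ptrace denials in enforce mode — if the peers were removed because their profiles went away, a comment saying so would help, otherwise keep them. Narrowing `/etc/reader.conf.d/{,**} r` to `reader.conf` and `libccidtwin` is a good tightening, but any locally added file in that directory will silently stop loading; a one-line comment next to those rules pointing admins at the `include if exists` local-override include at the end of the profile would make that discoverable.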
diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index b69fcecaf..c30bc5def 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile pinentry @{exec_path} { @{bin}/pinentry-* rPx, @{sh_path} rix, - @{bin}/ldd rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index c14b41027..1fd585f47 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,8 +17,6 @@ profile pinentry-curses @{exec_path} { /usr/share/terminfo/** r, - owner /dev/tty@{int} r, - include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index b60d929e2..d6fc0abb0 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -2,19 +2,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include - include - include include - include - signal receive set=int, + signal (receive) set=(int) peer=gpg-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk-2 similarity index 51% rename from apparmor.d/profiles-m-r/pinentry-gtk rename to apparmor.d/profiles-m-r/pinentry-gtk-2 index d07a64a5a..efad3a6f1 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 
@@ -3,24 +3,25 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/pinentry-gtk{,-2} -profile pinentry-gtk @{exec_path} { +@{exec_path} = @{bin}/pinentry-gtk-2 +profile pinentry-gtk-2 @{exec_path} { include - include + include + include include - include + include @{exec_path} mr, - @{PROC}/@{pid}/cmdline r, + /usr/share/gtk-2.0/gtkrc r, - owner /dev/tty@{int} r, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index adff98c53..235c256a7 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,31 +11,42 @@ include profile pinentry-kwallet @{exec_path} { include include - include + include signal (send) set=(term, kill) peer=gpg-agent, @{exec_path} mr, - @{bin}/date rix, - @{bin}/env rix, - @{bin}/kwalletcli rCx -> kwalletcli, - @{bin}/kwalletcli_getpin rix, - @{bin}/mksh rix, @{bin}/pinentry-* rPx, + @{bin}/kwalletcli_getpin rix, + @{bin}/kwalletcli rCx -> kwalletcli, + + # when wrong PIN is provided + @{bin}/date rix, + + @{bin}/mksh rix, + @{bin}/env rix, + + owner @{HOME}/.Xauthority r, + + /usr/share/hwdata/pnp.ids r, + + profile kwalletcli { include - include @{bin}/kwalletcli mr, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwalletrc r, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - owner @{user_config_dirs}/kwalletrc r, + owner @{HOME}/.Xauthority r, + + /usr/share/hwdata/pnp.ids r, - include if exists } include if exists 
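Review bot: The `kwalletcli` child profile in the pinentry-kwallet `@@ -11,31 +11,42` hunk loses its trailing `include if exists` (the local-override include) while the parent profile and every other profile in this diff keep theirs; without it site-specific additions for kwalletcli cannot be dropped in, so the line should be restored before the child's closing brace. `owner @{HOME}/.Xauthority r,` and `/usr/share/hwdata/pnp.ids r,` are now present in both the parent and the child; that is correct because child profiles do not inherit parent rules, but a comment on the child copy (`# needed here too: child profiles do not inherit parent rules`) would stop a later cleanup from removing one of them.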
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 66729769f..947350b8a 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -3,30 +3,47 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include + include include - include - include + include + include + include + include include include - - ptrace read peer=gpg-agent, + include + include + include @{exec_path} mr, - /etc/machine-id r, + /usr/share/hwdata/pnp.ids r, + /usr/share/icu/@{int}.@{int}/*.dat r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index d775cafe5..c8238688e 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -2,17 +2,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include - include @{exec_path} mr, + /etc/{,opensc/}opensc.conf r, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec new file mode 100644 index 000000000..923d955af --- /dev/null +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -0,0 +1,66 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkexec +profile pkexec @{exec_path} { + include + include + include + include + include + include + + capability audit_write, + capability dac_read_search, + capability net_admin, + capability setgid, # gdbus + capability setuid, # gmain + capability sys_ptrace, + capability sys_resource, + audit deny capability sys_nice, + + network netlink raw, + + signal (send) set=(term, kill) peer=polkit-agent-helper, + + ptrace (read), + + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + + @{exec_path} mr, + + # Apps to be run via pkexec + @{bin}/* rPUx, + @{lib}/{,gvfs/}gvfsd-admin rPx, + @{lib}/cc-remote-login-helper rPx, + @{lib}/update-notifier/package-system-locked rPx, + /usr/share/apport/apport-gtk rPx, + #aa:exec polkit-agent-helper + + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, + /etc/default/locale r, + /etc/shells r, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid r, + + # file_inherit + owner /dev/tty@{int} rw, + owner @{HOME}/.xsession-errors w, + + # Silencer + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent similarity index 93% rename from apparmor.d/groups/polkit/pkttyagent rename to apparmor.d/profiles-m-r/pkttyagent index 436447aef..68c85487b 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
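Review bot: `ptrace (read),` in the new pkexec profile has no `peer=` qualifier, so together with `capability sys_ptrace,` it lets a setuid-root helper read the state of every process on the system; pkexec presumably only needs to inspect the calling process it authenticates (verify in the polkit source), so either scope the rule with `peer=` or add `# pkexec inspects the calling process via /proc; unrestricted because the caller can be any profile` so the breadth is a recorded decision. `@{bin}/* rPUx,` means any binary under `@{bin}` without its own profile runs unconfined as root; that is pkexec's purpose, but the `# Apps to be run via pkexec` comment should say so, e.g. `# Apps to be run via pkexec (PUx: targets without a profile run unconfined as root)`, so a reader sees the fallback is deliberate. A short comment on why `capability sys_nice` is explicitly `audit deny`-ed would complete the picture.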
@@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace read, - signal (send, receive), + ptrace (read), + signal (send,receive), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index 9619326f2..77bad6788 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index 3877f89cd..e66d0c14c 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index afc322958..5e81be8a3 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo deleted file mode 100644 index 324b08f17..000000000 --- a/apparmor.d/profiles-m-r/pokemmo +++ /dev/null 
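Review bot: `signal (send,receive),` drops the space after the comma that the rest of this diff uses in permission lists (`signal (send) set=(term, kill)` in pinentry-kwallet, `signal (receive) set=(term, kill)` in passwd), so `signal (send, receive),` keeps the style consistent. Both `ptrace (read),` and that signal rule remain unqualified by `peer=`; if pkttyagent genuinely has to signal and inspect arbitrary processes, a comment naming which ones (the polkit helper and the requesting process, presumably — verify) would document the breadth rather than leaving it to look accidental.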
@@ -1,98 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pokemmo-launcher -profile pokemmo @{exec_path} flags=(attach_disconnected) { - include - include - include # Installer - include - include # Installer - include - include - include - include # Installer - include - - # The installer is a GTK app and requires a few extra abstractions - # GTK/QT/fonts abstractions are unused by the game itself and can - # be removed if this profile is later split into stacked profiles - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{coreutils_path} ix, - @{python_path} ix, - @{sh_path} ix, - - @{bin}/java ix, - @{bin}/perl ix, - @{bin}/which{,.debianutils} ix, - @{lib}/jvm/java-@{int}-openjdk/bin/java ix, - - # Installer - @{bin}/openssl ix, - @{bin}/ps ix, - @{bin}/wget ix, - @{bin}/zenity ix, - @{lib}/jvm/java-@{int}-openjdk/lib/jspawnhelper ix, - - /etc/lsb-release r, # Installer - /etc/java-openjdk/** r, - /etc/timezone r, - /etc/wgetrc r, # Installer - - # Installer - owner @{HOME}/ r, - owner @{HOME}/.java/fonts/** rw, - owner @{HOME}/.wget-hsts rwk, - - owner @{user_config_dirs}/pokemmo/{,**} rw, - owner @{user_share_dirs}/pokemmo/{,**} rw, - - owner /tmp/hsperfdata_user/ rw, - owner /tmp/hsperfdata_user/@{int} rwk, - owner /tmp/libgdxuser/{,**} rw, - owner /tmp/libgdxuser/**/*.so mrw, - owner /tmp/lwjgl_user/{,**} rw, - owner /tmp/lwjgl_user/**/*.so mrwk, - - @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/cgroups r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/coredump_filter rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - # Installer - @{PROC}/ r, - @{PROC}/uptime r, - @{PROC}/sys/kernel/pid_max r, - owner @{PROC}/@{pid}/cmdline r, - owner 
@{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, - - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, - - /dev/tty rw, - owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate deleted file mode 100644 index 5a10cc9e2..000000000 --- a/apparmor.d/profiles-m-r/pollinate +++ /dev/null @@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pollinate -profile pollinate @{exec_path} { - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/curl rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-query rpx, - @{bin}/hostname rix, - @{bin}/logger rix, - @{bin}/systemd-detect-virt rPx, - @{bin}/xxd rix, - - /etc/cloud/build.info r, - /etc/default/pollinate r, - /etc/lsb-release r, - /etc/pollinate/{,**} r, - - owner /var/cache/pollinate/seeded w, - - owner /tmp/pollinate.@{rand12}/{,**} rw, - - @{PROC}/uptime r, - - /dev/urandom w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 0bbd727ae..a4b93d5b5 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,6 +21,7 @@ profile popularity-contest @{exec_path} { ptrace (read), @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/env rix, 
@@ -41,11 +42,11 @@ profile popularity-contest @{exec_path} { /var/lib/ r, /var/lib/dpkg/info/{,*.list} r, /var/log/ r, - /var/log/popularity-contest.@{int} w, + /var/log/popularity-contest.[0-9]* w, /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, - + @{PROC}/ r, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index e4e923159..067968258 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,6 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability net_admin, 
@@ -28,23 +27,22 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/+platform:* r, @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, - @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/**/status r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/**/power_supply/*/scope r, - @{sys}/devices/**/uevent r, + @{sys}/devices/**/power_supply/*/uevent r, + @{sys}/devices/platform/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, + @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail deleted file mode 100644 index 8a6a2982e..000000000 --- a/apparmor.d/profiles-m-r/protonmail +++ /dev/null 
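Review bot: The explanatory comments on the udev rules were dropped together with the rules, but the surviving `@{run}/udev/data/+platform:* r,` loses its explanation too; restore `# Identifies onboard devices (laptop/board model, power controllers, thermal sensors)` on that line. Narrowing `@{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw` to `energy_performance_preference` and `scaling_governor`, and `@{sys}/devices/**/uevent r` to the `power_supply/*/uevent`, `platform/**/uevent` and `@{pci}/uevent` forms, is a clear improvement; a short comment naming the daemon feature that writes the two cpufreq files (verify) would make the intent explicit for whoever next sees a denial under `policy@{int}/`.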
@@ -1,44 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 curiosityseeker -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = proton-mail "Proton Mail" -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(attach_disconnected) { - include - include - include - - network inet stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - ptrace read peer=protonmail//&xdg-settings, - - @{exec_path} mrix, - - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, - @{open_path} Px -> child-open, - - owner @{user_config_dirs}/ibus/bus/ r, - - @{sys}/devices/@{pci}/boot_vga r, - - owner @{tmp}/gtkprint_ppd_@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index fc8092ef9..3d3878c3e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge @@ -2,13 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{config_dirs} = @{user_config_dirs}/protonmail/{,bridge-v3} -@{cache_dirs} = @{user_cache_dirs}/protonmail/{,bridge-v3} "@{user_cache_dirs}/Proton AG/{,Proton Mail Bridge}" -@{share_dirs} = @{user_share_dirs}/protonmail/{,bridge-v3} +@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 +@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" +@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 @{exec_path} = @{lib}/protonmail/bridge/bridge-gui profile protonmail-bridge @{exec_path} { 
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index a9bd819e3..b7fd0c98a 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -2,22 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# To force the use of the Gnome Keyring or Kwallet secret-service, add the +# To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, -# deny owner @{user_passwordstore_dirs}/** r, +# deny owner @{user_password_store_dirs}/** r, -abi , +abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { +profile protonmail-bridge-core @{exec_path} { include - include include - include - include network inet dgram, network inet6 dgram, @@ -27,16 +24,13 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/pass Cx -> pass, - - @{lib}/protonmail/bridge/bridge-gui ix, + @{bin}/pass rCx -> pass, /etc/lsb-release r, /etc/machine-id r, - /etc/os-release r, - owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, - owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, + owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, + owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, owner @{user_cache_dirs}/protonmail/{,**} rwk, owner @{user_config_dirs}/protonmail/{,**} rwk, 
@@ -45,12 +39,15 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/ r, - @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, + @{PROC}/@{pid}/cgroup r, - deny owner @{user_passwordstore_dirs}/** r, + deny @{bin}/pass x, + deny owner @{user_password_store_dirs}/** r, profile pass { include @@ -72,13 +69,12 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, - owner @{user_passwordstore_dirs}/ r, - owner @{user_passwordstore_dirs}/.gpg-id r, - owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, - owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_passwordstore_dirs}/**/ r, + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/.gpg-id r, + owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, + deny owner @{user_password_store_dirs}/**/ r, /dev/tty rw, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/profiles-m-r/ps similarity index 96% rename from apparmor.d/groups/procps/ps rename to apparmor.d/profiles-m-r/ps index 7663cbf5d..bdcd6cee2 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/profiles-m-r/ps @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -34,7 +34,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index 08b286b5a..f34992ccb 100644 --- a/apparmor.d/profiles-m-r/ps-mem 
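Review bot: The added `deny @{bin}/pass x,` in the main profile conflicts with the `@{bin}/pass rCx -> pass,` rule that the first hunk of this file keeps, since explicit deny rules take precedence over allow rules in AppArmor; as far as I can tell this makes the transition to the `pass` child profile impossible and the whole `profile pass { … }` block dead. It also contradicts the header comment in the first hunk, which presents `deny @{bin}/pass x,` and `deny owner @{user_password_store_dirs}/** r,` as opt-in lines for a user's `local/protonmail-bridge-core` file. Either drop the unconditional deny so the child profile remains the confined path to the password store, or remove the `rCx` rule together with the now-unreachable child, and update the header comment to match whichever is chosen.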
+++ b/apparmor.d/profiles-m-r/ps-mem @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, diff --git a/apparmor.d/groups/cap/pscap b/apparmor.d/profiles-m-r/pscap similarity index 97% rename from apparmor.d/groups/cap/pscap rename to apparmor.d/profiles-m-r/pscap index f4bc2b76e..8a88b26a4 100644 --- a/apparmor.d/groups/cap/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 2ff7b4e71..e764b69f8 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,6 @@ profile psi @{exec_path} { include include include - include include include include @@ -35,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -47,6 +46,8 @@ profile psi @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi/{,**} rw, owner @{user_config_dirs}/autostart/psi.desktop rw, owner @{user_config_dirs}/psi/ rw, @@ -55,9 +56,10 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, 
diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index f72147cc6..d9b1f7fd5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,6 @@ profile psi-plus @{exec_path} { include include include - include include include include @@ -35,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -47,6 +46,8 @@ profile psi-plus @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi+/{,**} rw, owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, @@ -55,9 +56,10 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/utils/pstree b/apparmor.d/profiles-m-r/pstree similarity index 94% rename from apparmor.d/groups/utils/pstree rename to apparmor.d/profiles-m-r/pstree index 4b75a0364..a2630d212 100644 --- a/apparmor.d/groups/utils/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,8 +18,6 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/terminfo/** r, - @{PROC} r, @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/stat r, 
diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index e57e221dd..0ef899263 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/shadow/pwck b/apparmor.d/profiles-m-r/pwck similarity index 89% rename from apparmor.d/groups/shadow/pwck rename to apparmor.d/profiles-m-r/pwck index 456a15af4..af459593a 100644 --- a/apparmor.d/groups/shadow/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/pwck +@{exec_path} = @{bin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include @@ -16,8 +16,7 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - @{etc_ro}/login.defs r, - + /etc/login.defs r, /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile deleted file mode 100644 index 105264ec2..000000000 --- a/apparmor.d/profiles-m-r/pycompile +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean -profile pycompile @{exec_path} flags=(attach_disconnected,complain) { - include - include - include - include - - capability dac_override, - capability dac_read_search, - - @{exec_path} mr, - @{python_path} rix, - - @{bin}/dpkg rCx -> dpkg, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, - - /usr/share/python3/{,**} r, - - / r, - @{bin}/ r, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - @{bin}/dpkg-query rpx, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e0d430443..f9502cf75 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -3,15 +3,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include + include include include + include include include include @@ -27,7 +29,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python, + signal send set=(term, kill) peer=qbittorrent//python3, network inet dgram, network inet6 dgram, @@ -40,7 +42,7 @@ profile qbittorrent @{exec_path} { interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate 
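Review bot: The signal rule now targets `peer=qbittorrent//python3,` while the later hunk of this file keeps the child transition as `@{bin}/python3.@{int} rCx -> python, # For "search engine"`, so the child's label is `qbittorrent//python` and the rule no longer matches it; the search-engine helper could then not be terminated or killed by the parent. Unless the child profile is declared as `profile python3` outside these hunks, change the rule back to `signal send set=(term, kill) peer=qbittorrent//python,` or rename both sides consistently.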
@@ -50,12 +52,12 @@ profile qbittorrent @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} @@ -66,7 +68,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{python_path} rCx -> python, # For "search engine" + @{bin}/python3.@{int} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, @@ -83,6 +85,8 @@ profile qbittorrent @{exec_path} { /usr/share/GeoIP/GeoIP.dat r, /usr/share/gvfs/remote-volume-monitors/{,*} r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, owner @{user_config_dirs}/qBittorrent/ rw, @@ -127,13 +131,13 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{python_path} r, + @{bin}/python3.@{int} r, - owner @{user_share_dirs}/{,data/}qBittorrent/nova@{int}/{,**} rw, + owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, owner @{user_torrents_dirs}/** r, - owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, + owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail owner /dev/shm/* rw, owner @{tmp}/@{int} rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 5129f203b..87bc84d51 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, /dev/shm/#@{int} rw, - + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index f8fd84d3f..958706374 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -2,43 +2,46 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin +@{exec_path} = @{bin}/qemu-ga profile qemu-ga @{exec_path} { include + include + + capability mknod, + capability net_admin, + capability sys_ptrace, + + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace (read) peer=@{p_systemd}, + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={ScheduleShutdown,SetWallMessage} + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl rix, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state rw, - owner @{run}/qga.state.@{rand6} rw, + owner @{run}/qga.state* rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/max_map_count r, + owner @{PROC}/@{pid}/net/dev r, /dev/vport@{int}p@{int} rw, - profile systemctl { - include - include - - capability net_admin, - - unix type=stream addr=@@{udbus}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index d02ff9426..911519459 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi 
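Review bot: Replacing the `systemctl` child profile with `@{bin}/systemctl rix,` runs systemctl under the full qemu-ga policy, which in the same hunk gains `capability mknod,`, `capability net_admin,`, `capability sys_ptrace,`, `ptrace (read) peer=@{p_systemd},` and the `ScheduleShutdown`/`SetWallMessage` D-Bus send; the old `Cx -> systemctl` child held only the `net_admin` and the logind talk rule it needed. Since qemu-ga executes requests that originate on the hypervisor side, I would keep a child profile (`@{bin}/systemctl rCx -> systemctl,`) and move the D-Bus send rule into it. The wildcard `owner @{run}/qga.state* rw,` also widens the two explicit state-file rules it replaces to any name with that prefix; if only `qga.state` and its temporary copy are needed, prefer enumerating them.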
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -55,6 +55,7 @@ profile qnapi @{exec_path} { /tmp/ r, owner @{tmp}/@{hex}.* rw, + owner @{tmp}/** rw, owner @{tmp}/#@{int} rw, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc.lock rwk, diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index f743e95b3..e1ff13a92 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 880476b14..43964d950 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,6 +28,11 @@ profile qt5ct @{exec_path} { owner @{user_config_dirs}/fontconfig/** rw, owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, + owner @{user_config_dirs}/kdeglobals r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index a2485b41d..2202d8c5f 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index 4b0d9b79c..e97bcc2ec 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
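Review bot: The added `owner @{tmp}/** rw,` in the qnapi hunk grants read/write on the whole per-user temp tree and subsumes the specific `owner @{tmp}/@{hex}.* rw,`, `owner @{tmp}/#@{int} rw,` and `QNapi-*-rc` rules beside it, which silently stop mattering. If qnapi writes a particular file that is not yet covered, add that name rather than the wildcard; AppArmor does not warn about the overlap, so the narrower rules give a false impression of precision once the wildcard is present.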
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 73b8f7488..1154ff337 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -3,24 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include - include - include + include + include + include include - include - include - include - include + include + include include - include - include + include + include + include + include include + include + include + include + include network inet dgram, network inet6 dgram, @@ -31,14 +36,9 @@ profile quiterss @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open, + @{bin}/xdg-open rCx -> open, /usr/share/quiterss/** r, - - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/QuiteRss/ rw, owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**, owner @{user_share_dirs}/QuiteRss/ rw, 
@@ -46,19 +46,55 @@ profile quiterss @{exec_path} { owner @{user_cache_dirs}/QuiteRss/ rw, owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**, - owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, - owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, + owner @{PROC}/@{pid}/fd/ r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /usr/share/hwdata/pnp.ids r, /dev/shm/#@{int} rw, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, + owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, + owner /var/tmp/etilqs_@{hex16} rw, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit owner /dev/tty@{int} rw, + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 81f43b3e6..c3a4a8a22 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rdmsr +@{exec_path} = @{bin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 80e58fd7c..dcee35f62 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
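Review bot: `@{lib}/firefox/firefox rPUx,` appears both in the main profile and inside the new `open` child, so the child does not narrow anything for the browser launch: quiterss can exec firefox directly, and `PUx` falls back to unconfined whenever no firefox profile is loaded. If the intent is that external links go only through `xdg-open`, drop the parent-level rule and keep it in the child; otherwise the child profile adds little over the plain `rCx -> open` transition. The `open` child also appears to close without an `include if exists` hook of its own, unlike the main profile directly below it; if this profile set supports local overrides for child profiles, add one before its `}`.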
@@ -2,60 +2,54 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include - include - include + include include include + include include - include + include + include include include - include - include + include + include include include - include - include include - include - include + include network inet stream, network inet6 stream, - network inet dgram, - network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + #aa:dbus own bus=session name=org.remmina.Remmina - @{exec_path} rm, + dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**} + peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members - @{open_path} rPx -> child-open-browsers, + @{exec_path} r, /usr/share/remmina/{,**} r, /usr/share/themes/{,**} r, - /etc/fstab r, + /etc/timezone r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, - /etc/timezone r, + /etc/gtk-3.0/settings.ini r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, - owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, owner @{user_config_dirs}/freerdp/known_hosts2 rwk, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, @@ -64,9 +58,6 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - include if exists } 
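Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,` replaces the two explicit reads of `config` and `known_hosts` with read access to every file in the user's SSH directory, which includes private keys and is a notable widening for a remote-desktop client. If Remmina's SSH tunnel needs identity files, enumerate them (for example `owner @{HOME}/@{XDG_SSH_DIR}/id_* r,` alongside `config` and `known_hosts`) rather than the whole directory. Separately, `@{exec_path} r,` loses the `m` that most profiles in this diff grant their own binary (`@{exec_path} mr,`); unless the binary is never mapped executable by the loader, this may surface as an mmap denial at start-up.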
diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 5ad84fb15..6f3ba2417 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, @@ -51,7 +51,7 @@ profile repo @{exec_path} { owner @{tmp}/ssh-*/ rw, owner /dev/shm/* rw, - owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*, + owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 866b7cbfa..4ef5e6b42 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -55,6 +55,7 @@ profile reprepro @{exec_path} { owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, + profile gpg { include @@ -65,7 +66,6 @@ profile reprepro @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 38d482326..114846812 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/resize2fs +@{exec_path} = @{bin}/resize2fs profile resize2fs @{exec_path} { include - include include include 
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 8e39c7620..6dfe82b6e 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -2,11 +2,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/resolvconf +@{exec_path} = @{bin}/resolvconf profile resolvconf @{exec_path} { include include @@ -15,7 +15,6 @@ profile resolvconf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/cp rix, @{bin}/flock rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -23,34 +22,19 @@ profile resolvconf @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rix, @{bin}/sed rix, - @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - @{lib}/resolvconf/{,**} r, + /usr/lib/resolvconf/{,**} r, - @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, - /etc/resolvconf.conf r, /etc/resolvconf/{,**} r, /etc/resolvconf/update.d/libc rix, - / r, - owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/run-lock wk, /dev/tty rw, - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c65298b27..f64dd20ba 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rfkill +@{exec_path} = @{bin}/rfkill profile rfkill @{exec_path} { include @@ -15,8 +15,8 @@ profile rfkill @{exec_path} { /dev/rfkill rw, - @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, + @{sys}/devices/@{pci}/rfkill[0-9]/{name,type} r, + @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, include if exists } 
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 2e548d40c..0f65d8f71 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -3,16 +3,15 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rngd +@{exec_path} = @{bin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability net_admin, @@ -25,6 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 7b48d57b1..641217f56 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -3,22 +3,29 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/rpi-imager -profile rpi-imager @{exec_path} flags=(complain) { +profile rpi-imager @{exec_path} { include include - include include + include + include include - include + include + include + include + include include + include + include include include include + include #capability sys_admin, # deny capability sys_nice, 
@@ -35,15 +42,18 @@ profile rpi-imager @{exec_path} flags=(complain) { @{bin}/lsblk rPx, /etc/fstab r, + /etc/X11/cursors/*.theme r, + /usr/share/hwdata/pnp.ids r, + /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, owner "@{user_cache_dirs}/Raspberry Pi/" rw, owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", - - owner "@{user_config_dirs}/Raspberry Pi/" rw, - owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**", + owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, + owner @{user_cache_dirs}/ rw, + owner @{user_config_dirs}/QtProject.conf r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool index 97e96d652..d8024b279 100644 --- a/apparmor.d/profiles-m-r/rredtool +++ b/apparmor.d/profiles-m-r/rredtool @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index c5e5ac051..423e7e41a 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd 
@@ -3,36 +3,37 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rsyslogd +# Debugging the syslogger can be difficult if it can't write to the file +# that the kernel is logging denials to. In these cases, you can do the +# following: +# watch -n 1 'dmesg | tail -5' + +@{exec_path} = @{bin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include - capability dac_override, - capability dac_read_search, - capability setgid, + capability chown, # For creating new log files and changing their owner/group + capability net_admin, # For remote logs + capability setgid, # For downgrading privileges capability setuid, capability sys_nice, - capability sys_tty_config, capability syslog, - network inet dgram, - network inet6 dgram, - - signal receive set=hup peer=@{p_systemd}, - @{exec_path} mr, - @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, + /etc/CA/*.crt r, + /etc/CA/*.key r, + /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, @@ -45,7 +46,6 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 68837a52d..21e715579 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
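Review bot: `capability net_admin, # For remote logs` is inconsistent with the same hunk removing `network inet dgram,` and `network inet6 dgram,`: without network rules the profile has no socket access for remote logging at all, and sending or receiving syslog over UDP or TCP does not require `net_admin` in the first place. Either restore the network rules (adding `inet stream`/`inet6 stream` if a TLS transport is used) and drop `net_admin`, or document which rsyslog feature actually needs the capability. The added `/etc/CA/*.key r,` grants read access to TLS private keys; that is reasonable for a TLS-enabled syslog server but deserves an inline comment naming the feature, as the neighbouring capability lines now have.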
@@ -23,6 +23,11 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), + @{exec_path} mr, # When applying policies to processes diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 733573d6b..d855c0a35 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/rtkitctl +@{exec_path} = @{bin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index e5d44e13a..8fe649ff5 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,12 +14,10 @@ profile run-parts @{exec_path} { include include - capability mknod, - - @{exec_path} mrix, - + @{exec_path} mr, + @{sh_path} rix, - @{sbin}/anacron rix, + @{bin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -31,9 +29,8 @@ profile run-parts @{exec_path} { /etc/ r, /etc/anacrontab r, /etc/conf.d/snapper{,**} r, - /etc/default/* r, - /etc/profile.d/{,**} r, /etc/snapper/configs/root r, + # Crontab /etc/cron.{hourly,daily,weekly,monthly}/ r, 
@@ -46,6 +43,7 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, @@ -58,7 +56,6 @@ profile run-parts @{exec_path} { /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, - /etc/cron.{hourly,daily,weekly,monthly}/snapper rPUx, /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, 
@@ -107,39 +104,140 @@ profile run-parts @{exec_path} { # Motd /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, + /etc/update-motd.d/* rCx -> motd, + + # Kernel + /etc/kernel/header_postinst.d/ r, + /etc/kernel/header_postinst.d/dkms rCx -> kernel, + + /etc/kernel/postinst.d/ r, + /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, + /etc/kernel/postinst.d/dkms rCx -> kernel, + /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, + /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, + /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/zz-shim rCx -> kernel, + /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - # Kernel - /etc/kernel/{,header_}postinst.d/ r, - /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/* rPx, + /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, + /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, + /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/* rPx, + /etc/kernel/preinst.d/intel-microcode rCx -> kernel, + /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/* rPx, + /etc/kernel/prerm.d/dkms rCx -> kernel, - # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - /root/ r, - - /var/spool/anacron/cron.daily k, + /usr/share/landscape/landscape-sysinfo.wrapper rPUx, owner @{tmp}/#@{int} rw, - owner @{tmp}/$anacron@{rand6} rw, - owner @{tmp}/file@{rand6} rw, - - owner @{sys}/class/power_supply/ r, - - @{run}/motd.dynamic.new w, + owner @{tmp}/$anacron* rw, + owner @{tmp}/file@{rand6} ra, + + owner @{sys}/class/power_supply/ r, /dev/tty@{int} rw, + profile motd { + include + include + + @{sh_path} rix, + @{bin}/{e,}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/sort rix, + @{bin}/tr rix, + 
@{bin}/uname rix, + + @{bin}/snap rPUx, + @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, + @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, + @{lib}/update-notifier/update-motd-reboot-required rix, + /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + /usr/share/update-notifier/notify-updates-outdated rPx, + + / r, + /etc/default/motd-news r, + /etc/lsb-release r, + /etc/update-motd.d/* r, + + /var/cache/motd-news rw, + /var/lib/update-notifier/updates-available r, + /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + + @{run}/motd.d/{,*} r, + + @{PROC}/@{pids}/mounts r, + + /dev/tty@{int} rw, + } + + profile kernel { + include + include + include + + capability sys_module, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/apt-config rPx, + @{bin}/dkms rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{bin}/update-grub rPUx, + @{bin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + } + include if exists } diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper deleted file mode 100644 index 94b3816c9..000000000 --- a/apparmor.d/profiles-m-r/runit-helper +++ /dev/null 
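Review bot: `@{bin}/update-grub rPUx,` in the new `kernel` child profile falls back to running update-grub unconfined whenever no `update-grub` profile is loaded, and this child also holds `capability sys_module` and write access under `@{lib}/modules/*/updates/`; the neighbouring `@{bin}/update-initramfs rPx,` and `@{bin}/dkms rPx,` use the strict form, so `@{bin}/update-grub rPx,` would be consistent unless the fallback is intentional, in which case a comment should say why. The same fallback applies to `@{bin}/snap rPUx,` in the `motd` child. The enclosing run-parts profile header is outside this hunk.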
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/runit-helper/runit-helper -profile runit-helper @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/mkdir rix, - - @{run}/runit/ rw, - @{run}/runit/supervise/ w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 4bd569955..97100f32a 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -3,37 +3,50 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/runuser +@{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include - include include + include include include + # To remove the following errors: + # runuser: cannot set user id: Operation not permitted capability setuid, + + # To remove the following errrors: + # runuser: cannot set groups: Operation not permitted capability setgid, + + # To write records to the kernel auditing log. capability audit_write, + + # Needed? (#FIXME#) capability sys_resource, network netlink raw, @{exec_path} mr, - @{bin}/@{shells} rUx, + # Shells to use + @{bin}/{,b,d,rb}ash rpux, + @{bin}/{c,k,tc,z}sh rpux, + + owner @{PROC}/@{pid}/loginuid r, + @{PROC}/1/limits r, @{etc_ro}/security/limits.d/ r, + /etc/default/runuser r, + # file_inherit owner @{tmp}/debian-security-support.postinst.*/output w, - @{PROC}/1/limits r, - owner @{PROC}/@{pid}/loginuid r, - include if exists } diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 3e6791ddc..956aaeaa4 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -1,8 +1,7 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
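Review bot: `@{bin}/{,b,d,rb}ash rpux,` and `@{bin}/{c,k,tc,z}sh rpux,` use the lowercase exec modes, so the environment is handed unscrubbed to the child shell (and, when no profile for that shell exists, to an unconfined process); the rule they replace, `@{bin}/@{shells} rUx,`, scrubbed it. Since runuser's purpose is to drop from root to another account, variables such as `LD_PRELOAD`/`LD_LIBRARY_PATH` surviving into that shell is exactly what the uppercase modes exist to prevent, so `@{bin}/{,b,d,rb}ash rPUx,` and `@{bin}/{c,k,tc,z}sh rPUx,` keep the previous intent. Dropping the `@{shells}` variable for a literal list also diverges from how the other profiles on this page name shells.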
@@ -10,7 +9,9 @@ include profile rustdesk @{exec_path} { include include + include include + include include include include @@ -33,9 +34,9 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, - @{bin}/sudo rCx -> sudo, - @{python_path} rCx -> python, - @{sh_path} rCx -> shell, + @{bin}/sudo rCx -> sudo, + @{bin}/python3.@{int} rPx -> rustdesk_python, + @{sh_path} rPx -> rustdesk_shell, /etc/gdm{,3}/custom.conf r, 
@@ -58,72 +59,80 @@ profile rustdesk @{exec_path} { profile sudo { include - include include + include @{bin}/rustdesk rPx, - @{python_path} rPx -> rustdesk//python, + @{bin}/python3.@{int} rPx -> rustdesk_python, include if exists } - profile python { - include - include - - capability dac_read_search, - capability dac_override, - - @{python_path} r, - - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rix, - /usr/share/rustdesk/files/pynput_service.py rix, - - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, - - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists - } - - profile shell { - include - - capability dac_override, - capability dac_read_search, - capability sys_ptrace, - - ptrace read, - - @{sh_path} r, - - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, - - @{bin}/ps rPx, - - @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - - include if exists - } - include if exists } +profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py { + include + + @{exec_path} r, + + include if exists +} + +profile rustdesk_python { + include + include + + capability dac_read_search, + capability dac_override, + + @{bin}/python3.@{int} r, + + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/uname rPx, + /usr/share/rustdesk/files/pynput_service.py rPx, + + /usr/share/[rR]ust[dD]esk/files/{,**} r, + /tmp/[rR]ust[dD]esk/ w, + /tmp/[rR]ust[dD]esk/pynput_service rw, + + @{run}/user/@{uid}/gdm{,3}/Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + + # X-tiny + /tmp/.X11-unix/* rw, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.Xauthority r, + + include if exists +} + +profile rustdesk_shell { + include + + capability sys_ptrace, + capability dac_read_search, + deny capability 
dac_override, + + ptrace (read), + + @{sh_path} r, + + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + + @{bin}/ps rPx, + + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/environ r, + + include if exists +} + # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index fc0c7d9bd..0707f9c8f 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -1,12 +1,11 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/rustdesk-utils +@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils profile rustdesk-utils @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index 3552b6dc0..ccbbb2494 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -37,10 +37,10 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/YACReader/YACReader/ rw, owner @{user_share_dirs}/YACReader/YACReader/** rwlk, + /dev/shm/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index e6c231df3..418167345 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
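Review bot: `@{PROC}/@{pid}/environ r,` in the new standalone `rustdesk_shell` profile carries no `owner` qualifier and sits next to `capability sys_ptrace,` and an unrestricted `ptrace (read),`, so the helper shell can read the environment of every process on the host, which is where other services commonly keep tokens and passwords. The `ps`/`grep`/`xargs` tool set suggests it only locates the user's display session; if so, `owner @{PROC}/@{pid}/environ r,` plus a `peer=` qualifier on the ptrace rule narrows it, and if it genuinely must cross users a comment should record which processes it needs. The old `rustdesk//shell` child had the same rule, so this is pre-existing but now worth fixing while the profile is being restructured.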
@@ -2,27 +2,23 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include include - include include - include - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, network netlink dgram, - network netlink raw, @{exec_path} mr, @@ -33,7 +29,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/machine-id r, - owner @{user_books_dirs}/{,**} rw, + owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, owner @{user_cache_dirs}/YACReader/ rw, @@ -47,10 +43,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, - @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index aaf34d49c..d614330d2 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -38,22 +38,33 @@ profile s3fs @{exec_path} { profile fusermount { include - include + include + + capability dac_read_search, + capability sys_admin, network inet stream, network inet6 stream, mount fstype=fuse.s3fs -> @{MOUNTS}/, mount fstype=fuse.s3fs -> @{MOUNTS}/*/, - + umount @{MOUNTS}/, umount @{MOUNTS}/*/, + + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, owner @{tmp}/s3fstmp.* rw, + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 04ee747bf..aadad6860 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid 
@@ -2,29 +2,32 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/sanoid +@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{sh_path} rix, @{bin}/perl rix, @{bin}/ps rPx, - @{bin}/zfs rPx, + /{usr/,}{local/,}{s,}bin/zfs rPx, - /usr/share/sanoid/{,**} r, + /etc/sanoid/{*,} r, - /etc/sanoid/{,*} r, + /var/cache/sanoid/snapshots.txt rw, - /var/cache/sanoid/{,**} rw, + /usr/share/sanoid/{**,} r, @{run}/sanoid/ rw, - @{run}/sanoid/** rwk, + @{run}/sanoid/sanoid_cacheupdate.lock rwk, + @{run}/sanoid/sanoid_pruning.lock rwk, + + owner @{tmp}/** rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index a4fdbac88..938ecb638 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -2,14 +2,13 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include - include capability dac_read_search, capability linux_immutable, @@ -19,15 +18,11 @@ profile sbctl @{exec_path} { @{bin}/lsblk rPx, /usr/share/secureboot/{,**} rw, - /var/lib/sbctl/{,**} rw, /{boot,efi}/{,**} r, /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, @{lib}/fwupd/efi/{,**} rw, - @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, - - @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @@ -35,6 +30,10 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + /dev/pts/@{int} rw, + # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 83af575dd..8903fe287 100644 
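Review bot: `owner @{tmp}/** rw,` gives sanoid, which presumably runs as root from cron, read/write on every root-owned path under /tmp, far wider than the single cache file and two lock files the hunk otherwise enumerates; if the need is a Perl temporary file, a pattern such as `owner @{tmp}/[PLACEHOLDER-prefix]@{rand6} rw,` (constructed, adjust to the observed name) would cover it. The hunk also rewrites `@{bin}/sanoid` and `@{bin}/zfs` as the literal `/{usr/,}{local/,}{s,}bin/` alternation while leaving `@{bin}/perl rix,` and `@{bin}/ps rPx,` as they were, so the same file now mixes both conventions. Note the profile is still `flags=(complain)`, so none of this is enforced yet.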
--- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,6 +25,7 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, + /usr/share/icons/{,**} r, /etc/machine-id r, @@ -33,8 +34,6 @@ profile scrcpy @{exec_path} { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{PROC}/@{pid}/cmdline r, - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot index 9573da520..377bb7962 100644 --- a/apparmor.d/profiles-s-z/scrot +++ b/apparmor.d/profiles-s-z/scrot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv index 4f6b26e39..cfc6c1b3c 100644 --- a/apparmor.d/profiles-s-z/sdcv +++ b/apparmor.d/profiles-s-z/sdcv @@ -3,7 +3,7 @@ # Copyright (C) 2023 Andy Ramos # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 9c3f6d9df..3ded8b7ae 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index ca2d43a65..618332bce 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,12 +18,19 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, - @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, + @{sys}/devices/**/hwmon*/{,**/} r, + @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, + @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, + @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, + @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, + @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/**/hwmon*/{,**} r, + @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, + @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, + @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index d21cf6f56..5eececb0b 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/sensors-detect +@{exec_path} = @{bin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} rm, - + @{bin}/kmod rCx -> kmod, @{bin}/perl r, @{bin}/systemctl rCx -> systemctl, 
@@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, @@ -50,7 +50,7 @@ profile sensors-detect @{exec_path} { include include - include if exists + include if exists } profile systemctl { diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop deleted file mode 100644 index 4fd9dff69..000000000 --- a/apparmor.d/profiles-s-z/session-desktop +++ /dev/null @@ -1,47 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {S,s}ession -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/session-messenger-desktop @{lib_dirs}/session-desktop -profile session-desktop @{exec_path} { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, - - @{open_path} rPx -> child-open-strict, - - deny / r, - deny @{HOME}/ r, - deny @{HOME}/.pki/{,**} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, - deny @{user_cache_dirs}/thumbnails/** rw, - deny /etc/machine-id r, - deny /var/lib/dbus/machine-id r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 019e89e23..25fe43065 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,6 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, - @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 7fdfddcbb..79398e82d 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -2,11 +2,11 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/setvtrgb +@{exec_path} = @{bin}/setvtrgb profile setvtrgb @{exec_path} { include include @@ -15,8 +15,6 @@ profile setvtrgb @{exec_path} { @{exec_path} mr, - /etc/console-setup/vtrgb r, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 05ab2273f..5b75a27ef 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -3,16 +3,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/sfdisk +@{exec_path} = @{bin}/sfdisk profile sfdisk @{exec_path} { include - include include + # Needed to avoid the following error: + # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) + # + # Checking that no-one is using this disk right now ... FAILED + # This disk is currently in use - repartitioning is probably a bad idea. + # Umount all file systems, and swapoff all swap partitions on this disk. + # Use the --no-reread flag to suppress this check. capability sys_admin, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 4e68816d7..00a8c7a56 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk 
@@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/sgdisk +@{exec_path} = @{bin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan deleted file mode 100644 index a005708db..000000000 --- a/apparmor.d/profiles-s-z/simple-scan +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/simple-scan -profile simple-scan @{exec_path} { - include - include - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - - /usr/share/snmp/{,**} r, - - /etc/sane.d/{,**} r, - - @{sys}/bus/scsi/devices/ r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - @{PROC}/scsi/scsi r, - - /dev/video@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 1890510ae..eb9866b53 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -4,7 +4,7 @@ # https://github.com/SagerNet/sing-box -abi , +abi , include @@ -12,6 +12,7 @@ include profile sing-box @{exec_path} { include include + include capability net_bind_service, @@ -30,6 +31,8 @@ profile sing-box @{exec_path} { owner @{user_share_dirs}/certmagic/** rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + include if exists } diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index ed4dd8d5e..0ec43cc9b 100644 
--- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,7 +10,7 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include - userns, + # userns, capability net_admin, capability setpcap, diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp deleted file mode 100644 index 740af9b7b..000000000 --- a/apparmor.d/profiles-s-z/slurp +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/slurp -profile slurp @{exec_path} { - include - include - include - - @{exec_path} mr, - - /usr/share/icons/{,**} r, - - # often used in combination with grim screen cature tool - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index d025d160b..6487e82e3 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/smartctl +@{exec_path} = @{bin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 60a77a782..4548813bf 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -4,19 +4,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/smartd +@{exec_path} = @{bin}/smartd profile smartd @{exec_path} { include include include - capability net_admin, - capability sys_admin, capability sys_rawio, + capability sys_admin, + + # Needed? + audit capability net_admin, @{exec_path} mr, 
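Review bot: `# userns,` disables the rule without saying why, and with the rest of the profile unchanged a reader cannot tell whether the parser in use rejects the keyword or the permission was found unnecessary; on kernels that mediate user namespaces a profile without `userns,` has its CLONE_NEWUSER denied, so the distinction matters. Record it inline, e.g. `# userns, # FIXME: not accepted by the apparmor parser this policy currently targets` if that is the reason, so the rule can be restored once the constraint goes away. The slirp4netns profile header is in this hunk but its body continues past it.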
@@ -39,6 +41,8 @@ profile smartd @{exec_path} { /var/lib/smartmontools/smartd.*.state{,~} rw, /var/lib/smartmontools/attrlog.*.csv rw, + /tmp/tmp.* rw, + @{run}/systemd/notify rw, @{sys}/class/scsi_host/ r, diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool index a0d9600ad..010226342 100644 --- a/apparmor.d/profiles-s-z/smbspool +++ b/apparmor.d/profiles-s-z/smbspool @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 858c73637..d8de18f20 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,13 +12,22 @@ profile smplayer @{exec_path} { include include include - include + include include - include + include + include + include + include include + include include include include + include + include + + # Needed for hardware decoding + ##include signal (send) set=(term, kill), signal (receive) set=(term, kill), @@ -35,7 +44,7 @@ profile smplayer @{exec_path} { @{bin}/pacmd rPx, @{bin}/smtube rPx, @{bin}/youtube-dl rPx, - @{bin}/{y,}t-dlp rPx, + @{bin}/yt-dlp rPx, /usr/share/hwdata/pnp.ids r, @@ -53,6 +62,8 @@ profile smplayer @{exec_path} { owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int}, + owner @{user_cache_dirs}/#@{int} rw, + owner @{tmp}/qtsingleapp-smplay-* rw, owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, owner @{tmp}/smplayer_preview/ rw, @@ -76,4 +87,5 @@ profile smplayer @{exec_path} { include if exists } + # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index c318328b6..af761d43c 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube 
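Review bot: `/tmp/tmp.* rw,` is added without an `owner` qualifier and on the literal `/tmp` rather than the `@{tmp}` variable the other profiles on this page use; smartd runs as root, and read/write on a predictable name pattern in a world-writable directory is where symlink and pre-creation races occur, so `owner @{tmp}/tmp.* rw,` at least keeps the daemon off files other users placed there. If this is mktemp output from a script smartd spawns (the caller is not visible here), a comment naming that script would help the next reviewer judge the pattern. The smartd profile header is outside this hunk.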
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -68,11 +68,38 @@ profile smtube @{exec_path} { @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, - @{open_path} rPx -> child-open, + @{bin}/xdg-open rCx -> open, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty@{int} rw, + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{lib}/firefox/firefox rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap new file mode 100644 index 000000000..f59fd9226 --- /dev/null +++ b/apparmor.d/profiles-s-z/snap 
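Review bot: the new `open` child profile re-implements what `@{open_path} rPx -> child-open,` (the rule it replaces) already centralises, and `@{lib}/firefox/firefox rPUx,` is now hard-coded both in the parent and in the child, so allowing another browser means editing two places in this profile alone. If the shared child-open profile is unusable here, a comment at the `@{bin}/xdg-open rCx -> open,` line stating why would keep the duplication from being reverted by the next cleanup. The smtube profile header is outside this hunk.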
@@ -0,0 +1,115 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} + +@{exec_path} = @{bin_dirs}/snap +profile snap @{exec_path} { + include + include + include + include + include + include + + capability dac_read_search, + capability setuid, + capability sys_admin, + + network netlink raw, + + unix (send, receive) type=stream peer=(label=apt), + + mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, + + #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.Settings + + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/portal/documents + interface=org.freedesktop.portal.Documents + member=GetMountPoint + peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + + @{exec_path} mrix, + + @{bin}/mount rix, + + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/systemctl rCx -> systemctl, + + @{lib_dirs}/snapd/snap-confine rPx, + @{lib_dirs}/snapd/snap-seccomp rPx, + @{lib_dirs}/snapd/snapd rPx, + + /etc/fstab r, + + /var/lib/snapd/{,**} rwk, + /var/cache/snapd/commands.db rwk, + /var/cache/snapd/names r, + + @{DESKTOP_HOME}/snap/{,**} rw, + @{HOME}/snap/{,**} rw, + /snap/{,**} rw, + + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, + + @{run}/user/@{uid}/bus rw, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/snapd-session-agent.socket rw, + owner @{run}/user/@{uid}/systemd/notify rw, + + @{run}/mount/utab r, + @{run}/snapd.socket rw, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/features/{,**} r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/cgroups 
r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/version r, + owner @{PROC}/@{pid}/mounts r, + + /dev/tty@{int} rw, + /dev/ttyS@{int} rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + + owner @{HOME}/.snap/gnupg/ rw, + owner @{HOME}/.snap/gnupg/** rwkl, + + include if exists + } + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/profiles-s-z/snap-bootstrap similarity index 50% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd rename to apparmor.d/profiles-s-z/snap-bootstrap index b18bd6bd5..71a4ad8f2 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd +++ b/apparmor.d/profiles-s-z/snap-bootstrap @@ -2,17 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator -profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{lib}/snapd/snap-bootstrap +profile snap-bootstrap @{exec_path} { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/snap/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper similarity index 97% rename from apparmor.d/groups/snap/snap-device-helper rename to apparmor.d/profiles-s-z/snap-device-helper index 5a9fded35..ec342d4e2 100644 --- a/apparmor.d/groups/snap/snap-device-helper +++ b/apparmor.d/profiles-s-z/snap-device-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
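Review bot: `/snap/{,**} rw,` together with `@{HOME}/snap/{,**} rw,` and `@{DESKTOP_HOME}/snap/{,**} rw,` (none with `owner`) gives the `snap` client write access over the whole snap mount tree and every user's snap data, while the client's normal path is `@{run}/snapd.socket rw,` a few lines below with snapd doing the file work, so these look wider than whatever denial motivated them. The `mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,` rule names neither a source nor an `fstype`, so any device can be mounted there; adding the expected `fstype=` narrows it. The abstraction names in the `include` lines are not legible on this page, so I could not check what they already grant.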
diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns similarity index 86% rename from apparmor.d/groups/snap/snap-discard-ns rename to apparmor.d/profiles-s-z/snap-discard-ns index 0ccb3f1c7..ab90529b7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { @@ -20,7 +20,6 @@ profile snap-discard-ns @{exec_path} { umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, - @{lib_dirs}/**.so* mr, / r, @{run}/ r, diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/profiles-s-z/snap-failure similarity index 83% rename from apparmor.d/groups/snap/snap-failure rename to apparmor.d/profiles-s-z/snap-failure index bed3a2d12..df8fe47fb 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -2,30 +2,31 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { include @{exec_path} mr, - @{lib_dirs}/**.so* mr, @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, /var/lib/snapd/sequence/snapd.json r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/cmdline r, profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/profiles-s-z/snap-repair new file mode 100644 index 000000000..d5f282ffa --- /dev/null +++ b/apparmor.d/profiles-s-z/snap-repair 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/snapd/snap-repair +profile snap-repair @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp similarity index 57% rename from apparmor.d/groups/snap/snap-seccomp rename to apparmor.d/profiles-s-z/snap-seccomp index 90c1724be..0da410bca 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -2,36 +2,29 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} flags=(attach_disconnected) { +profile snap-seccomp @{exec_path} { include include include - capability dac_read_search, - network netlink raw, @{exec_path} mr, - @{lib_dirs}/**.so* mr, - - @{bin}/getent rix, /var/lib/snapd/seccomp/bpf/{,**} rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + owner @{PROC}/@{pids}/mountinfo r, - /apparmor/.null rw, - - # file_inherit, safe to deny - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns similarity index 61% rename from apparmor.d/groups/snap/snap-update-ns rename to apparmor.d/profiles-s-z/snap-update-ns index 5d08a4240..e9315f5c7 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns 
@@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { @@ -18,46 +18,24 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> @{efi}/, + mount -> /boot/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, - - umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, umount /snap/**, - umount /tmp/.snap/**, - umount /usr/share/xml/iso-codes/, umount /var/lib/dhcp/, @{exec_path} mr, - @{lib_dirs}/**.so* mr, - - @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - - /usr/share/xml/ r, - /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, - @{lib}/ r, - /usr/ r, - /usr/local/ r, - /usr/local/share/ r, - /usr/local/share/doc/ rw, - /usr/local/share/fonts/ rw, - /usr/share/ r, - /usr/share/drirc.d w, - /usr/share/X11/ r, - /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, owner /var/ rw, - owner /var/lib/ rw, - owner /var/lib/snapd/ rw, owner /var/snap/ rw, owner /var/snap/**/ rw, @@ -68,8 +46,8 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/profiles-s-z/snapd similarity index 61% rename from apparmor.d/groups/snap/snapd rename to apparmor.d/profiles-s-z/snapd index 87e535b3f..3892a8ca4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/profiles-s-z/snapd 
@@ -2,12 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { 
@@ -28,63 +28,57 @@ profile snapd @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, - capability mac_admin, capability net_admin, capability setgid, capability setuid, capability sys_admin, capability sys_ptrace, + capability sys_resource, network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, - network unix stream, mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/, umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace read peer=@{p_systemd}, - ptrace read peer=snap{,.*}, + ptrace (read) peer=snap, + ptrace (read) peer=@{p_systemd}, - signal send set=kill peer=snapd//journalctl, + unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1), + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, - @{sh_path} rix, - @{sbin}/adduser rPx, - @{sbin}/apparmor_parser rPx, - @{bin}/cp rix, - @{bin}/getent rix, - @{sbin}/groupadd rPx, - @{bin}/gzip rix, + @{bin}/adduser rPx, + @{bin}/groupadd rPx, @{bin}/hostnamectl rPx, - @{bin}/journalctl rCx -> journalctl, + @{bin}/ssh-keygen rPx, + @{bin}/useradd rPx, + + @{sh_path} rix, + @{bin}/apparmor_parser rPx, + @{bin}/cp rix, + @{bin}/gzip rix, + @{bin}/journalctl rPx, @{bin}/kmod rPx, @{bin}/mount rix, - @{sbin}/runuser rCx -> runuser, - @{bin}/ssh-keygen rPx, + @{bin}/runuser rCx -> runuser, @{bin}/sync rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/tar rix, @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, - @{sbin}/useradd rPx, 
@{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, @@ -97,24 +91,21 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/ rw, - /usr/share/dbus-1/{system,session}.d/snapd* rw, + /usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy* rw, + /usr/share/polkit-1/actions/{,**/} r, - @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, + /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, - /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} rw, + /etc/systemd/user/{,**/} r, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, @@ -128,14 +119,12 @@ profile snapd @{exec_path} { /var/cache/apparmor/*/snap* rw, /tmp/ r, - /tmp/read-file@{int}/{,**} rw, - /tmp/snapd@{int}/ rw, - /tmp/snapd@{int}/** rw, /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, + /tmp/read-file@{int}/{,**} rw, - @{efi}/ r, - @{efi}/grub/grubenv r, + /boot/ r, + /boot/grub/grubenv r, / r, /home/ r, @@ -149,11 +138,9 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, - @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, - @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, 
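Review bot: `@{bin}/systemctl rix,` replaces the former `rCx -> systemctl` transition, so systemctl now runs with the whole snapd profile — `capability sys_admin`, `net_admin`, `sys_ptrace`, the mount/umount rules and `ptrace (read) peer=@{p_systemd}` — instead of the much smaller child profile that the last hunk of this file deletes. If the child profile was dropped for maintenance reasons, `@{bin}/systemctl rPx,` keeps a reduced privilege set via the standalone systemctl profile this package ships (the steam profile below already transitions to it with `rPx -> systemctl`). In the same hunk, `peer=(name=org.freedesktop.login1, label=systemd-logind)` hard-codes a label the removed line expressed as `@{p_systemd_logind}`; the variable form tracks renames of that profile.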
@@ -161,15 +148,17 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/*.slice/ r, - @{sys}/fs/cgroup/*.slice/{,**/} r, - @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, - @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, - @{sys}/kernel/security/apparmor/.notify r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, @@ -182,62 +171,10 @@ profile snapd @{exec_path} { /dev/loop-control rw, - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - network netlink raw, - - ptrace read peer=@{p_systemd}, - - /etc/systemd/system/{,**/} r, - /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} rw, - /etc/systemd/user/**/*snap* rw, - /etc/systemd/user/*snap* rw, - - @{run}/systemd/notify rw, - - include if exists - } - - profile journalctl { - include - include - - capability net_admin, - capability sys_resource, - - network netlink raw, - - signal receive set=kill peer=snapd, - - @{bin}/journalctl mr, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{run}/systemd/notify w, - - include if exists - } - profile runuser { include - @{sbin}/runuser mr, - - @{sh_path} ix, - @{bin}/gzip ix, - @{bin}/tar ix, - - owner @{HOME}/snap/*/{,**} r, + @{bin}/runuser mr, include if exists } 
diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener similarity index 78% rename from apparmor.d/groups/snap/snapd-aa-prompt-listener rename to apparmor.d/profiles-s-z/snapd-aa-prompt-listener index 37730ba6f..3e3045b80 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -2,21 +2,22 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { include @{exec_path} mrix, - @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui similarity index 82% rename from apparmor.d/groups/snap/snapd-aa-prompt-ui rename to apparmor.d/profiles-s-z/snapd-aa-prompt-ui index 99dc98efe..d7b9b3713 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui @@ -2,18 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { include @{exec_path} mrix, - @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor similarity index 77% rename from apparmor.d/groups/snap/snapd-apparmor rename to apparmor.d/profiles-s-z/snapd-apparmor index 47b939fa0..22a9c5faa 100644 --- a/apparmor.d/groups/snap/snapd-apparmor 
+++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { @@ -15,14 +15,15 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{sbin}/apparmor_parser rPx, + @{bin}/apparmor_parser rPx, - @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, /var/lib/snapd/apparmor/profiles/ r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup new file mode 100644 index 000000000..fffbc4468 --- /dev/null +++ b/apparmor.d/profiles-s-z/snapd-core-fixup @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh +profile snapd-core-fixup @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot deleted file mode 100644 index 91ca7cd69..000000000 --- a/apparmor.d/profiles-s-z/snapshot +++ /dev/null 
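Review bot: `@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh` names a shell script, but the new snapd-core-fixup profile grants only `@{exec_path} mr,` and no exec permission for its interpreter, so the script cannot start under this profile. The other script profile in this diff, spectre-meltdown-checker, pairs `@{exec_path} r,` with `@{sh_path} rix,`; the same is needed here, plus rules for whatever the script itself invokes, which I cannot see from the profile alone.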
@@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# vim:syntax=apparmor - -abi , - -include - -@{exec_path} = @{bin}/snapshot -profile snapshot @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - - owner @{user_pictures_dirs}/Camera/{,**} rw, - owner @{user_videos_dirs}/Camera/{,**} rw, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth index 60111288f..754908eac 100644 --- a/apparmor.d/profiles-s-z/spacefm-auth +++ b/apparmor.d/profiles-s-z/spacefm-auth @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker new file mode 100644 index 000000000..33c02ce44 --- /dev/null +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
@@ -0,0 +1,184 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} +profile spectre-meltdown-checker @{exec_path} { + include + include + + # Needed to read the /dev/cpu/@{int}/msr device + capability sys_rawio, + + # Needed to read system logs + capability syslog, + + # Used by readlink + capability sys_ptrace, + ptrace (read), + + @{exec_path} r, + + @{bin}/ r, + @{bin}/{,@{multiarch}-}objdump rix, + @{bin}/{,@{multiarch}-}readelf rix, + @{bin}/{,@{multiarch}-}strings rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/base64 rix, + @{bin}/basename rix, + @{bin}/bunzip2 rix, + @{bin}/cat rix, + @{bin}/ccache rCx -> ccache, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/dd rix, + @{bin}/dirname rix, + @{bin}/dmesg rix, + @{bin}/find rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/iucode_tool rix, + @{bin}/kmod rCx -> kmod, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/mount rix, + @{bin}/nproc rix, + @{bin}/od rix, + @{bin}/perl rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/rdmsr rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/sort rix, + @{bin}/stat rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/unzip rix, + @{bin}/xargs rix, + @{bin}/xz rix, + @{bin}/zstd rix, + + # To fetch MCE.db from the MCExtractor project + @{bin}/wget rCx -> mcedb, + @{bin}/sqlite3 rCx -> mcedb, + owner @{tmp}/mcedb-* rw, + owner @{tmp}/smc-* rw, + owner @{tmp}/{,smc-}intelfw-*/ rw, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, + + owner @{HOME}/.mcedb rw, + + 
/tmp/ r, + owner @{tmp}/{config,kernel}-* rw, + + owner /dev/cpu/@{int}/cpuid r, + owner /dev/cpu/@{int}/msr rw, + owner /dev/kmsg r, + + /boot/ r, + /boot/{config,vmlinuz,System.map}-* r, + + @{sys}/devices/system/cpu/vulnerabilities/* r, + @{sys}/module/kvm_intel/parameters/ept r, + + @{PROC}/ r, + @{PROC}/config.gz r, + @{PROC}/cmdline r, + @{PROC}/kallsyms r, + @{PROC}/modules r, + + # find and denoise + @{PROC}/@{pids}/{status,exe} r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/*/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # For shell pwd + /root/ r, + /etc/ r, + + profile ccache { + include + + @{bin}/ccache mr, + + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, + + /media/ccache/*/** rw, + + /etc/debian_version r, + + include if exists + } + + profile pgrep { + include + include + + include if exists + } + + profile mcedb { + include + include + include + include + + deny capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + @{bin}/sqlite3 mr, + + /etc/wgetrc r, + owner @{HOME}/.wget-hsts rwk, + owner @{HOME}/.mcedb rw, + + /tmp/ r, + owner @{tmp}/{,smc-}mcedb-* rwk, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + + /usr/share/publicsuffix/public_suffix_list.* r, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + owner @{sys}/module/cpuid/** r, + owner @{sys}/module/msr/** r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher deleted file mode 100644 index 0267d6889..000000000 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ /dev/null 
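Review bot: The `kmod` child profile grants `capability sys_module,` with no explanation, while the main profile comments every other capability (`sys_rawio`, `syslog`, `sys_ptrace`); the adjacent `@{sys}/module/cpuid/**` and `@{sys}/module/msr/**` rules suggest the purpose, so `# Needed to load the cpuid and msr kernel modules` above the capability would match the file's style and record the scope. Likewise `ptrace (read),` near the top carries no peer restriction; the `# find and denoise` block reading `@{PROC}/@{pids}/{status,exe}` looks like its consumer, so the terse `# Used by readlink` comment could name that. Minor style: `llvm-[0-9]*`, `gcc-[0-9]*` and `g++-[0-9]*` in the ccache child profile use a raw glob where the rest of the file writes `@{int}`.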
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/speech-dispatcher -profile speech-dispatcher @{exec_path} { - include - include - include - include - include - - network inet stream, - network inet6 stream, - - @{exec_path} mr, - - @{sh_path} ix, - @{lib}/speech-dispatcher-modules/* ix, - @{lib}/speech-dispatcher/** r, - @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, - - /etc/machine-id r, - /etc/speech-dispatcher/{,**} r, - - owner @{user_config_dirs}/speech-dispatcher/{,**} r, - - owner @{run}/user/@{uid}/speech-dispatcher/ rw, - owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - - owner /dev/shm/sem.@{rand6} rw, - owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 7e9728fc9..511f32a96 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,6 @@ profile speedtest @{exec_path} { include include include - include network inet dgram, network inet6 dgram, @@ -21,16 +20,18 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/file rix, @{bin}/uname rix, - /etc/magic r, - owner @{PROC}/@{pid}/fd/ r, + /usr/local/lib/python*/dist-packages/ r, + + /etc/magic r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 58da03738..1847c93d7 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -17,7 +17,10 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, + @{lib}/gconv/gconv-modules r, + owner @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/cap_last_cap r, include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 2af3f99ae..c2fd27ced 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,17 +11,18 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include - include - include - include + include include + include + include include - include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -30,21 +31,19 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=:*, label=gnome-shell), @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - /dev/udmabuf rw, + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 33957504c..e9a8b6330 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd 
@@ -2,21 +2,21 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/spice-vdagentd +@{exec_path} = @{bin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_nice, @{exec_path} mr, + @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @@ -25,6 +25,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, + /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl deleted file mode 100644 index be31bb0d0..000000000 --- a/apparmor.d/profiles-s-z/spotdl +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 tpaau-17DB -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/spotdl -profile spotdl @{exec_path} { - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - @{exec_path} mr, - @{python_path} r, - - @{bin}/ffmpeg rPx, - @{bin}/ffprobe rPx, - - owner @{user_music_dirs}/{,**} rwk, - - owner @{HOME}/.spotdl/** rw, - - owner @{user_cache_dirs}/spotdl/{,**} rw, - owner @{user_config_dirs}/spotdl/{,**} rw, - - owner @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b04432e39..db2e7ebe9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify 
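Review bot: `/dev/uinput rw,` is added in the second spice-vdagentd hunk without a comment; write access to uinput lets the daemon create virtual input devices and inject input events, which is a grant worth a why-comment on a system daemon. Presumably it backs the virtual pointer device spice-vdagentd creates for the guest — if so, `# Virtual input device for the guest pointer` above the line documents it; if not, the rule should be narrowed to what the daemon actually needs.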
@@ -3,32 +3,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = spotify -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ +@{lib_dirs} = /opt/spotify/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile spotify @{exec_path} flags=(attach_disconnected) { +profile spotify @{exec_path} { include include - include - include - include - include - include include - include - include - include - include - include - include network inet dgram, network inet6 dgram, @@ -36,30 +24,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell - #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Secret - member=RetrieveSecret - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, - @{sh_path} mr, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{open_path} rPx -> child-open-strict, - /usr/local/lib/spotify-adblock.so mr, - /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, - owner @{HOME}/.tmp rw, - owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, 
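Review bot: The second spotify hunk removes `/usr/local/lib/spotify-adblock.so mr,` but keeps `/etc/spotify-adblock/* r,` and `owner @{user_config_dirs}/spotify-adblock/* r,`, so the profile can still read the adblock configuration while no longer mapping the library that consumes it; if spotify-adblock is injected via LD_PRELOAD, that load would now be denied. Either drop the two configuration rules as well or keep the `mr` line, so the profile is consistent about whether the add-on is supported.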
@@ -67,16 +41,18 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, - @{PROC}/pressure/* r, - owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + + @{PROC}/pressure/* r, /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{sys}/class/*/ r, + deny owner @{PROC}/@{pid}/clear_refs w, include if exists } diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 2ce6b6b4d..36f4c988d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/ss +@{exec_path} = @{bin}/ss profile ss @{exec_path} { include include @@ -16,7 +16,7 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace read, + ptrace (read), # unconfined, TODO network netlink raw, 
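Review bot: `owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,` replaces a `{,**}` rule, so the directory itself is no longer matched — `/**` covers only entries below it — and creating or removing that directory would be denied. The old rule suggests spotify creates it; if so, restore `{,**}`. The name is also now spelled out where the removed `@{domain}` variable used to carry it, while the header still defines `@{name}`-style variables for the other paths.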
@@ -24,23 +24,24 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner @{tmp}/*.ss rw, - owner @{HOME}/*.ss rw, - - @{sys}/fs/cgroup/{,**/} r, + owner @{tmp}/*.ss rw, + owner @{HOME}/*.ss rw, @{PROC} r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - owner @{PROC}/@{pids}/mounts r, - owner @{PROC}/@{pids}/net/raw r, - owner @{PROC}/@{pids}/net/snmp r, + @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pids}/net/sockstat r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/unix r, + owner @{PROC}/@{pids}/net/raw r, owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/udp r, - owner @{PROC}/@{pids}/net/unix r, + + # [e]xtended + owner @{PROC}/@{pids}/mounts r, + @{sys}/fs/cgroup/{,**/} r, include if exists } diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index b71c97f55..beff6a1e9 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -1,15 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = @{bin}/sslocal +@{exec_path} = /{,usr/}{,local/}bin/sslocal profile sslocal @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index 6165d433b..7a89ea8bd 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -1,15 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = @{bin}/ssmanager +@{exec_path} = /{,usr/}{,local/}bin/ssmanager profile ssmanager @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index 11ca72434..51dc62837 100644 --- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -1,15 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = @{bin}/ssserver +@{exec_path} = /{,usr/}{,local/}bin/ssserver profile ssserver @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 4e4642895..1c62764b2 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -1,15 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = @{bin}/ssservice +@{exec_path} = /{,usr/}{,local/}bin/ssservice profile ssservice @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index 9555a9825..e1c7b9068 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -1,15 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: # https://github.com/shadowsocks/shadowsocks-rust -abi , +abi , include -@{exec_path} = @{bin}/ssurl +@{exec_path} = /{,usr/}{,local/}bin/ssurl profile ssurl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 85ec45d5c..616b66963 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx index 34f6d4724..26cf4027f 100644 --- a/apparmor.d/profiles-s-z/startx +++ b/apparmor.d/profiles-s-z/startx @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/profiles-s-z/steam similarity index 73% rename from apparmor.d/groups/steam/steam rename to apparmor.d/profiles-s-z/steam index e3fcb1931..8de447bfe 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/profiles-s-z/steam @@ -17,16 +17,15 @@ # ├── steam-gameoverlayui # Steam game overlay # └── steamerrorreporter # Error reporter -abi , +abi , include -@{domain} = org.chromium.Chromium -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh @@ -41,14 +40,13 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include capability sys_ptrace, network inet dgram, - network inet stream, network inet6 dgram, + network inet stream, network inet6 stream, network netlink raw, network unix, 
@@ -56,7 +54,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 ptrace read,
 ptrace trace peer=steam,
- signal send peer=steam-game-{native,proton},
+ signal send peer=steam-game,
 signal send peer=steam-launcher,
 signal send peer=steam//journalctl,
 signal send peer=steam//web,
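Review bot: `signal send peer=steam-game,` names a profile that does not appear anywhere in this diff, whereas the renamed game profiles are `steam-game-native` and `steam-game-proton`, both of which still carry `signal receive peer=steam,`. Unless a profile literally named `steam-game` exists elsewhere in the tree, this rule matches nothing and every signal steam sends to a running game is denied; `signal send peer=steam-game-{native,proton},` (the removed line) or `signal send peer=steam-game-*,` restores the pairing. The peer must match the profile name, not the binary path, so the move of the files into profiles-s-z/ does not change this.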
@@ -67,56 +65,44 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rix, @{coreutils_path} rix, - @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @{bin}/lspci rCx -> lspci, - @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @{bin}/xdg-user-dir rix, - @{bin}/xz rix, - @{bin}/zenity rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-linux.so* rix, + @{open_path} rPx -> child-open, - @{lib_dirs}/** mr, - @{lib_dirs}/*driverquery rix, - @{lib_dirs}/fossilize_replay rpx, # steam-fossilize - @{lib_dirs}/gameoverlayui rpx, # steam-gameoverlayui - @{lib_dirs}/reaper rpx, # steam-runtime - @{lib_dirs}/steam* rix, + @{lib_dirs}/** mr, + @{lib_dirs}/*driverquery rix, + @{lib_dirs}/fossilize_replay rpx, + @{lib_dirs}/gameoverlayui rpx, + @{lib_dirs}/reaper rpx, # steam-runtime + @{lib_dirs}/steam* rix, @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime, - @{share_dirs}/linux{32,64}/steamerrorreporter rpx, # steamerrorreporter + @{share_dirs}/linux{32,64}/steamerrorreporter rpx, - @{runtime_dirs}/*entry-point rix, - @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-dialog{,-ui} rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-* rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, # steam-launcher - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-* rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, - 
@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, - @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, - @{runtime_dirs}/run{,.sh} rix, - @{runtime_dirs}/setup.sh rix, + @{runtime_dirs}/@{arch}/@{bin}/srt-logger rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/*entry-point rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, + @{runtime_dirs}/run{,.sh} rix, + @{runtime_dirs}/setup.sh rix, @{lib}/os-release rk, @@ -125,18 +111,16 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/lsb-release r, /etc/machine-id r, /etc/timezone r, - /var/lib/dbus/machine-id r, - / r, @{bin}/ r, @{lib}/ r, + / r, /etc/ r, /home/ r, /usr/ r, /usr/local/ r, /usr/local/lib/ r, - /var/ r, /var/tmp/ r, 
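Review bot: The `rpx` exec rules for `@{lib_dirs}/fossilize_replay`, `@{lib_dirs}/gameoverlayui`, `@{share_dirs}/linux{32,64}/steamerrorreporter` and `@{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service` lose the trailing comment naming their target profile, while `@{lib_dirs}/reaper rpx, # steam-runtime` keeps its comment. Because `rpx` without `->` relies on a profile being attached to exactly that path, the comment was the only place a reader could see which profile is expected; restoring `# steam-fossilize`, `# steam-gameoverlayui`, `# steamerrorreporter` and `# steam-launcher` on those lines keeps the transitions auditable. The hunk also moves `@{open_path} rPx -> child-open,` below the `ld-linux` rules, separating it from the other `@{bin}` entries for no stated reason; this hunk starts on the previous line.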
@@ -147,7 +131,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{HOME}/.steampid rw,
 owner @{share_dirs}/ rw,
- owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
+ owner @{share_dirs}/** rwkl -> @{share_dirs}/**,
 owner @{user_games_dirs}/ rw,
 owner @{user_games_dirs}/** rwlk -> @{user_games_dirs}/**,
@@ -157,7 +141,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_config_dirs}/autostart/ r,
 owner @{user_config_dirs}/cef_user_data/{,**} r,
 owner @{user_config_dirs}/cef_user_data/Dictionaries/* rw,
- owner @{user_config_dirs}/cef_user_data/WidevineCdm/** mrw,
+ owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
 owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
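Review bot: `owner @{share_dirs}/** rwkl -> @{share_dirs}/**,` and, in the `@@ -157` hunk on this line, `owner @{user_config_dirs}/cef_user_data/WidevineCdm/** rwm,` only permute permission letters, yet the adjacent context lines keep the old spelling (`owner @{user_games_dirs}/** rwlk -> ...`), and the steam-game-native hunk later in this diff flips `mrix` to `rmix` while its neighbours stay `mr`. Permission order has no semantic effect, so these lines are pure churn that makes grep and future diffs harder; either leave them unchanged or apply a single ordering to the whole tree in its own commit.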
@@ -166,34 +150,32 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, @{tmp}/ r, - owner @{tmp}/#@{int} rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{tmp}/glx-icds-@{rand6}/{,**} rw, owner @{tmp}/runtime-info.txt.@{rand6} rwk, + owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/steam/ rw, owner @{tmp}/steam/** rwk, - owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - owner @{tmp}/steam@{rand6} rwk, - owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/n@{int} r, @{sys}/ r, @{sys}/bus/ r, 
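Review bot: `@{run}/udev/data/n@{int} r,` is rewritten without its `# For network interfaces` comment while the adjacent `c13` rule keeps `# for /dev/input/*`; udev data paths are opaque, so the comment should stay. The hunk also drops `owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,` and keeps only the plain `/dev/shm/ValveIPCSHM_@{uid}` form; if `@{att}` is the attach-disconnected prefix, as its pairing with this profile's `attach_disconnected` flag suggests, confirm the shared-memory file is never reached through a disconnected path before the rule goes.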
@@ -203,15 +185,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/ r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/input/input@{int}/properties r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/input/input@{int}/properties r, @{sys}/devices/**/power_supply/{AC,BAT@{int},hidpp_battery_@{int}}/{,*} r, @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r, @{sys}/devices/system/ r, @{sys}/devices/system/cpu/cpu@{int}/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -227,6 +209,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/net/* r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cgroup r, @{PROC}/locks r, @{PROC}/sys/kernel/sched_autogroup_enabled r, @@ -246,6 +229,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, + /dev/uinput w, deny /opt/** r, 
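Review bot: The added `@{PROC}/@{pid}/stat r,` in the `@@ -227,6 +209,7 @@` hunk duplicates the context line immediately above it, so the new side lists the same rule twice. Duplicate rules parse fine but read like an unresolved merge; drop the added line.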
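Review bot: `/dev/uinput w,` in the `@@ -246` hunk lets the main steam profile create virtual input devices, which is a host-wide ability (synthetic keyboard and mouse events reach every session) rather than something `owner` can scope, and every child entered via `ix` inherits it. State what needs it on the line, e.g. `/dev/uinput w,  # Steam Input virtual controllers` if that is the reason, and consider moving it to the helper that actually opens the device instead of the parent profile.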
@@ -253,51 +237,46 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include - include - capability dac_override, capability dac_read_search, capability sys_chroot, network inet dgram, - network inet stream, network inet6 dgram, + network inet stream, network inet6 stream, network netlink raw, ptrace trace peer=steam//web, - signal receive set=(cont kill term) peer=steam, + signal receive set=kill peer=steam, unix receive type=stream, + @{bin}/ldconfig rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, + @{bin}/true rix, @{bin}/localedef rix, @{bin}/readlink rix, - @{bin}/true rix, - @{lib_dirs}/** mr, - @{lib_dirs}/steamwebhelper rix, - @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, + @{lib_dirs}/** mr, + @{lib_dirs}/steamwebhelper rix, + @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix, - @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, + @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr, + @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, @{lib}/pressure-vessel/from-host/** rix, @{run}/host/@{bin}/* rix, @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, - @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, - @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, 
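Review bot: `signal receive set=kill peer=steam,` narrows the web helper's accepted signals from `(cont kill term)` to `kill` alone, while the parent profile keeps an unrestricted `signal send peer=steam//web,` (context in the `@@ -56` hunk above). If steam stops or resumes the helper with SIGTERM or SIGCONT, those now produce denials instead of a clean shutdown; keep `signal receive set=(cont kill term) peer=steam,` unless those sends have been confirmed not to happen. Separately, `@{bin}/ldconfig rix,` is inserted before `getopt` and `@{bin}/true rix,` lands between `gzip` and `localedef`, breaking the alphabetical order the rest of the block follows.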
@@ -308,34 +287,37 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, - /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/ r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, - owner @{share_dirs}/clientui/** k, owner @{share_dirs}/config/** rwk, owner @{share_dirs}/logs/** rwk, + owner @{share_dirs}/clientui/** k, owner @{share_dirs}/public/** k, @{tmp}/ r, - owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, - owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
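Review bot: `owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,` and the companion `.pki` rules give the embedded browser engine write access to the user's shared NSS certificate and key database, the store NSS-based applications such as Chromium consult for trust decisions. Write access there is a trust-store modification capability rather than a cache, so it deserves a comment saying why CEF needs more than `r` (e.g. `# CEF opens the user NSS DB read-write`) and a check whether a profile-private database directory could be pointed at instead. `/dev/shm/ r,` is also added without `owner`; harmless for a directory listing, but worth a glance next to the `owner`-qualified shm rules below it.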
@@ -345,17 +327,17 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/pressure-vessel/** r, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/class/*/ r, @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, - @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @@ -367,12 +349,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/status r, - /dev/ r, /dev/hidraw@{int} rw, /dev/tty rw, - @{att}/dev/dri/renderD128 rw, - include if exists } @@ -381,17 +360,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - capability dac_override, capability dac_read_search, - capability sys_ptrace, unix receive type=stream, @{bin}/true rix, - @{lib_dirs}/** mr, - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix, / r, @@ -400,7 +377,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/ r, - @{PROC}/1/cgroup r, + @{PROC}/@{pid}/cgroup r, include if exists } diff --git a/apparmor.d/groups/steam/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize similarity index 90% rename from apparmor.d/groups/steam/steam-fossilize rename to apparmor.d/profiles-s-z/steam-fossilize index a5dd65b7c..b33c90d8b 100644 --- a/apparmor.d/groups/steam/steam-fossilize 
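Review bot: `@{PROC}/@{pid}/cgroup r,` in the `@@ -400` hunk replaces `@{PROC}/1/cgroup r,` and, lacking `owner`, lets the check subprofile read the cgroup membership of every process instead of PID 1's. If the helper only inspects its own placement, `owner @{PROC}/@{pid}/cgroup r,` is the narrower rule; if it genuinely needs init's cgroup, keep the original path. The `@@ -381` hunk on this line removing `capability dac_override` and `capability sys_ptrace` from the same subprofile is a welcome reduction, which makes this unowned `/proc` read the only cross-process access left there.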
+++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -2,11 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -39,13 +40,11 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pid}/statm r, + @{PROC}/@{pids}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/steam/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native similarity index 75% rename from apparmor.d/groups/steam/steam-game-native rename to apparmor.d/profiles-s-z/steam-game-native index ba06d56a4..9453076ea 100644 --- a/apparmor.d/groups/steam/steam-game-native +++ b/apparmor.d/profiles-s-z/steam-game-native @@ -2,11 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
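Review bot: `@{PROC}/@{pids}/statm r,` is the only use of `@{pids}` in this diff; every sibling rule in the hunk and in the other steam profiles spells it `@{pid}`, so confirm the variable is defined by the tunables this profile includes, otherwise the profile fails to load. The hunk also removes `deny network inet stream,`; an explicit deny only matters when an included abstraction would otherwise allow the access, so this is a widening if one of the profile's includes grants inet stream, and the commit message should say which it is.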
@@ -18,20 +19,20 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) { include network inet dgram, - network inet stream, network inet6 dgram, + network inet stream, network inet6 stream, network netlink raw, network unix stream, signal receive peer=steam, - @{exec_path} mrix, + @{exec_path} rmix, - @{sh_path} rix, + @{sh_path} rix, - @{app_dirs}/** mr, - @{lib_dirs}/** mr, + @{app_dirs}/** mr, + @{lib_dirs}/** mr, include if exists } diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton similarity index 66% rename from apparmor.d/groups/steam/steam-game-proton rename to apparmor.d/profiles-s-z/steam-game-proton index 1b094c2a3..49a668996 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -2,26 +2,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap -profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { +profile steam-game-proton @{exec_path} flags=(attach_disconnected) { include include include include - include - capability dac_override, capability dac_read_search, network inet dgram, 
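Review bot: Dropping `complain` in `profile steam-game-proton @{exec_path} flags=(attach_disconnected) {` moves the Proton sandbox into enforce mode in the same commit that strips `capability dac_override`, `unix,`, `@{sh_path}`, `cat`, `env`, `ln`, `mkdir`, `rm` and `@{python_path}` from its rules (see the `@@ -31` hunk on the next line). Enforcing and trimming together makes any resulting denials hard to attribute; enforcing in a separate commit after the trimmed profile has run in complain mode would show which removals are safe. In particular `@{app_dirs}/Proton*/proton rix` is a Python script, so the new `@{bin}/python3.@{int} rix,` must cover whichever interpreter its shebang resolves to.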
@@ -31,29 +29,21 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { network unix stream, signal receive peer=steam, - unix, @{exec_path} mr, @{bin}/bwrap mrix, - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/env rix, - @{bin}/chmod rix, - @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, - @{bin}/ln rix, + @{bin}/ldconfig rix, @{bin}/localedef rix, - @{bin}/mkdir rix, + @{bin}/python3.@{int} rix, @{bin}/readlink rix, - @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{python_path} rix, + @{bin}/chmod rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -61,17 +51,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - # TODO stack with steam ? rpx -> steam-game-proton&//steam, - @{runtime_dirs}/run.sh rix, - @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, - @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mr, + @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{app_dirs}/Proton*/files/@{bin}/* rix, + @{app_dirs}/Proton*/files/@{lib}/** rix, + @{app_dirs}/Proton*/proton rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{app_dirs}/** mrix, - - @{run}/host/@{sbin}/ldconfig rix, + @{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, 
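Review bot: `@{app_dirs}/Proton*/files/@{bin}/* rix,` and `@{app_dirs}/Proton*/files/@{lib}/** rix,` make everything under the Proton tree executable in this profile, while the `@@ -85` hunk on the next line keeps `owner @{app_dirs}/Proton*/** rwkl,` for the same tree, so the confined process can write a file there and then execute it with inherited permissions. Replacing the removed `@{app_dirs}/** mrix,` with `mr` plus explicit `rix` entries is the right direction, but the write-then-exec overlap on `Proton*/files/` remains and should be stated in a comment on those rules. Also, in the `@@ -31` hunk, `@{bin}/chmod rix,` is inserted after `@{bin}/true` rather than in alphabetical position.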
@@ -85,23 +72,28 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner /var/pressure-vessel/** rw, owner /var/cache/ldconfig/aux-cache* rw, - owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, - owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, owner @{share_dirs}/bin/ r, - owner @{share_dirs}/installscriptevalutor_log.txt rw, owner @{share_dirs}/legacycompat/ r, owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, + owner @{user_share_dirs}/applications/wine/ rw, + owner @{user_share_dirs}/applications/wine/**/ rw, + + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, owner @{tmp}/glx-icds-@{rand6}/{,**} w, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w, + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + @{run}/host/fonts/{,**} r, @{run}/host/share/{,**} r, @{run}/host/usr/{,**} r, diff --git a/apparmor.d/groups/steam/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui similarity index 91% rename from apparmor.d/groups/steam/steam-gameoverlayui rename to apparmor.d/profiles-s-z/steam-gameoverlayui index 278b47e98..bbe2452e2 100644 --- a/apparmor.d/groups/steam/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -2,11 +2,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
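Review bot: `owner @{user_share_dirs}/applications/wine/ rw,` and `owner @{user_share_dirs}/applications/wine/**/ rw,` give the Proton profile write access to a directory the desktop scans for launchers. Both rules end in `/`, so only directories match and no `.desktop` file can be written; if that is deliberate, a comment saying so (`# directories only; launcher files are not written`) stops the next maintainer from widening it to `**`, and if files are meant to be written, `*.desktop` is the narrowest pattern to add.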
@@ -17,13 +18,11 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { include include include - include include network inet stream, network inet6 stream, - - unix, + network unix stream, @{exec_path} mr, @@ -49,8 +48,6 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, - owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/groups/steam/steam-launch b/apparmor.d/profiles-s-z/steam-launch similarity index 63% rename from apparmor.d/groups/steam/steam-launch rename to apparmor.d/profiles-s-z/steam-launch index 321c9c9c5..877181b61 100644 --- a/apparmor.d/groups/steam/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -2,11 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
@@ -22,37 +23,20 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @{bin}/id rix, @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/rmdir rix, @{lib}/steam/steam rix, @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, - @{lib_dirs}/** mr, - - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, - /usr/ r, /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, - owner @{share_dirs}/logs/ r, - owner @{share_dirs}/logs/* rwk, - - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, - - owner @{PROC}/@{pid}/fd/@{int} rw, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher similarity index 90% rename from apparmor.d/groups/steam/steam-launcher rename to apparmor.d/profiles-s-z/steam-launcher index e73b30d1a..45fa30245 100644 --- a/apparmor.d/groups/steam/steam-launcher +++ b/apparmor.d/profiles-s-z/steam-launcher @@ -2,11 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -23,7 +24,7 @@ profile steam-launcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib_dirs}/** mr, - + include if exists } diff --git a/apparmor.d/groups/steam/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime similarity index 79% rename from apparmor.d/groups/steam/steam-runtime rename to apparmor.d/profiles-s-z/steam-runtime index 543324c0f..5d6d0f856 100644 
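Review bot: After this hunk no rule in steam-launch uses `@{arch}` or `@{runtime_dirs}`, yet the header hunk on the previous line adds `@{arch} = amd64 i386` and keeps `@{runtime_dirs}`; unless an include consumes them, both definitions are now dead in this profile. Dropping `owner @{share_dirs}/logs/* rwk,` alongside the srt-fifo rules is only safe if steam-launch itself never writes there; the removed rule suggests it once did, so a sentence in the commit message on why it is gone would help.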
--- a/apparmor.d/groups/steam/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime @@ -2,12 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -22,13 +22,11 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { include include - network inet stream, - network inet6 stream, network unix stream, @{exec_path} mr, - @{sh_path} rix, + @{sh_path} r, @{bin}/getopt rix, @{bin}/readlink rix, @@ -36,13 +34,15 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/steam-launch-wrapper rix, # Native linux games (steam-game-native) - @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Only for @{app_dirs}/@{runtime}/** + @{app_dirs}/[^S]*/** rpx -> steam-game-native, # Proton games, sandboxed (steam-game-proton) @{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, @{bin}/bwrap rpx -> steam-game-proton, 
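Review bot: `@{sh_path} r,` leaves the shell readable but not executable, while the same profile still runs scripts with `@{app_dirs}/@{runtime}/run rix,`; executing a `#!` script also requires exec permission on its interpreter, so this is likely to surface as an exec denial on the shell unless nothing here is a shell script. Keep `@{sh_path} rix,` unless the read-only form was verified under enforce mode. In the `@@ -36` hunk, the `# Only for @{app_dirs}/@{runtime}/**` comment explaining the `[^S]` exclusion on `@{app_dirs}/[^S]*/** rpx -> steam-game-native,` is dropped; the glob is not self-explanatory and the comment should stay.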
@@ -51,20 +51,16 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, - owner @{app_dirs}/config/config.vdf{,.*} rw, + owner @{app_dirs}/config/config.vdf rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, - - owner @{share_dirs}/config/config.vdf{,.*} rw, - owner @{share_dirs}/steamapps/appmanifest_* rw, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner @{tmp}/ r, owner @{tmp}/#@{int} rw, @@ -80,7 +76,6 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter similarity index 87% rename from apparmor.d/groups/steam/steamerrorreporter rename to apparmor.d/profiles-s-z/steamerrorreporter index d438c604d..3e206e898 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter @@ -2,11 +2,12 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
@@ -27,13 +28,15 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.steam/steam.pipe r, - owner @{lib_dirs}/{,**} r, + owner @{lib_dirs}/{,**} r, owner @{runtime_dirs}/pinned_libs_{32,64}/ r, owner @{share_dirs}/ r, owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, + owner @{PROC}/@{pid}/status r, + include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index ae22e1f1d..a790e6b7b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -3,16 +3,15 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/strawberry -profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile strawberry @{exec_path} { include include include - include include include include @@ -21,7 +20,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include @@ -38,12 +36,10 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - @{bin}/strawberry-tagreader rPx -> strawberry//&strawberry-tagreader, + @{bin}/strawberry-tagreader rPx, @{open_path} rPx -> child-open-help, - /etc/fstab r, - /var/lib/dbus/machine-id r, /etc/machine-id r, @@ -54,7 +50,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/strawberry/ rw, owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int}, - owner @{user_config_dirs}/strawberryrc r, owner @{user_share_dirs}/strawberry/ rw, owner @{user_share_dirs}/strawberry/** rwk, 
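Review bot: `@{bin}/strawberry-tagreader rPx,` replaces the stacked transition `rPx -> strawberry//&strawberry-tagreader`, so the tag reader now runs under its own profile alone rather than under the intersection of the strawberry and strawberry-tagreader policies. The tag reader parses untrusted media metadata, so the stack was the tighter choice; if it is removed because of a loader or abi limitation, put that reason on the line, otherwise keep the `->` target. The `@@ -3` hunk on this line also drops `flags=(attach_disconnected,mediate_deleted)` from strawberry, a behavioural change the commit message should mention.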
@@ -69,8 +64,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/kdsingleapp-*-strawberry w, - owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader index 8de73c57c..0e1aced4f 100644 --- a/apparmor.d/profiles-s-z/strawberry-tagreader +++ b/apparmor.d/profiles-s-z/strawberry-tagreader @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/utils/su b/apparmor.d/profiles-s-z/su similarity index 53% rename from apparmor.d/groups/utils/su rename to apparmor.d/profiles-s-z/su index e5293021c..429c48938 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/profiles-s-z/su @@ -3,33 +3,28 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} flags=(attach_disconnected) { +profile su @{exec_path} { include include include - include #aa:only RBAC capability chown, # pseudo-terminal - signal send set=(term kill), - signal receive set=(int quit term), - signal receive set=(cont hup) peer=sudo, + signal (send) set=(term,kill), + signal (receive) set=(int,quit,term), + signal (receive) set=(cont,hup) peer=sudo, + + unix (bind) type=dgram, @{exec_path} mr, - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{sbin}/nologin Px, - - @{etc_ro}/default/su r, - /etc/default/locale r, - /etc/environment r, - - @{HOME}/.xauth@{rand6} rw, + @{bin}/@{shells} rUx, + @{bin}/nologin rPx, include if exists } 
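Review bot: `@{bin}/@{shells} rUx,` in the su hunk keeps the unconfined transition to the user's shell but drops the `#aa:exclude RBAC` marker the old `Ux` line carried, while `#aa:only RBAC` remains elsewhere in the hunk. Unless the markers changed meaning, the full-system-policy build will now emit the unconfined shell transition for su as well, which that variant previously excluded; restore the marker or state why it is no longer needed. Removing `flags=(attach_disconnected)` and the `/etc/default/su`, `/etc/environment` and `.xauth` rules is a separate behavioural change that deserves its own sentence in the commit message.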
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index b2074ba04..0ba2694bd 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,17 +21,20 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace read, + ptrace (read), - signal send set=(winch, hup, term), + signal (send,receive) peer=cockpit-bridge, + signal (send) peer=@{p_systemd}, + signal (send) set=(cont,hup,winch) peer=su, + signal (send) set=(winch) peer=child-pager, + signal (send) set=(winch) peer=journalctl, + signal (send) set=(winch) peer=pacman, @{bin}/@{shells} rUx, @{lib}/** PUx, /opt/*/** PUx, /snap/snapd/@{int}@{bin}/snap rPUx, - /etc/default/locale r, - /var/db/sudo/lectured/ r, owner /var/db/sudo/lectured/@{uid} rw, owner /var/lib/extrausers/shadow r, @@ -41,9 +44,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/?@{int}.ref rw, - - @{sys}/fs/cgroup/*.slice{,/*.slice}/*.service/cgroup.procs r, include if exists } diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/profiles-s-z/sulogin similarity index 77% rename from apparmor.d/groups/utils/sulogin rename to apparmor.d/profiles-s-z/sulogin index 2af869dab..3793df043 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/profiles-s-z/sulogin @@ -2,19 +2,16 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/sulogin +@{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include - include include - capability checkpoint_restore, capability sys_admin, - capability sys_tty_config, @{exec_path} mr, @@ -25,6 +22,9 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, + /dev/ r, + /dev/tty@{int} rw, + include if exists } 
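Review bot: `signal (send,receive) peer=cockpit-bridge,` and `signal (send) peer=@{p_systemd},` carry no `set=`, so they allow every signal including kill and stop, while the four other rules added in the same sudo hunk deliberately restrict the set to `winch` or `cont,hup,winch`. The peers are named profiles, so a set matching what sudo actually sends them can be chosen from audit-log denials rather than left open. The removed `signal send set=(winch, hup, term)` had no peer at all, so the per-peer rewrite is otherwise an improvement.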
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity deleted file mode 100644 index f812fc570..000000000 --- a/apparmor.d/profiles-s-z/superproductivity +++ /dev/null @@ -1,45 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = super{p,P}roductivity Super?Productivity -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile superproductivity @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mrix, - - @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open-strict, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/swaplabel b/apparmor.d/profiles-s-z/swaplabel similarity index 90% rename from apparmor.d/groups/utils/swaplabel rename to apparmor.d/profiles-s-z/swaplabel index 16abf153d..03d2fe8d0 100644 --- a/apparmor.d/groups/utils/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/swaplabel +@{exec_path} = @{bin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/profiles-s-z/swapon similarity index 90% rename from apparmor.d/groups/utils/swapon rename to apparmor.d/profiles-s-z/swapon index dd4aec8e2..31ee2e93a 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/profiles-s-z/swapon 
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/swapon @{sbin}/swapoff +@{exec_path} = @{bin}/swapon @{bin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg deleted file mode 100644 index a3ed158b1..000000000 --- a/apparmor.d/profiles-s-z/swayimg +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/swayimg -profile swayimg @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - owner @{user_config_dirs}/swayimg/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index eecb98b28..4cfa8ba96 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,6 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, - capability sys_admin, capability sys_nice, network netlink raw, @@ -24,7 +23,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 538931554..9979c9246 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl 
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} {
 include
 include
- #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
+ #aa:dbus own bus=system name=net.hadess.SwitcherooControl
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
index 369046b6b..4f6d1b38c 100644
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
@@ -14,10 +14,10 @@ profile swtpm @{exec_path} {
 @{exec_path} mr,
- /var/log/swtpm/libvirt/qemu/*-swtpm.log w,
+ /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
+ /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,
- owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
- owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw,
+ /var/log/swtpm/libvirt/qemu/*-swtpm.log w,
 /tmp/.swtpm_setup.pidfile.* rw,
 /tmp/@{int}/.lock rwk,
diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl
index f1e41aa6e..c77810624 100644
--- a/apparmor.d/profiles-s-z/swtpm_ioctl
+++ b/apparmor.d/profiles-s-z/swtpm_ioctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca
index dbe202581..a9749c91f 100644
--- a/apparmor.d/profiles-s-z/swtpm_localca
+++ b/apparmor.d/profiles-s-z/swtpm_localca
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup
index 5795ddfcc..f4b01f0e0 100644
--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
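Review bot: `#aa:dbus own bus=system name=net.hadess.SwitcherooControl` in the switcherooctl hunk lets the command-line client bind the daemon's well-known name on the system bus, whereas the removed `talk … label=switcheroo-control` form only allowed it to call the daemon. With `own`, a compromised or misused switcherooctl could claim the name and answer other clients in the daemon's place (subject to the bus policy file), which is more than a query tool should be able to do. Restore the client rule: `#aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control`. The profile body continues outside this hunk.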
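Review bot: `/var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,` and `/var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,` in the swtpm hunk drop the `owner` qualifier that the removed lines carried, so one swtpm instance may lock and rewrite the persistent TPM state (`*.permall`) of any VM under that tree rather than only its own. If, as the removed `owner` rules presume, each instance runs as the user that owns its state directory, `owner` costs nothing and keeps a compromised instance from tampering with another VM's TPM. Suggest `owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,` and `owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,`. The profile body continues past this hunk.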
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, - owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, - owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, + owner @{tmp}/swtpm_setup.certs.*/ w, + owner @{tmp}/swtpm_setup.certs.*/*.cert rw, + owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists } diff --git a/apparmor.d/groups/utils/sync b/apparmor.d/profiles-s-z/sync similarity index 75% rename from apparmor.d/groups/utils/sync rename to apparmor.d/profiles-s-z/sync index 9b47b4df2..6bdb55732 100644 --- a/apparmor.d/groups/utils/sync +++ b/apparmor.d/profiles-s-z/sync @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,9 +13,6 @@ profile sync @{exec_path} { @{exec_path} mr, - # All paths where sync can be used to flush all write operations on a single file to disk - /{,**} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index fc30c5fd6..c90665cdf 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, @@ -25,6 +25,10 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, + owner @{tmp}/** rw, + + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d504b0c15..50b04668b 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing 
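Review bot: `@{PROC}/@{pids}/maps r,` in the syncoid hunk is not limited to the profile's own process, so syncoid and the `rix` children that inherit its profile (sh, grep, mbuffer, perl) can read the memory layout of every process on the host, which hands an attacker the ASLR offsets of anything they can then target. `owner @{PROC}/@{pid}/maps r,` is the usual form unless an audit entry shows a foreign pid being read. `owner @{tmp}/** rw,` in the same hunk is likewise far wider than the rest of this profile and would normally be narrowed to the files syncoid actually creates. The profile is still `flags=(complain)`, so neither rule is enforced yet — which makes this the cheapest moment to tighten them.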
@@ -3,17 +3,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include - include - include include - include include network inet dgram, @@ -27,21 +24,24 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - @{HOME}/ r, - @{HOME}/** rwk, + /usr/share/mime/{,**} r, + + /etc/mime.types r, + + owner @{HOME}/ r, + owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, + owner @{user_config_dirs}/syncthing/{,**} rwk, + owner @{user_state_dirs}/syncthing/{,**} rwk, /home/ r, @{user_sync_dirs}/{,**} rw, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{PROC}/@{pids}/net/route r, - @{PROC}/bus/pci/devices r, - @{PROC}/modules r, - @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, include if exists } diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/profiles-s-z/sysctl similarity index 82% rename from apparmor.d/groups/procps/sysctl rename to apparmor.d/profiles-s-z/sysctl index 9275c7054..4e50430be 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -4,27 +4,24 @@ # TODO: Rethink this profile. Should not be called by another profile. -abi , +abi , include -@{exec_path} = @{sbin}/sysctl +@{exec_path} = @{bin}/sysctl profile sysctl @{exec_path} { include include capability net_admin, capability sys_admin, - capability sys_ptrace, capability sys_resource, @{exec_path} mr, /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - @{lib}/sysctl.d/{,**} r, - - /etc/ufw/sysctl.conf r, # Add support for ufw + /usr/lib/sysctl.d/{,**} r, @{PROC}/sys/ r, @{PROC}/sys/** rw, diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa deleted file mode 100644 index 9dcc199bc..000000000 
--- a/apparmor.d/profiles-s-z/sysstat-sa +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/sysstat/sa{1,2} @{lib}/sysstat/debian-sa{1,2} -profile sysstat-sa @{exec_path} { - include - include - - @{exec_path} mr, - @{bin}/ r, - - @{sh_path} rix, - @{bin}/date ix, - @{bin}/find ix, - @{bin}/{,e}grep ix, - @{bin}/rm ix, - @{bin}/sar.sysstat ix, - @{bin}/xargs ix, - @{lib}/sysstat/sadc Px, - - /etc/sysstat/sysstat r, - - /var/log/sysstat/ r, - /var/log/sysstat/** rw, - - @{tmp}/#@{int} rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc deleted file mode 100644 index 7d9143938..000000000 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/sysstat/sadc -profile sysstat-sadc @{exec_path} { - include - include - - capability sys_admin, - - @{exec_path} mr, - - /etc/sensors.d/{,**} r, - /etc/sensors3.conf r, - - /var/log/sysstat/{,**} rwk, - - @{sys}/bus/i2c/devices/ r, - @{sys}/class/fc_host/ r, - @{sys}/class/hwmon/ r, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/name r, - @{sys}/devices/**/net/*/duplex r, - @{sys}/devices/**/net/*/speed r, - @{sys}/devices/virtual/net/*/duplex r, - @{sys}/devices/virtual/net/*/speed r, - - @{PROC}/@{pid}/net/* r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-state r, - @{PROC}/sys/kernel/pty/nr r, - @{PROC}/tty/driver/serial r, - @{PROC}/uptime r, - @{PROC}/vmstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 84f6d52d3..ab36047f2 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, 
@@ -46,6 +46,8 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{tmp}/* rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 71892b04e..0112b152a 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include - include include include @@ -20,7 +19,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index 3cffb0748..bd7f276a8 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -23,7 +23,10 @@ profile task @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{editor_path} rCx -> editor, + + @{bin}/vim rCx -> editor, + @{bin}/vim.* rCx -> editor, + @{bin}/sensible-editor rCx -> editor, /usr/share/{doc/,}task{warrior,}/** r, @@ -41,7 +44,7 @@ profile task @{exec_path} { include if exists } - + include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 8a33649a0..b96200dea 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -3,38 +3,79 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, + @{bin}/perl r, - @{bin}/tempfile ix, - @{lib}/tasksel/tasksel-debconf ix, - @{lib}/tasksel/tests/* Cx -> tasksel-tests, + @{sh_path} rix, + @{bin}/tempfile rix, + @{lib}/tasksel/tasksel-debconf rix, + + @{lib}/tasksel/tests/* rCx -> tasksel-tests, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query px, + @{bin}/dpkg-query rpx, # - @{bin}/apt-cache Px, - @{bin}/debconf-apt-progress Px, + @{bin}/apt-cache rPx, + + @{bin}/debconf-apt-progress rPx, + + /usr/share/tasksel/** r, + + /usr/share/debconf/confmodule r, + + owner @{tmp}/file* w, - /usr/share/tasksel/{,**} r, profile tasksel-tests flags=(complain) { include - @{sh_path} rix, @{lib}/tasksel/tests/* r, + @{sh_path} rix, + + } + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/tasksel rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + owner @{tmp}/file* w, + + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + /etc/shadow r, - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui index 8a02b8d04..f125c993d 100644 --- a/apparmor.d/profiles-s-z/taskwarrior-tui 
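Review bot: `/etc/shadow r,` at the end of the new `frontend` subprofile gives the debconf frontend — and, through `@{bin}/tasksel rPx` and `@{bin}/whiptail rPx`, a chain of package-installation helpers — read access to password hashes, with nothing in the subprofile (only `/var/cache/debconf/{config,passwords,templates}.dat` and the templates) explaining why. If an audit entry drove it, record the reason, e.g. `/etc/shadow r, # FIXME: which template needs this?`, or use `deny /etc/shadow r,` to silence the log without granting it. Note also that `/usr/share/debconf/frontend rPx` is the live rule while `rCx -> frontend` is commented out, so as written the `frontend` subprofile is never entered and its rules, shadow included, are dead code until that `#FIXME#` is resolved. The profile's closing brace is outside this hunk.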
+++ b/apparmor.d/profiles-s-z/taskwarrior-tui @@ -2,7 +2,7 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e8a2533b9..3f9ba6e25 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -2,19 +2,19 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include - include + include include + include include include include - include include include @@ -22,19 +22,12 @@ profile terminator @{exec_path} flags=(attach_disconnected) { ptrace, - signal send set=hup peer=unconfined, - #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - @{exec_path} mr, @{bin}/ r, - @{python_path} rix, + @{bin}/python3.@{int} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio deleted file mode 100644 index 52e9e53e6..000000000 --- a/apparmor.d/profiles-s-z/texstudio +++ /dev/null 
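Review bot: the bare `ptrace,` that survives the terminator hunk grants every ptrace permission (read, trace, readby, tracedby) against any peer, and it sits next to `@{bin}/@{shells} rUx`, so a confined terminator could attach to the unconfined shells it spawns and to anything else on the desktop. Presumably it only needs to read `/proc/<pid>` of its child shells (cwd tracking and the like), which is the `read` permission against the unconfined label. Suggest `ptrace (read) peer=unconfined,` and confirming against audit logs before enforcing. The profile body continues beyond this hunk.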
@@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/texstudio -profile texstudio @{exec_path} { - include - include - include - include - include - include - include - - @{exec_path} mr, - - @{bin}/pdflatex ix, - @{bin}/pdftex ix, - @{bin}/kpsewhich ix, - @{bin}/gsettings ix, - @{bin}/which{,.debianutils} ix, - - /usr/share/texmf-dist/{,**} r, - /usr/share/doc/texstudio/{,**} r, - /usr/share/hunspell/{,**} r, - /usr/share/texstudio/{,**} r, - /usr/share/poppler/{,**} r, - - /etc/texmf/{,**} r, - /etc/machine-id r, - - /var/lib/texmf/{,**} r, - - owner @{user_config_dirs}/texstudio/{,**} rwlk, - owner /tmp/qtsingleapp-TeXstu-** rw, - owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, - - ## silencer - deny owner /usr/share/hunspell/en_US-large.ign w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index bb0a1c37b..fb848cb1c 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -3,22 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 4c27ee2ca..1e72d45ec 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald 
@@ -4,19 +4,19 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/thermald +@{exec_path} = @{bin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, - + #aa:dbus own bus=system name=org.freedesktop.thermald @{exec_path} mr, @@ -24,7 +24,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/** rw, + owner @{run}/thermald/thd_preference.conf rw, + owner @{run}/thermald/thd_preference.conf.save w, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, @@ -37,7 +38,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/intel_pstate/no_turbo rw, @{sys}/devices/system/cpu/intel_pstate/status r, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, + @{sys}/devices/@{pci}/drm/**/intel_backlight/max_brightness r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_max_uw r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_min_uw r, @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmax_us r, diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index ddf7e1ff2..56a39736e 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index da163c2ae..d6553d990 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird 
@@ -3,30 +3,72 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{name} = thunderbird{,-bin} +@{name} = thunderbird{,.sh,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} flags=(attach_disconnected) { +profile thunderbird @{exec_path} { include - include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include + include include - include + + # userns, + + capability sys_admin, # If kernel.unprivileged_userns_clone = 1 + capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace peer=@{profile_name}, #aa:dbus own bus=session name=org.mozilla.thunderbird + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={UserAdded,UserRemoved} + peer=(name=:*, label=systemd-logind), + + dbus receive bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), + @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, - @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + @{sh_path} rix, + @{bin}/which.debianutils rix, + + @{lib_dirs}/{,**} r, + @{lib_dirs}/*.so mr, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/thunderbird-wrapper-helper.sh rix, + @{lib_dirs}/vaapitest rPx, - @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, # GPG integration 
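Review bot: the header drops `flags=(attach_disconnected)` while the same hunk adds `capability sys_chroot` and `capability sys_admin` for the sandbox; once a content process chroots, the paths it touches become disconnected and AppArmor denies them unless that flag is present, so the sandbox is likely to break in enforce mode. The `# If kernel.unprivileged_userns_clone = 1` comments are documentation only — both capabilities are granted unconditionally, and `sys_admin` by itself covers mount, bpf and most of the kernel's privileged surface, which is a lot to hand a mail client. Keep `profile thunderbird @{exec_path} flags=(attach_disconnected) {`, and where the AppArmor version supports it replace the commented `# userns,` with `userns,`, the rule that actually gates namespace creation. The profile body continues past this hunk.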
@@ -35,40 +77,105 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{bin}/gpgsm rPx, # Desktop integration + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, - # Extensions - @{bin}/SysTray-X rPUx, + # Allowed apps to open + @{bin}/engrampa rPx, + @{bin}/geany rPx, + @{bin}/qpdfview rPx, + @{bin}/viewnior rPUx, + @{brave_path} rPx, + @{chrome_path} rPx, + @{firefox_path} rPx, + @{opera_path} rPx, + /usr/share/@{name}/{,**} r, + /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/lightning/{,**} r, + /usr/share/mozilla/extensions/{,**} r, + /usr/share/xul-ext/kwallet5/* r, - owner /var/mail/** rwk, + /etc/@{name}/{,**} r, + /etc/fstab r, + /etc/mailcap r, + /etc/mime.types r, + /etc/timezone r, + /etc/xul-ext/kwallet5.js r, + + owner /var/mail/* rwk, + + owner @{HOME}/ r, + + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/mimeapps.list.* rw, owner @{user_mail_dirs}/ rw, owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**, - owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, - owner @{user_config_dirs}/ibus/bus/ r, - owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{config_dirs}/ rw, + owner @{user_config_dirs}/gtk-3.0/assets/* r, + owner @{config_dirs}/*/ rw, + owner @{config_dirs}/*/** rwk, + owner @{config_dirs}/installs.ini rw, + owner @{config_dirs}/profiles.ini rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + + owner @{cache_dirs}/{,**} rw, + + /tmp/ r, + /var/tmp/ r, + owner @{tmp}/@{name}{,_*}/ rw, + owner @{tmp}/@{name}{,_*}/* rwk, + owner @{tmp}/* rw, + owner @{tmp}/mozilla_*/ rw, + owner @{tmp}/mozilla_*/* rw, owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/nscopy.tmp rw, - owner @{tmp}/nsemail{,-@{int}}.eml rw, - owner @{tmp}/nsma{,-@{int}} rw, - owner @{tmp}/pid-@{pid}/{,**} w, - owner 
@{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/Temp-@{uuid}/ rw, - /dev/urandom w, + @{run}/mount/utab r, + + @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, + @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + + @{PROC}/@{pids}/net/arp r, + @{PROC}/@{pids}/net/route r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + + /dev/shm/ r, + owner /dev/shm/org.chromium.* rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, + owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + + /dev/tty rw, + + # file_inherit + owner /dev/tty@{int} rw, # Silencer - deny capability sys_ptrace, - deny @{lib_dirs}/** w, - deny @{lib_dirs}/crashreporter x, - deny @{lib_dirs}/minidump-analyzer x, deny @{HOME}/.mozilla/** mrwkl, + deny @{config_dirs}/*.*/pepmda/ rw, + deny @{config_dirs}/*.*/pepmda/** rwklmx, + deny @{lib_dirs}/** w, + deny /dev/ r, + deny /dev/urandom w, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 53fdb1ffd..17fda9d56 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
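Review bot: `owner @{tmp}/* rw,` in the tmp block subsumes the neighbouring `@{tmp}/@{name}{,_*}/`, `@{tmp}/mozilla_*/` and `MozillaMailnews` rules and lets thunderbird read and overwrite any top-level file in the user's tmp directory, including scratch files of other confined applications running as the same user — exactly what the per-application rules are there to prevent. If it was added to cover specific files, the removed `nsemail{,-@{int}}.eml`, `nsma{,-@{int}}` and `nscopy.tmp` patterns look like the intended replacements and should be restored instead. `deny /dev/urandom w,` also deserves a one-line comment, since a reader will otherwise take a denied write to urandom for a mistake. The profile's opening is outside this hunk.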
@@ -11,19 +11,14 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { +profile thunderbird-glxtest @{exec_path} { include include include - include include - network netlink raw, - @{exec_path} mr, - / r, - owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index c93d14bd7..85c1a08cb 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{lib_dirs}/vaapitest -profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) { +profile thunderbird-vaapitest @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 8b6f0dc45..2e44d0fab 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 737bc90f8..776b843a3 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp deleted file mode 100644 index 1592d3aee..000000000 --- a/apparmor.d/profiles-s-z/tlp +++ /dev/null 
@@ -1,120 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# Copyright (C) 2024 Barmogund -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/tlp -profile tlp @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - capability sys_nice, - capability sys_rawio, - capability sys_tty_config, - - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cp rix, - @{sbin}/ethtool rix, - @{bin}/flock rix, - @{bin}/{,e}grep rix, - @{sbin}/hdparm rPx, - @{bin}/head rix, - @{bin}/id rPx, - @{sbin}/iw rPx, - @{bin}/logger rix, - @{bin}/mktemp rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/systemctl rCx -> systemctl, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/udevadm rCx -> udevadm, - @{bin}/uname rix, - @{bin}/timeout rix, - /usr/share/tlp/tlp-readconfs rix, - - / r, - - /etc/tlp.d/ r, - /etc/tlp.d/** rw, - /etc/tlp.conf rw, - - /usr/share/tlp/{,**} r, - - /var/lib/tlp/{,**} rw, - /var/lib/power-profiles-daemon/state.ini rw, - - owner /tmp/tlp-run.conf_tmp@{rand6} rw, - - owner @{run}/tlp/{,**} rw, - owner @{run}/tlp/lock_tlp rwk, - - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - - @{sys}/bus/pci/devices/ r, - @{sys}/bus/pci/drivers/*/ r, - @{sys}/bus/platform/devices/ r, - @{sys}/class/drm/ r, - @{sys}/class/net/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/{,**/}power/control w, - @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/**/net/**/uevent r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - 
@{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/net/**/uevent r, - @{sys}/firmware/acpi/platform_profile* rw, - @{sys}/firmware/acpi/pm_profile* rw, - @{sys}/module/*/parameters/power_save rw, - @{sys}/module/*/parameters/power_save_controller rw, - @{sys}/module/pcie_aspm/parameters/policy rw, - - owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, - owner @{PROC}/sys/kernel/nmi_watchdog rw, - owner @{PROC}/sys/vm/dirty_*_centisecs rw, - owner @{PROC}/sys/vm/laptop_mode rw, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - profile udevadm { - include - include - - @{run}/tlp/lock_tlp rw, # file_inherit - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb deleted file mode 100644 index df4258b8c..000000000 --- a/apparmor.d/profiles-s-z/tomb +++ /dev/null 
@@ -1,134 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/tomb -profile tomb @{exec_path} { - include - include - include - include - include - include - - capability chown, - capability fowner, - capability sys_ptrace, - capability sys_rawio, - - signal send set=cont peer=gpg, - signal send set=cont peer=pinentry-*, - - ptrace read peer=@{p_systemd_user}, - - @{exec_path} mr, - - @{bin}/{,e,f}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/chown rix, - @{bin}/cp rix, - @{bin}/date rix, - @{bin}/dcfldd rix, - @{bin}/dd rix, - @{bin}/df rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/file rix, - @{bin}/findmnt rix, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/head rix, - @{bin}/hostname rix, - @{bin}/id rix, - @{bin}/kill rix, - @{bin}/locate rix, - @{bin}/ls rix, - @{bin}/lsof rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/realpath rix, - @{bin}/recoll rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sha*sum rix, - @{bin}/shred rix, - @{bin}/sleep rix, - @{bin}/stat rix, - @{bin}/sudo rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/zsh rix, - @{sbin}/losetup rix, - - @{sbin}/btrfs rPx, - @{sbin}/cryptsetup rPUx, - @{sbin}/e2fsck rPx, - @{sbin}/fsck rPx, - @{bin}/gpg{,2} rPx, - @{bin}/lsblk rPx, - @{sbin}/mkfs.* rPUx, - @{bin}/mount rPx, - @{bin}/pinentry rPx, - @{bin}/pinentry-* rPx, - @{bin}/qrencode rPx, - @{sbin}/resize2fs rPx, - @{bin}/tomb-kdb-pbkdf2 rPUx, - @{sbin}/tune2fs rPx, - @{bin}/umount rCx -> umount, - @{bin}/updatedb.mlocate rPx, - @{sbin}/zramctl rPx, - - /usr/share/file/** r, - /usr/share/terminfo/** r, - - @{MOUNTDIRS}/ rw, - @{MOUNTS}/ rw, - @{MOUNTS}/** w, - @{MOUNTS}/**/ rw, - owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw, - - # TODO: access to tomb files and key. 
- @{user_private_dirs}/**/*tomb* rw, - - /tmp/ r, - owner @{tmp}/@{int} rw, - owner @{tmp}/@{int}@{int} rw, - owner @{tmp}/zsh@{rand6} rw, - owner @{tmp}/zshm@{rand6} rw, - - @{sys}/devices/virtual/block/zram@{int}/backing_dev r, - - @{PROC}/swaps r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - - /dev/loop-control rw, - /dev/loop@{int} rw, - - profile umount { - include - include - - capability dac_read_search, - capability sys_admin, - - umount @{MOUNTS}/{,**/}, - - @{bin}/umount mr, - - owner @{run}/mount/utab r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/top b/apparmor.d/profiles-s-z/top similarity index 93% rename from apparmor.d/groups/procps/top rename to apparmor.d/profiles-s-z/top index 6a5d272a3..9e4b7c11a 100644 --- a/apparmor.d/groups/procps/top +++ b/apparmor.d/profiles-s-z/top @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,17 +11,17 @@ include profile top @{exec_path} flags=(attach_disconnected) { include include - include include + include capability dac_read_search, capability kill, capability sys_nice, capability sys_ptrace, - signal send, + signal (send), - ptrace read, + ptrace (read), @{exec_path} mr, @@ -36,14 +36,16 @@ profile top @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/ r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index c4cb88902..fcc4c9b98 100644 
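Review bot: `@{PROC}/@{pids}/oom_{,score_}adj r,` and `@{PROC}/@{pids}/oom_score r,` each appear twice in the top hunk's proc block — the two added lines duplicate the context lines directly above and below them. The parser accepts duplicate rules, but they hide real differences in future diffs and look like a bad merge; drop the two added lines. The `cpumap`/`meminfo` swap earlier in the hunk is a pure reorder. The profile body continues past this hunk.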
--- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index ad258189c..8d75133da 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{sbin}/getcap rix, + @{bin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem deleted file mode 100644 index d1e429d45..000000000 --- a/apparmor.d/profiles-s-z/totem +++ /dev/null 
@@ -1,101 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/totem -profile totem @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - - network netlink raw, - - signal (send) set=(kill) peer=totem//bwrap, - - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem - #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus - #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - @{exec_path} mr, - - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, - - /usr/share/xml/iso-codes/{,**} r, - /usr/share/grilo-plugins/{,**} r, - /usr/share/thumbnailers/{,**} r, - - owner @{HOME}/ r, - owner @{MOUNTS}/ r, - - owner @{user_music_dirs}/{,**} rw, - owner @{user_pictures_dirs}/{,**} rw, - owner @{user_torrents_dirs}/{,**} rw, - owner @{user_videos_dirs}/{,**} rw, - - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/{,**} r, - owner @{user_share_dirs}/grilo-plugins/ rw, - owner @{user_share_dirs}/grilo-plugins/** rwlk, - - owner @{tmp}/flatpak-seccomp-@{rand6} rw, - owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, - - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, - - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - profile bwrap flags=(attach_disconnected) { - include - include - include - include - include - include - - capability dac_override, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - @{bin}/bwrap mr, - @{bin}/totem-video-thumbnailer rix, - - /usr/share/ladspa/rdf/{,*} r, - - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, - - owner 
@{tmp}/flatpak-seccomp-@{rand6} rw, - owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, - owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, - owner @{tmp}/gnome-desktop-thumbnailer.png rw, - - @{PROC}/sys/vm/mmap_min_addr r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, - - /dev/ r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index b4666bb96..673f46e32 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,6 +13,7 @@ profile tpacpi-bat @{exec_path} { include @{exec_path} mr, + @{bin}/perl r, @{sh_path} rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission-gtk similarity index 65% rename from apparmor.d/profiles-s-z/transmission rename to apparmor.d/profiles-s-z/transmission-gtk index 9c4a8e673..40586fa03 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission-gtk @@ -2,20 +2,17 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/transmission-{gtk,qt} -profile transmission @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/transmission-gtk +profile transmission-gtk @{exec_path} { include - include - include include include include include - include include include include 
@@ -26,29 +23,20 @@ profile transmission @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=com.transmissionbt.Transmission - #aa:dbus own bus=session name=com.transmissionbt.transmission_* - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{exec_path} mr, @{open_path} rPx -> child-open, - /usr/share/transmission/{,**} r, - - owner @{HOME}/ r, - owner @{user_torrents_dirs}/ r, owner @{user_torrents_dirs}/** rw, owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/** rwk, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, - owner @{tmp}/tr_session_id_* rwk, - @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, @@ -57,12 +45,10 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt new file mode 100644 index 000000000..bbfe5bff4 --- /dev/null +++ b/apparmor.d/profiles-s-z/transmission-qt 
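Review bot: `/usr/share/transmission/{,**} r,` is dropped from `transmission-gtk` and nothing else left in the profile grants that path; if the installed build still ships its UI data there (older 3.x releases do, 4.x compiles it in — please verify against the target package), the client will start with a denial for every icon and resource it loads. Keep `/usr/share/transmission/{,**} r,` unless it is confirmed unused, and consider a one-line comment stating which transmission release this profile targets so the next reviewer does not have to guess.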
@@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/transmission-qt +profile transmission-qt @{exec_path} { + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + @{exec_path} mr, + + # Torrent files + owner @{user_torrents_dirs}/ r, + owner @{user_torrents_dirs}/** rw, + + owner @{user_config_dirs}/transmission/ rw, + owner @{user_config_dirs}/transmission/** rwk, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/transmission/ rw, + owner @{user_cache_dirs}/transmission/** rwk, + + owner @{tmp}/tr_session_id_* rwk, + + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/net/route r, + @{PROC}/sys/kernel/random/uuid r, + + /usr/share/hwdata/pnp.ids r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index 6f0fdad94..d9a8c5409 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids deleted file mode 100644 index 2ae7f66ef..000000000 --- a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids +++ /dev/null 
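Review bot: The new `transmission-qt` profile has no rule for opening downloaded files or folders, while its gtk sibling in this same diff keeps `@{open_path} rPx -> child-open,`; if the Qt client's "open folder"/"open file" actions spawn xdg-open (likely, not verified here) they will be denied. Add `@{open_path} rPx -> child-open,` after `@{exec_path} mr,`. Also `deny owner @{PROC}/@{pid}/cmdline r,` silences a denial without saying why; a `# Silencer` comment above it, as this repo does elsewhere (see `udiskie`), would document the intent.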
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/u-d-c-print-pci-ids -profile u-d-c-print-pci-ids @{exec_path} { - include - - @{exec_path} mr, - @{sh_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf deleted file mode 100644 index 47826d336..000000000 --- a/apparmor.d/profiles-s-z/ucf +++ /dev/null @@ -1,62 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucf -profile ucf @{exec_path} { - include - include - include - include - - @{exec_path} rix, - @{sh_path} rix, - - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/getopt rix, - @{bin}/id rix, - @{bin}/md5sum rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/stat rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/dpkg-query rpx, - @{bin}/dpkg-divert rPx, - @{pager_path} rCx -> child-pager, - - # For md5sum - /usr/share/** r, - - # For writing new config files - /etc/** rw, #aa:lint ignore=too-wide - - # For shell pwd - / r, - /root/ r, - - owner /var/lib/ucf/** rw, - - owner /tmp/tmp.@{rand10} r, - - deny capability sys_admin, # optional: no audit - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq deleted file mode 100644 index b6ca3e7b1..000000000 --- a/apparmor.d/profiles-s-z/ucfq +++ /dev/null 
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucfq -profile ucfq @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/md5sum rix, - - /etc/ r, - /etc/default/ r, - /etc/default/grub r, - - /var/lib/ucf/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr deleted file mode 100644 index 4cc149a28..000000000 --- a/apparmor.d/profiles-s-z/ucfr +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucfr -profile ucfr @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/dirname ix, - @{bin}/getopt ix, - @{bin}/id ix, - @{bin}/readlink ix, - @{bin}/sed ix, - - /usr/share/ucf/{,**} r, - - /etc/ucf.conf r, - - / r, - - /var/lib/ucf/ r, - /var/lib/ucf/registry r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id deleted file mode 100644 index f12ed105f..000000000 --- a/apparmor.d/profiles-s-z/udev-ata_id +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/ata_id -profile udev-ata_id @{exec_path} { - include - include - - capability sys_rawio, - - @{exec_path} mr, - - /etc/udev/udev.conf r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached deleted file mode 100644 index e42b10c26..000000000 --- a/apparmor.d/profiles-s-z/udev-bcache-export-cached +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/bcache-export-cached -profile udev-bcache-export-cached @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{sbin}/bcache-super-show rix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface deleted file mode 100644 index 7e3ba52f9..000000000 --- a/apparmor.d/profiles-s-z/udev-bridge-network-interface +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/bridge-network-interface -profile udev-bridge-network-interface @{exec_path} { - include - - @{exec_path} mr, - @{sh_path} r, - - /etc/default/bridge-utils r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id deleted file mode 100644 index 552159867..000000000 --- a/apparmor.d/profiles-s-z/udev-cdrom_id +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/cdrom_id -profile udev-cdrom_id @{exec_path} { - include - - capability sys_rawio, - - @{exec_path} mr, - - /etc/udev/udev.conf r, - - /dev/sr@{int} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index 1d6580311..ab6a2de77 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id 
@@ -2,11 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{lib}/udev/dmi_memory_id +@{exec_path} = @{lib}/udev/dmi_memory_id profile udev-dmi-memory-id @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id deleted file mode 100644 index 453e0093a..000000000 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/fido_id -profile udev-fido_id @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/udev/udev.conf r, - /etc/udev/udev.conf.d/{,**} r, - - @{sys}/devices/@{pci}/report_descriptor r, - @{sys}/devices/platform/**/report_descriptor r, - @{sys}/devices/virtual/**/report_descriptor r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm deleted file mode 100644 index bca98163b..000000000 --- a/apparmor.d/profiles-s-z/udev-hdparm +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/hdparm -profile udev-hdparm @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/udevadm rPx, - - /etc/hdparm.conf r, - - @{PROC}/cmdline r, - @{PROC}/mdstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache deleted file mode 100644 index e02e070a8..000000000 --- a/apparmor.d/profiles-s-z/udev-probe-bcache +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/probe-bcache -profile udev-probe-bcache @{exec_path} { - include - include - - capability sys_rawio, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/profiles-s-z/udiskie similarity index 54% rename from apparmor.d/groups/filesystem/udiskie rename to apparmor.d/profiles-s-z/udiskie index 53b726c23..505017bcd 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,20 +11,22 @@ include profile udiskie @{exec_path} { include include - include + include + include include - include + include + include include - include include + include + include + include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{open_path} rPx -> child-open, - - /etc/fstab r, + @{bin}/xdg-open rCx -> open, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, @@ -33,9 +35,37 @@ profile udiskie @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + /etc/fstab r, + + # Allowed apps to open + @{bin}/spacefm rPx, + # Silencer deny @{lib}/** w, + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{bin}/spacefm rPx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } 
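Review bot: The new `open` child profile in `udiskie` replaces the shared `@{open_path} rPx -> child-open,` transition with a hand-rolled `@{bin}/xdg-open rCx -> open` whose only allowed target is `@{bin}/spacefm rPx`; any other handler `xdg-open` resolves (the user's configured file manager or browser) and the helpers the xdg-open script calls beyond the four listed will be denied rather than confined. Other profiles in this same diff (e.g. `transmission-gtk`) keep `@{open_path} rPx -> child-open,`, so the same one-line rule here would restore consistency and remove the whole subprofile. If a deliberate allowlist of one file manager is intended, say so in a comment above `profile open {`.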
diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info similarity index 90% rename from apparmor.d/groups/filesystem/udiskie-info rename to apparmor.d/profiles-s-z/udiskie-info index b59b91472..aa359ef56 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,10 +13,9 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount similarity index 90% rename from apparmor.d/groups/filesystem/udiskie-mount rename to apparmor.d/profiles-s-z/udiskie-mount index 3ec9e422a..7e72e9713 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,10 +13,9 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount similarity index 90% rename from apparmor.d/groups/filesystem/udiskie-umount rename to apparmor.d/profiles-s-z/udiskie-umount index 01271bdc6..8dc30eb9a 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
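Review bot: `/usr/bin/ r,` hard-codes the path while every other rule in `udiskie-info` uses the `@{bin}` variable (e.g. `@{bin}/python3.@{int} r,` two lines up); wherever `@{bin}` expands to something other than `/usr/bin`, the directory listing will be denied. Prefer `@{bin}/ r,` as the old side had. The same replacement appears in `udiskie-mount` and `udiskie-umount` in this diff.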
@@ -13,10 +13,9 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udisksctl b/apparmor.d/profiles-s-z/udisksctl similarity index 69% rename from apparmor.d/groups/filesystem/udisksctl rename to apparmor.d/profiles-s-z/udisksctl index 6ae685723..a05cede9c 100644 --- a/apparmor.d/groups/filesystem/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -3,23 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/udisksctl profile udisksctl @{exec_path} { include - include - include - - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd @{exec_path} mr, @{sh_path} rix, - @{pager_path} rPx -> child-pager, + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, /dev/tty rw, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/profiles-s-z/udisksd similarity index 72% rename from apparmor.d/groups/filesystem/udisksd rename to apparmor.d/profiles-s-z/udisksd index 91d4a8569..365044702 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,6 +11,8 @@ include profile udisksd @{exec_path} flags=(attach_disconnected) { include include + include + include include include @@ -19,7 +21,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, - capability ipc_lock, capability net_admin, capability setgid, capability setuid, 
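Review bot: With the two dbus includes and the `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd` directive gone, the new `udisksctl` profile carries no dbus rule at all, yet every udisksctl operation is a system-bus call to udisksd; unless the remaining include supplies it (not visible here), on a kernel with dbus mediation each call will be denied. Keep the directive `#aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd`, or the equivalent explicit `dbus send bus=system ... peer=(label=udisksd)` rule, alongside the dbus abstraction it relies on.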
@@ -49,8 +50,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> @{efi}/, - # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, @@ -59,35 +58,36 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount @{efi}/, umount /media/cdrom@{int}/, - signal receive set=int peer=@{p_systemd}, + signal (receive) set=(int) peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label=dbus-system), @{exec_path} mr, @{sh_path} rix, @{bin}/umount rix, - @{sbin}/dmidecode rPx, - @{sbin}/dumpe2fs rPx, + @{bin}/dmidecode rPx, + @{bin}/dumpe2fs rPx, @{bin}/eject rPx, - @{sbin}/fsck.fat rPx, - @{sbin}/lvm rPUx, - @{sbin}/mke2fs rPx, - @{sbin}/mkfs.* rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{sbin}/sfdisk rPx, - @{sbin}/sgdisk rPx, + @{bin}/sfdisk rPx, + @{bin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, - @{bin}/xfs_* rPUx, /etc/crypttab r, /etc/fstab r, 
@@ -103,35 +103,27 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/ r, @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI - @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+scsi:* r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, - @{sys}/bus/pci/slots/@{int}/address r, - @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, - @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w, - @{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw, - @{sys}/devices/@{pci}/uevent rw, - @{sys}/devices/**/net/*/ r, - @{sys}/devices/**/uevent r, + @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, + @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw, diff --git a/apparmor.d/groups/utils/umount b/apparmor.d/profiles-s-z/umount similarity index 98% rename from apparmor.d/groups/utils/umount rename to apparmor.d/profiles-s-z/umount index 66fae00bb..e066dff89 100644 
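Review bot: `@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,` and the `remove rw` rule below it now match only single-digit host numbers, whereas the old side used `@{int}`; a machine with `usb10` or `ata12` (common on desktops) gets those writes denied, so eject/power-off of such devices will silently stop working. Restore `@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w,` and `@{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw,` (the `@{run}/systemd/inhibit/[0-9]*.ref` change is fine because of its trailing `*`). Separately, in the earlier `@@ -59,35 +58,36 @@` hunk the `PolicyKit1` and `login1` talk directives were replaced by a single `org.freedesktop.DBus` rule, so polkit authorization checks and logind inhibitor calls have no explicit rule left unless the two new includes supply them — worth confirming before merging.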
--- a/apparmor.d/groups/utils/umount +++ b/apparmor.d/profiles-s-z/umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/filesystem/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 similarity index 88% rename from apparmor.d/groups/filesystem/umount.udisks2 rename to apparmor.d/profiles-s-z/umount.udisks2 index 752a1d5d3..2a6f7747d 100644 --- a/apparmor.d/groups/filesystem/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/umount.udisks2 +@{exec_path} = @{bin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/profiles-s-z/uname similarity index 76% rename from apparmor.d/groups/utils/uname rename to apparmor.d/profiles-s-z/uname index 45a864c23..4dd41a7bf 100644 --- a/apparmor.d/groups/utils/uname +++ b/apparmor.d/profiles-s-z/uname @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -14,11 +14,10 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{att}/dev/tty@{int} rw, + /dev/tty@{int} rw, deny network, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index 0d543513c..d03561452 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 730d1aaa6..1277e299c 100644 
--- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index ecc19849a..e503f639a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index 8827bca14..bb54d19b1 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{sbin}/ss rix, + @{bin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 7407a9f99..c24da3bab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -3,18 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/unix_chkpwd +@{exec_path} = @{bin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include include capability audit_write, - capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 2d641f994..d5d1cb953 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
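Review bot: Dropping `capability dac_read_search,` from `unix-chkpwd` removes the only thing that let it read `/etc/shadow` when that file is mode 0000, the case the deleted comment documented; on such systems password checks from screen lockers and PAM helpers will fail closed and users will be locked out until the profile is fixed. Unless `/etc/shadow` is known to be readable via the `shadow` group on every target distribution, keep `capability dac_read_search, # To read shadow with 000 permissions.`.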
@@ -18,21 +18,25 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{archive_path} rix, @{bin}/{,e}grep rix, + @{bin}/bzip2 rix, @{bin}/cat rix, + @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, + @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, + @{bin}/xz rix, @{bin}/xzcat rix, + @{bin}/zstd rix, - @{efi}/ r, - owner @{efi}/initrd.img-* r, + /boot/ r, + owner /boot/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..dfe7725d8 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,8 +12,6 @@ profile update-alternatives @{exec_path} { include include - capability dac_override, - @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index df9c08fe4..f08383fba 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-ca-certificates +@{exec_path} = @{bin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include @@ -33,7 +33,6 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, - @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, 
@@ -46,7 +45,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/@{hex}.@{d} rw, + /etc/ssl/certs/@{hex}.[0-9] rw, /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index c0f220919..6ebcf7f83 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,9 +24,12 @@ profile update-ca-trust @{exec_path} { / r, /usr/share/p11-kit/modules/{,*} r, - /etc/ca-certificates/extracted/** rw, + /etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w, + /etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w, + /etc/ca-certificates/extracted/cadir/{,*} rw, + /etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w, /etc/ssl/certs/{,*} rw, - /etc/ssl/certs/java/** rw, + /etc/ssl/certs/java/cacerts{,.*} w, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog deleted file mode 100644 index feac2d3c5..000000000 --- a/apparmor.d/profiles-s-z/update-catalog +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-catalog -profile update-catalog @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/sgml/ r, - /etc/sgml/* r, - - /var/lib/sgml-base/*catalog rw, - /var/lib/sgml-base/*catalog.new rw, - /var/lib/sgml-base/*catalog.old w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 9801f8737..56c215402 100644 
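Review bot: Removing `@{bin}/run-parts rix,` while keeping `@{lib}/ca-certificates/update.d/* rix,` assumes the script iterates the hook directory itself; on Debian, update-ca-certificates drives the hooks through `run-parts` (from memory — verify against the installed script), in which case the hooks would no longer run and dependent trust stores such as the Java keystore would silently go stale. If run-parts is still used, keep `@{bin}/run-parts rix,`.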
--- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 8f848b0ad..6b4192903 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -2,11 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-cracklib +@{exec_path} = @{bin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,12 +16,12 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/cracklib-format rix, - @{sbin}/cracklib-packer rPx, + @{bin}/cracklib-format rix, + @{bin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index e9d92e421..08687c6c8 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/@{int} w, + owner @{PROC}/@{pid}/fd/2 w, /var/lib/dlocate/dpkg-list w, @@ -39,6 +39,7 @@ profile update-dlocatedb @{exec_path} { include /usr/share/dlocate/updatedb r, + @{bin}/perl r, /etc/default/dlocate r, 
@@ -57,7 +58,6 @@ profile update-dlocatedb @{exec_path} { @{bin}/gzip rix, /var/lib/dlocate/dlocatedb.gz rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir deleted file mode 100644 index dc2a0d7aa..000000000 --- a/apparmor.d/profiles-s-z/update-info-dir +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-info-dir -profile update-info-dir @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/cp ix, - @{bin}/find ix, - @{bin}/install-info Px, - @{bin}/rm ix, - - /etc/environment r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 50f11caea..fc62d99f2 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -3,11 +3,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-initramfs +@{exec_path} = @{bin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -22,20 +22,17 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, + @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, - @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, - @{bin}/ischroot rPx, @{bin}/linux-version rPx, - @{sbin}/mkinitramfs rPx, - - /etc/initramfs/post-update.d/* rPUx, + @{bin}/mkinitramfs rPx, /var/lib/initramfs-tools/* w, 
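Review bot: The new side of the update-initramfs hunk (`@@ -22,20 +22,17`) has no rule for `/etc/initramfs/post-update.d/*` and no `@{bin}/run-parts` entry, while the old side allowed those hooks with `rPUx`; a post-update hook installed there (the hook directory update-initramfs itself runs after writing an image) would presumably be denied under this profile. If hooks are intentionally dropped, a comment such as `# post-update.d hooks are deliberately not allowed` makes that explicit; otherwise `@{bin}/run-parts rix,` and `/etc/initramfs/post-update.d/* rPUx,` is the minimal restore. The change of `ischroot` from `rPx` to `rix` also means it now runs inside this profile instead of its own, which is fine if intended. The profile body continues outside the hunk.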
@@ -50,9 +47,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{efi}/ r, - owner @{efi}/initrd.img-* rw, - owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, + owner /boot/ r, + owner /boot/initrd.img-* rw, + owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 901dae9a0..233ed60be 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-pciids +@{exec_path} = @{bin}/update-pciids profile update-pciids @{exec_path} { include include @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, @@ -38,7 +38,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, - # For shell pwd + # For shell pwd /root/ r, @@ -62,7 +62,6 @@ profile update-pciids @{exec_path} { /usr/share/misc/pci.ids.new w, /usr/share/misc/pci.ids.gz.new w, - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 31a03ef7b..8431fd1e6 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy 
@@ -3,28 +3,32 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-secureboot-policy +@{exec_path} = @{bin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, - @{bin}/{,m,g}awk ix, - @{bin}/dpkg-trigger Px, - @{bin}/find ix, - @{bin}/id ix, - @{bin}/od ix, - @{bin}/sort ix, - @{bin}/touch ix, - @{bin}/wc ix, + @{sh_path} rix, + @{bin}/{,m,g}awk rix, + @{bin}/dpkg-trigger rPx, + @{bin}/find rix, + @{bin}/id rix, + @{bin}/od rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/wc rix, + /usr/share/debconf/frontend rPx, / r, + /usr/share/debconf/confmodule r, + /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells deleted file mode 100644 index 5922c1a14..000000000 --- a/apparmor.d/profiles-s-z/update-shells +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-shells -profile update-shells @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/basename ix, - @{bin}/chmod ix, - @{bin}/chown ix, - @{bin}/dirname ix, - @{bin}/dpkg-realpath rix, - @{bin}/mv ix, - @{bin}/sync ix, - @{bin}/readlink ix, - - /usr/share/debianutils/shells r, - /usr/share/debianutils/shells.d/{,**} r, - /usr/share/dpkg/sh/dpkg-error.sh r, - - /etc/shells r, - /etc/shells.tmp w, - - /var/lib/shells.state r, - /var/lib/shells.state.tmp w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 70b9bc6e2..7140bbd5b 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb 
@@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/update-smart-drivedb +@{exec_path} = @{bin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, @@ -58,7 +58,6 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**, - include if exists } profile browse { @@ -89,7 +88,6 @@ profile update-smart-drivedb @{exec_path} { /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w, - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 518a8d7df..9e470d878 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -19,13 +19,13 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, # For shell pwd / r, - @{efi}/ r, - @{efi}/**/ r, + /boot/ r, + /boot/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny @{efi}/ r, + deny /efi/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 60aa760d4..67ea546fd 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/procps/uptime b/apparmor.d/profiles-s-z/uptime similarity index 91% rename from apparmor.d/groups/procps/uptime rename to apparmor.d/profiles-s-z/uptime index 3da204a38..1b28a07da 100644 --- a/apparmor.d/groups/procps/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,8 +15,6 @@ profile uptime @{exec_path} { @{exec_path} mr, - @{run}/systemd/sessions/@{int} r, - @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed index 7e978c1dd..a850d7771 100644 --- a/apparmor.d/profiles-s-z/uptimed +++ b/apparmor.d/profiles-s-z/uptimed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/usb/usb-devices b/apparmor.d/profiles-s-z/usb-devices similarity index 95% rename from apparmor.d/groups/usb/usb-devices rename to apparmor.d/profiles-s-z/usb-devices index 59ff12feb..94e6526ab 100644 --- a/apparmor.d/groups/usb/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -22,7 +22,6 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/usb/usbguard b/apparmor.d/profiles-s-z/usbguard similarity index 98% rename from apparmor.d/groups/usb/usbguard rename to apparmor.d/profiles-s-z/usbguard index 798352c89..deb5ef46d 100644 --- a/apparmor.d/groups/usb/usbguard +++ b/apparmor.d/profiles-s-z/usbguard @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt similarity index 85% rename from apparmor.d/groups/usb/usbguard-applet-qt rename to apparmor.d/profiles-s-z/usbguard-applet-qt index 558b9093c..bc004b86f 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -3,28 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include + include + include + include include + include include - include + include include + include + include # Needed? ptrace (read), @{exec_path} mr, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -36,6 +37,11 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + include if exists } diff --git a/apparmor.d/groups/usb/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon similarity index 94% rename from apparmor.d/groups/usb/usbguard-daemon rename to apparmor.d/profiles-s-z/usbguard-daemon index 1fb97459d..d6c05f782 100644 --- a/apparmor.d/groups/usb/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/usbguard/{,**} r, /etc/usbguard/*.conf rw, + /etc/usbguard/IPCAccessControl.d/{,*} r, owner @{run}/usbguard.pid rwk, 
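Review bot: In the usbguard-daemon hunk (`@@ -24,8 +24,8`) the blanket `/etc/usbguard/{,**} r,` is replaced by `IPCAccessControl.d/{,*} r` next to the existing `*.conf rw`, so a drop-in rules directory (usbguard's `RuleFolder` setting, conventionally `/etc/usbguard/rules.d/`) would no longer be readable if that option is enabled; worth confirming against the daemon configuration, because an unreadable rules folder silently changes which devices get authorised. The `rw` on `/etc/usbguard/*.conf` is expected when rules are appended over IPC, but a comment such as `# rules.conf is rewritten when rules are appended over IPC` would tell the next reader why the daemon may write its own policy. The profile body continues outside the hunk.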
diff --git a/apparmor.d/groups/usb/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus similarity index 98% rename from apparmor.d/groups/usb/usbguard-dbus rename to apparmor.d/profiles-s-z/usbguard-dbus index d406d5262..b02524d55 100644 --- a/apparmor.d/groups/usb/usbguard-dbus +++ b/apparmor.d/profiles-s-z/usbguard-dbus @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/usb/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier similarity index 97% rename from apparmor.d/groups/usb/usbguard-notifier rename to apparmor.d/profiles-s-z/usbguard-notifier index 963fcb2e8..48f88d0aa 100644 --- a/apparmor.d/groups/usb/usbguard-notifier +++ b/apparmor.d/profiles-s-z/usbguard-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/profiles-s-z/useradd similarity index 92% rename from apparmor.d/groups/shadow/useradd rename to apparmor.d/profiles-s-z/useradd index b10487cf2..a6094867a 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/useradd +@{exec_path} = @{bin}/useradd profile useradd @{exec_path} { include include @@ -25,12 +25,12 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{sbin}/usermod rPx, + @{bin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, 
@@ -53,10 +53,9 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/** wl, - @{HOME}/**/ r, + @{HOME}/.* w, /var/lib/*/{,*} rw, - /etc/skel/{,.**} r, + /etc/skel/{,.*} r, profile pam_tally2 { include diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/profiles-s-z/userdel similarity index 95% rename from apparmor.d/groups/shadow/userdel rename to apparmor.d/profiles-s-z/userdel index 589c726d0..6b95a4848 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/userdel +@{exec_path} = @{bin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/profiles-s-z/usermod similarity index 95% rename from apparmor.d/groups/shadow/usermod rename to apparmor.d/profiles-s-z/usermod index b59260a25..cfcdc6bdc 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/usermod +@{exec_path} = @{bin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, 
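Review bot: In the useradd hunk (`@@ -53,10 +53,9`) the new `/etc/skel/{,.*} r,` matches only top-level dotfiles of the skeleton directory and `@{HOME}/.* w,` only top-level entries of the new home, so a skeleton with a nested tree (a `.config/` directory, for example) would presumably fail to copy, where the old `/etc/skel/{,.**} r,` and `@{HOME}/** wl,` covered nesting. If nested skeletons are meant to work, `/etc/skel/{,**} r,` together with `@{HOME}/** wl,` restores that; if the narrowing is deliberate, a comment stating that only flat skeletons are supported would save the next reporter a debugging session. The `pam_tally2` subprofile starts at the end of this hunk and continues past it.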
diff --git a/apparmor.d/groups/utils/users b/apparmor.d/profiles-s-z/users similarity index 96% rename from apparmor.d/groups/utils/users rename to apparmor.d/profiles-s-z/users index 67d7a83e7..fbad304bf 100644 --- a/apparmor.d/groups/utils/users +++ b/apparmor.d/profiles-s-z/users @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 363524355..054bb69ce 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index 483fef619..e5642c263 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-s-z/uuidd similarity index 59% rename from apparmor.d/profiles-m-r/qdbus rename to apparmor.d/profiles-s-z/uuidd index 6816079ac..c98d8175f 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-s-z/uuidd @@ -2,18 +2,17 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus -profile qdbus @{exec_path} { +@{exec_path} = @{bin}/uuidd +profile uuidd @{exec_path} { include - include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/uuidgen b/apparmor.d/profiles-s-z/uuidgen similarity index 78% rename from apparmor.d/groups/utils/uuidgen rename to apparmor.d/profiles-s-z/uuidgen index c056daaa0..b00ed1f26 100644 --- a/apparmor.d/groups/utils/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen 
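Review bot: The renamed uuidd profile (`@@ -2,18 +2,17`) ends up with `@{exec_path} mr,` as its only visible rule, and the 59% rename from `qdbus` carries that tool's header and layout rather than rules for a daemon. uuidd normally answers requests over a socket under `@{run}/uuidd/` and keeps clock state under `/var/lib/libuuid/`, and the uuidgen hunk further down this page removes exactly `@{run}/uuidd/request w` and `/var/lib/libuuid/clock.txt w` from the client, which suggests that access was expected to move here. The include targets are stripped in this listing, so confirm whether an abstraction supplies them; if not, those two rules plus a purpose comment such as `# uuidd: socket-backed time-based UUID generator used by uuidgen -t` belong in this profile.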
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,14 +11,8 @@ profile uuidgen @{exec_path} { include include - network inet dgram, - @{exec_path} mr, - owner /var/lib/libuuid/clock.txt w, - - @{run}/uuidd/request w, - include if exists } diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 88a6cd406..f49441ebf 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, @@ -50,7 +50,7 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray deleted file mode 100644 index 046151222..000000000 --- a/apparmor.d/profiles-s-z/v2ray +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/v2ray -profile v2ray @{exec_path} flags=(attach_disconnected) { - include - include - - network inet dgram, - network inet stream, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, - - @{exec_path} mr, - - /etc/v2ray/{,*} r, - /usr/share/v2ray/**.dat r, - - @{PROC}/sys/net/core/somaxconn r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl deleted file mode 100644 index ddb86b9a2..000000000 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/v4l2-ctl -profile v4l2-ctl @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index eaf6ca24b..37422840c 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt deleted file mode 100644 index b9b92a721..000000000 --- a/apparmor.d/profiles-s-z/veracrypt +++ /dev/null 
@@ -1,96 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/veracrypt -profile veracrypt @{exec_path} { - include - include - include - include - include - include - include - include - - capability chown, - capability dac_read_search, - capability fsetid, - capability sys_admin, - capability sys_ptrace, - - mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/, - - @{exec_path} mrix, - - @{sh_path} rix, - @{open_path} rPx -> child-open-help, - @{sbin}/dmsetup rPx, - @{bin}/{,e}grep rix, - @{bin}/kmod rix, - @{sbin}/ldconfig rix, - @{sbin}/losetup rCx -> losetup, - @{bin}/mount rPx, - @{bin}/sudo rix, - @{bin}/umount rCx -> umount, - @{bin}/wc rix, - @{file_explorers_path} rPx, - - /home/ r, - - # Mount points - @{MOUNTS}/ rw, - @{MOUNTS}/*/ rw, - - owner @{HOME}/ r, - owner @{HOME}/.VeraCrypt-lock-@{user} rwk, - - owner @{user_config_dirs}/VeraCrypt/ rw, - owner @{user_config_dirs}/VeraCrypt/** rwk, - - /tmp/.veracrypt_*/ rw, - /tmp/.veracrypt_*/** rwk, - - @{sys}/module/compression r, - @{sys}/module/dm_mod/initstate r, - - @{PROC}/partitions r, - owner @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - /dev/tty rw, - - profile umount { - include - - capability sys_admin, - - umount /tmp/.veracrypt_*/, - umount @{MOUNTS}/{,*/}, - - @{bin}/umount mr, - - owner @{run}/mount/utab r, - - include if exists - } - - profile losetup { - include - include - - capability sys_rawio, - - @{sbin}/losetup mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop deleted file mode 100644 index 4f4432650..000000000 --- a/apparmor.d/profiles-s-z/vesktop +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = vesktop -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/vesktop -profile vesktop @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{bin}/speech-dispatcher rPx, - @{open_path} rPx -> child-open, - - owner @{run}/user/@{uid}/discord-ipc-@{int} rw, - - @{sys}/devices/@{pci}/usb@{int}/**/interface r, - - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - owner /dev/ r, - - deny /dev/tty rw, - deny owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7cf741dc2..226a0dd98 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -25,10 +25,10 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 396f1e4f8..835267c2d 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -16,9 +16,11 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{editor_path} rCx -> editor, - @{etc_ro}/login.defs r, + @{bin}/sensible-editor rCx -> editor, + @{bin}/vim.* rCx -> editor, + + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, @@ -35,6 +37,7 @@ profile vipw-vigr @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + profile editor { include include @@ -42,8 +45,6 @@ profile vipw-vigr @{exec_path} { capability fsetid, /etc/{passwd,shadow,gshadow,group}.edit rw, - - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 92dc977d9..9fa13e500 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,18 +12,12 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include - include - include - include - include include include include include include include - include include include include 
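Review bot: In the vipw-vigr hunk (`@@ -16,9 +16,11`) the editor transition narrows from `@{editor_path}` to `@{bin}/sensible-editor` and `@{bin}/vim.*`, so an `EDITOR`/`VISUAL` set to another editor would presumably be refused at the `rCx -> editor` exec unless the `editor` subprofile lets sensible-editor re-exec it, and that subprofile's include targets are not visible here. `@{bin}/vim.*` is also a prefix glob rather than a fixed list; a comment such as `# vim.basic / vim.tiny alternatives` documents what it is meant to match. The `editor` subprofile itself starts in a later hunk of this file.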
@@ -34,25 +28,25 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.virt-manager.virt-manager - @{exec_path} rix, @{sh_path} rix, - @{python_path} rix, - @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{bin}/python3.@{int} r, + @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, @{bin}/getfacl rix, @{bin}/setfacl rix, - @{sbin}/libvirtd rPx, + @{bin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, @{open_path} rPx -> child-open, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, @@ -67,15 +61,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/libnl/classid r, - # System VM images - /var/lib/libvirt/images/{,**} rw, + owner @{HOME}/ r, + owner @{user_cache_dirs}/virt-manager/{,**} rw, # For disk images @{MOUNTS}/ r, @{user_img_dirs}/{,**} r, - owner @{HOME}/ r, - owner @{user_cache_dirs}/virt-manager/{,**} rw, + # System VM images + /var/lib/libvirt/images/{,**} rw, # User VM images owner @{user_share_dirs}/ r, 
@@ -85,24 +79,21 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r, @{sys}/devices/virtual/drm/ttm/uevent r, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + /dev/media@{int} r, + /dev/video@{int} rw, + # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 05866296d..5d113ba3b 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,10 +11,13 @@ include profile vlc @{exec_path} { include include + include include + include + include + include + include include - include - include include include include @@ -22,11 +25,8 @@ profile vlc @{exec_path} { include include include - include include include - include - include include include @@ -36,9 +36,11 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc + #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + @{exec_path} mrix, - @{open_path} rPx -> child-open-help, @{bin}/xdg-screensaver rPx, /usr/share/vlc/{,**} r, 
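Review bot: The virt-manager hunk (`@@ -85,24 +79,21`) removes `@{run}/libvirt/libvirt-sock rw,` while keeping the per-user `@{run}/user/@{uid}/libvirt/*.lock` rules, so connecting to the system libvirt daemon over its socket (typically the default connection) would depend on an abstraction whose include name is stripped in this listing; worth confirming. The new `/dev/video@{int} rw,` is not `owner`-qualified and grants every video device to the GUI; if it exists for webcam redirection into guests, a comment saying so (`# Webcam redirection to guests`) would justify the scope. The profile body continues outside the hunk.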
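Review bot: In the vlc hunk (`@@ -36,9 +36,11`) the new `#aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined` directive targets the `unconfined` peer label, which is the broadest peer selector available; a one-line comment naming the unconfined client it is meant for would justify it. The same hunk drops `@{open_path} rPx -> child-open-help,`, so opening help links from the player would presumably be denied now; if that is intentional, say so. The later hunk `@@ -72,16 +73,10` adds `/dev/video@{int} rw,` without an `owner` qualifier, which is broader than the `owner /dev/tty@{int} rw,` style used next to it. The profile body continues outside the hunk.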
@@ -46,13 +48,12 @@ profile vlc @{exec_path} { /etc/fstab r, owner @{HOME}/ r, - owner @{MOUNTS}/ r, - owner @{user_music_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_torrents_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, + owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/vlc/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -72,16 +73,10 @@ profile vlc @{exec_path} { @{run}/mount/utab r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, + /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index 1c089b0f8..b464f1712 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index edce31840..25bdcfb1b 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -12,16 +12,34 @@ profile vnstat @{exec_path} { include include - capability chown, + # The following rules are needed when adding a new interface to the vnstat database. Usually this + # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the + # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the + # dac_override CAP is needed to allow writing files in that dir. + # + # If this CAP was denied, then the following error is printed when adding new interfaces: + # + # Error: Exec step failed (8: attempt to write a readonly database): "insert into interface + # (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1, + # datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)" + # Error: Adding interface "ifb0" to database failed. + # capability dac_override, + # + # Also the vnstat.db file has to have the write permission: + /var/lib/vnstat/vnstat.db w, + /var/lib/vnstat/vnstat.db-journal rw, + # + # This is needed to change the owner:group to vnstat:vnstat of the database file. + capability chown, @{exec_path} mr, - /etc/vnstat.conf r, - + # Many apps/users can query vnstat database, so don't use owner here. /var/lib/vnstat/ r, - /var/lib/vnstat/vnstat.db rwk, - /var/lib/vnstat/vnstat.db-journal rw, + /var/lib/vnstat/vnstat.db rk, + + /etc/vnstat.conf r, @{sys}/class/net/ r, diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd index 1270ecf42..c37c8b6d7 100644 --- a/apparmor.d/profiles-s-z/vnstatd +++ b/apparmor.d/profiles-s-z/vnstatd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index e354c3cbd..c58381d7d 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon 
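Review bot: In the vnstat hunk (`@@ -12,16 +12,34`) two file rules (`/var/lib/vnstat/vnstat.db w,` and `/var/lib/vnstat/vnstat.db-journal rw,`) sit in the middle of a comment block, and a second rule for the same file (`/var/lib/vnstat/vnstat.db rk,`) follows further down, so the effective `rwk` only appears after merging both by hand; keep the block as prose and state the file rules once, e.g. `/var/lib/vnstat/vnstat.db rwk,` next to the journal rule. `capability dac_override` is a broad grant, but the comment does explain the vnstat:vnstat ownership mismatch it works around, which is the right way to justify it. The profile body continues outside the hunk.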
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 8fe33af50..aa45b805e 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,12 +41,6 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/groups/procps/w b/apparmor.d/profiles-s-z/w similarity index 91% rename from apparmor.d/groups/procps/w rename to apparmor.d/profiles-s-z/w index 2445034e9..a3fc8c9e3 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/profiles-s-z/w @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace read, + ptrace (read), @{exec_path} mr, @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/@{int} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index ade896ea5..5b919ecc0 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m 
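Review bot: The vsftpd hunk (`@@ -41,12 +41,6`) leaves the profile with no visible `network` rule on the new side, while the surrounding comments (`# To be able to listen on ports < 1024`, `# If session_support=YES ...`) still describe a listening FTP server; unless the include swapped in the `@@ -12,7 +12,7` hunk of the same file supplies the `inet`/`inet6 stream` rules (its target is stripped in this listing), the listener will be denied. If an abstraction does cover it, a comment after that include, `# network rules come from the included abstraction`, stops the next reader from re-adding them. The profile body continues outside the hunk.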
@@ -1,16 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/w3m profile w3m @{exec_path} { include - include include include include @@ -23,20 +21,13 @@ profile w3m @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{lib}/w3m/cgi-bin/* rix, - @{lib}/w3m/* rix, - /usr/share/terminfo/{,**} r, - /etc/mime.types r, /etc/w3m/{,**} r, + owner @{HOME}/.w3m/{,**} r, + owner @{user_config_dirs}/w3m/{,**} r, - owner @{HOME}/.w3m/{,**} rw, - - owner @{user_config_dirs}/w3m/{,**} rw, - - owner @{tmp}/w3m-@{rand6}/{,**} rw, + owner /tmp/@{rand6}/{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 6c2fee4df..9ec082580 100644 --- a/apparmor.d/profiles-s-z/wavemon +++ b/apparmor.d/profiles-s-z/wavemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar deleted file mode 100644 index b8d1d5326..000000000 --- a/apparmor.d/profiles-s-z/waybar +++ /dev/null 
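Review bot: `owner /tmp/@{rand6}/{,**} rw,` replaces `owner @{tmp}/w3m-@{rand6}/{,**} rw,` and is no longer w3m-specific: any six-character directory under /tmp owned by the user becomes writable from the w3m profile, and the hardcoded `/tmp` bypasses the `@{tmp}` variable the rest of these profiles use. Keeping a w3m-bound prefix, `owner @{tmp}/w3m-@{rand6}/{,**} rw,`, preserves the intended scope. Separately, `~/.w3m` and the config dir are downgraded from `rw` to `r` while w3m stores history, cookies and bookmarks there; if that is deliberate a comment on why is needed, otherwise expect denials on first run.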
@@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/waybar -profile waybar @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/waybar/{,**} r, - - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/system/cpu/present r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/uevent r, - - @{PROC}/@{pid}/net/dev r, - @{PROC}/spl/kstat/zfs/arcstats r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/rfkill r, - - owner /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat deleted file mode 100644 index 00fe0a8c5..000000000 --- a/apparmor.d/profiles-s-z/wechat +++ /dev/null 
@@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = wechat -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/wechat/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{lib_dirs}/wechat -profile wechat @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/ip rix, - @{bin}/lsblk Px, - @{bin}/mkdir rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} Px -> child-open-strict, - - owner @{HOME}/.xwechat/{,**} rwk, - owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage deleted file mode 100755 index 335860d07..000000000 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ /dev/null 
@@ -1,82 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = wechat-appimage -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/wechat-appimage/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat -profile wechat-appimage @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, - - umount @{tmp}/.mount_wechat@{word6}/, - - @{exec_path} r, - - @{sh_path} rix, - @{bin}/dirname rix, - @{bin}/fusermount{,3} Cx -> fusermount, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk Px, - @{bin}/mkdir rix, - @{bin}/readlink rix, - @{bin}/xdg-user-dir rix, - @{bin}/ip rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - @{open_path} Px -> child-open-strict, - - @{bin}/fusermount{,3} Cx -> fusermount, - @{bin}/dirname rix, - @{bin}/readlink rix, - - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{tmp}/.mount_wechat@{word6}/AppRun ix, - - /etc/machine-id r, - - @{HOME}/.xwechat/{,**} rwk, - - owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - - /dev/fuse rw, - /dev/tty rw, - - profile fusermount { - include - include - - mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, - - umount @{tmp}/.mount_wechat@{word6}/, - - @{lib_dirs}/wechat-appimage.AppImage r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal deleted file mode 100644 index 94da6c60e..000000000 --- a/apparmor.d/profiles-s-z/wechat-universal +++ /dev/null @@ -1,60 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = wechat-universal -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/wechat-universal/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat -profile wechat-universal @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/bwrap rix, - @{bin}/ln ix, - @{bin}/lsblk Px, - @{bin}/mkdir ix, - @{bin}/sed ix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{lib}/wechat-appimage.AppImage ix, - @{open_path} Px -> child-open-strict, - - /etc/lsb-release r, - /etc/machine-id r, - - owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, - owner @{HOME}/.xwechat/{,**} rwk, - owner @{HOME}/.sys1og.conf rw, - - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, - - @{PROC}/@{pid}/net/route r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet deleted file mode 100644 index 0b83e44c8..000000000 --- a/apparmor.d/profiles-s-z/wemeet +++ /dev/null 
@@ -1,64 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{domain} = org.chromium.Chromium - -@{exec_path} = @{bin}/wemeet -@{exec_path} += /opt/wemeet/bin/wemeetapp -@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess -profile wemeet @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/basename rix, - @{bin}/bwrap rix, - @{bin}/id rix, - @{bin}/mkdir rix, - /opt/wemeet/bin/** rix, - - /etc/machine-id r, - /var/cache/ w, - - owner @{user_share_dirs}/wemeetapp/ rw, - owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, - - @{PROC}/ r, - @{PROC}/asound/ r, - @{PROC}/@{pid}/net/route r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cmdline r, - - /dev/ r, - /dev/tty rw, - /dev/shm/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 3febd0b0b..e99900304 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/{,e}grep rix, + @{bin}/grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index 41541ea84..e5e111b8b 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/groups/utils/whereis b/apparmor.d/profiles-s-z/whereis similarity index 90% rename from apparmor.d/groups/utils/whereis rename to apparmor.d/profiles-s-z/whereis index 36e457998..330957a62 100644 --- a/apparmor.d/groups/utils/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -15,7 +15,6 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, - @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, @@ -28,10 +27,10 @@ profile whereis @{exec_path} { /usr/src/{**,} r, /opt/ r, - /opt/**/bin/ r, - /opt/**/lib/ r, + /opt/cni/bin/ r, + /opt/containerd/bin/ r, - @{etc_ro}/ r, + /etc/ r, /snap/bin/ r, /var/lib/flatpak/exports/bin/ r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index c4de427ff..32d0945e1 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -3,11 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/which{,.debianutils} +@{exec_path} = @{bin}/which{.debianutils,} profile which @{exec_path} flags=(attach_disconnected) { include include @@ -17,9 +17,7 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, - @{sbin}/ r, @{bin}/**/ r, - @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, @@ -33,7 +31,6 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a42a63312..f2339717a 100644 
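Review bot: `@{bin}/smartctl rPx,` replaces `@{sbin}/smartctl rPx,`; smartctl is installed under sbin, so this only resolves if `@{bin}` is defined to cover the sbin directories, and that definition is not in this diff. The same `@{sbin}`→`@{bin}` rewrite appears in whereis, which, wpa-action, wpa-cli, wpa-supplicant, wrmsr, youtube-dl (`ldconfig`) and ytdl; if `@{bin}` does not include sbin, each of those exec rules silently stops matching and the exec is denied. Confirm the variable definition or keep `@{sbin}` for sbin-resident binaries.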
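Review bot: Removing `deny @{user_share_dirs}/gnome-shell/session.gvdb rw,` from the `which` profile grants nothing new — the access stays denied by default — but the inherited-fd access it covered will now be audited as a denial on every invocation from a GNOME session, which is exactly the log noise an explicit `deny` exists to suppress. The adjacent `deny ... gvfs-metadata/* r,` rule is kept, so the removal reads as inconsistent rather than intentional; keep the line or add a comment on why the audit entry is now wanted. The same `file_inherit` deny lines are also dropped from `who` in the next section.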
--- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} { +profile whiptail @{exec_path} flags=(complain) { include include @@ -16,10 +16,10 @@ profile whiptail @{exec_path} { @{exec_path} mr, - /usr/share/terminfo/** r, - /etc/newt/palette.* r, + owner @{tmp}/gpm* w, + include if exists } diff --git a/apparmor.d/groups/utils/who b/apparmor.d/profiles-s-z/who similarity index 72% rename from apparmor.d/groups/utils/who rename to apparmor.d/profiles-s-z/who index d9ca9e164..bed53e7e6 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/profiles-s-z/who @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/{,gnu}who +@{exec_path} = @{bin}/who profile who @{exec_path} { include include @@ -18,12 +18,7 @@ profile who @{exec_path} { @{exec_path} mr, - @{run}/systemd/sessions/* r, - - # file_inherit - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index 3fc9e26b4..3072d7da0 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois deleted file mode 100644 index a1549db03..000000000 --- a/apparmor.d/profiles-s-z/whois +++ /dev/null 
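Review bot: `profile whiptail @{exec_path} flags=(complain) {` hardcodes complain mode into the profile source, so nothing in it is enforced and every access is only logged; switching a profile to complain is normally a build- or deploy-time decision, and a hardcoded flag means an enforcing build silently ships an unenforced profile. If the profile is not ready, a comment saying why is needed next to the flag. Removing `/usr/share/terminfo/** r,` and `/etc/newt/palette.* r,` while adding only `owner @{tmp}/gpm* w,` also makes whiptail's terminfo and palette reads depend on an include whose target is not legible here — confirm they are covered before the flag is dropped.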
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whois -profile whois @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /etc/whois.conf r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie deleted file mode 100644 index 8a2c83904..000000000 --- a/apparmor.d/profiles-s-z/whoopsie +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whoopsie -profile whoopsie @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - /var/crash/ r, - - /var/lib/whoopsie/ rw, - /var/lib/whoopsie/whoopsie-id rw, - /var/lib/whoopsie/whoopsie-id.@{rand6} rw, - - /var/crash/*.@{uid}.crash r, - owner /var/crash/*.@{uid}.uploaded rw, - - owner @{run}/lock/whoopsie/ rw, - owner @{run}/lock/whoopsie/lock rwk, - - @{sys}/devices/virtual/dmi/id/product_uuid r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences deleted file mode 100644 index 3b720d0da..000000000 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whoopsie-preferences -profile whoopsie-preferences @{exec_path} { - include - include - include - - #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences - - @{exec_path} mr, - - @{bin}/systemctl Cx -> systemctl, - - /etc/whoopsie w, - /etc/whoopsie.@{rand6} rw, - - profile systemctl { - include - include - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/profiles-s-z/wireplumber similarity index 64% rename from apparmor.d/groups/freedesktop/wireplumber rename to apparmor.d/profiles-s-z/wireplumber index 90eb46dc4..146408bc7 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -2,43 +2,35 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include + include include include include - include include - include - include + include include - include include - include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} - #aa:dbus own bus=session name=org.pipewire.Telephony + dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/midi{,server@{int}} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label="@{p_bluetoothd}"), - @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, 
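Review bot: `dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,` replaces the `#aa:dbus own ... Audio@{int}` directive and narrows it in two ways: only card 0 can be reserved (a second sound card is `Audio1`), and a bare `bind` grants name ownership without the send/receive rules on that name that the `own` directive presumably expands to elsewhere in this repository, so calls on the reserved name will be denied. At minimum restore the pattern: `dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio@{int},`. The `org.pipewire.Telephony` ownership and the bluetoothd `GetManagedObjects` receive rule are dropped without replacement; if Bluetooth MIDI/telephony is intentionally unsupported, a comment saying so would help.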
@@ -49,8 +41,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_state_dirs}/ w, - owner @{desktop_state_dirs}/wireplumber/{,**} rw, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -58,37 +50,29 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, - owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - - /dev/shm/lttng-ust-wait-@{int} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/**/path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/status r, - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/udmabuf rw, + /dev/media@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index a07d6bad1..ed8fd0efa 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark 
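Review bot: `@{sys}/devices/**/device:*/**/path r,` no longer matches a `path` file directly inside a `device:*` directory: `**` between two slashes must still leave a `/` on each side, so `device:X/path` only matched under the replaced `{,**/}path` form. If the direct child is the common layout (the sysfs tree is not shown here), keep `@{sys}/devices/**/device:*/{,**/}path r,`. `owner @{desktop_local_dirs}/state/...` also re-inlines a path that the `@{desktop_state_dirs}` variable expressed on the old side; if that variable still exists, reusing it keeps the profiles consistent.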
@@ -4,13 +4,14 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 1b4ae7501..3ea916395 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -2,14 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wl-{copy,paste} -profile wl-copy @{exec_path} flags=(attach_disconnected) { +profile wl-copy @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 51feb0071..8d99da352 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -3,14 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wmctrl profile wmctrl @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b6764ba0e..3495849e7 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/wpa_action +@{exec_path} = @{bin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,7 +17,7 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{sbin}/wpa_cli rPx, + @{bin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index eb4efeee9..5edd2f177 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli 
@@ -3,17 +3,17 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/wpa_cli +@{exec_path} = @{bin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - @{sbin}/wpa_action rPx, + /{usr/,}{s,}/wpa_action rPx, /etc/inputrc r, @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index f833c812e..ceefecbf2 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -3,21 +3,28 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wpa_gui profile wpa-gui @{exec_path} { include - include + include include - include + include + include + include + include include + include + include @{exec_path} mr, - owner @{tmp}/wpa_ctrl_@{pid}-@{d} w, + /usr/share/hwdata/pnp.ids r, + + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index b20c6f1b4..f3da61258 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/wpa_supplicant +@{exec_path} = @{bin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include @@ -42,7 +42,6 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, - owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, 
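Review bot: `/{usr/,}{s,}/wpa_action rPx,` is missing the `bin` component — it expands to `/usr//wpa_action`, `/usr/s/wpa_action`, `//wpa_action` and `/s/wpa_action`, none of which exist, so the transition to the wpa-action profile never matches and wpa_cli's action-script exec is denied. It should read `/{usr/,}{s,}bin/wpa_action rPx,` (or `@{sbin}/wpa_action rPx,` as the old side had). `owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw,` also narrows `@{d}` to a single digit; the wpa_ctrl suffix is a per-process counter that is not bounded to one digit, so later control sockets would be denied — the same `[0-9]` appears in the wpa-gui hunk.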
diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 6ef05cc0f..1ee5bd806 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -3,11 +3,11 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{sbin}/wrmsr +@{exec_path} = @{bin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index b72cff3c4..92b0f360f 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -2,39 +2,29 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include - include include - include - - # wsdd can create its own chroot as a built-in security mechanism. - # This is used by default in the systemd wsdd-server service. - capability sys_chroot, network inet dgram, - network inet stream, network inet6 dgram, - network inet6 stream, network netlink raw, @{exec_path} mr, @{bin}/env r, - @{python_path} rix, + @{bin}/python3.@{int} rix, /etc/machine-id r, owner /var/lib/libuuid/clock.txt rw, - @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/wsdd w, - owner @{run}/user/@{uid}/*/wsdd w, + owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar deleted file mode 100644 index 37933679d..000000000 --- a/apparmor.d/profiles-s-z/wttrbar +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/wttrbar -profile wttrbar @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - @{exec_path} mr, - - owner /tmp/wttrbar--wttr.in.json rw, - - include if exists -} - -# vim:syntax=apparmor 
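Review bot: In the wsdd hunk, dropping `capability sys_chroot,` together with its comment removes the permission for wsdd's built-in chroot, which the removed comment states the systemd `wsdd-server` service uses by default; under enforce mode that chroot() call is denied, so the service either fails to start or runs without its own sandbox depending on how wsdd handles the error. If the chroot is genuinely no longer used, record that in a comment; otherwise keep the rule. `owner @{run}/user/@{uid}/gvfsd/wsdd w,` replacing the `@{run}/user/@{uid}/*/wsdd` form looks derived from a single machine's log — a comment on why gvfsd is the only expected subdirectory would help.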
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 4d2766101..a5ec89fd9 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -28,30 +28,76 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{archive_path} rix, + @{bin}/7z rix, + @{lib}/p7zip/7z rix, + @{bin}/unrar-nonfree rix, + @{bin}/zip rix, + @{bin}/unzip rix, + @{bin}/tar rix, + @{bin}/xz rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/zstd rix, + # For deb packages @{bin}/{,@{multiarch}-}ar rix, - @{open_path} rPx -> child-open, - - /etc/fstab r, + @{bin}/xdg-open rCx -> open, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, owner @{HOME}/.bz2 rw, - #aa:lint ignore=too-wide - # Full access to user's data - @{MOUNTS}/** rw, - owner @{HOME}/** rw, + / r, + /home/ r, + #owner @{HOME}/ r, + #owner @{HOME}/** rw, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + /tmp/ r, owner @{tmp}/** rw, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, + /etc/fstab r, + + # Allowed apps to open + @{bin}/engrampa rPUx, + @{bin}/geany rPUx, + @{bin}/viewnior rPUx, + + # file_inherit owner /dev/tty@{int} rw, + + profile open { + include + include + + @{bin}/xdg-open mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/readlink rix, + @{bin}/basename rix, + + owner @{HOME}/ r, + + owner @{run}/user/@{uid}/ r, + + # Allowed apps to open + @{bin}/engrampa rPUx, + @{bin}/geany rPUx, + @{bin}/viewnior rPUx, + + # file_inherit + owner @{HOME}/.xsession-errors w, + + } + include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index e1a4199db..f051fdc0c 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth 
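Review bot: `#owner @{HOME}/ r,` and `#owner @{HOME}/** rw,` are commented-out rules left in the xarchiver profile, which leaves it unclear whether home access is meant to be granted (the surrounding `@{MOUNTS}/** rw,` and `owner @{tmp}/** rw,` suggest yes); either restore them or delete the lines. `@{MOUNTS}/** rw,` is a very wide rule that the old side marked with `#aa:lint ignore=too-wide` — if that marker is still honoured, keep it next to the rule so the intent is recorded. In the `open` child profile the three `rPUx` rules and the `# Allowed apps to open` list duplicate the parent's; a short comment on why both levels need them would help the next reader.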
@@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xauth profile xauth @{exec_path} { include - include include @{exec_path} mr, @@ -36,7 +35,6 @@ profile xauth @{exec_path} { owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6}-c w, owner @{tmp}/xauth_@{rand6}-l wl, - owner @{tmp}/xauth.@{rand10}-c w, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index cb9426583..89de67bd1 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index b2be0446b..19eb4a9f3 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index b2f94975f..dc30114bd 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -2,21 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include - include network inet stream, network inet6 stream, @{exec_path} mr, - owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index cdb68ed70..378e8cae3 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip 
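Review bot: In the xbrlapi hunk, `/dev/tty@{int} rw,` is added without `owner`, so the confined process may read and write any user's virtual console rather than only the one that launched it; every other profile on this page that touches ttys uses the `owner /dev/tty@{int} rw,` form (xarchiver, xsel). Use `owner /dev/tty@{int} rw,` unless xbrlapi genuinely has to drive other users' consoles, in which case a comment explaining why is needed.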
@@ -3,20 +3,21 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xclip profile xclip @{exec_path} { include - include include network unix stream, @{exec_path} mr, + deny /dev/tty rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 169851550..902905d09 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xeyes b/apparmor.d/profiles-s-z/xeyes deleted file mode 100644 index c602e7fce..000000000 --- a/apparmor.d/profiles-s-z/xeyes +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xeyes -profile xeyes @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 9abc02350..521a182ba 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -3,14 +3,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include - include include signal (receive) set=(usr1) peer=xorg, @@ -35,7 +34,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index c88210cca..18eab6a78 100644 --- a/apparmor.d/profiles-s-z/xinput +++ b/apparmor.d/profiles-s-z/xinput 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp deleted file mode 100644 index 0d6c4d65f..000000000 --- a/apparmor.d/profiles-s-z/xournalpp +++ /dev/null @@ -1,45 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xournalpp -profile xournalpp @{exec_path} { - include - include - include - include - include - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-browsers, - - /usr/share/xournalpp/** r, - - /etc/machine-id r, - /etc/pipewire/jack.conf.d/ r, - - owner @{user_config_dirs}/xournalpp/{,**} rw, - owner @{user_cache_dirs}/xournalpp/{,**} rw, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{int}D@{int}[cp] w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray deleted file mode 100644 index 79c3104dc..000000000 --- a/apparmor.d/profiles-s-z/xray +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xray -profile xray @{exec_path} flags=(attach_disconnected) { - include - include - - network inet dgram, - network inet stream, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, - - @{exec_path} mr, - - /etc/xray/{,*} r, - /usr/share/xray/**.dat r, - /usr/share/v2ray/**.dat r, - - @{PROC}/sys/net/core/somaxconn r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp deleted file mode 100644 index 4273e803d..000000000 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# Copyright (C) 2024-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xsane-gimp -profile xsane-gimp @{exec_path} { - include - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - signal receive set=(term, kill) peer=gimp, - - @{exec_path} mr, - - @{system_share_dirs}/gimp/{,**} r, - @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, - - /etc/sane.d/{,**} r, - - owner @{HOME}/.sane/{,**} rw, - owner @{tmp}/xsane-*-@{rand6} rw, - - @{sys}/bus/scsi/devices/ r, - @{sys}/devices/@{pci}/{model,type,vendor} r, - - @{PROC}/scsi/scsi r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 05b93fed9..949aa19f7 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -11,7 +11,6 @@ include profile xsel @{exec_path} { include include - include @{exec_path} mr, @@ -19,6 +18,9 @@ profile xsel @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/xsel.log rw, + owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth-@{int}-_[0-9] r, + # file_inherit owner /dev/tty@{int} rw, owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index 15599fa72..c22e3cdd9 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad 
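Review bot: In the xsel hunk, `owner @{tmp}/xauth-@{int}-_[0-9] r,` limits the trailing display number to a single digit while the counter before it is `@{int}`; `_@{int}` would be consistent with the rest of the rule and with the convention used across these profiles. Both added lines re-create by hand what an X abstraction usually provides, and the hunk above removes an include from this same profile (its target is not legible in this rendering) — if that was the X abstraction, restoring the include is simpler than duplicating its rules.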
@@ -2,8 +2,6 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , - include @{exec_path} = @{bin}/yadifad @@ -23,15 +21,14 @@ profile yadifad @{exec_path} { @{exec_path} mr, - /etc/yadifa/* r, + /etc/yadifa/yadifad.conf r, /var/log/yadifa/{,**} rw, - owner /var/lib/yadifa/ rw, - owner /var/lib/yadifa/** rwk, + owner /var/lib/yadifa/{,**} rw, - owner @{run}/yadifa/ rw, - owner @{run}/yadifa/** rwk, + owner @{run}/yadifa/{,*} rw, + owner @{run}/yadifa/yadifad.pid rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d0b1c1988..85da6bfe0 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -13,11 +13,13 @@ profile youtube-dl @{exec_path} { include include include - include + include + include include include include include + include network inet dgram, network inet6 dgram, @@ -28,7 +30,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, @@ -36,7 +38,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 100ae9985..1c405e8fe 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,6 +24,7 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/infocmp rix, 
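Review bot: The first yadifad hunk removes the profile's `abi` line with no replacement, while every other profile touched in this diff keeps one on the new side (`+abi ,` in youtube-dl, yt-dlp, ytdl and the rest). Without an abi declaration the parser falls back to its compatibility abi, which can change which rule classes are actually enforced for this daemon, so the removal should either be restored to match the sibling profiles or carry a comment such as `# abi deliberately omitted: <reason>` above the `include`. If the `include` that follows is expected to supply the abi, that file is not visible here and is worth checking.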
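Review bot: `owner /var/lib/yadifa/{,**} rw,` in the second yadifad hunk drops the `k` (lock) permission that the previous `owner /var/lib/yadifa/** rwk,` granted, and `owner @{run}/yadifa/{,*} rw,` does the same for the runtime directory, keeping `rwk` only on `yadifad.pid`. If the daemon takes file locks on zone or journal files under those directories that will now be denied; checking the audit log for `requested_mask="k"` on those paths before narrowing would settle it. The profile block continues outside the hunk.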
@@ -31,6 +32,12 @@ profile youtube-viewer @{exec_path} { @{bin}/wget rCx -> wget, + owner @{user_config_dirs}/youtube-viewer/{,*} rw, + owner @{user_cache_dirs}/youtube-viewer/{,*} rw, + owner @{HOME}/Downloads/youtube-viewer/{,*} rw, + + /etc/inputrc r, + # Players @{bin}/mpv rPUx, @{bin}/vlc rPUx, @@ -38,11 +45,6 @@ profile youtube-viewer @{exec_path} { @{bin}/ffmpeg rPUx, - /etc/inputrc r, - - owner @{user_config_dirs}/youtube-viewer/{,*} rw, - owner @{user_cache_dirs}/youtube-viewer/{,*} rw, - owner @{HOME}/Downloads/youtube-viewer/{,*} rw, profile wget { include @@ -60,7 +62,6 @@ profile youtube-viewer @{exec_path} { owner @{HOME}/.wget-hsts r, owner @{HOME}/wget-log{,.@{int}} rw, - include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index ffa78eda3..c71b87efd 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index a76bf0d89..230e15f80 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -24,10 +24,10 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index 5d0d1a745..b055fe31b 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura 
@@ -2,11 +2,11 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include -@{exec_path} = @{bin}/zathura{,-sandbox} +@{exec_path} = @{bin}/zathura profile zathura @{exec_path} { include include @@ -18,13 +18,11 @@ profile zathura @{exec_path} { @{exec_path} mr, /usr/share/file/{,**} r, - /usr/share/poppler/{,**} r, /etc/xdg/{,**} r, /etc/zathurarc r, owner @{user_config_dirs}/zathura/** r, - owner @{user_share_dirs}/zathura/ r, owner @{user_share_dirs}/zathura/** rwk, owner @{tmp}/gtkprint* rw, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 893cead5b..c966ce839 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,11 +10,11 @@ include profile zed @{exec_path} { include include - + capability sys_admin, network netlink raw, - + @{exec_path} mr, @{bin}/{m,g,}awk rix, @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, @@ -46,10 +46,9 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, - + @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index f4dc9fc77..bc4090be8 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/nmap rPx, 
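Review bot: Removing `owner @{user_share_dirs}/zathura/ r,` in the second zathura hunk leaves only `owner @{user_share_dirs}/zathura/** rwk,`, and `**` requires at least one path component after the directory, so opening or listing `zathura/` itself will be denied if the application does that; the `{,**}` form used elsewhere in this diff (`/var/lib/yadifa/{,**}`) covers both. The first hunk also narrows `@{exec_path}` to `@{bin}/zathura`, so `zathura-sandbox` is no longer attached to this profile; if that is intended, a one-line comment above `@{exec_path}` saying so would save the next reader a question. The profile block continues outside both hunks.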
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index e28a2e439..9538b9c13 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -10,13 +10,13 @@ include profile zfs @{exec_path} { include include - + capability sys_admin, capability dac_read_search, mount fstype=zfs, umount fstype=zfs, - + @{exec_path} mr, /etc/zfs/zfs-list.cache/{,*} rwk, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e6033d9d2..7d12cf3b7 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -31,7 +31,6 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 799262482..653690898 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @@ -12,7 +12,7 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include @{exec_path} mr, - + @{sh_path} rix, @{bin}/cat rix, @{bin}/cp rix, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 42181500b..c325e216d 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
@@ -20,11 +20,11 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{sbin}/update-grub rPx, + @{bin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, - + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/systemd/notify rw, @@ -37,6 +37,8 @@ profile zsysd @{exec_path} flags=(complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/spl/hostid r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/pts/@{int} rw, /dev/zfs rw, diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils deleted file mode 100644 index 9fed4fefc..000000000 --- a/apparmor.d/tunables/alias.d/coreutils +++ /dev/null 
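Review bot: `@{bin}/update-grub rPx,` sits directly under the comment quoting the denial it was written for, `exec /usr/sbin/update-grub`, so the rule only still covers that path if `@{bin}` expands to include `/usr/sbin`; on a system where `@{bin}` is `/{,usr/}bin` only, the transition is no longer permitted and the `ALLOWED` note above it becomes misleading. Either keep `@{sbin}/update-grub rPx,` alongside the new line, or rewrite the comment to name the path the rule now matches. The same `@{sbin}` → `@{bin}` swap is made for `ldconfig` in the youtube-dl and ytdl hunks earlier in this diff and deserves the same check. The zsysd profile block continues outside the hunk.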
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has -# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we -# provide aliases for all the coreutils names to their gnu* counterpart. - - alias /{,usr/}bin/dd -> /usr/bin/gnudd, - alias /{,usr/}bin/tee -> /usr/bin/gnutee, - alias /{,usr/}bin/paste -> /usr/bin/gnupaste, - alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, - alias /{,usr/}bin/env -> /usr/bin/gnuenv, - alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, - alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, - alias /{,usr/}bin/shred -> /usr/bin/gnushred, - alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, - alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, - alias /{,usr/}bin/stty -> /usr/bin/gnustty, - alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, - alias /{,usr/}bin/pr -> /usr/bin/gnupr, - alias /{,usr/}bin/nice -> /usr/bin/gnunice, - alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, - alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, - alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, - alias /{,usr/}bin/logname -> /usr/bin/gnulogname, - alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, - alias /{,usr/}bin/chown -> /usr/bin/gnuchown, - alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, - alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, - alias /{,usr/}bin/true -> /usr/bin/gnutrue, - alias /{,usr/}bin/groups -> /usr/bin/gnugroups, - alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, - alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, - alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, - alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, - alias /{,usr/}bin/rm -> /usr/bin/gnurm, - alias /{,usr/}bin/cat -> /usr/bin/gnucat, - alias /{,usr/}bin/tac -> /usr/bin/gnutac, - alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, - alias /{,usr/}bin/seq -> /usr/bin/gnuseq, - alias /{,usr/}bin/cut -> 
/usr/bin/gnucut, - alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, - alias /{,usr/}bin/split -> /usr/bin/gnusplit, - alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, - alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, - alias /{,usr/}bin/who -> /usr/bin/gnuwho, - alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, - alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, - alias /{,usr/}bin/ls -> /usr/bin/gnuls, - alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, - alias /{,usr/}bin/arch -> /usr/bin/gnuarch, - alias /{,usr/}bin/head -> /usr/bin/gnuhead, - alias /{,usr/}bin/date -> /usr/bin/gnudate, - alias /{,usr/}bin/wc -> /usr/bin/gnuwc, - alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, - alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, - alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, - alias /{,usr/}bin/du -> /usr/bin/gnudu, - alias /{,usr/}bin/cp -> /usr/bin/gnucp, - alias /{,usr/}bin/tty -> /usr/bin/gnutty, - alias /{,usr/}bin/sync -> /usr/bin/gnusync, - alias /{,usr/}bin/fold -> /usr/bin/gnufold, - alias /{,usr/}bin/users -> /usr/bin/gnuusers, - alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, - alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, - alias /{,usr/}bin/sort -> /usr/bin/gnusort, - alias /{,usr/}bin/[ -> /usr/bin/gnu[, - alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, - alias /{,usr/}bin/od -> /usr/bin/gnuod, - alias /{,usr/}bin/tr -> /usr/bin/gnutr, - alias /{,usr/}bin/join -> /usr/bin/gnujoin, - alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, - alias /{,usr/}bin/false -> /usr/bin/gnufalse, - alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, - alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, - alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, - alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, - alias /{,usr/}bin/factor -> /usr/bin/gnufactor, - alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, - alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, - alias /{,usr/}bin/basename -> /usr/bin/gnubasename, - alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, - alias /{,usr/}bin/sha1sum -> 
/usr/bin/gnusha1sum, - alias /{,usr/}bin/ln -> /usr/bin/gnuln, - alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, - alias /{,usr/}bin/echo -> /usr/bin/gnuecho, - alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, - alias /{,usr/}bin/dir -> /usr/bin/gnudir, - alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, - alias /{,usr/}bin/touch -> /usr/bin/gnutouch, - alias /{,usr/}bin/mv -> /usr/bin/gnumv, - alias /{,usr/}bin/sum -> /usr/bin/gnusum, - alias /{,usr/}bin/stat -> /usr/bin/gnustat, - alias /{,usr/}bin/yes -> /usr/bin/gnuyes, - alias /{,usr/}bin/install -> /usr/bin/gnuinstall, - alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, - alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, - alias /{,usr/}bin/tail -> /usr/bin/gnutail, - alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, - alias /{,usr/}bin/comm -> /usr/bin/gnucomm, - alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, - alias /{,usr/}bin/uname -> /usr/bin/gnuuname, - alias /{,usr/}bin/test -> /usr/bin/gnutest, - alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, - alias /{,usr/}bin/link -> /usr/bin/gnulink, - alias /{,usr/}bin/df -> /usr/bin/gnudf, - alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, - alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, - alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, - alias /{,usr/}bin/id -> /usr/bin/gnuid, - alias /{,usr/}bin/nl -> /usr/bin/gnunl, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f5376..c23a8d956 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d 
@@ -11,7 +11,30 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d -# Define the XDG Base Directory +# Extra user personal directories +@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" +@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" +@{XDG_BOOKS_DIR}="Books" +@{XDG_GAMES_DIR}=".games" +@{XDG_PROJECTS_DIR}="Projects" +@{XDG_WORK_DIR}="Work" +@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" +@{XDG_SYNC_DIR}="Sync" +@{XDG_TORRENTS_DIR}="Torrents" +@{XDG_VM_DIR}=".vm" +@{XDG_VM_SHARES_DIR}="VM_Shares" +@{XDG_IMG_DIR}="images" +@{XDG_GAMESSTUDIO_DIR}="unity3d" + +# User personal keyrings +@{XDG_GPG_DIR}=".gnupg" +@{XDG_SSH_DIR}=".ssh" +@{XDG_PASSWORD_STORE_DIR}=".password-store" + +# User personal private directories +@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" + +# Definition of local user configuration directories @{XDG_CACHE_DIR}=".cache" @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" 
@@ -19,59 +42,29 @@ @{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" -# Define extended user directories not defined in the XDG standard but commonly -# used in profiles -@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" -@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" -@{XDG_BOOKS_DIR}="Books" -@{XDG_GAMES_DIR}="Games" -@{XDG_PROJECTS_DIR}="Projects" -@{XDG_WORK_DIR}="Work" -@{XDG_MAIL_DIR}="Mail" ".{m,M}ail" -@{XDG_SYNC_DIR}="Sync" -@{XDG_TORRENTS_DIR}="Torrents" -@{XDG_GAMESSTUDIO_DIR}="unity3d" - -# Define user directories for virtual machines, shared folders and disk images -@{XDG_VM_DIR}=".vm" -@{XDG_VMSHARE_DIR}=".vmshare" -@{XDG_IMG_DIR}=".img" - -# Define user build directories and artifacts output -@{XDG_BUILD_DIR}=".build" -@{XDG_PKG_DIR}=".pkg" - -# Define user personal keyrings -@{XDG_GPG_DIR}=".gnupg" -@{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORDSTORE_DIR}=".password-store" - -# Define user personal private directories -@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" - -# Full path of the XDG Base Directory +# Full path of the user configuration directories @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} + +# User build directories and output +@{user_build_dirs}="/tmp/build/" +@{user_pkg_dirs}="/tmp/pkg/" +@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ +@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} -@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} +@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} 
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} -@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} +@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} -@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR} -@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} -@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR} -@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} -@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} -@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} -@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base deleted file mode 100644 index 9661b1e51..000000000 --- a/apparmor.d/tunables/multiarch.d/base +++ /dev/null 
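Review bot: `@{user_build_dirs}="/tmp/build/"` and `@{user_pkg_dirs}="/tmp/pkg/"` move build and package output from the user-owned `@{HOME}/@{XDG_BUILD_DIR}` form to fixed paths under world-writable `/tmp`, so any profile granting `rw` on `@{user_build_dirs}/**` now applies to a directory another local user can create first; the quotes and trailing slash also differ from every other `*_dirs` variable, and `@{user_build_dirs}/**` expands with a doubled slash, so confirm the parser accepts that or drop the slash. `@{user_sync_dirs}` uses `@{MOUNTS}/*/@{XDG_SYNC_DIR}` while its siblings use `@{MOUNTS}/@{XDG_SYNC_DIR}`, which looks like one of the two being wrong. `@{XDG_GPG_DIR}` and `@{XDG_SSH_DIR}` are still defined on the new side but `@{user_gpg_dirs}` and `@{user_ssh_dirs}` are removed, so unless they are defined in another tunables file any profile still referencing them will fail to parse.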
@@ -1,93 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Base variables, upstreamed in apparmor 4.1 - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned 
integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} 
-@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} -@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand32}@{rand32} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions deleted file mode 100644 index d7f7450aa..000000000 --- a/apparmor.d/tunables/multiarch.d/extensions +++ /dev/null 
@@ -1,651 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -# Define commonly used extensions - -# All variables that refer to an extension must have the `_ext` suffix. - -# Packages -@{package_ext} = [aA][bB][bB] # abb -@{package_ext} += [aA][pP][kK] # apk -@{package_ext} += [aA][pP][pP][xX] # appx -@{package_ext} += [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] # appxbundle -@{package_ext} += [cC][rR][xX] # crx -@{package_ext} += [dD][eE][bB] # deb -@{package_ext} += [eE][mM][sS][iI][xX] # emsix -@{package_ext} += [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # emsixbundle -@{package_ext} += [jJ][aA][rR] # jar -@{package_ext} += [mM][pP][kK][gG] # mpkg -@{package_ext} += [mM][sS][iI] # msi -@{package_ext} += [mM][sS][iI][xX] # msix -@{package_ext} += [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # msixbundle -@{package_ext} += [pP][kK][gG] # pkg -@{package_ext} += [pP][kK][gG].[tT][aA][rR]{,[zZ][sS][tT]} # pkg.tar{,.zst} -@{package_ext} += [rR][pP][mM] # rpm -@{package_ext} += [tT][gG][zZ] # tgz - -# Disk images -@{diskimage_ext} = [aA][dD][fF] # adf -@{diskimage_ext} += [aA][dD][zZ] # adz -@{diskimage_ext} += [bB][wW][tT] # bwt -@{diskimage_ext} += [cC][iI][fF] # cif -@{diskimage_ext} += [cC][uU][eE] # cue -@{diskimage_ext} += [cC][dD][iI] # cdi -@{diskimage_ext} += [bB]5[tT] # b5t -@{diskimage_ext} += [bB]6[tT] # b6t -@{diskimage_ext} += [dD][aA][aA] # daa -@{diskimage_ext} += [dD][mM][gG] # dmg -@{diskimage_ext} += [dD][mM][sS] # dms -@{diskimage_ext} += [dD][sS][kK] # dsk -@{diskimage_ext} += [dD]64 # d64 -@{diskimage_ext} += [iI][sS][oO] # iso -@{diskimage_ext} += [iI][mM][gG] # img -@{diskimage_ext} += [iI][mM][aA] # ima -@{diskimage_ext} += [nN][rR][gG] # nrg -@{diskimage_ext} += [mM][dD][fF] # mdf -@{diskimage_ext} += [mM][dD][sS] # mds -@{diskimage_ext} += [mM][dD][xX] # mdx -@{diskimage_ext} += [pP][aA][rR][tT][iI][mM][gG] # partimg 
-@{diskimage_ext} += [sS][dD][iI] # sdi -@{diskimage_ext} += [wW][iI][mM] # wim -@{diskimage_ext} += [sS][wW][mM] # swm -@{diskimage_ext} += [eE][sS][dD] # esd - -# Archives -@{archive_ext} = @{diskimage_ext} @{package_ext} -@{archive_ext} += ??_ # ??_ -@{archive_ext} += ?[qQ]? # ?q? -@{archive_ext} += ?[zZ]? # ?z? -@{archive_ext} += [aA] # a -@{archive_ext} += [aA][aA][rR] # aar -@{archive_ext} += [aA][cC][eE] # ace -@{archive_ext} += [aA][fF][aA] # afa -@{archive_ext} += [aA][lL][zZ] # alz -@{archive_ext} += [aA][rR] # ar -@{archive_ext} += [aA][rR][cC] # arc -@{archive_ext} += [aA][rR][jJ] # arj -@{archive_ext} += [bB][aA][hH] # bah -@{archive_ext} += [bB][aA][rR] # bar -@{archive_ext} += [bB][rR] # br -@{archive_ext} += [bB][zZ]2 # bz2 -@{archive_ext} += [bB]1 # b1 -@{archive_ext} += [bB]6[zZ] # b6z -@{archive_ext} += [cC][aA][bB] # cab -@{archive_ext} += [cC][aA][rR] # car -@{archive_ext} += [cC][dD][xX] # cdx -@{archive_ext} += [cC][fF][sS] # cfs -@{archive_ext} += [cC][pP][iI][oO] # cpio -@{archive_ext} += [dD][aA][rR] # dar -@{archive_ext} += [dD][gG][cC] # dgc -@{archive_ext} += [eE][aA][rR] # ear -@{archive_ext} += [gG][cC][aA] # gca -@{archive_ext} += [gG][eE][nN][oO][zZ][iI][pP] # genozip -@{archive_ext} += [gG][zZ] # gz -@{archive_ext} += [hH][aA] # ha -@{archive_ext} += [hH][kK][iI] # hki -@{archive_ext} += [iI][cC][eE] # ice -@{archive_ext} += [iI][oO] # io -@{archive_ext} += [kK][gG][bB] # kgb -@{archive_ext} += [lL][bB][rR] # lbr -@{archive_ext} += [lL][hH][aA] # lha -@{archive_ext} += [lL][pP][aA][qQ]@{int} # lpaq@{int} -@{archive_ext} += [lL][zZ] # lz -@{archive_ext} += [lL][zZ][hH] # lzh -@{archive_ext} += [lL][zZ][mM][aA] # lzma -@{archive_ext} += [lL][zZ][oO] # lzo -@{archive_ext} += [lL][zZ][xX] # lzx -@{archive_ext} += [mM][aA][rR] # mar -@{archive_ext} += [pP][aA][kK] # pak -@{archive_ext} += [pP][aA][qQ]@{int} # paq@{int} -@{archive_ext} += [pP][aA][rR] # par -@{archive_ext} += [pP][aA][rR]2 # par2 -@{archive_ext} += [pP][aA][xX] # pax 
-@{archive_ext} += [pP][eE][aA] # pea -@{archive_ext} += [pP][hH][aA][rR] # phar -@{archive_ext} += [pP][iI][mM] # pim -@{archive_ext} += [pP][iI][tT] # pit -@{archive_ext} += [pP][kK][aA] # pka -@{archive_ext} += [pP][mM][aA] # pma -@{archive_ext} += [pP][sS][tT] # pst -@{archive_ext} += [qQ][dD][aA] # qda -@{archive_ext} += [rR][aA][rR] # rar -@{archive_ext} += [rR][kK] # rk -@{archive_ext} += [rR][uU][nN] # run -@{archive_ext} += [rR][zZ] # rz -@{archive_ext} += [rR]@{int} # r@{int} -@{archive_ext} += [sS][bB][xX] # sbx -@{archive_ext} += [sS][dD][aA] # sda -@{archive_ext} += [sS][eE][aA] # sea -@{archive_ext} += [sS][eE][nN] # sen -@{archive_ext} += [sS][fF][aA][rR][kK] # sfark -@{archive_ext} += [sS][fF][xX] # sfx -@{archive_ext} += [sS][hH][aA][rR] # shar -@{archive_ext} += [sS][hH][kK] # shk -@{archive_ext} += [sS][iI][tT] # sit -@{archive_ext} += [sS][iI][tT][xX] # sitx -@{archive_ext} += [sS][qQ][sS] # sqs -@{archive_ext} += [sS][zZ] # sz -@{archive_ext} += [sS]7[zZ] # s7z -@{archive_ext} += [tT][aA][rR] # tar -@{archive_ext} += [tT][aA][rR].[bB][zZ]2 # tar.bz2 -@{archive_ext} += [tT][aA][rR].[gG][zZ] # tar.gz -@{archive_ext} += [tT][aA][rR].[lL][zZ] # tar.lz -@{archive_ext} += [tT][aA][rR].[lL][zZ][mM][aA] # tar.lzma -@{archive_ext} += [tT][aA][rR].[xX][zZ] # tar.xz -@{archive_ext} += [tT][aA][rR].[zZ] # tar.z -@{archive_ext} += [tT][aA][rR].[zZ][sS][tT] # tar.zst -@{archive_ext} += [tT][gG][zZ] # tgz -@{archive_ext} += [tT][lL][zZ] # tlz -@{archive_ext} += [tT][xX][zZ] # txz -@{archive_ext} += [uU][cC] # uc -@{archive_ext} += [uU][cC][aA] # uca -@{archive_ext} += [uU][cC][nN] # ucn -@{archive_ext} += [uU][cC]0 # uc0 -@{archive_ext} += [uU][cC]2 # uc2 -@{archive_ext} += [uU][eE]2 # ue2 -@{archive_ext} += [uU][hH][aA] # uha -@{archive_ext} += [uU][rR]2 # ur2 -@{archive_ext} += [wW][aA][rR] # war -@{archive_ext} += [xX][aA][rR] # xar -@{archive_ext} += [xX][pP]3 # xp3 -@{archive_ext} += [xX][zZ] # xz -@{archive_ext} += [yY][zZ]1 # yz1 -@{archive_ext} += 
[zZ][iI][pP] # zip -@{archive_ext} += [zZ][iI][pP][xX] # zipx -@{archive_ext} += [zZ][oO][oO] # zoo -@{archive_ext} += [zZ][pP][aA][qQ] # zpaq -@{archive_ext} += [zZ][sS][tT] # zst -@{archive_ext} += [zZ][zZ] # zz -@{archive_ext} += 7[zZ] # 7z - -# Audio -@{audio_ext} = [aA][aA][cC] # aac -@{audio_ext} += [aA][aA][lL] # aal -@{audio_ext} += [aA][aA]3 # aa3 -@{audio_ext} += [aA][cC][nN] # acn -@{audio_ext} += [aA][cC]3 # ac3 -@{audio_ext} += [aA][dD][tT][sS] # adts -@{audio_ext} += [aA][iI][fF] # aif -@{audio_ext} += [aA][iI][fF][cC] # aifc -@{audio_ext} += [aA][iI][fF][fF] # aiff -@{audio_ext} += [aA][lL][aA][cC] # alac -@{audio_ext} += [aA][mM][rR] # amr -@{audio_ext} += [aA][sS][sS] # ass -@{audio_ext} += [aA][tT][xX] # atx -@{audio_ext} += [aA][uU] # au -@{audio_ext} += [aA][wW][bB] # awb -@{audio_ext} += [aA][xX][aA] # axa -@{audio_ext} += [dD][lL][sS] # dls -@{audio_ext} += [dD][tT][sS] # dts -@{audio_ext} += [dD][tT][sS][hH][dD] # dtshd -@{audio_ext} += [eE][cC][eE][lL][pP]4800 # ecelp4800 -@{audio_ext} += [eE][cC][eE][lL][pP]7470 # ecelp7470 -@{audio_ext} += [eE][cC][eE][lL][pP]9600 # ecelp9600 -@{audio_ext} += [eE][nN][wW] # enw -@{audio_ext} += [eE][oO][lL] # eol -@{audio_ext} += [eE][vV][bB] # evb -@{audio_ext} += [eE][vV][cC] # evc -@{audio_ext} += [eE][vV][wW] # wvw -@{audio_ext} += [fF][lL][aA][cC] # flac -@{audio_ext} += [kK][aA][rR] # kar -@{audio_ext} += [kK][oO][zZ] # koz -@{audio_ext} += [lL][bB][cC] # lbc -@{audio_ext} += [lL][oO][aA][sS] # loas -@{audio_ext} += [lL][vV][pP] # lvp -@{audio_ext} += [lL]16 # l16 -@{audio_ext} += [mM][eE][dD] # med -@{audio_ext} += [mM][hH][aA][sS] # mhas -@{audio_ext} += [mM][iI][dD] # mid -@{audio_ext} += [mM][iI][dD][iI] # midi -@{audio_ext} += [mM][kK][aA] # mka -@{audio_ext} += [mM][lL][pP] # mlp -@{audio_ext} += [mM][oO][dD] # mod -@{audio_ext} += [mM][pP][gG][aA] # mpga -@{audio_ext} += [mM][pP]1 # mp1 -@{audio_ext} += [mM][pP]2 # mp2 -@{audio_ext} += [mM][pP]3 # mp3 -@{audio_ext} += [mM][tT][mM] # mtm 
-@{audio_ext} += [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] # multitrack -@{audio_ext} += [mM][xX][mM][fF] # mxmf -@{audio_ext} += [mM]15 # m15 -@{audio_ext} += [mM]3[uU] # m3u -@{audio_ext} += [mM]4[aA] # m4a -@{audio_ext} += [oO][gG] # og -@{audio_ext} += [oO][gG][aA] # oga -@{audio_ext} += [oO][mM][gG] # omg -@{audio_ext} += [oO][pP][uU][sS] # opus -@{audio_ext} += [pP][lL][jJ] # plj -@{audio_ext} += [pP][sS][iI][dD] # psid -@{audio_ext} += [pP][yY][aA] # pya -@{audio_ext} += [qQ][cC][pP] # qcp -@{audio_ext} += [rR][aA] # ra -@{audio_ext} += [rR][aA][mM] # ram -@{audio_ext} += [rR][iI][pP] # rip -@{audio_ext} += [rR][mM] # rm -@{audio_ext} += [sS][iI][dD] # sid -@{audio_ext} += [sS][mM][pP] # smp -@{audio_ext} += [sS][mM][pP]3 # smp3 -@{audio_ext} += [sS][mM][vV] # smv -@{audio_ext} += [sS][nN][dD] # snd -@{audio_ext} += [sS][oO][fF][aA] # sofa -@{audio_ext} += [sS][pP][xX] # spx -@{audio_ext} += [sS][tT][mM] # stm -@{audio_ext} += [sS]1[mM] # s1m -@{audio_ext} += [sS]3[mM] # s3m -@{audio_ext} += [uU][lL][tT] # ult -@{audio_ext} += [uU][nN][iI] # uni -@{audio_ext} += [uU][vV][aA] # uva -@{audio_ext} += [uU][vV][vV][aA] # uvva -@{audio_ext} += [vV][bB][kK] # vbk -@{audio_ext} += [wW][aA][vV] # wav -@{audio_ext} += [wW][aA][xX] # wax -@{audio_ext} += [wW][mM][aA] # wma -@{audio_ext} += [xX][hH][eE] # xhe -@{audio_ext} += 669 # 669 - -# Lyrics -@{lyrics_ext} = [lL][rR][cC] # lrc -@{lyrics_ext} += [lL][yY][rR][iI][cC] # lyric - -# Videos -@{video_ext} = [aA][sS][xX] # asx -@{video_ext} += [aA][vV][iI] # avi -@{video_ext} += [aA][xX][vV] # axv -@{video_ext} += [bB][iI][kK] # bik -@{video_ext} += [bB][kK]2 # bk2 -@{video_ext} += [dD][vV][bB] # dvb -@{video_ext} += [fF][lL][vV] # flv -@{video_ext} += [fF][vV][tT] # fvt -@{video_ext} += [fF][xX][mM] # fxm -@{video_ext} += [mM][jJ][pP]2 # mjp2 -@{video_ext} += [mM][jJ]2 # mj2 -@{video_ext} += [mM][kK][vV] # mkv -@{video_ext} += [mM][kK]3[dD] # mk3d -@{video_ext} += [mM][oO][vV] # mov -@{video_ext} += [mM][pP][eE] # mpe 
-@{video_ext} += [mM][pP][eE][gG] # mpeg -@{video_ext} += [mM][pP][gG] # mpg -@{video_ext} += [mM][pP][gG]4 # mpg4 -@{video_ext} += [mM][pP]4 # mp4 -@{video_ext} += [mM][xX][uU] # mxu -@{video_ext} += [mM]1[vV] # m1v -@{video_ext} += [mM]2[vV] # m2v -@{video_ext} += [mM]4[sS] # m4s -@{video_ext} += [mM]4[uU] # m4u -@{video_ext} += [mM]4[vV] # m4v -@{video_ext} += [nN][iI][mM] # nim -@{video_ext} += [oO][gG][vV] # ogv -@{video_ext} += [pP][yY][vV] # pyv -@{video_ext} += [qQ][tT] # qt -@{video_ext} += [sS][mM][kK] # smk -@{video_ext} += [sS][mM][oO] # smo -@{video_ext} += [sS][mM][pP][gG] # smpg -@{video_ext} += [sS][sS][mM][oO][vV] # ssmov -@{video_ext} += [sS][sS][wW][fF] # sswf -@{video_ext} += [sS]1[qQ] # s1q -@{video_ext} += [sS]11 # s11 -@{video_ext} += [sS]14 # s14 -@{video_ext} += [uU][vV][hH] # uvh -@{video_ext} += [uU][vV][mM] # uvm -@{video_ext} += [uU][vV][pP] # uvp -@{video_ext} += [uU][vV][sS] # uvs -@{video_ext} += [uU][vV][uU] # uvu -@{video_ext} += [uU][vV][vV][hH] # uvvh -@{video_ext} += [uU][vV][vV][mM] # uvvm -@{video_ext} += [uU][vV][vV][pP] # uvvp -@{video_ext} += [uU][vV][vV][sS] # uvvs -@{video_ext} += [uU][vV][vV][uU] # uvvu -@{video_ext} += [uU][vV][vV][vV] # uvv -@{video_ext} += [vV][iI][vV] # viv -@{video_ext} += [wW][eE][bB][mM] # webm -@{video_ext} += [wW][mM] # wm -@{video_ext} += [wW][mM][vV] # wmv -@{video_ext} += [wW][mM][xX] # wmx -@{video_ext} += [wW][vV][xX] # wvx -@{video_ext} += [yY][tT] # yt -@{video_ext} += 3[gG][pP] # 3gp -@{video_ext} += 3[gG][pP][pP] # 3gpp -@{video_ext} += 3[gG][pP][pP]2 # 3gpp2 -@{video_ext} += 3[gG]2 # 3g2 - -# Subtitles -@{subtitles_ext} = [aA][qQ][tT] # aqt -@{subtitles_ext} += [aA][sS][sS] # ass -@{subtitles_ext} += [gG][sS][uU][bB] # gsub -@{subtitles_ext} += [uU][sS][fF] # usf -@{subtitles_ext} += [pP][aA][cC] # pac -@{subtitles_ext} += [pP][jJ][sS] # pjs -@{subtitles_ext} += [pP][sS][bB] # psb -@{subtitles_ext} += [rR][tT] # rt -@{subtitles_ext} += [sS][bB][vV] # sbv -@{subtitles_ext} += 
[sS][mM][iI] # smi -@{subtitles_ext} += [sS][rR][tT] # srt -@{subtitles_ext} += [sS][sS][aA] # ssa -@{subtitles_ext} += [sS][sS][fF] # ssf -@{subtitles_ext} += [sS][tT][lL] # stl -@{subtitles_ext} += [sS][uU][bB] # sub -@{subtitles_ext} += [tT][t][mM][lL] # ttml -@{subtitles_ext} += [tT][t][xX][tT] # ttxt -@{subtitles_ext} += [vV][tT][t] # vtt - -# Images -@{image_ext} = [aA][pP][nN][gG] # apng -@{image_ext} += [aA][vV][cC][iI] # avci -@{image_ext} += [aA][vV][cC][sS] # avcs -@{image_ext} += [aA][vV][iI][fF] # avif -@{image_ext} += [aA][zZ][vV] # azv -@{image_ext} += [bB][mM][pP] # bmp -@{image_ext} += [bB][tT][fF] # btf -@{image_ext} += [bB][tT][iI][fF] # btif -@{image_ext} += [bB]16 # b16 -@{image_ext} += [cC][gG][mM] # cgm -@{image_ext} += [dD][iI][bB] # dib -@{image_ext} += [dD][jJ][vV] # djv -@{image_ext} += [dD][jJ][vV][uU] # djvu -@{image_ext} += [dD][pP][xX] # dpx -@{image_ext} += [dD][rR][lL][eE] # drle -@{image_ext} += [dD][wW][gG] # dwg -@{image_ext} += [dD][xX][fF] # dxf -@{image_ext} += [eE][mM][fF] # emf -@{image_ext} += [eE][xX][rR] # exr -@{image_ext} += [fF][bB][sS] # fbs -@{image_ext} += [fF][iI][tT] # fit -@{image_ext} += [fF][iI][tT][sS] # fits -@{image_ext} += [fF][pP][xX] # fpx -@{image_ext} += [fF][sS][tT] # fst -@{image_ext} += [fF][tT][sS] # fts -@{image_ext} += [gG][iI][fF] # gif -@{image_ext} += [hH][dD][rR] # hdr -@{image_ext} += [hH][eE][iI][cC] # heic -@{image_ext} += [hH][eE][iI][cC][sS][hH][eE][iI][fF] # heics -@{image_ext} += [hH][eE][iI][fF][sS] # heif -@{image_ext} += [hH][eE][jJ]2 # heifs -@{image_ext} += [hH][iI][fF] # hif -@{image_ext} += [hH][sS][jJ]2 # hsj2 -@{image_ext} += [iE][eE][fF] # ief -@{image_ext} += [iI][cC][oO] # ico -@{image_ext} += [jJ][fF][iI][fF] # jfif -@{image_ext} += [jJ][hH][cC] # jhc -@{image_ext} += [jJ][lL][sS] # jls -@{image_ext} += [jJ][pP][eE][gG] # jpeg -@{image_ext} += [jJ][pP][fF] # jpf -@{image_ext} += [jJ][pP][gG] # jpg -@{image_ext} += [jJ][pP][gG][mM] # jpgm -@{image_ext} += [jJ][pP][gG]2 # 
jpg2 -@{image_ext} += [jJ][pP][hH] # jph -@{image_ext} += [jJ][pP][mM] # jpm -@{image_ext} += [jJ][pP][xX] # jpx -@{image_ext} += [jJ][pP]2 # jp2 -@{image_ext} += [jJ][xX][lL] # jxl -@{image_ext} += [jJ][xX][rR] # jxr -@{image_ext} += [jJ][xX][rR][aA] # jxra -@{image_ext} += [jJ][xX][rR][sS] # jxrs -@{image_ext} += [jJ][xX][sS][cC] # jxsc -@{image_ext} += [jJ][xX][sS][iI] # jxsi -@{image_ext} += [jJ][xX][sS][sS] # jxss -@{image_ext} += [kK][tT][xX] # ktx -@{image_ext} += [kK][tT][xX]2 # ktx2 -@{image_ext} += [mM][dD][iI] # mdi -@{image_ext} += [mM][mM][rR] # mmr -@{image_ext} += [pP][bB][mM] # pbm -@{image_ext} += [pP][cC][xX] # pcx -@{image_ext} += [pP][gG][bB] # pgb -@{image_ext} += [pP][gG][mM] # pgm -@{image_ext} += [pP][nN][gG] # png -@{image_ext} += [pP][nN][mM] # pnm -@{image_ext} += [pP][pP][mM] # ppm -@{image_ext} += [pP][sS][dD] # psd -@{image_ext} += [pP][sS][dD][cC] # psdc -@{image_ext} += [pP][tT][iI] # pti -@{image_ext} += [rR][aA][sS] # ras -@{image_ext} += [rR][gG][bB] # rgb -@{image_ext} += [rR][gG][bB][eE] # rgbe -@{image_ext} += [rR][lL][cC] # rlc -@{image_ext} += [sS][gG][iI] # sgi -@{image_ext} += [sS][gG]1[gG] # s1g -@{image_ext} += [sS][jJ][pP] # sjp -@{image_ext} += [sS][jJ][pP][gG] # sjpg -@{image_ext} += [sS][pP][nN] # spn -@{image_ext} += [sS][pP][nN][gG] # spng -@{image_ext} += [sS][vV][gG] # svg -@{image_ext} += [sS][vV][gG][zZ] # svgz -@{image_ext} += [sS]1[jJ] # s1j -@{image_ext} += [sS]1[nN] # s1n -@{image_ext} += [tT][aA][pP] # tap -@{image_ext} += [tT][gG][aA] # tga -@{image_ext} += [tT][iI][fF] # tif -@{image_ext} += [tT][iI][fF][fF] # tiff -@{image_ext} += [tT]38 # t38 -@{image_ext} += [uU][vV][gG] # uvg -@{image_ext} += [uU][vV][iI] # uvi -@{image_ext} += [uU][vV][vV][gG] # uvvg -@{image_ext} += [uU][vV][vV][iI] # uvvi -@{image_ext} += [vV][bB][mM] # vtf -@{image_ext} += [wW][eE][bB][pP] # webp -@{image_ext} += [wW][mM][fF] # wmf -@{image_ext} += [xX][bB][mM] # xbm -@{image_ext} += [xX][cC][fF] # xcf -@{image_ext} += 
[xX][iI][fF] # xif -@{image_ext} += [xX][pP][mM] # xpm -@{image_ext} += [xX][wW][dD] # xwd -@{image_ext} += [xX][yY][zZ][eE] # xyze - -# Models -@{model_ext} = [bB][aA][rR][yY] # bary -@{model_ext} += [bB][sS][pP] # bsp -@{model_ext} += [cC][lL][dD] # cld -@{model_ext} += [dD][aA][eE] # dae -@{model_ext} += [dD][oO][rR] # dor -@{model_ext} += [dD][wW][fF] # dwf -@{model_ext} += [gG][lL][bB] # glb -@{model_ext} += [gG][lL][dD] # gld -@{model_ext} += [gG][lL][tT][fF] # gltf -@{model_ext} += [gG][sS][mM] # gsm -@{model_ext} += [gG][tT][wW] # gtw -@{model_ext} += [iI][gG][eE][sS] # iges -@{model_ext} += [iI][gG][sS] # igs -@{model_ext} += [iI][sS][mM] # ism -@{model_ext} += [jJ][tT] # jt -@{model_ext} += [lL][mM][pP] # lmp -@{model_ext} += [mM][eE][sS][hH] # mesh -@{model_ext} += [mM][oO][mM][lL] # moml -@{model_ext} += [mM][sS][hH] # msh -@{model_ext} += [mM][sS][mM] # msm -@{model_ext} += [mM][tT][lL] # mtl -@{model_ext} += [mM][tT][sS] # mts -@{model_ext} += [oO][bB][jJ] # obj -@{model_ext} += [oO][gG][eE][xX] # ogex -@{model_ext} += [pP][yY][oO] # pyo -@{model_ext} += [pP][yY][oO][xX] # pyox -@{model_ext} += [rR][sS][mM] # rsm -@{model_ext} += [sS][iI][lL][oO] # silo -@{model_ext} += [sS][tT][lL] # stl -@{model_ext} += [sS][tT][pP][xX] # stpx -@{model_ext} += [sS][tT][pP][xX][zZ] # stpxz -@{model_ext} += [uU][sS][dD][aA] # usda -@{model_ext} += [uU][sS][dD][zZ] # usdz -@{model_ext} += [uU]3[dD] # u3d -@{model_ext} += [vV][dD][sS] # vds -@{model_ext} += [vV][rR][mM][lL] # vrml -@{model_ext} += [vV][tT][uU] # vtu -@{model_ext} += [wW][iI][nN] # win -@{model_ext} += [wW][rR][lL] # wrl -@{model_ext} += [xX]_[bB] # x_b -@{model_ext} += [xX]_[tT] # x_t -@{model_ext} += [xX][mM][tT]_[bB][iI][nN] # xmt_bin -@{model_ext} += [xX][mM][tT]_[tT][xX][tT] # xmt_txt -@{model_ext} += [xX]3[dD][bB] # x3db -@{model_ext} += [xX]3[dD][vV] # x3dv -@{model_ext} += [xX]3[dD][vV][zZ] # x3dvz - -# Fonts -@{font_ext} = [tT][tT][cC] # ttc -@{font_ext} += [tT][tT][fF] # ttf -@{font_ext} += 
[oO][tT][fF] # otf -@{font_ext} += [wW][oO][fF] # woff -@{font_ext} += [wW][oO][fF]2 # woff2 - -# Documents -@{document_ext} = [aA][dD][xX] # adx -@{document_ext} += [cC][dD][fF] # cdf -@{document_ext} += [dD][oO][cC] # doc -@{document_ext} += [dD][oO][cC][mM] # docm -@{document_ext} += [dD][oO][cC][xX] # docx -@{document_ext} += [dD][oO][tT] # dot -@{document_ext} += [dD][oO][tT][xX] # dotx -@{document_ext} += [fF][nN][iI] # fni -@{document_ext} += [fF][oO][dD][gG] # fodg -@{document_ext} += [fF][oO][dD][pP] # fodp -@{document_ext} += [fF][oO][dD][sS] # fods -@{document_ext} += [fF][oO][dD][tT] # fodt -@{document_ext} += [iI][nN][fF][oO] # info -@{document_ext} += [lL][aA][tT][eE][xX] # latex -@{document_ext} += [mM][dD][iI] # mdi -@{document_ext} += [oO][dD][bB] # odb -@{document_ext} += [oO][dD][cC] # odc -@{document_ext} += [oO][dD][fF] # odf -@{document_ext} += [oO][dD][gG] # odg -@{document_ext} += [oO][dD][iI] # odi -@{document_ext} += [oO][dD][mM] # odm -@{document_ext} += [oO][dD][pP] # odp -@{document_ext} += [oO][dD][sS] # ods -@{document_ext} += [oO][dD][tT] # odt -@{document_ext} += [oO][tT][cC] # otc -@{document_ext} += [oO][tT][fF] # otf -@{document_ext} += [oO][tT][gG] # otg -@{document_ext} += [oO][tT][hH] # oth -@{document_ext} += [oO][tT][iI] # oti -@{document_ext} += [oO][tT][pP] # otp -@{document_ext} += [oO][tT][sS] # ots -@{document_ext} += [oO][tT][tT] # ott -@{document_ext} += [oO][xX][tT] # oxt -@{document_ext} += [pP][aA][gG][eE][sS] # pages -@{document_ext} += [pP][dD][fF] # pdf -@{document_ext} += [pP][pP][tT][sS] # ppts -@{document_ext} += [pP][pP][tT][xX] # pptx -@{document_ext} += [sS][tT][cC] # stc -@{document_ext} += [sS][tT][dD] # std -@{document_ext} += [sS][tT][iI] # sti -@{document_ext} += [sS][tT][wW] # stw -@{document_ext} += [sS][xX][cC] # sxc -@{document_ext} += [sS][xX][dD] # sxd -@{document_ext} += [sS][xX][gG][sS][xX][iI] # sxgsxi -@{document_ext} += [sS][xX][mM] # sxm -@{document_ext} += [sS][xX][wW] # sxw 
-@{document_ext} += [tT][eE][xX] # tex -@{document_ext} += [tT][eE][xX][iI] # texi -@{document_ext} += [tT][eE][xX][iI][nN][fF][oO] # texinfo -@{document_ext} += [xX][lL][sS] # xls -@{document_ext} += [xX][lL][sS][bB] # xlsb -@{document_ext} += [xX][lL][sS][mM] # xlsm -@{document_ext} += [xX][lL][sS][xX] # xlsx -@{document_ext} += [xX][oO][dD][pP] # xodp -@{document_ext} += [xX][oO][dD][sS] # xods -@{document_ext} += [xX][oO][dD][tT] # xodt -@{document_ext} += [xX][oO][tT][pP] # xotp -@{document_ext} += [xX][oO][tT][sS] # xots -@{document_ext} += [xX][oO][tT][tT] # xott -@{document_ext} += [xX][pP][sS] # xps - -# Texts -@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] # appcache -@{text_ext} += [aA] # a -@{text_ext} += [aA][bB][cC] # abc -@{text_ext} += [aA][sS][cC] # asc -@{text_ext} += [aA][sS][cC][iI][iI] # ascii -@{text_ext} += [cC] # c -@{text_ext} += [cC][cC] # cc -@{text_ext} += [cC][cC][cC] # ccc -@{text_ext} += [cC][nN][dD] # cnd -@{text_ext} += [cC][oO][nN][fF] # conf -@{text_ext} += [cC][oO][pP][yY][rR][iI][gG][hH][tT] # copyright -@{text_ext} += [cC][qQ][lL] # cql -@{text_ext} += [cC][sS][sS] # css -@{text_ext} += [cC][sS][vV] # csv -@{text_ext} += [cC][sS][vV][sS] # csvs -@{text_ext} += [cC][xX][xX] # cxx -@{text_ext} += [dD][mM][sS] # dms -@{text_ext} += [dD][oO][tT] # dot -@{text_ext} += [dD][sS][cC] # dsc -@{text_ext} += [eE][lL] # el -@{text_ext} += [eE][nN][tT] # ent -@{text_ext} += [eE][tT][xX] # etx -@{text_ext} += [fF][lL][tT] # flt -@{text_ext} += [fF][lL][xX] # flx -@{text_ext} += [fF][lL][yY] # fly -@{text_ext} += [fF]90 # f90 -@{text_ext} += [gG][eE][dD] # ged -@{text_ext} += [gG][fF][fF]3 # gff3 -@{text_ext} += [gG][vV] # gv -@{text_ext} += [hH] # h -@{text_ext} += [hH][aA][nN][sS] # hans -@{text_ext} += [hH][gG][lL] # hgl -@{text_ext} += [hH][hH] # hh -@{text_ext} += [hH][tT][mM] # htm -@{text_ext} += [hH][tT][mM][lL] # html -@{text_ext} += [hH][xX][xX] # hxx -@{text_ext} += [iI][cC][sS] # ics -@{text_ext} += [iI][fF][bB] # ifb -@{text_ext} 
+= [jJ][aA][dD] # jad -@{text_ext} += [jJ][sS] # js -@{text_ext} += [jJ][tT][dD] # jtd -@{text_ext} += [lL][oO][gG] # log -@{text_ext} += [mM][aA][nN][iI][fF][eE][sS][tT] # manifest -@{text_ext} += [mM][aA][rR][kK][dD][oO][wW][nN] # markdown -@{text_ext} += [mM][cC]2 # mc2 -@{text_ext} += [mM][dD] # md -@{text_ext} += [mM][iI][zZ] # miz -@{text_ext} += [mM][jJ][sS] # mjs -@{text_ext} += [mM][pP][fF] # mpf -@{text_ext} += [nN]3 # n3 -@{text_ext} += [pP][mM] # pm -@{text_ext} += [pP][oO][dD] # pod -@{text_ext} += [pP][rR][oO][vV][nN] # provn -@{text_ext} += [rR][nN][gG] # rng -@{text_ext} += [rR][oO][fF][fF] # roff -@{text_ext} += [rR][sS][tT] # rst -@{text_ext} += [rR][tT][xX] # rtx -@{text_ext} += [sS][aA][nN][dD][bB][oO][xX][eE][dD] # sandboxed -@{text_ext} += [sS][gG][mM] # sgm -@{text_ext} += [sS][gG][mM][lL] # sgml -@{text_ext} += [sS][hH][aA][cC][lL][cC] # shaclc -@{text_ext} += [sS][hH][cC] # shc -@{text_ext} += [sS][hH][eE][xX] # shex -@{text_ext} += [sS][iI] # si -@{text_ext} += [sS][lL] # sl -@{text_ext} += [sS][oO][aA] # soa -@{text_ext} += [sS][oO][sS] # sos -@{text_ext} += [sS][pP][dD][xX] # spdx -@{text_ext} += [sS][pP][oO] # spo -@{text_ext} += [sS][pP][oO][tT] # spot -@{text_ext} += [sS][uU][bB] # sub -@{text_ext} += [tT] # t -@{text_ext} += [tT][aA][gG] # tag -@{text_ext} += [tT][eE][xX][tT] # text -@{text_ext} += [tT][rR] # tr -@{text_ext} += [tT][sS] # ts -@{text_ext} += [tT][sS][vV] # tsv -@{text_ext} += [tT][tT][lL] # ttl -@{text_ext} += [tT][xX][tT] # txt -@{text_ext} += [uU][rR][iI] # uri -@{text_ext} += [uU][rR][iI][cC] # uric -@{text_ext} += [uU][rR][iI][sS] # uris -@{text_ext} += [vV][cC][aA][rR][dD] # vcard -@{text_ext} += [vV][cC][fF] # vcf -@{text_ext} += [vV][fF][kK] # vfk -@{text_ext} += [vV][tT][tT] # vtt -@{text_ext} += [wW][gG][sS][lL] # wgsl -@{text_ext} += [wW][mM][lL] # wml -@{text_ext} += [wW][mM][lL][sS] # wmls -@{text_ext} += [xX][mM][lL] # xml -@{text_ext} += [xX][sS][dD] # xsd -@{text_ext} += [zZ][oO][nN][eE] # zone 
-@{text_ext} += 3[dD][mM] # 3dm
-@{text_ext} += 3[dD][mM][lL] # 3dml
-
-# Dpkg maintainer's scripts
-@{dpkg_script_ext} = config templates preinst postinst prerm postrm
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index cca544370..67f32bf8c 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -13,9 +13,6 @@
 # Coreutils programs that should not have dedicated profile
 @{coreutils_path} = @{bin}/@{coreutils}
 
-# Python interpreters
-@{python_path} = @{bin}/@{python_name}
-
 # Browsers
 @{brave_path} = @{brave_lib_dirs}/@{brave_name}
 @{chrome_path} = @{opera_lib_dirs}/@{chrome_name}
@@ -31,48 +28,30 @@
 
 # Emails
 @{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}
-@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names}
+@{emails_path} = @{thunderbird_path} @{bin}/@{emails}
 
 # Open
-@{open_path} = @{bin}/@{open_names}
-@{open_path} += @{lib}/gio-launch-desktop
-@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
-
-# Editors
-@{editor_path} = @{bin}/@{editor_names}
-@{editor_ui_path} = @{bin}/@{editor_ui_names}
-
-# Pager
-@{pager_path} = @{bin}/@{pager_names}
+@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio
+@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
+@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 
 # File explorers
-@{file_explorers_path} = @{bin}/@{file_explorers_names}
+@{file_explorers_path} = @{bin}/@{file_explorers}
 
 # Text editors
-@{text_editors_path} = @{bin}/@{text_editors_names} /usr/share/code/{bin/,}code
+@{text_editors_path} = @{bin}/@{text_editors} /usr/share/code/{bin/,}code
 
 # Document viewers
-@{document_viewers_path} = @{bin}/@{document_viewers_names}
+@{document_viewers_path} = @{bin}/@{document_viewers}
 
 # Image viewers
-@{image_viewers_path} = @{bin}/@{image_viewers_names}
+@{image_viewers_path} = @{bin}/@{image_viewers}
 
 # Archive viewers
-@{archive_viewers_path} = @{bin}/@{archive_viewers_names}
+@{archive_viewers_path} = @{bin}/@{archive_viewers}
 
 # Office suites
-@{offices_path} = @{bin}/@{offices_names} @{lib}/libreoffice/program/soffice
+@{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice
 
-# Help
-@{help_path} = @{bin}/@{help_names}
-
-# Terminal emulator
-@{terminal_path} = @{bin}/@{terminal_names}
-
-# Backup
-@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor
-
-# Archives
-@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z
 
 # vim:syntax=apparmor
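Review bot: The new `@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop` is looser than the `@{version}` form it replaces: in AppArmor globbing `*` matches any run of characters except `/`, so `glib-[0-9]*` accepts any directory whose name starts with `glib-` plus a digit, not only a versioned `glib-2.0/`; `@{lib}/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop` keeps the rule as tight as before. Separately, this hunk and the `profiles`, `programs`, `system`, `system-users` and `xdg-user-dirs.d` hunks below drop variables without a visible replacement (`@{python_path}`, `@{editor_path}`, `@{editor_ui_path}`, `@{pager_path}`, `@{help_path}`, `@{terminal_path}`, `@{backup_path}`, `@{archive_path}`, the `@{p_dbus_*}` and other `@{p_*}` peer labels, `@{sbin}`, `@{efi}`, `@{version}`, `@{att}`, the `*_state_dirs` set and `@{user_desktop_dirs}`). apparmor_parser rejects a profile that references an undefined variable, and dbus rules built on the removed `@{p_dbus_*}` labels are exactly the kind of rule that fails closed, so every consumer under `apparmor.d/` must be updated in the same change; the profile side of this diff is outside this view and cannot be confirmed here.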
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index d4fefb0b0..dd9386b09 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -2,78 +2,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Define some variables for some commonly used profile. They may be used in +# Define some variables for some commonly used profile. They may be used in # other profiles peer label. # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_sd}=unconfined -@{p_sdu}=unconfined -@{p_systemd_user}=unconfined @{p_systemd}=unconfined - -# Name of the dbus daemon profiles -@{p_dbus_accessibility}=dbus-accessibility -#aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,unconfined} -@{p_dbus_session}={dbus-session,unconfined} - -#aa:exclude apparmor4.1 -@{p_dbus_system}=dbus-system -@{p_dbus_session}=dbus-session - -@{p_accounts_daemon}=accounts-daemon -@{p_apt_news}=apt_news -@{p_at_spi2_registryd}=at-spi2-registryd -@{p_avahi_daemon}=avahi-daemon -@{p_bluetoothd}=bluetoothd -@{p_colord}=colord -@{p_e2scrub_all}=e2scrub_all -@{p_e2scrub}=e2scrub -@{p_file_roller}=file-roller -@{p_fprintd}=fprintd -@{p_fwupd}=fwupd -@{p_fwupdmgr}=fwupdmgr -@{p_geoclue}=geoclue -@{p_gnome_shell}=gnome-shell -@{p_gsd_media_keys}=gsd-media-keys -@{p_irqbalance}=irqbalance -@{p_logrotate}=logrotate -@{p_ModemManager}=ModemManager -@{p_nm_priv_helper}=nm-priv-helper -@{p_packagekitd}=packagekitd -@{p_pcscd}=pcscd -@{p_polkitd}=polkitd -@{p_power_profiles_daemon}=power-profiles-daemon -@{p_rsyslogd}=rsyslogd -@{p_rtkit_daemon}=rtkit-daemon -@{p_snap}=snap -@{p_systemd_coredump}=systemd-coredump -@{p_systemd_homed}=systemd-homed -@{p_systemd_hostnamed}=systemd-hostnamed -@{p_systemd_importd}=systemd-importd -@{p_systemd_initctl}=systemd-initctl -@{p_systemd_journal_remote}=systemd-journal-remote -@{p_systemd_journald}=systemd-journald -@{p_systemd_localed}=systemd-localed -@{p_systemd_logind}=systemd-logind -@{p_systemd_networkd}=systemd-networkd -@{p_systemd_oomd}=systemd-oomd 
-@{p_systemd_resolved}=systemd-resolved -@{p_systemd_rfkill}=systemd-rfkill -@{p_systemd_timedated}=systemd-timedated -@{p_systemd_timesyncd}=systemd-timesyncd -@{p_systemd_userdbd}=systemd-userdbd -@{p_upowerd}=upowerd -@{p_xdg_desktop_portal}=xdg-desktop-portal - -# Profiles Patterns -# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution - -# Notification -@{pp_notification}={plasmashell,gjs-console} -@{pp_app_indicator}={plasmashell,gnome-shell} -@{pp_dbusmenu}={plasmashell,nautilus} +@{p_systemd_user}=unconfined # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index a7cbaf831..a118d0cbe 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs 
@@ -5,39 +5,21 @@ # Define some some commonly used programs. This is not an exhaustive list. # It is meant to label programs to easily provide access in profiles. -# All variables that refer to a program name should have the `_name` suffix. -# variables that refer to a list of progran should have the `_names` suffix. -# @{sh}, @{shells}, and @{coreutils} are the only exceptions. - # Default distribution shells @{sh} = sh bash dash # All interactive shells users may want to use @{shells} = sh zsh bash dash fish rbash ksh tcsh csh -# Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils. +# Coreutils programs that should not have dedicated profile @{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown -@{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand +@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link -@{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt +@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir -@{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep -@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true -@{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes - -# Python interpreters -@{python_version} = 3 3.[0-9] 3.1[0-9] -@{python_name} = python python@{python_version} - -# Open -@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop - -# Editors -@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano -@{editor_ui_names} = gnome-text-editor gedit mousepad - -# 
Pager -@{pager_names} = sensible-pager pager less more nvimpager +@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep +@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true +@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes # Browsers @@ -62,41 +44,29 @@ @{torbrowser_name} = torbrowser "tor browser" @{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ -# Emails +# Emails -@{thunderbird_name} = thunderbird{,-bin} +@{thunderbird_name} = thunderbird{,.sh,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} -@{emails_names} = evolution geary +@{emails} = evolution geary # File explorers -@{file_explorers_names} = dolphin nautilus thunar +@{file_explorers} = dolphin nautilus thunar # Text editors -@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli +@{text_editors} = code gedit mousepad gnome-text-editor # Document viewers -@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader +@{document_viewers} = evince okular *{F,f}oliate YACReader # Image viewers -@{image_viewers_names} = eog loupe ristretto +@{image_viewers} = eog loupe ristretto # Archive viewers -@{archive_viewers_names} = engrampa file-roller xarchiver +@{archive_viewers} = engrampa file-roller xarchiver # Office suites -@{offices_names} = libreoffice soffice wps - -# Help -@{help_names} = yelp - -# Terminal emulator -@{terminal_names} = kgx terminator konsole ptyxis - -# Backup -@{backup_names} = deja-dup borg - -# Archives -@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd +@{offices} = libreoffice soffice # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index b29be3f0c..d219c1d4d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
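Review bot: The rewritten comment `# Coreutils programs that should not have dedicated profile` drops the qualifier that the list also covers non-coreutils programs, yet the new `@{coreutils}` lines still carry `find`, `xargs`, `diff`, `{,e,f}grep`, `{,g,m}awk` and `sed`, which come from findutils, diffutils, grep, gawk/mawk and sed. Because `paths` builds `@{coreutils_path}` from this list and it is the set of programs that run without a profile of their own, an accurate comment matters for anyone deciding what to add here; suggested `# Coreutils programs that should not have dedicated profile. Also includes findutils, diffutils, grep, awk and sed.`. The hunk also deletes the `_name`/`_names` naming convention while the second hunk in this file keeps `@{thunderbird_name}` next to the newly unsuffixed `@{emails}`, `@{text_editors}` and `@{offices}`, so the file now mixes both conventions with no note on which one applies.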
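Review bot: `@{document_viewers} = evince okular *{F,f}oliate YACReader` keeps a leading `*` in a list that is otherwise plain program names; since `paths` derives `@{document_viewers_path} = @{bin}/@{document_viewers}`, any profile rule built on that variable also matches every executable in `@{bin}` whose name ends in `Foliate` or `foliate`, not one viewer. Naming the actual launcher binary explicitly keeps the executable set to the listed programs. Likewise `@{thunderbird_name} = thunderbird{,.sh,-bin}` feeds `@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}`, so the new `.sh` alternative also yields a `@{lib}/thunderbird.sh/` library directory that presumably never exists; harmless, but worth a one-line comment if the wrapper name is intentional.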
@@ -2,8 +2,70 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 
-# System Paths
-# ------------
+# To allow extended personalisation without breaking everything.
+# All apparmor profiles should always use the variables defined here.
+
+# Single hexadecimal character
+@{h}=[0-9a-fA-F]
+
+# Single alphanumeric character
+@{c}=[0-9a-zA-Z]
+
+# Integer up to 10 digits (0-9999999999)
+@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}
+
+# hexadecimal, alphanumeric up to 64 characters
+@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
+@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
+
+# Any x digits characters
+@{int2}=[0-9][0-9]
+@{int4}=@{int2}@{int2}
+@{int6}=@{int4}@{int2}
+@{int8}=@{int4}@{int4}
+@{int10}=@{int8}@{int2}
+@{int16}=@{int8}@{int8}
+@{int32}=@{int16}@{int16}
+@{int64}=@{int32}@{int32}
+
+# Any x hexadecimal characters
+@{hex2}=@{h}@{h}
+@{hex4}=@{hex2}@{hex2}
+@{hex6}=@{hex4}@{hex2}
+@{hex8}=@{hex4}@{hex4}
+@{hex9}=@{hex8}@{h}
+@{hex10}=@{hex8}@{hex2}
+@{hex16}=@{hex8}@{hex8}
+@{hex32}=@{hex16}@{hex16}
+@{hex38}=@{hex32}@{hex6}
+@{hex64}=@{hex32}@{hex32}
+
+# Any x alphanumeric characters
+@{rand2}=@{c}@{c}
+@{rand4}=@{rand2}@{rand2}
+@{rand6}=@{rand4}@{rand2}
+@{rand8}=@{rand4}@{rand4}
+@{rand9}=@{rand8}@{c}
+@{rand10}=@{rand8}@{rand2}
+@{rand16}=@{rand8}@{rand8}
+@{rand32}=@{rand16}@{rand16}
+@{rand64}=@{rand64}@{rand64}
+
+# Universally unique identifier
+@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
+
+# Username & group valid characters
+@{u}=[a-z0-9_]
+@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
+@{group}=@{user}
+
+# Shortcut for PCI device
+@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
+@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
+@{pci}=@{pci_bus}/**/
+
+# hci devices
+@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}
 
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
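Review bot: `@{rand64}=@{rand64}@{rand64}` defines the variable in terms of itself, while every sibling doubles the previous size (`@{hex64}=@{hex32}@{hex32}`, `@{int64}=@{int32}@{int32}`, `@{rand32}=@{rand16}@{rand16}`); whatever the parser does with the self-reference, the result is not a 64-character pattern, so the line should read `@{rand64}=@{rand32}@{rand32}`. A second point on the same hunk: `@{u}=[a-z0-9_]` and `@{user}=[a-z_]{@{u},}…` leave out `-`, so a hyphenated account name (Debian-style system users such as `systemd-network` or `systemd-resolve`, or any name a distribution's NAME_REGEX permits) never matches `@{user}` or `@{group}`, and a path rule built on them silently denies that user rather than reporting a bad variable. If lowercase-plus-underscore is intentional, the comment above `@{u}` should say so; otherwise `@{u}=[a-z0-9_-]` is the minimal change.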
@@ -14,61 +76,17 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 
 # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}bin
-@{sbin}=/{,usr/}sbin #aa:only apt zypper
-@{sbin}=/{,usr/}{,s}bin #aa:only pacman
+@{bin}=/{,usr/}{,s}bin
 @{lib}=/{,usr/}lib{,exec,32,64}
 
 # Common places for temporary files
-# /tmp/user/@{uid}/ is needed when using .... (default on Debian)
 @{tmp}=/tmp/ /tmp/user/@{uid}/
 
-# Common places for EFI
-@{efi}=/boot/ /efi/ /boot/efi/
-
-# System Variables
-# ----------------
-
-# Common architecture names
-@{arch}=x86_64 x64 amd64 i386 i686
-
-# Dbus unique name
-@{busname}=:1.@{u16} :not.active.yet
-
-# Unix dbus address prefix
-@{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
-
-# Universally unique identifier
-@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12}
-
-# Username & group valid characters
-@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
-@{group}=@{user}
-
-# Semantic version
-@{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},}
-
-#aa:only opensuse
-# OpenSUSE does not have the same multiarch structure
-@{multiarch}+=*-suse-linux*
-
-
-# System Internal
-# ---------------
-
-# Shortcut for PCI device
-@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h}
-@{pci_bus}=pci@{hex4}:@{hex2}
-@{pci}=@{pci_bus}/**/
-
 # Udev data dynamic assignment ranges
-# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
 @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254
 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511
 
-# Default attachment path when re-attached path disconnected path is ignored.
-# Disabled on abi3 and Ubuntu 25.04+
-# See https://apparmor.pujol.io/development/internal/#re-attached-path
-@{att}=""
+# OpenSUSE does not have the same multiarch structure
+@{multiarch}+=*-suse-linux* #aa:only opensuse
 
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users
index 07450efff..885913da3 100644
--- a/apparmor.d/tunables/multiarch.d/system-users
+++ b/apparmor.d/tunables/multiarch.d/system-users
@@ -5,12 +5,11 @@
 # Define some extra paths for some commonly used system user
 
 # Full path of the GDM configuration directories
-@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/
+@{GDM_HOME}=/var/lib/gdm{,3}/
 @{gdm_cache_dirs}=@{GDM_HOME}/.cache/
 @{gdm_config_dirs}=@{GDM_HOME}/.config/
 @{gdm_local_dirs}=@{GDM_HOME}/.local/
 @{gdm_share_dirs}=@{GDM_HOME}/.local/share/
-@{gdm_state_dirs}=@{GDM_HOME}/.local/state/
 
 # Full path of the SDDM configuration directories
 @{SDDM_HOME}=/var/lib/sddm/
@@ -18,7 +17,6 @@
 @{sddm_config_dirs}=@{SDDM_HOME}/.config/
 @{sddm_local_dirs}=@{SDDM_HOME}/.local/
 @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/
-@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/
 
 # Full path of the LIGHTDM configuration directories
 @{LIGHTDM_HOME}=/var/lib/lightdm/
@@ -26,7 +24,6 @@
 @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/
 @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/
 @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/
-@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/
 
 # Full path of all DE configuration directories
 @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME}
@@ -34,6 +31,5 @@
 @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs}
 @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs}
 @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs}
-@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs}
 
 # vim:syntax=apparmor
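Review bot: `@{bin}=/{,usr/}{,s}bin` folds `/sbin` and `/usr/sbin` into `@{bin}` unconditionally and the separate `@{sbin}` variable is gone, so every rule elsewhere of the form `@{bin}/foo rPx` or `@{bin}/* ix` now also matches the sbin copy of that name; on distributions where sbin is still a distinct directory (the old `#aa:only apt zypper` / `#aa:only pacman` split suggests this was deliberately per-distribution) that widens the executable set such rules grant. If the merge is intentional it deserves a comment, e.g. `# sbin is merged into bin; no profile may rely on @{bin} excluding sbin`, since nothing in this file says so. The `#aa:only opensuse` directive also moves from its own line to an inline trailer on the `@{multiarch}+=` line; the removed `@{sbin}` lines used the same inline form, so the preprocessor presumably accepts both, but that is worth confirming before the conditional silently stops applying.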
diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 52be8b920..00231cbce 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -14,14 +14,14 @@ @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" # Other user directories -@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} -@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} -@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index ccd6e9cca..184e6d118 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
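Review bot: `@{user_desktop_dirs}` is removed in this hunk but, unlike `@{user_download_dirs}`, `@{user_templates_dirs}` and `@{user_publicshare_dirs}`, is never re-added lower in the list, so any profile that still references it will fail to parse unless it was updated in the same change (the profiles are outside this view). The new `@{user_vm_shares}` also breaks the `user_<name>_dirs` pattern of every sibling and depends on `@{XDG_VM_SHARES_DIR}`, which is not defined anywhere in this hunk; if the main xdg-user-dirs tunable defines it that is fine, otherwise the parser rejects the file. Suggested: `@{user_vm_shares_dirs}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}`, with a one-line comment naming where `@{XDG_VM_SHARES_DIR}` comes from.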
@@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] - Review AppArmor generated messages in a colorful way. It supports logs from + Review AppArmor generated messages in a colorful way. Supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -31,7 +31,6 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. - -S, --since DATE Show entries not older than the specified date. ` @@ -42,7 +41,6 @@ var ( path string systemd bool raw bool - since string ) func aaLog(logger string, path string, profile string) error { @@ -53,9 +51,9 @@ func aaLog(logger string, path string, profile string) error { case "auditd": file, err = logs.GetAuditLogs(path) case "systemd": - file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path)) + file, err = logs.GetJournalctlLogs(path, !slices.Contains(logs.LogFiles, path)) default: - err = fmt.Errorf("logger %s not supported", logger) + err = fmt.Errorf("Logger %s not supported.", logger) } if err != nil { return err @@ -66,7 +64,7 @@ func aaLog(logger string, path string, profile string) error { return nil } - aaLogs := logs.New(file, profile) + aaLogs := logs.NewApparmorLogs(file, profile) if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { 
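Review bot: The new error string in aaLog, `err = fmt.Errorf("Logger %s not supported.", logger)`, is capitalised and ends with a full stop; Go error strings are conventionally lowercase and unpunctuated (staticcheck ST1005) because callers wrap them into longer messages, so the form `err = fmt.Errorf("logger %s not supported", logger)` is the idiomatic one. The rest of aaLog, including where this error is reported, lies outside the hunk.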
@@ -92,8 +90,6 @@ func init() { flag.BoolVar(&rules, "rules", false, "Convert the log into AppArmor rules.") flag.BoolVar(&raw, "R", false, "Print the raw log without any formatting.") flag.BoolVar(&raw, "raw", false, "Print the raw log without any formatting.") - flag.StringVar(&since, "S", "", "Display logs since the START time.") - flag.StringVar(&since, "since", "", "Display logs since the START time.") } func main() { diff --git a/cmd/aa/main.go b/cmd/aa/main.go index b0737de77..8fa7cce66 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,24 +8,20 @@ import ( "flag" "fmt" "os" - "os/exec" - "regexp" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/util" ) -const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. - -e, --enforce Switch the given profile(s) to enforce mode. - -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -36,19 +32,12 @@ Options: // Command line options var ( - help bool - path string - systemd bool - enforce bool - complain bool - lint bool - format bool - tree bool -) - -var ( - regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) - regProfileHeader = regexp.MustCompile(` {\n`) + help bool + path string + systemd bool + lint bool + format bool + tree bool ) type kind uint8 
@@ -72,10 +61,6 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") - flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -91,10 +76,10 @@ func getIndentationLevel(input string) int { return level } -func parse(kind kind, profile string) (aa.ParaRules, []string, error) { +func parse(kind kind, profile string) ([]aa.Rules, []string, error) { var raw string paragraphs := []string{} - rulesByParagraph := aa.ParaRules{} + rulesByParagraph := []aa.Rules{} switch kind { case isTunable, isProfile: @@ -125,9 +110,12 @@ func formatFile(kind kind, profile string) (string, error) { return "", err } for idx, rules := range rulesByParagraph { + if err := rules.Validate(); err != nil { + return "", err + } aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - fmt.Printf(rules.String() + "\n") + profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) } return profile, nil } @@ -151,7 +139,7 @@ func aaFormat(files paths.PathList) error { if !file.Exist() { return nil } - profile, err := file.ReadFileAsString() + profile, err := util.ReadFile(file) if err != nil { return err } 
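Review bot: In the `@@ -125,9` hunk, `profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1)` splices the formatted rules back in by unanchored substring replacement, so a paragraph that occurs twice, or that is a substring of a larger paragraph (a one-rule paragraph is a common case), gets rewritten at every match rather than at its own position, and each replacement changes the text that later paragraphs are searched in. Rebuilding the output by walking the paragraph list in order (replacing each paragraph by position, or joining the formatted paragraphs with the original separators) avoids both effects; at minimum a comment stating that paragraphs are assumed to be unique within a profile should sit above the line. The added `rules.Validate()` check is a good addition, but note it returns on the first invalid paragraph after earlier paragraphs have already been merged into `profile`, so the partially formatted string is discarded, which is fine as long as callers do not persist it. `formatFile` starts and ends outside this hunk.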
@@ -168,95 +156,17 @@ func aaFormat(files paths.PathList) error { return nil } -func aaLint(files paths.PathList) error { - for _, file := range files { - fmt.Printf("wip: %v\n", file) - } - return nil -} - -func setFlag(profile string, flag string) (string, error) { - f := aa.DefaultTunables() - if _, err := f.Parse(profile); err != nil { - return profile, err - } - - flags := f.GetDefaultProfile().Flags - switch flag { - case "enforce": - if len(flags) == 0 || slices.Contains(flags, "enforce") { - return profile, nil // Nothing to do - } - idx := slices.Index(flags, "complain") - if idx == -1 { - return profile, nil // No complain flag, nothing to do - } - flags = slices.Delete(flags, idx, idx+1) - - case "complain": - if slices.Contains(flags, "complain") { - return profile, nil // Nothing to do - } - flags = append(flags, "complain") - - default: - return profile, fmt.Errorf("unknown flag: %s", flag) - } - strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" - - // Remove all flags definition, then the new flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - if len(flags) > 0 { - profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) - } - return profile, nil -} - -func aaSetFlag(files paths.PathList, flag string) error { - for _, file := range files { - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = setFlag(profile, flag) - if err != nil { - return err - } - if err = file.WriteFile([]byte(profile)); err != nil { - return err - } - if err = reloadProfile(file); err != nil { - return err - } - } - return nil -} - func aaTree() error { return nil } -func reloadProfile(file *paths.Path) error { - cmd := exec.Command("apparmor_parser", "--replace", file.String()) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if err := cmd.Run(); err != nil { - return fmt.Errorf("apparmor_parser failed: %w", err) - } - return nil -} - func pathsFromArgs() (paths.PathList, error) { res := 
paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - if aa.MagicRoot.Join(arg).Exist() { - res = append(res, aa.MagicRoot.Join(arg)) - } else { - return nil, fmt.Errorf("file %s not found", path) - } + return nil, fmt.Errorf("file %s not found", path) case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -284,42 +194,19 @@ func main() { var err error var files paths.PathList switch { - case enforce: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "enforce") - - case complain: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "complain") - case lint: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaLint(files) case format: files, err = pathsFromArgs() if err != nil { - logging.Fatal("%s", err.Error()) + logging.Fatal(err.Error()) } err = aaFormat(files) - case tree: err = aaTree() - - default: - flag.Usage() } if err != nil { - logging.Fatal("%s", err.Error()) + logging.Fatal(err.Error()) } } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 455621e5b..c39d4cbbd 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
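Review bot: Both call sites in the `@@ -284,42` hunk change `logging.Fatal("%s", err.Error())` to `logging.Fatal(err.Error())`; the previous explicit `"%s"` strongly suggests `Fatal` is printf-style, in which case an error whose text contains `%` (the `file %s not found` error embeds user-supplied paths) is interpreted as a format directive and prints `%!s(MISSING)`-style garbage or wrong output, so the `"%s"` form should stay. The same hunk also drops the `default: flag.Usage()` branch, so invoking `aa` with no mode flag now exits 0 having done nothing, where it previously printed usage; a `default:` that calls `flag.Usage()` and exits non-zero would keep the tool's behaviour discoverable. `main` begins outside this hunk.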
@@ -5,83 +5,92 @@ package main import ( + "flag" + "fmt" + "os" + + "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) -// Cli arguments have priority over the settings entered here +const usage = `prebuild [-h] [--full] [--complain | --enforce] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -f, --full Set AppArmor for full system policy. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + --abi4 Convert the profiles to Apparmor abi/4.0. + +` + +var ( + help bool + full bool + complain bool + enforce bool + abi4 bool +) + func init() { - // Define the default ABI - prebuild.ABI = 4 + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") + flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") + flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") + flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") + flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") + flag.BoolVar(&abi4, "abi4", false, "Convert the profiles to Apparmor abi/4.0.") +} - // Define the default version - prebuild.Version = 4.1 +func aaPrebuild() error { + logging.Step("Building apparmor.d profiles for %s.", cfg.Distribution) - // Define the tasks applied by default - prepare.Register( - "synchronise", // 
Initialize a new clean apparmor.d build directory - "ignore", // Ignore profiles and files from dist/ignore - "merge", // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory - "configure", // Set distribution specificities - "setflags", // Set flags as definied in dist/flags - "overwrite", // Overwrite dummy upstream profiles - "systemd-default", // Set systemd unit drop in files for dbus profiles - ) - - // Build tasks applied by default - builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 - "base-strict", // Use base-strict as base abstraction - ) - - // Matrix of ABI/Apparmor version to integrate with - switch prebuild.Distribution { - case "arch": - - case "ubuntu": - switch prebuild.Release["VERSION_CODENAME"] { - case "jammy": - prebuild.ABI = 3 - prebuild.Version = 3.0 - case "noble": - prebuild.ABI = 4 - prebuild.Version = 4.0 - case "questing": - prebuild.ABI = 4 - prebuild.Version = 5.0 - } - - case "debian": - switch prebuild.Release["VERSION_CODENAME"] { - case "bullseye", "bookworm": - prebuild.ABI = 3 - prebuild.Version = 3.0 - } - - case "whonix": - prebuild.ABI = 3 - prebuild.Version = 3.0 - - // Hide rewritten Whonix profiles - prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure - /etc/apparmor.d/home.tor-browser.firefox - /etc/apparmor.d/tunables/homsanitycheck - /etc/apparmor.d/usr.bin.url_e.d/anondist - /etc/apparmor.d/tunables/home.d/live-mode - /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist - /etc/apparmor.d/usr.bin.hexchat - /etc/apparmor.d/usr.bin.sdwdate - /etc/apparmor.d/usr.bin.systemcheck - /etc/apparmor.d/usr.bin.timeto_unixtime - /etc/apparmor.d/whonix-firewall - ` + if full { + prepare.Register("fsp") + builder.Register("fsp") + } else { + prepare.Register("systemd-early") } + + if complain { + builder.Register("complain") + } else if enforce { + builder.Register("enforce") + } + + if abi4 { + 
builder.Register("abi3") + } + + if err := prebuild.Prepare(); err != nil { + return err + } + return prebuild.Build() } func main() { - cli.Configure() - cli.Prebuild() + flag.Usage = func() { + fmt.Printf("%s%s\n%s\n%s", usage, + cfg.Help("Prepare", prepare.Tasks), + cfg.Help("Build", builder.Builders), + cfg.Usage("Directives", directive.Directives), + ) + } + flag.Parse() + if help { + flag.Usage() + os.Exit(0) + } + if err := aaPrebuild(); err != nil { + logging.Fatal(err.Error()) + } } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go new file mode 100644 index 000000000..8e80c3ab3 --- /dev/null +++ b/cmd/prebuild/main_test.go 
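Review bot: `if abi4 { builder.Register("abi3") }` registers a builder named `abi3` behind a flag whose help text says "Convert the profiles to Apparmor abi/4.0"; one of the two names is wrong, and since this decides which ABI the shipped policy targets, it should be corrected or a comment should explain why the `abi4` flag selects the `abi3` builder. The usage string advertises `[--complain | --enforce]` as mutually exclusive, but `aaPrebuild` never checks it and `complain` silently wins when both are passed; a guard such as `if complain && enforce { return fmt.Errorf("--complain and --enforce are mutually exclusive") }` before the registrations makes the contract explicit. `logging.Fatal(err.Error())` in `main` has the same format-string concern as in cmd/aa if `Fatal` is printf-style; `logging.Fatal("%s", err.Error())` is safer. This hunk starts earlier on the page and the file header is outside it.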
@@ -0,0 +1,89 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "os" + "os/exec" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" +) + +func chdirGitRoot() { + cmd := exec.Command("git", "rev-parse", "--show-toplevel") + out, err := cmd.Output() + if err != nil { + panic(err) + } + root := string(out[0 : len(out)-1]) + if err := os.Chdir(root); err != nil { + panic(err) + } +} + +func Test_AAPrebuild(t *testing.T) { + tests := []struct { + name string + wantErr bool + full bool + complain bool + dist string + }{ + { + name: "Build for Archlinux", + wantErr: false, + full: false, + complain: true, + dist: "arch", + }, + { + name: "Build for Ubuntu", + wantErr: false, + full: true, + complain: false, + dist: "ubuntu", + }, + { + name: "Build for Debian", + wantErr: false, + full: true, + complain: false, + dist: "debian", + }, + { + name: "Build for OpenSUSE Tumbleweed", + wantErr: false, + full: true, + complain: true, + dist: "opensuse", + }, + // { + // name: "Build for Fedora", + // wantErr: true, + // full: false, + // complain: false, + // dist: "fedora", + // }, + } + chdirGitRoot() + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cfg.Distribution = tt.dist + if tt.full { + prepare.Register("fsp") + builder.Register("fsp") + } + if tt.complain { + builder.Register("complain") + } + if err := aaPrebuild(); (err != nil) != tt.wantErr { + t.Errorf("aaPrebuild() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 8fc1d019d..20725a133 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "just", all edit will be lost. +# This file is generated by "make", all edit will be lost. 
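Review bot: The subtests in `Test_AAPrebuild` mutate package-global state (`cfg.Distribution`, `prepare.Register("fsp")`, `builder.Register("fsp")`, `builder.Register("complain")`) and never reset it, so after the Archlinux case registers `complain` every later case also builds with it, and `fsp` is registered repeatedly; the cases are therefore order-dependent and do not test the configurations their table entries describe. Unless the registries expose a reset, a comment on the table noting the accumulation, or running each case in a separate process, is needed to make the results meaningful. In `chdirGitRoot`, `root := string(out[0 : len(out)-1])` panics with a slice-bounds error rather than a readable message if git prints nothing; `root := strings.TrimSpace(string(out))` handles that and the trailing newline at once. The test also performs a full build of the checkout, which should be noted in a comment so it is not mistaken for a unit test.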
diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 840f3196b..4e659173c 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,6 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +systemctl is-active -q apparmor && systemctl reload apparmor ||: exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 840f3196b..4e659173c 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,6 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +systemctl is-active -q apparmor && systemctl reload apparmor ||: exit 0 diff --git a/debian/control b/debian/control index 85c4d3786..3d15800b8 100644 --- a/debian/control +++ b/debian/control @@ -6,18 +6,19 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, - just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.6.0 +Standards-Version: 4.5.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: apparmor-profiles +Depends: + apparmor-profiles, + ${shlibs:Depends} Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 2000 profiles) - apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine +Description: Full set of AppArmor profiles (~ 1500 profiles) + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. diff --git a/debian/rules b/debian/rules index d78e652ca..6e7d2d6e4 100755 --- a/debian/rules +++ b/debian/rules 
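Review bot: The postinst now calls `systemctl reload apparmor` directly instead of `deb-systemd-invoke reload apparmor.service`; `deb-systemd-invoke` honours `policy-rc.d`, so the direct call reloads kernel policy in chroots and image builds where local policy forbids touching services, and `deb-systemd-invoke reload apparmor.service || true` should be kept (the postrm hunk has the same change). Dropping `apparmor_parser --purge-cache` also means a reload can pick up a stale compiled cache if cache invalidation does not trigger for the updated profiles; keeping the purge line before the reload is cheap and removes that risk. Lastly, `||:` relies on the `:` builtin being spelled without a space; it works, but `|| true` matches the rest of the maintainer scripts in this diff and is easier to read.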
@@ -8,10 +8,3 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: - -override_dh_auto_build: - just complain - -override_dh_auto_install: - just destdir="${CURDIR}/debian/apparmor.d" install - diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index d60841581..b00b12eca 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,7 +15,6 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release -BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -26,14 +25,14 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -just complain +%make_build %install -just destdir="%{buildroot}" install +%make_install %posttrans -apparmor_parser --purge-cache -%restart_on_update apparmor +rm -f /var/cache/apparmor/* 2>/dev/null +systemctl is-active -q apparmor && systemctl reload apparmor ||: %files %license LICENSE @@ -52,6 +51,4 @@ apparmor_parser --purge-cache %dir /usr/share/zsh/site-functions /usr/share/zsh/site-functions/_aa-log.zsh -%doc %{_mandir}/man8/aa-log.8.gz - %changelog diff --git a/dists/build.sh b/dists/build.sh index e33c48695..a566291bd 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,12 +3,12 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: just [ dpkg | pkg | rpm ] +# Usage: make [ dpkg | pkg | rpm ] set -eu -o pipefail readonly COMMAND="$1" -readonly OUTPUT="$PWD/.pkg" +readonly OUTPUT="${PKGDEST:-$PWD}" readonly PKGNAME=apparmor.d VERSION="0.$(git rev-list --count HEAD)" readonly VERSION 
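Review bot: In the spec `%posttrans`, `rm -f /var/cache/apparmor/* 2>/dev/null` cannot remove directories (no `-r`), and the stderr redirect hides that failure; the parser cache is laid out in per-feature-set subdirectories, so on such systems this line purges nothing and the following reload can load stale compiled policy. `apparmor_parser --purge-cache` knows the cache layout and was what the previous side used; keeping it is the safer option. Replacing `%restart_on_update apparmor` with a direct `systemctl reload` also bypasses the distribution macro that decides whether services may be touched during installation, which is worth a comment if intentional. The `%files` hunk drops `%doc %{_mandir}/man8/aa-log.8.gz`; if `%make_install` still installs that man page, rpmbuild will fail on an unpackaged file, so this should be checked against the install target.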
@@ -16,11 +16,11 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" + dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1" dpkg-buildpackage -b -d --no-sign lintian || true mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" diff --git a/dists/docker.sh b/dists/docker.sh index 45191adb8..500918c5f 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -3,10 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: -# just package ubuntu24 -# just package archlinux -# just package opensuse +# Usage: make package dist= set -eu -o pipefail @@ -15,17 +12,14 @@ readonly PREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp -readonly OUTDIR=".pkg" -readonly OUTPUT="$PWD/$OUTDIR" -readonly DISTRIBUTION="${1:-}" -readonly RELEASE="${2:-}" +readonly COMMAND="$1" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" || return 1 + docker start "$img" } _is_running() { 
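Review bot: In the docker.sh `@@ -15,17` hunk, `readonly COMMAND="$1"` runs under `set -eu` (visible in the hunk context), so invoking the script with no argument now aborts with an unbound-variable error instead of reaching the `*) ;;` no-op branch that the previous `${1:-}` form allowed; `readonly COMMAND="${1:-}"` restores that. The replacement usage comment `# Usage: make package dist=` reads as truncated, presumably a placeholder lost from the line; it should name what `dist=` expects. In the `_start` change, dropping `|| return 1` is behaviour-neutral under `set -e`, but callers that expect a return code rather than an exit should be checked.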
@@ -65,37 +59,33 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"-*.pkg.* "$OUTPUT" + mv "$VOLUME/$PKGNAME"-*.pkg.* . } build_in_docker_dpkg() { - local img dist="$1" target="$1" release="$2" + local dist="$1" target="$1" + local img="$PREFIX$dist" [[ "$dist" == whonix ]] && dist=debian - [[ "$release" == "13" ]] && release=trixie - img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then _start "$img" fi else - docker pull "$BASEIMAGE/$dist:$release" + docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ - --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" + --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl - if [[ "$dist" == debian && "$release" == "12" ]]; then - aptopt=(-t bookworm-backports) - fi + docker exec "$img" sudo apt-get install -y config-package-dev rsync + [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg - mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT" + mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* . } build_in_docker_rpm() { 
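Review bot: `docker pull "$BASEIMAGE/$dist"` in `build_in_docker_dpkg` no longer carries a tag, so the build container is now whatever `latest` resolves to at run time and the resulting packages are not reproducible across runs; pinning a tag, or better a digest, keeps the build environment under version control. `[[ "$dist" == debian ]] && aptopt=(-t bookworm-backports)` leaves `aptopt` unset for the other distributions, and expanding `"${aptopt[@]}"` on an unset array under `set -u` is an error on bash older than 4.4; declaring `local aptopt=()` at the top of the function makes it safe everywhere. `build_in_docker_dpkg`'s signature is in the hunk but the function's caller is not.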
@@ -110,32 +100,32 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles + docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm - mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-$VERSION-"*.rpm "$OUTPUT" + mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm . } main() { - case "$DISTRIBUTION" in + case "$COMMAND" in archlinux) - build_in_docker_makepkg "$DISTRIBUTION" + # build_in_docker_makepkg "$COMMAND" + PKGDEST=. makepkg -Cf ;; debian | ubuntu | whonix) sync - build_in_docker_dpkg "$DISTRIBUTION" "$RELEASE" + build_in_docker_dpkg "$COMMAND" ;; opensuse) sync - build_in_docker_rpm "$DISTRIBUTION" + build_in_docker_rpm "$COMMAND" ;; *) ;; esac } -mkdir -p "$OUTPUT" main "$@" diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index 8910bb280..b94fae2c2 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,4 +1,15 @@ -aurpublish complain +archlinux-keyring-wkd-sync complain makepkg complain mkinitcpio attach_disconnected,complain pacman attach_disconnected,complain +pacman-conf attach_disconnected,complain +pacman-hook-dconf complain +pacman-hook-depmod complain +pacman-hook-dkms attach_disconnected,complain +pacman-hook-fontconfig complain +pacman-hook-gio complain +pacman-hook-gtk complain +pacman-hook-mkinitcpio attach_disconnected,complain +pacman-hook-perl complain +pacman-hook-systemd attach_disconnected,complain +pacman-key complain diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index 5e29c0153..b659675b6 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -1,4 +1,3 @@ -apt-helper complain dhclient complain dhclient-script complain dpkg complain 
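Review bot: The `archlinux)` branch in `main` keeps the old call as the commented-out line `# build_in_docker_makepkg "$COMMAND"` and replaces it with `PKGDEST=. makepkg -Cf`, which builds the Arch package directly on the host rather than in the throwaway container that the debian, ubuntu and opensuse branches still use; the dead comment should be removed, and a one-line comment explaining why Arch alone is built on the host would help the next reader. Note that `makepkg -Cf` executes the PKGBUILD with the caller's privileges, so this branch now depends on the host having the build dependencies that `--syncdeps` previously installed inside the container. The unknown-command fall-through `*) ;;` still exits 0 silently, which predates this change but is worth a usage message now that `COMMAND` is the only input.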
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cd9a0e5a6..1bcf1e7d9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,9 +1,16 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' +bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,mediate_deleted,complain +default attach_disconnected,mediate_deleted,complain +default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain +systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain +aa-load complain +acpid attach_disconnected,complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -21,10 +28,14 @@ akonadi_newmailnotifier_agent complain akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain +alacarte complain anacron complain -apt-methods-sqv complain +appimagelauncherd complain +apport attach_disconnected,complain +apt-helper complain at complain atd complain +atril-previewer complain auditctl attach_disconnected,complain auditd attach_disconnected,complain augenrules attach_disconnected,complain @@ -35,9 +46,12 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain -calibre complain +busctl complain cc-remote-login-helper complain cctk complain +child-modprobe-nvidia attach_disconnected,complain +child-open complain +chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain 
@@ -46,8 +60,9 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws attach_disconnected,complain +cockpit-ws complain cockpit-wsinstance-factory complain +ctop complain cups-backend-beh complain cups-backend-bluetooth complain cups-backend-brf complain @@ -70,27 +85,12 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain -deb-systemd-helper complain -deb-systemd-invoke complain -debconf-escape complain -decibels complain -dino attach_disconnected,complain -discord attach_disconnected,complain -discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain -dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-db-backup complain -dpkg-maintscript-helper complain -dpkg-script-apparmor complain -dpkg-script-kmod complain -dpkg-script-linux complain -dpkg-script-systemd complain -dpkg-scripts complain -dracut-install complain +dpkg-genbuildinfo complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain 
@@ -102,19 +102,23 @@ evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain -filezilla complain -finalrd complain +file-roller complain +firefox-kmozillahelper complain firewall-applet attach_disconnected,complain firewall-config complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain +flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain +foliate attach_disconnected,complain +fractal attach_disconnected,complain fuse-overlayfs complain -gdk-pixbuf-thumbnailer complain +fusermount complain +gcr-ssh-agent complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain @@ -124,10 +128,19 @@ gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain +gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain +gnome-music attach_disconnected,complain +gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain +gnome-session complain +gnome-software complain +gnome-system-monitor attach_disconnected,complain +gnome-terminal-server complain +gnome-text-editor complain +gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain 
@@ -157,20 +170,19 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain +gsettings complain +gvfs-udisks2-volume-monitor attach_disconnected,complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl attach_disconnected,complain -hyprlock attach_disconnected,complain -hyprpaper attach_disconnected,complain -hyprpicker complain -hyprpm complain ibus-engine-table complain -ibus-memconf attach_disconnected,complain +ibus-memconf complain im-launch complain +init-exim4 complain install-info complain iwctl complain iwd complain +jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -185,20 +197,14 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain -kdestroy complain -kdump_mem_estimator complain -kdump-config attach_disconnected,complain -kdump-tools-init complain,attach_disconnected -kernel complain kernel-install complain -kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kinit complain +kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain -klist complain +kmod attach_disconnected,complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -216,16 +222,11 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain -lightdm-session complain -linux-check-removal complain -linux-update-symlinks complain locale-gen complain localectl complain -localsearch complain -localsearch-control complain -localsearch-writeback complain login attach_disconnected,complain loginctl complain +loupe attach_disconnected,complain low-memory-monitor attach_disconnected,complain lvm attach_disconnected,complain lvmconfig complain 
@@ -233,31 +234,33 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm attach_disconnected,complain -mdadm-mkconf complain +mdevctl complain +metadata-cleaner attach_disconnected,complain +mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -needrestart-hook complain -needrestart-notify complain -needrestart-restart complain -netplan attach_disconnected,complain +netplan complain +netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain +nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain -ollama attach_disconnected,complain +okular complain os-prober attach_disconnected,complain +package-data-downloader complain +packagekitd attach_disconnected,complain pam_kwallet_init complain -papers complain +pam-tmpdir-helper complain +passim complain passimd attach_disconnected,complain -pkla-admin-identities complain -pkla-check-authorization complain +pidof complain pkttyagent complain plank complain plasma_waitforname complain @@ -268,11 +271,8 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted -pollinate complain -ptyxis complain -ptyxis-agent complain -pycompile complain qdbus complain +realmd complain remmina complain run-parts complain runuser complain 
@@ -283,17 +283,17 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap attach_disconnected,complain +snap complain +snap-bootstrap complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp attach_disconnected,complain +snap-repair complain +snap-seccomp complain snap-update-ns complain snapd complain snapd-apparmor complain -snapshot complain -speech-dispatcher complain -sshd-auth complain +snapd-core-fixup complain ssservice complain startplasma complain startx attach_disconnected,complain @@ -302,26 +302,28 @@ steam-fossilize attach_disconnected,complain steam-game-native attach_disconnected,complain steam-game-proton attach_disconnected,complain steam-gameoverlayui attach_disconnected,complain -steam-launch attach_disconnected,complain +steam-launch complain steam-launcher attach_disconnected,complain steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain -strawberry attach_disconnected,mediate_deleted,complain sulogin complain +switcherooctl complain swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain -sysstat-sa complain -sysstat-sadc complain systemd-analyze complain systemd-ask-password complain +systemd-battery-check complain systemd-binfmt attach_disconnected,complain +systemd-bsod complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup attach_disconnected,complain +systemd-coredump attach_disconnected,mediate_deleted,complain +systemd-cryptsetup complain systemd-dissect attach_disconnected,complain systemd-escape complain +systemd-firstboot complain systemd-generator-bless-boot attach_disconnected,complain systemd-generator-cloud-init attach_disconnected,complain systemd-generator-cryptsetup attach_disconnected,complain 
@@ -329,68 +331,41 @@ systemd-generator-debug attach_disconnected,complain
 systemd-generator-ds-identify attach_disconnected,complain
 systemd-generator-environment-arch complain
 systemd-generator-environment-flatpak complain
-systemd-generator-environment-snapd attach_disconnected,complain
-systemd-generator-friendly-recovery attach_disconnected,complain
 systemd-generator-fstab attach_disconnected,complain
 systemd-generator-getty attach_disconnected,complain
 systemd-generator-gpt-auto attach_disconnected,complain
 systemd-generator-hibernate-resume attach_disconnected,complain
-systemd-generator-import attach_disconnected,complain
 systemd-generator-integritysetup attach_disconnected,complain
-systemd-generator-openvpn attach_disconnected,complain
 systemd-generator-ostree attach_disconnected,complain
-systemd-generator-rc-local attach_disconnected,complain
 systemd-generator-run attach_disconnected,complain
-systemd-generator-snapd attach_disconnected,complain
-systemd-generator-ssh attach_disconnected,complain
-systemd-generator-sshd-socket attach_disconnected,complain
 systemd-generator-system-update attach_disconnected,complain
-systemd-generator-sysv attach_disconnected,complain
-systemd-generator-tpm2 attach_disconnected,complain
-systemd-generator-user-autostart attach_disconnected,complain
-systemd-generator-user-environment attach_disconnected,complain
+systemd-generator-user-autostart complain
+systemd-generator-user-environment complain
 systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain
 systemd-inhibit attach_disconnected,complain
-systemd-initctl attach_disconnected,complain
-systemd-journald attach_disconnected,mediate_deleted
 systemd-mount complain
-systemd-network-generator attach_disconnected,complain
-systemd-nsresourced attach_disconnected,complain
-systemd-nsresourcework complain
+systemd-network-generator complain
+systemd-pcrphase complain
 systemd-portabled complain
+systemd-remount-fs complain
+systemd-resolve complain
 systemd-shutdown complain
-systemd-sleep-tlp complain
 systemd-socket-proxyd complain
 systemd-udevd attach_disconnected,complain
-systemd-user-sessions attach_disconnected,complain
+systemd-user-sessions complain
+systemd-userdbd attach_disconnected,mediate_deleted,complain
 systemd-userwork attach_disconnected,complain
 systemsettings complain
-telegram-desktop complain
-totem attach_disconnected,complain
 tracker-writeback complain
-ucf complain
-ucfq complain
-ucfr complain
-udev-ata_id complain
-udev-bcache-export-cached complain
-udev-cdrom_id complain
 udev-dmi-memory-id complain
-udev-fido_id complain
-udev-hdparm complain
-udev-probe-bcache complain
 udisksctl complain
 udisksd attach_disconnected,complain
-ufw complain
-update-catalog complain
 update-grub complain
-update-info-dir complain
 update-secureboot-policy complain
-update-shells complain
-userdbctl attach_disconnected,complain
+userdbctl complain
 utempter attach_disconnected,complain
-veracrypt complain
 virt-manager attach_disconnected,complain
 virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
@@ -399,22 +374,18 @@ virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
-waybar attach_disconnected,complain
-wechat attach_disconnected,complain
-wechat-appimage attach_disconnected,complain
+wg complain
 wg-quick complain
-whoopsie complain
-whoopsie-preferences complain
 wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain
 xdg-desktop-portal-rewrite-launchers complain
-xdg-desktop-portal-validate-icon attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xembedsniproxy complain
 xfce-session attach_disconnected,complain
 xsettingsd complain
+xwaylandvideobridge complain
 zpool complain
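Review bot: `-systemd-journald attach_disconnected,mediate_deleted` in the `@@ -329,68 +331,41 @@` hunk removes the one entry here that set flags without `complain`, i.e. a profile that was kept enforced while still needing `attach_disconnected` and `mediate_deleted`. Unless the journald profile was dropped from the build or those flags were moved into its header, the enforced profile now runs without them and any disconnected-path access it makes is denied instead of attached. Either keep the line or state in the commit where the flags went; this hunk begins on the previous physical line.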
diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags
index 125575ce1..c491729dc 100644
--- a/dists/flags/ubuntu.flags
+++ b/dists/flags/ubuntu.flags
@@ -1,27 +1,20 @@
-apport attach_disconnected,complain
 apport-checkreports complain
 apport-gtk complain
-apt_news attach_disconnected,complain
 apt-esm-hook complain
 apt-esm-json-hook complain
-apt-helper complain
 check-new-release-gtk complain
 do-release-upgrade complain
-dpkg-genbuildinfo complain
-esm_cache complain
-fanctl attach_disconnected,complain
 hwe-support-status complain
 list-oem-metapackages complain
 livepatch-notification complain
 notify-reboot-required complain
-package-data-downloader complain
 package-system-locked attach_disconnected,complain
+pro complain
 release-upgrade-motd complain
 software-properties-gtk complain
 ubuntu-advantage complain
 ubuntu-advantage-notification complain
 ubuntu-distro-info complain
-ubuntu-fan-net attach_disconnected,complain
 ubuntu-report complain
 update-manager attach_disconnected,complain
 update-motd-fsck-at-reboot complain
diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags
index dc984d690..bbb744355 100644
--- a/dists/flags/whonix.flags
+++ b/dists/flags/whonix.flags
@@ -1,6 +1,4 @@
 anondate complain
-apt-helper complain
-dpkg-genbuildinfo complain
 msgcollector complain
 msgcollector-br-add complain
 msgcollector-generic-gui-message complain
@@ -30,10 +28,8 @@ torbrowser-plugin-container complain
 torbrowser-start complain
 torbrowser-updater complain
 torbrowser-updater-permission-fix complain
-torbrowser-updater-permission-fix complain
 torbrowser-vaapitest complain
 torbrowser-wrapper complain
-torbrowser-wrapper complain
 whonix-firewall-edit complain
 whonix-firewall-restarter complain
 whonix-firewalld complain
diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore
index bfd8998ae..9843d249a 100644
--- a/dists/ignore/debian.ignore
+++ b/dists/ignore/debian.ignore
@@ -1,6 +1,6 @@
 # Archlinux specific
 apparmor.d/groups/pacman
-share/libalpm
+root/usr/share/libalpm
 # Ubuntu specific definition
 apparmor.d/groups/ubuntu
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index 0665edf85..0e89a76c5 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -2,13 +2,25 @@
 # File format: one ignore by line, it can be a profile name or a directory to ignore
 # Contains profiles and configuration for full system confinement, only included
-# when built with 'just fsp'
+# when built with 'make full'
 apparmor.d/groups/_full
+# Apps that should be sandboxed
+apparmor.d/groups/apps
+code
+code-wrapper
+
 # Provided by other packages
 man
 # Work in progress profiles
-apparmor.d/groups/steam
-dunst
 plasma-discover
+steam
+steam-fossilize
+steam-game-native
+steam-game-proton
+steam-gameoverlayui
+steam-launch
+steam-launcher
+steam-runtime
+steamerrorreporter
diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore
index 7f79b77ef..0d393c6c1 100644
--- a/dists/ignore/opensuse.ignore
+++ b/dists/ignore/opensuse.ignore
@@ -1,6 +1,6 @@
 # Archlinux specific
 apparmor.d/groups/pacman
-share/libalpm
+root/usr/share/libalpm
 # Debian specific definition
 apparmor.d/groups/apt
diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore
index eb0df718f..714fa3273 100644
--- a/dists/ignore/ubuntu.ignore
+++ b/dists/ignore/ubuntu.ignore
@@ -1,6 +1,7 @@
 # Archlinux specific
 apparmor.d/groups/pacman
-share/libalpm
+root/etc/xdg/autostart/apparmor-notify.desktop
+root/usr/share/libalpm
 # OpenSUSE specific definition
 apparmor.d/groups/suse
diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore
index 959f8ce6e..5370a0f95 100644
--- a/dists/ignore/whonix.ignore
+++ b/dists/ignore/whonix.ignore
@@ -1,6 +1,6 @@
 # Archlinux specific definition
 apparmor.d/groups/pacman
-share/libalpm
+root/usr/share/libalpm
 # OpenSUSE specific definition
 apparmor.d/groups/suse
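Review bot: The comment `# Apps that should be sandboxed` above the new `apparmor.d/groups/apps`, `code` and `code-wrapper` entries in main.ignore describes an intent rather than the effect of the lines: per the file's own header this is an ignore list, so these profiles are left out of the build and the programs presumably run with no apparmor.d profile at all. A comment naming the consequence, e.g. `# Apps that should be sandboxed instead of profiled (not built, no profile is shipped)`, would stop a reader taking the entry for a hardening step. The nine `steam*` profiles now listed under `# Work in progress profiles` still receive flags in the flags file earlier in this diff (its `@@ -302,26 +302,28 @@` hunk sets `+steam-launch complain` and keeps `steam-game-native`, `steam-gameoverlayui` and the others); if the ignore applies to the same build those flag entries are dead, so one of the two lists probably needs to follow the other.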
diff --git a/dists/overwrite b/dists/overwrite
index 70ee1cc41..bea6d574b 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -1,12 +1,10 @@
-# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d
-# This file keeps track of them and allow apparmor.d to replace them by our own.
+# Apparmor 4.0 ships several profiles that allow userns and are otherwise
+# unconfined. This file keeps track of them and allow apparmor.d to replace
+# them by our own.
 # File format: one profile name by line.
-# Overwrite unconfined upstream profiles that only allow userns
 brave
 chrome
-chromium
-cockpit-desktop
 element-desktop
 epiphany
 firefox
@@ -14,31 +12,11 @@ flatpak
 foliate
 loupe
 msedge
-mullvad
 nautilus
 opera
-os-prober
 plasmashell
-signal-desktop
 slirp4netns
 systemd-coredump
 thunderbird
-virtiofsd
-
-# Overwrite upstreamed profiles, our local version may be more up to date
 unix-chkpwd
-
-# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
-# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
-# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
-# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go)
-fusermount3
-lsblk
-lsusb
-openvpn
-remmina
-transmission
-wg-quick
-systemd-detect-virt # Missing integration with @{p_systemd}
-hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables
-
+virtiofsd
diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash
index d9ad01221..aab16b92c 100644
--- a/dists/ubuntu/abstractions/trash
+++ b/dists/ubuntu/abstractions/trash
@@ -1,4 +1,4 @@ -abi , +abi , # requires
diff --git a/docs/abbreviations.md b/docs/abbreviations.md
deleted file mode 100644
index 32f567afe..000000000
--- a/docs/abbreviations.md
+++ /dev/null
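Review bot: The rewritten header of dists/overwrite says every listed profile is an upstream one that allows userns and is otherwise unconfined, but the list still contains `unix-chkpwd`, which the removed lines filed separately as an upstreamed profile kept because the local copy may be more up to date, so the comment no longer matches its own list. Suggest keeping that distinction on the entry, e.g. `unix-chkpwd  # upstreamed; local copy may be more up to date`. The second hunk also drops `hostname` and `systemd-detect-virt` together with their recorded reasons (`# Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables` and `# Missing integration with @{p_systemd}`); if the build now leaves those upstream profiles in place, the conflicts documented there presumably return, so the commit should say why overriding them is no longer needed.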
@@ -1,5 +0,0 @@
-
-*[MAC]: Mandatory Access Control
-*[W^X]: Write XOR Execute
-*[FSP]: Full System Policy
-*[AppArmor tunables]: AppArmor global variables
diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png
deleted file mode 100644
index 80170da1e..000000000
Binary files a/docs/assets/avatar-icon.png and /dev/null differ
diff --git a/docs/assets/stylesheets/extra.css b/docs/assets/stylesheets/extra.css
index 8691707db..3b0fc1db6 100644
--- a/docs/assets/stylesheets/extra.css
+++ b/docs/assets/stylesheets/extra.css
@@ -4,58 +4,9 @@
 --md-footer-fg-color--lighter: #b6b6b6;
 --md-footer-bg-color: transparent;
 --md-footer-bg-color--dark: transparent;
- --pg-purple: #603aa0;
- --pg-red: #c0322f;
- --pg-orange: #ac2f09;
- --pg-teal: #04756a;
- --pg-brown: #8d6e62;
- --pg-blue: #0e66ae;
- --pg-green: #2e7e31;
- --pg-blue-gray: #546d78;
 }
 [data-md-color-scheme=slate] {
 --md-footer-bg-color: transparent;
 --md-footer-bg-color--dark: var(--md-default-bg-color--darkest);
- --pg-purple: #af94de;
- --pg-red: #ff6c6a;
- --pg-orange: #e97b5a;
- --pg-teal: #8dc6c1;
- --pg-brown: #4b1d0b;
- --pg-blue: #74b9f1;
- --pg-green: #72cd75;
- --pg-blue-gray: #9ab2bc;
-}
-
-/* Badge colors */
-.pg-purple {
- color: var(--pg-purple);
-}
-
-.pg-red {
- color: var(--pg-red);
-}
-
-.pg-orange {
- color: var(--pg-orange);
-}
-
-.pg-teal {
- color: var(--pg-teal);
-}
-
-.pg-brown {
- color: var(--pg-brown);
-}
-
-.pg-blue {
- color: var(--pg-blue);
-}
-
-.pg-green {
- color: var(--pg-green);
-}
-
-.pg-blue-gray {
- color: var(--pg-blue-gray);
-}
+}
\ No newline at end of file
diff --git a/docs/configuration.md b/docs/configuration.md
index 5e1c7992f..e784dcb82 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
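Review bot: The new end of extra.css is `+}` followed by `\ No newline at end of file`, so the file now ends without a trailing newline while the old side's closing `-}` had one. Add the newline so the closing brace does not show up as changed again in the next diff and so tools that concatenate stylesheets do not glue the next file onto `}`.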
@@ -2,206 +2,107 @@ title: Configuration --- -This project is designed in such a way that it is easy to personalize it to fit any system. -It is mostly done by setting personalized XDG like directories in AppArmor tunables. More advanced configuration can be done by adding your own rules in local profile addition. +## AppArmor + +As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`. + +```sh +echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf +echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf +``` + +!!! info + + See [Speed up AppArmor Start] on the Arch Wiki for more information: + [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles + + +## Personal directories !!! danger - You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. + You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. - This part is vital to ensure that the profiles are correctly configured for your system. It will lead to breakage if not done correctly. +This project is designed in such a way that it is easy to personalize the directories your programs have access by defining a few variables. +The profiles heavily use the (largely extended) XDG directory variables defined in the **[Variables Reference](variables.md)** page. -## Personalize Apparmor +??? note "XDG variables overview" -### Tunables + See **[Variables Reference](variables.md)** page for more. -The profiles heavily use the **largely extended** [XDG directory variables](#xdg-variables). All the variables are list you can append with your own values. 
+ | Description | Name | Value | + |-------------|:----:|---------| + | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | + | Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | + | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | + | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | + | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | + | Music | `@{XDG_MUSIC_DIR}` | `Music` | + | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | + | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | + | Books | `@{XDG_BOOKS_DIR}` | `Books` | + | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | + | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | + | Sync | `@{XDG_SYNC_DIR}` | `Sync` | + | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | + | Vm | `@{XDG_VM_DIR}` | `.vm` + | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | -1. First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: - ```sh - sudo mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d - ``` -2. Then create a `local` addition file in it where you define your own personal directories. *Example:* - ```sh - @{XDG_VIDEOS_DIR}+="Films" - @{XDG_MUSIC_DIR}+="Musique" - @{XDG_PICTURES_DIR}+="Images" - @{XDG_BOOKS_DIR}+="BD" "Comics" - @{XDG_PROJECTS_DIR}+="Git" "Papers" - ``` -3. Then restart the AppArmor service to reload the profiles in the kernel: - ```sh - sudo systemctl reload apparmor.service - ``` +You can personalize these values. -### Profile Additions +First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: +``` +sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d +``` +Then create a `local` addition file in it where you define your own personal +directories. 
Example: +```sh +@{XDG_VIDEOS_DIR}+="Films" +@{XDG_MUSIC_DIR}+="Musique" +@{XDG_PICTURES_DIR}+="Images" +@{XDG_BOOKS_DIR}+="BD" "Comics" +@{XDG_PROJECTS_DIR}+="Git" "Papers" +``` -You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of the profile you want to personalize. +Then restart the AppArmor service to reload the profiles in the kernel: +```sh +sudo systemctl restart apparmor.service +``` -**Example** - -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: - -1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: - ```sh - /** r, - ``` - You call also restrict this to specific directories: - ```sh - /etc/** r, - /srv/** r, - /var/** r, - ``` -2. Then restart the AppArmor service to reload the profiles in the kernel: - ```sh - sudo systemctl reload apparmor.service - ``` - -### XDG variables - -Please ensure that all personal directories you are using are well-defined XDG directory defined below. If not, personalize the [variables](#tunables) to your own settings. - -??? quote "**User directories**" - -
- - | Description | Name | Default Value(s) | - |-------------|------|---------------| - | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | - | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | - | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | - | Music | `@{XDG_MUSIC_DIR}` | `Music` | - | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | - | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | - | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | - | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | - | Books | `@{XDG_BOOKS_DIR}` | `Books` | - | Games | `@{XDG_GAMES_DIR}` | `.games` | - | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | - | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | - | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | - | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | - | Work | `@{XDG_WORK_DIR}` | `Work` | - | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | - | Sync | `@{XDG_SYNC_DIR}` | `Sync` | - | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | - | Vm | `@{XDG_VM_DIR}` | `.vm` | - | Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | - | Disk images | `@{XDG_IMG_DIR}` | `images` | - | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | - -
- -??? quote "**Dotfiles**" - -
- - | Description | Name | Default Value(s) | - |-------------|------|------------------| - | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | - | Config | `@{XDG_CONFIG_DIR}` | `.config` | - | Data | `@{XDG_DATA_DIR}` | `.local/share` | - | State | `@{XDG_STATE_DIR}` | `.local/state` | - | Bin | `@{XDG_BIN_DIR}` | `.local/bin` | - | Lib | `@{XDG_LIB_DIR}` | `.local/lib` | - | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | - | SSH | `@{XDG_SSH_DIR}` | `.ssh` | - | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | - | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | - -
- -??? quote "**Full configuration path**" - -
- - | Description | Name | Default Value(s) | - |-------------|:----:|---------------| - | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | - | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | - | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | - | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | - | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | - | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | - | Build | `@{user_build_dirs}` | `/tmp/build/` | - | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | - -
- -??? quote "**Full user path**" - -
- - | Description | Name | Default Value(s) | - |-------------|:----:|---------------| - | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | - | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | - | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | - | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` | - | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | - | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | - | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | - | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | - | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | - | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | - | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | - | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` | - | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | - | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | - | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | - | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | - | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | - | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | - -
- -System variables can also be personalized, they are defined in the **[Variables Reference](variables.md)** page. - - -## Program Personalization - -### Examples - -All profiles use the variables defined above. Therefore, you can personalize them by setting your own values in `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`. +**Examples** - For git support, you may want to add your `GO_PATH` in the `XDG_PROJECTS_DIR`: ```sh @{XDG_PROJECTS_DIR}+="go" ``` - - If you use Keepass, personalize `XDG_PASSWORD_STORE_DIR` with your password directory. Eg: ```sh @{XDG_PASSWORD_STORE_DIR}+="@{HOME}/.keepass/" ``` - - Add pacman integration with your AUR helper. Eg for `yay`: ```sh @{user_pkg_dirs}+=@{user_cache_dirs}/yay/ ``` -### Mount points +## Local profile extensions -Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. +You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of your profile. For example, to extend the `foo` profile, create a file `/etc/apparmor.d/local/foo` and add your rules in it. **Example** -If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: -```sh -@{MOUNTS}+=/ssd/ -``` +- `child-open`, a profile that allows other program to open resources (URL, picture, books...) with some predefined GUI application. To allow it to open URLs with Firefox, create the file `/etc/apparmor.d/local/child-open` with: + ```sh + @{bin}/firefox rPx, + ``` - + This is an example, no need to add Firefox into `child-open`, it is already there. -### File browsers +!!! info -All supported file browsers (`nautilus`, `dolphin`, `thunar`) are configured to only access user files. If you want to allow access to system files, you can create a local profile addition file for the file browser you are using. 
+ `rPx` allows transition to the Firefox profile. Use `rPUx` to allow transition to an unconfined state if you do not have the profile for a given program. -### Games -In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may need to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. - -The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive, you should personalize `@{user_games_dirs}` instead. +Then, reload the AppArmor rules with `sudo systemctl restart AppArmor`. diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index cd82f5d21..82c7f4b04 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
@@ -19,27 +19,6 @@ This project and the official apparmor-profiles project provide a large selectio All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/.d` where `` is the name of one of these abstractions. -## Architecture - -Abstraction are structured in layers as follows: - -- **Layer 0:** for core atomic functionalities. They cannot include other abstractions. - - E.g.: *this resource uses* `mesa`, `openssl`, `bash-strict`, `gtk`... - -- **Layer 1:** for generic access. Cannot be architecture or device specific. Needs to be agnostic. - - E.g.: *This program needs/has this resource.* `nameservice`, `authentication`, `base`, `shell`, `graphics`, `audio-client`, `desktop`, `kde`, `gnome`... - -- **Layer 2:** for common kind of program. Only present inside `abstraction/common`. Multiple layer 2 can be used alongside with layer 1 and 0 abstractions. - - E.g.: *This program kind is* is a game, an electron app, a gnome app, sandboxed with bwrap app, a systemd app... - -- **Layer 3:** for application. Only present inside `abstraction/app`. The use of a layer 3 abstraction usually means you should not use any other abstractions (but base). Not a strict rule, but a good practice. Mostly used to provide common rules for subprofiles where the subprofiles only need to add rules for the specific use case. - - E.g.: *This program is* `firefox`, `sudo`, `systemctl`, `pgrep`, `editor`, `chromium`... - - ## Application helper Abstraction that aims at including a complete set of rules for a given program. The calling profile only needs to add rules dependant of its use case/program. 
@@ -64,67 +43,9 @@ A full set of rules for all chromium based browsers. It works as a *function* an If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron) instead. -### **`app/firefox`** - -Similar to `app/chromium` but for Firefox based browsers (and thunderbird). It requires the same *arguments* as `app/chromium`: - - -## Context helper - -These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case. - -### **`app/editor`** - -A minimal set of rules for profiles including terminal editor. It is intended to be used in profiles or sub-profiles that need to edit file using the user editor of choice. The following editors are supported: - -- neo vim -- vim -- nano - -```sh - @{editor_path} rCx -> editor, - - profile editor { - include - include - - include if exists _editor> - } -``` - -### **`app/kmod`** - -A minimal set of rules for profiles that need to load kernel modules. It is intended to be used in profiles or sub-profiles that need to load kernel modules for a very specific action: - -```sh - @{bin}/modprobe rCx -> kmod, - - profile kmod { - include - include - - include if exists _kmod> - } -``` - -### **`app/open`** - -Set of rules for `child-open-*` profiles. It should usually not be used directly in a profile. ### **`app/pgrep`** - Minimal set of rules for pgrep/pkill. It is intended to be used in profiles or sub-profiles that need to use `pgrep` or `pkill` for a very specific action: - - ```sh - @{bin}/pgrep rCx -> pgrep, - - profile pgrep { - include - include - - include if exists _pgrep> - } - ``` ### **`app/sudo`** 
@@ -140,26 +61,9 @@ A minimal set of rules for profiles including internal `sudo`. Interactive sudo } ``` - -### **`app/pkexec`** - -A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo`, it should be used in profiles or sub-profiles that need to elevate their privileges using `pkexec` for a very specific action: - -```sh - @{bin}/pkexec rCx -> pkexec, - - profile pkexec { - include - include - - include if exists _pkexec> - } -``` - ### **`app/systemctl`** -An alternative solution for [child-systemctl](internal.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: - +An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: ```sh @{bin}/systemctl rCx -> systemctl, @@ -171,20 +75,6 @@ An alternative solution for [child-systemctl](internal.md#children-profiles), wh } ``` -### **`app/udevadm`** - -A minimal set of rules for profiles including internal `udevadm` as read-only. It is intended to be used in profiles or sub-profiles that need to use `udevadm` for a very specific action: - -```sh - @{bin}/udevadm rCx -> udevadm, - - profile udevadm { - include - include - - include if exists _udevadm> - } -``` ## Common Dependencies @@ -217,14 +107,6 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. -It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: - -!!! note "" - - [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) - ``` sh linenums="24" - @{domain} = org.chromium.Chromium - ``` ### **`common/electron`** 
@@ -235,21 +117,11 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify - @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} ``` -### **`common/game`** - -Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. - -This abstraction uses the following tunables: - -- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) -- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir) - ### **`common/systemd`** Common set of rules for internal systemd suite. @@ -326,9 +198,6 @@ Common rules for interactive shell using bash. Common rules for interactive shell using zsh. -### **`fish`** - -Common rules for interactive shell using fish. ## System @@ -344,10 +213,6 @@ Use this abstraction instead of upstream `abstractions/nameservice` as upstream Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. -### **`app-launcher-root`** - -### **`app-launcher-user`** - ## Devices diff --git a/docs/development/build.md b/docs/development/build.md deleted file mode 100644 index b767e4e4e..000000000 --- a/docs/development/build.md +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -title: Building the profiles ---- - -The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. - -The build system is fully configurable, general usage can be seen with: -```sh -go run ./cmd/prebuild -h -``` - -``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] - - Prebuild apparmor.d profiles for a given distribution and apply - internal built-in directives. - -Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. - -F, --file Only prebuild a given file. - --debug Enable debug mode. 
- -Prepare tasks: - configure - Set distribution specificities - setflags - Set flags on some profiles - fsp - Configure AppArmor for full system policy - merge - Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory - overwrite - Overwrite dummy upstream profiles - synchronise - Initialize a new clean apparmor.d build directory - ignore - Ignore profiles and files from: - server - Configure AppArmor for server - systemd-default - Configure systemd unit drop in files to a profile for some units - systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor - attach - Configure tunable for re-attached path - -Build tasks: - userspace - Fix: resolve variable in profile attachments - abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 - attach - Feat: re-attach disconnected path - base-strict - Feat: use 'base-strict' as base abstraction - complain - Build: set complain flag on all profiles - debug - Build: debug mode enabled - enforce - Build: all profiles have been enforced - fsp - Feat: prevent unconfined transitions in profile rules - hotfix - Fix: temporary solution for #74, #80 & #235 - stacked-dbus - Fix: resolve peer label variable in dbus rules - -Directive: - #aa:dbus own bus= name= [interface=AARE] [path=AARE] - #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] - #aa:dbus common bus= name= label= - #aa:exec [P|U|p|u|PU|pu|] profiles... - #aa:only filters... - #aa:exclude filters... - #aa:stack [X] profiles... -``` - -## Prepare Tasks - -### **`synchronise`** - -Initialize a new clean `apparmor.d` build directory in `.build/`. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`ignore`** - -Ignore profiles and files as defined in the `dist/ignore` directory. See [workflow](workflow.md#ignore-profiles). - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`server`** - -Configure AppArmor for server. 
Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). - -*Enable with the `--server` option in the prebuild command.* - -### **`merge`** - -Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`configure`** - -Set distribution specificities as defined in [`pkg/prebuild/prepare/configure.go`](https://github.com/roddhjav/apparmor.d/blob/main/pkg/prebuild/prepare/configure.go) - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`setflags`** - -Set flags on profiles as defined in the [flags manifest](workflow.md#profile-flags). - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`overwrite`** - -Overwrite (dummy) upstream profiles as defined in `dist/overwrite`. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`systemd-default`** - -Install systemd unit drop in files from `systemd/default`. They configure the various dbus daemon to use specific profiles. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`systemd-early`** - -Install systemd unit drop in files from `systemd/early` to ensure some services start after AppArmor. THis task will be removed in the future, as it will not be needed any more. - -*Enabled by default. Can be disabled in `pkg/prebuild/cli/cli.go`* - -### **`fsp`** - -Configure AppArmor for full system policy. - -*Enable with the `--full` option in the prebuild command.* - - -## Build Tasks - -### **`abi3`** - -This task will convert all profiles from `abi/4.0` to `abi/3.0`. The rules not supported by `abi/3.0` are commented in the build profiles. 
- -*Enable with the `--abi 3` option in the prebuild command.* - -### **`complain | enforce`** - -Set or remove the complain flag on all profiles. The `complain` task is enabled by default. When building in enforce mode, it is disabled. Enabling the `enforce` task will enforce **all** profiles including the one set in the [flags manifest](workflow.md#profile-flags). It is intended to be used in specialized system such as a CTF challenge or in (very) high security VM. - -*Enable with the `--complain` or `--enforce` option in the prebuild command.* - -### **`userspace`** - -Resolve variables in profile attachments. It fixes issues with the userland AppArmor tools (aa-enforce, aa-logprof...) that do not support identical variable in the profiles attachments. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`attach`** - -This task reattaches disconnected paths. See the [Re-attached path](internal.md#re-attached-path) page. It will: - -- Add the `attach_disconnected.path` flag on all profiles with the `attach_disconnected` flag -- Add the `` abstraction in the profile -- For compatibility, non-disconnected profile will have the `@{att}` variable set to `/` - -*Enabled when abi >= 4.0* - -### **`hotfix`** - -Temporary fix for #74, #80 & #235. Only an issue on Gnome, can be disabled on server. - -*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* - -### **`fsp`** - -Prevent unconfined transitions in profile rules. - -*Enable with the `--full` option in the prebuild command.* diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 165626f24..98b46501c 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md 
@@ -20,19 +20,12 @@ Default **system**, **session**, and **accessibility** bus access are provided w - `abstractions/bus-session` - `abstractions/bus-accessibility` -Do not use the dbus abstractions from apparmor in this project, they won't work as expected as the dbus daemon is confined. Furthermore, in `apparmor.d` there is no such thing as a strict dbus abstraction (`abstractions/dbus-strict`) as they are strict by default: bus access needs to be explicitly allowed using an interface abstraction or a directive. - ### Interfaces Access to common dbus interfaces is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. -There is a trade of between security and maintenance to make: - -- `aa:dbus talk` will generate less issue as it gives full talk access -- `abstractions/bus/*` will provide more restriction, and possibly more issue. In the future, these rules will be automatically generated from the interface documentation. - ## Dbus Directive We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule. diff --git a/docs/development/directives.md b/docs/development/directives.md index 841bc6608..9cff8840e 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
@@ -40,7 +40,6 @@ The `only` and `exclude` directives can be used to filter individual rule or rul - A supported target distribution: `arch`, `debian`, `ubuntu`, `opensuse`, `whonix`. - A supported distribution family: `apt`, `pacman`, `zypper`. - - A supported ABI: `abi3`, `abi4`. **Example** @@ -64,7 +63,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul ## Exec -The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directive parses and resolves the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. +The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directives parse and resolve the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. **Format** @@ -104,7 +103,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho ## Stack -[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always including access from the *child* profile. In most profile using stacking, the *child* profile is often naturally included in the *parent*. However, sometime the child profile is fully different. This directive automatically include the stacked profile rules into the parent profile. +[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always include the stacked profile rules. This directive automatically include the stacked profile rules into the parent profile. **Format** 
@@ -116,9 +115,6 @@ The `exec` directive is useful to allow executing transitions to a profile witho : List a profile **files** to stack at the end of the current profile. -**`[X]`** - -: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. It is not enabled by default as it may conflict with the parent profile. Indeed, automatically adding `Px` and `ix` transition in a profile is a very effective way to have conflict between transitions as you can automatically add rule already present in the profile but with another transition (you would then get the AppArmor error: `profile has merged rule with conflicting x modifiers`). **Example** @@ -140,13 +136,14 @@ The `exec` directive is useful to allow executing transitions to a profile witho include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/notify rw, + owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index fad901581..b359576aa 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md 
@@ -11,7 +11,7 @@ The logic behind it is that if a rule is present in a profile, it should only be For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: * A profile has access to a given resource -* A profile enforces a strict [write xor execute](https://en.wikipedia.org/wiki/W%5EX) (W^X) policy. +* A profile enforces a strict [write xor execute] (W^X) policy. It also improves compatibilities and makes personalization easier thanks to the use of more variables. @@ -78,14 +78,14 @@ The file block should be sorted as follows: The dbus block should be sorted as follows: - The system bus should be sorted *before* the session bus -- The bind rules should be sorted *after* send & receive rules +- The bind rules should be sorted *after* the send & receive rules For DBus, try to determine peer's label when possible. E.g.: ``` dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=org.freedesktop.DBus, label=dbus-session), ``` If there is no predictable label it can be omitted. 
@@ -115,20 +115,14 @@ If there is no predictable label it can be omitted. /var/lib/dbus/machine-id r, ``` -#### :material-numeric-5-circle: Limit the use of `deny` -: The use of `deny` should be limited to the minimum: +## Additional recommended documentation - - In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control")) - - `deny` rules are enforced even in complain mode, - - If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")). - -#### :material-numeric-6-circle: Comments - -: Ensure you only have useful comments. E.g.: - ``` - # Config files for foo - owner @{user_config_dirs}/foo/{,**} r, - ``` - Does not help, and if generalized it would add a lot of complexity to any profiles. +* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) +* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html +* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) +* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) +* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) +[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/docs/development/index.md b/docs/development/index.md index f44d86aee..c12226a7a 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -4,38 +4,31 @@ title: Development If you're looking to contribute to `apparmor.d` you can get started by going to the project [GitHub repository](https://github.com/roddhjav/apparmor.d/)! All contributions are welcome no matter how small. In this page you will find all the useful information needed to contribute to the apparmor.d project. -??? info "How to contribute pull requests?" +??? info "How to contribute pull requests" 1. If you don't have git on your machine, [install it](https://help.github.com/articles/set-up-git/). - 1. Fork this repo by clicking on the fork button on the top of the [project GitHub](https://github.com/roddhjav/apparmor.d) page. - 1. [Generate a new SSH key]( https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) and add it to your GitHub account. - 1. Clone the forked repository and go to the directory: + 2. Fork this repo by clicking on the fork button on the top of the [project GitHub][project] page. + 3. Clone the forked repository and go to the directory: ```sh - git clone git@github.com:your-github-username/apparmor.d.git + git clone https://github.com/your-github-username/apparmor.d.git cd apparmor.d ``` - 1. Create a branch: + 4. Create a branch: ``` git checkout -b my_contribution ``` - 1. Make the changes and commit: + 5. Make the changes and commit: ``` git add git commit -m "A message to sum up my contribution" ``` - 1. Push changes to GitHub: + 6. Push changes to GitHub: ``` git push origin my_contribution ``` - 1. Submit your changes for review: If you go to your repository on GitHub, + 7. Submit your changes for review: If you go to your repository on GitHub, you'll see a Compare & pull request button, fill and submit the pull request. -
- -- :material-arrow-right:   **[See the workflow to write profiles](workflow.md)** - -
- ## Project rules 
@@ -62,11 +55,48 @@ If you're looking to contribute to `apparmor.d` you can get started by going to your devices or for your use case. -## Recommended documentation +## Add a profile -* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) -* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) -* [SUSE Documentation](https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html) -* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) -* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) -* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) +!!! danger "Warning" + + Following the [profile guidelines](guidelines.md) is **mandatory** for all new profiles. + + +1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`][profiles-a-f]. + If your profile is part of a large group of profiles, it can also go in + [`apparmor.d/groups`][groups]. + +2. Write the profile content, the rules depend on the confined program, + Here is the bare minimum for the program `foo`: +``` sh +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/foo +profile foo @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor +``` + + +3. You can automatically set the `complain` flag on your profile by editing the file [`dists/flags/main.flags`][flags] and add a new line with: `foo complain` + +4. Build & install for your distribution. 
+ + +[project]: https://github.com/roddhjav/apparmor.d + +[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags +[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f +[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups diff --git a/docs/development/install.md b/docs/development/install.md new file mode 100644 index 000000000..74271c13c --- /dev/null +++ b/docs/development/install.md 
@@ -0,0 +1,55 @@ +--- +title: Installation +--- + +## Development Install + +!!! warning + + Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. You have been warned! + + See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. + + +**:material-docker: Docker** + +For any system with docker installed you can simply build the package with: +```sh +make package dist= +``` +Then you can install the package with `dpkg`, `pacman` or `rpm`. + +**:material-arch: Arch Linux** +```sh +make pkg +``` + +**:material-ubuntu: Ubuntu & :material-debian: Debian** +```sh +make dpkg +``` + +**:simple-suse: openSUSE** +```sh +make rpm +``` + + +## Profile flags + +Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. + +For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: +```sh +adb complain +``` + +Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: +```sh +gnome-shell attach_disconnected,mediate_deleted,complain +``` + + +## Ignore profiles + +It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/development/integration.md b/docs/development/integration.md index b5c740f78..f829fb69f 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md 
@@ -2,61 +2,147 @@ title: Integration Tests --- -The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. +!!! danger "Work in Progress" -Although the integration test suite is intended to be run in a [Development VM](vm.md), it is also deployed the GitHub Action pipeline. +The purpose of integration testing in apparmor.d is to ensure the profiles are not going to break programs found in Linux distributions and Desktop Environment that we support. **Workflow** 1. Create a testing VM -2. Run the integration tests against the testing VM -3. Ensure no new logs have been raised +2. Start the VM, do some dev +3. Run the integration tests against the testing VM +4. Ensure no new logs have been raised -## Getting started -**Prepare the test environment:** +## Test Virtual Machines + +The test VMs are built using [`cloud-init`][cloud-init] (when available), [`packer`][packer], and [`vagrant`][vagrant] on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. + +[cloud-init]: https://cloud-init.io/ +[packer]: https://www.packer.io/ +[vagrant]: https://www.vagrantup.com/ + +### Requirements + +* docker +* [packer] +* [vagrant] +* vagrant plugin install vagrant-libvirt + +!!! 
note + + You may need to edit some settings to fit your setup: + + - The libvirt configuration in `tests/Vagrantfile` + - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` + +### Build + +**Build an image** + +To build a VM image for development purpose, run the following from the `tests` directory: + +| Distribution | Flavor | Build command | VM name | +|:------------:|:------:|:-------------:|:-------:| +| Arch Linux | Gnome | `make archlinux flavor=gnome` | `arch-gnome` | +| Arch Linux | KDE | `make archlinux flavor=kde` | `arch-kde` | +| Debian | Server | `make debian flavor=server` | `debian-server` | +| openSUSE | KDE | `make opensuse flavor=kde` | `opensuse-kde` | +| Ubuntu | Server | `make ubuntu flavor=server` | `ubuntu-server` | +| Ubuntu | Desktop | `make ubuntu falvor=desktop` | `ubuntu-desktop` | + +**VM management** + +The development workflow is done through vagrant: + +* Star a VM: `vagran up ` +* Shutdown a VM: `vagrant halt ` +* Reboot a VM: `vagrant reload ` + +The available VM `name` is defined in the `tests/boxes.yml` file + + +### Develop + +**Credentials** + +The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. + +**Directories** + +All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. apparmor.d is mounted as `/home/user/Projects/apparmor.d` + +**Usage** + +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. + + +## Tests + +!!! 
warning + + The test suite is expected to be run in a [VM](#test-virtual-machines) + +### Getting started + +Prepare the test environment: ```sh -just img -just create +cd tests +make falvor= +AA_INTEGRATION=true vagrant up ``` -Example: +Run the integration tests on the test VM: ```sh -just img ubuntu25 desktop -just create ubuntu25 desktop +make integration box= IP= ``` -**Install dependencies for the integration tests** +### Create integration tests + +**Test suite usage** + +Initialise the tests with: ```sh -just tests-init +./aa-test --bootstrap ``` -Example: +List the tests scenarios to be run ```sh -just tests-init ubuntu25 desktop +./aa-test --list ``` -**Run the integration tests** - -It: synchronizes the tests, unmount the shared directory, then run the tests. +Start the tests and collect the results ```sh -just tests-run +./aa-test --run ``` -Example: -```sh -just tests-run ubuntu25 desktop -``` - -Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: -```sh -just tests-run ubuntu25 desktop apt -``` - -## Create integration tests - -All integration tests are written in [Bats](https://github.com/bats-core/bats-core) and are located in the `tests/integration` directory. The initial tests have been generated using [tldr page](https://tldr.sh/) with the following command: - -```sh -go run ./tests/cmd --bootstrap +**Tests manifest** + +A basic set of test is generated on initialisation. More tests can be manually written in yaml file. 
They must have the following structure: + +```yaml +- name: acpi + profiled: true + root: false + require: [] + arguments: {} + tests: + - dsc: Show battery information + cmd: acpi + stdin: [] + - dsc: Show thermal information + cmd: acpi -t + stdin: [] + - dsc: Show cooling device information + cmd: acpi -c + stdin: [] + - dsc: Show thermal information in Fahrenheit + cmd: acpi -tf + stdin: [] + - dsc: Show all information + cmd: acpi -V + stdin: [] + - dsc: Extract information from `/proc` instead of `/sys` + cmd: acpi -p + stdin: [] ``` diff --git a/docs/development/internal.md b/docs/development/internal.md deleted file mode 100644 index c90391b04..000000000 --- a/docs/development/internal.md +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -title: Internal ---- - -## Profile Context - -These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case. - -See [abstractions/app](abstractions.md#context-helper) for more information. - - -## Open Resources - -The standard way to allow opening resources such as URL, pictures, video, in this project is to use one of the `child-open` profile available in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. - -**Example:** -```sh -@{open_path} rPx -> child-open, -``` - - -### Manual - -Directly using any of the following: - -- `@{bin}/* PUx,` -- `include ` -- `include ` - -Allow every installed program to be started from the current program with or without profile. This is a very permissive rule and should be avoided if possible. They are however legitimately needed for program launcher. - -### **`child-open`** - -Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. - -??? 
quote "[children/child-open](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open)" - - ``` aa - # Sandbox managers - @{bin}/bwrap rPUx, - @{bin}/firejail rPUx, - @{bin}/flatpak rPx, - @{bin}/snap rPx, - - # Labelled programs - @{archive_viewers_path} rPUx, - @{browsers_path} rPx, - @{document_viewers_path} rPUx, - @{emails_path} rPUx, - @{file_explorers_path} rPx, - @{help_path} rPx, - @{image_viewers_path} rPUx, - @{offices_path} rPUx, - @{text_editors_path} rPUx, - - # Others - @{bin}/blueman-tray rPx, - @{bin}/discord{,-ptb} rPx, - @{bin}/draw.io rPUx, - @{bin}/dropbox rPx, - @{bin}/element-desktop rPx, - @{bin}/extension-manager rPx, - @{bin}/filezilla rPx, - @{bin}/flameshot rPx, - @{bin}/gimp* rPUx, - @{bin}/gnome-calculator rPUx, - @{bin}/gnome-disk-image-mounter rPx, - @{bin}/gnome-disks rPx, - @{bin}/gnome-software rPx, - @{bin}/gwenview rPUx, - @{bin}/kgx rPx, - @{bin}/qbittorrent rPx, - @{bin}/qpdfview rPx, - @{bin}/smplayer rPx, - @{bin}/steam-runtime rPUx, - @{bin}/telegram-desktop rPx, - @{bin}/transmission-gtk rPx, - @{bin}/viewnior rPUx, - @{bin}/vlc rPUx, - @{bin}/xbrlapi rPx, - - # Backup - @{lib}/deja-dup/deja-dup-monitor rPx, - ``` - -### **`child-open-browsers`** - - This version of child-open only allow to open browsers. - -??? quote "[children/child-open-browsers](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-browsers)" - - ``` aa - @{browsers_path} rPx, - ``` - -### **`child-open-help`** - -This version of child-open only allow to open browsers and help programs. - -??? quote "[children/child-open-help](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-help)" - - ``` aa - @{browsers_path} rPx, - @{help_path} rPx, - ``` - -### **`child-open-strict`** - -This version of child-open only allow to open browsers & folders: - -??? 
quote "[children/child-open-strict](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-strict)" - - ``` aa - @{browsers_path} Px, - @{file_explorers_path} Px, - ``` - - -!!! warning - - Although needed to not break a program, wrongly used these profiles can lead to confinment escape. - - -## Children profiles - -Usually, a child profile is in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. They have the following note: - -!!! quote - - Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. - - - -### **`child-modprove-nvidia`** - -Used internally by the `nvidia` abstraction. - -### **`child-pager`** - -Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. Supported pagers are: `sensible-pager`, `pager`, `less`, and `more`. -It can be as follows in a profile: -``` - @{pager_path} rPx -> child-pager, -``` - -### **`child-systemctl`** - -Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. - -It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) everything that is not generic and that may require some access (so restart, enable...), while `child-systemctl` can handle the more basic tasks. - - -## Labelled programs - -All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and -[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. 
They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path. - -## Re-attached path - -**[:material-tag-heart-outline: abi/4.0]("Minimum version")** - -The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended). -It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs. - -AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provides an important security improvement from AppArmor 3.0. - -**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be: - -- `@{att}=/att/` for profile with `attach_disconnect` flag. -- `@{att}=/` for other profiles - - -## User Confinement - -[:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Full System Policy only (FSP)") - -!!! warning "TODO" - - -## No New Privileges - -[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). 
- -The possible solutions are: - -* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). -* Inherit the current confinement (`ix`) -* [Stacking](#stacking) - -## Stacking - -[Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) of two or more profile is the strict intersection them. It is a way to ensure that a profile never becomes more permissive than the intersection of all profiles in the stack. It provides several abilities to the policy author: - -- It can be used to ensure that confinement never becomes more permissive. -- To reduce the permissions of a generic profile on a specific task. -- To provide both system level and container and user level policy (when combined with policy namespaces). - -!!! note "" - - [apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/b51576139b3ed3125aaa3ea4d737a77baac0f00e/apparmor.d/groups/browsers/chromium#L25) - ``` aa linenums="23" - profile chromium @{exec_path} { - ... - @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler, - ... - } - ``` - -## Udev rules - -See the **[kernel docs](https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt)** to check the major block and char numbers used in `/run/udev/data/`. - -Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: - -!!! note "" - - [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) - ``` aa linenums="179" - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - ``` 
diff --git a/docs/development/recommendations.md b/docs/development/recommendations.md deleted file mode 100644 index bbe41bc4e..000000000 --- a/docs/development/recommendations.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Recommendations ---- - -## Renaming of profiles - -For security reason, once loaded into the kernel, a profile cannot get fully removed. Therefore, by renaming a profile, you create a second profile with the same attachment. AppArmor will not be able to determine witch one to use leading to breakage. - -A reboot is required to fully remove the profile from the kernel. - - -## Programs to not confine - -Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. - -These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre. - -It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: -```sh - /etc/{,**} rw, -``` - -However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: - -1. How do we know the exhaustive list of *sensitive files* in `/etc`? -2. How do we ensure access to these sensitive files is not required? -3. This breaks the principle of mandatory access control. - See the [first rule of this project](index.md#project-rules) which is to only allow - what is required. Here we allow everything and blacklist some paths. - -It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: - -* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: - -!!! 
note "" - - [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) - ``` aa linenums="123" - profile diff { - include - include - - @{bin}/ r, - @{bin}/pager mr, - @{bin}/less mr, - @{bin}/more mr, - @{bin}/diff mr, - - owner @{HOME}/.lesshs* rw, - - # Diff changed config files - /etc/** r, - - # For shell pwd - /root/ r, - - } - ``` - -* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: - -!!! note "" - - [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 - ) - ``` aa linenums="20" - @{bin}/diff rix, - ``` - -**What if I still want to protect these programs?** - -You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. - -!!! example "To sum up" - - 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` - 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` - 3. Use [Toolbox](https://containertoolbx.org/) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md deleted file mode 100644 index 379241a49..000000000 --- a/docs/development/roadmap.md +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -title: Roadmap ---- - -## Toward a stable release - -This is the current list of features that must be implemented to get to a stable release - -- [x] **[Play machine](https://github.com/roddhjav/play)** - -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups - - [ ] Provide complain/enforced packages version - - [ ] normal/FSP/server packages variants - -- [ ] **Build system** - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` - -- [ ] **Tests** - - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) - - [ ] Small integration tests for all core profiles (see [tests/integration](integration.md)) - -- [ ] **Documentation** - - [ ] Initial draft of the security model and goal - - [ ] General documentation improvements - -- [ ] **General improvements** - - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - -- [ ] **Abstractions** - - [ ] Document all abstractions - - [ ] Split and reorganize some big abs into set of smaller abstractions. - Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) - - [ ] Abstraction based profiles: - Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). - - [ ] Test new interface like abstractions - - notifications - - audio-bluetooth - - secrets-service - - media-keys - - ... - - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. 
- - [ ] Rewrite the DE specific abstraction to be a layer 1 abs - -- [ ] **Security improvements** - - [ ] Limit the use of `abstractions/common/systemd` - - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) - - [ ] Revisit the usae of `systemd-tty-ask-password-agent` - -## Next features - -- [ ] **Conditions** - - [ ] Integrate the new condition feature in the profiles and restrict them a lot according to the application actually in use. Eg: `Gnome | KDE`, `X11 | Wayland`, etc. - - [ ] Create a new `aa-config` tool, similar to seboolean, to manage various settings, based on conditions. - -- [ ] **User Data** - - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - - [ ] Add a prompt listener to handle the user data access. - -- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [x] Remove the `default` profile - -- [ ] **Define roles** - - [ ] Unrestricted shell role without FSP enabled - - [ ] Define the roles when FSP is enabled - -## Done - -**General improvements** - -- [x] The apt/dpkg profiles has been rewritten - -**Abstractions** - -- [x] New `audio-client` and `audio-server` abstractions -- [x] New desktop agnostic `desktop` abstraction for all common access for any GUI app. -- [x] New `graphics` abstraction, hardware-agnostic. Fully replace and restrict the old `opencl` abstractions -- [x] All new abstractions are documented in the [abstractions](abstractions.md) page - -**Dbus** - -- [x] New `dbus-{system,session,accessibility}` profiles. Works regardless of the dbus implementation in use. -- [x] New talk directive: Allow the application to talk to session services. (send to) -- [x] New own directive: Allow the application to own session services under the given name. 
(receive, send, bind) -- [x] New `bus-{system,session,accessibility}` abstraction to be used in the profiles - -**Directives** - -- [x] Add directive. See the [directive](directives.md) page - diff --git a/docs/development/structure.md b/docs/development/structure.md new file mode 100644 index 000000000..0035b6c90 --- /dev/null +++ b/docs/development/structure.md 
@@ -0,0 +1,156 @@ +--- +title: Structure +--- + +Description of common structure found across various AppArmor profiles + + +## Programs to not confine + +Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. + +These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theater. + +It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: +```sh + /etc/{,**} rw, +``` + +However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: + +1. How do we know the exhaustive list of *sensitive files* in `/etc`? +2. How do we ensure access to these sensitive files is not required? +3. This breaks the principle of mandatory access control. + See the [first rule of this project](index.md#project-rules) which is to only allow + what is required. Here we allow everything and blacklist some paths. + +It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: + +* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: + +!!! 
note "" + + [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) + ``` aa linenums="123" + profile diff { + include + include + + @{bin}/ r, + @{bin}/pager mr, + @{bin}/less mr, + @{bin}/more mr, + @{bin}/diff mr, + + owner @{HOME}/.lesshs* rw, + + # Diff changed config files + /etc/** r, + + # For shell pwd + /root/ r, + + } + ``` + +* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: + +!!! note "" + + [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 + ) + ``` aa linenums="20" + @{bin}/diff rix, + ``` + +**What if I still want to protect these programs?** + +You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. + +!!! example "To sum up" + + 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` + 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` + 3. Use [Toolbox]. + +[Toolbox]: https://containertoolbx.org/ + + + +## Abstractions + +This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used. + +For instance, to allow download directory access, instead of writing: +```sh +owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, +``` + +You should write: +```sh +include +``` + + +## Children profiles + +Usually, a child profile is in the [`children`][children] group. They have the following note: + +!!! 
quote + + Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. + +[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children + +Here is an overview of the current children profile: + +1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. + +2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. + +3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. + + +## Browsers + +Chromium based browsers share a similar structure. Therefore, they share the same abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content. + +This abstraction requires the following variables defined in the profile header: +```sh +@{name} = chromium +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/chromium +@{config_dirs} = @{user_config_dirs}/chromium +@{cache_dirs} = @{user_cache_dirs}/chromium +``` + +If your application requires chromium to run (like electron) use [`abstractions/chromium-common`][chromium-common] instead. + +[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium +[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common + +## Udev rules + +See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. 
+ +Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: + +!!! note "" + + [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) + ``` aa linenums="179" + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + ``` + +[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt + + +## No New Privileges + +[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). + +The possible solutions are: + +* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). +* Inherit the current confinement (`ix`) +* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) diff --git a/docs/development/tests.md b/docs/development/tests.md index 4bf421d92..7fcdf1555 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md 
@@ -1,37 +1,15 @@ --- -title: Overview +title: Tests suite --- -Misconfigured AppArmor profiles is one of the most effective ways to break someone's system. This section present the various tests applied to the profiles as well as their current stage of deployment. +A full test suite to ensure compatibility across supported distributions and that software is still considered a work in progress. Here is an overview of the current CI jobs: -**Current** +**On Gitlab CI** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - - Build the profiles for all supported distributions. - - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - - Ensure the profile entry point (`@{exec_path}`) is defined. +- Packages build for all supported distributions +- Profiles preprocessing verification for all supported distributions +- Go based command linting, coverage, and unit tests -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - - Ensure apparmor.d header & licence - - Ensure 2 spaces indentation - - Ensure local include for profile and subprofiles - - Ensure abi 4 is used - - Ensure modern profile naming - - Ensure `vim:syntax=apparmor` +**On Github Action** -- [x] **[Integration Tests:](integration.md)** `just test-run ` - - Run simple CLI commands to ensure no logs are raised. - - Uses the [bats](https://github.com/bats-core/bats-core) test system. - - Run in the Github Action as well as in all local [test VM](vm.md). - -**Plan** - -For more complex software suite, more integration tests need to be done. The plan is to run existing integration suite from these very software in an environment with `apparmor.d` profiles. - -- [ ] Systemd - - They use mkosi to generate a VM image to run their own integration tests. 
- - See https://www.codethink.co.uk/articles/2024/systemd-integration-testing-part-1/ - -- [ ] Gnome - - They use openQA to run their integration tests. - - See https://gitlab.gnome.org/GNOME/openqa-tests/ +- Integration test on the ubuntu-latest VM: run a simple list of tasks with all the rules enabled and ensure no new issue has been raised. Github Action is used as it offers direct access to a VM with AppArmor included. diff --git a/docs/development/vm.md b/docs/development/vm.md deleted file mode 100644 index 1091f7d5e..000000000 --- a/docs/development/vm.md +++ /dev/null 
@@ -1,149 +0,0 @@ ---- -title: Development VM ---- - -To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. - -The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. -The VMs are fully managed using a [justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. - -```sh -$ just -``` - -``` -Available recipes: - help # Show this help message - clean # Remove all build artifacts - - [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) - - [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile - - [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container - - [tests] - tests # Run the unit tests - init # Install dependencies for the integration tests - integration # Run the integration tests - tests-init dist flavor # Install dependencies for the integration tests (machine) - tests-sync dist flavor # Synchronize the integration tests (machine) - tests-resync dist flavor # Re-synchronize the integration tests (machine) - tests-run dist flavor name="" # Run the integration tests (machine) - - [linter] - lint # Run the linters - check # Run style checks on 
the profiles - - [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation - - [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - mount dist flavor # Mount the shared directory on the machine - umount dist flavor # Unmout the shared directory on the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created - -See https://apparmor.pujol.io/development/ for more information. -``` - -## Requirements - -* [docker](https://www.docker.com/) -* [just](https://github.com/casey/just) -* [packer](https://www.packer.io/) -* [libvirt](https://libvirt.org/) -* [qemu](https://www.qemu.org/) - -!!! note - - You may need to edit some settings to fit your setup: - - - The default ssh key and ISO directory in `tests/packer/variables.pkr.hcl` - -## Build - -One can see the available images by running: - -```sh -$ just available -``` - -``` -Distribution Flavor -archlinux gnome -archlinux kde -archlinux server -archlinux xfce -debian12 gnome -debian12 kde -debian12 server -ubuntu24 server -... -``` - -A VM image can be build with: - -```sh -$ just img archlinux gnome -``` - -The image will then be showed in the list of images: - -```sh -$ just images -``` - -``` -Distribution Flavor Size Date -archlinux gnome 3.3G Mar 1 14:49 -``` - -The VM can then be created with: - -```sh -$ just create archlinux gnome -``` - -And connected to with: - -```sh -$ just ssh archlinux gnome -``` - -## Develop - -**Credentials** - -The admin user is: `user`, its password is: `user`. It has passwordless sudo access. Automatic login is **not** enabled on DE. The root user is not locked. 
- -**Directories** - -All the images come pre-configured with the latest version of `apparmor.d` installed and running in the VM. The apparmor.d project directory is mounted as `/home/user/Projects/apparmor.d` - -**Usage** - -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. diff --git a/docs/development/workflow.md b/docs/development/workflow.md deleted file mode 100644 index 7cc7c5616..000000000 --- a/docs/development/workflow.md +++ /dev/null @@ -1,195 +0,0 @@ ---- -title: Workflow ---- - -**Workflow to write profiles** - -
- -- :material-file-document:   **[Write a blanck profile](#add-a-blank-profile)** - -
-
- -- :material-download:   **[Install the profile](#individual-profile)** - -
-
- -- :material-test-tube:   **[Profile the program](#program-profiling)** - -
-
- -- :octicons-law-16:   **[Respect the profile guidelines](guidelines.md)** - -
- - -## Add a blank profile - -1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f). - If your profile is part of a large group of profiles, it can also go in - [`apparmor.d/groups`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups). - -2. Write the profile content, the rules depend on the confined program, - Here is the bare minimum for the program `foo`: -``` sh -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 You -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/foo -profile foo @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor -``` - -## Development Install - -It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). - -Instead, install an individual profile or the development package, the following way. - -### Development package - -=== ":material-arch: Archlinux" - - ```sh - just pkg - ``` - -=== ":material-ubuntu: Ubuntu" - - ```sh - just dpkg - ``` - -=== ":material-debian: Debian" - - ```sh - just dpkg - ``` - -=== ":simple-suse: openSUSE" - - ```sh - just rpm - ``` - -=== ":material-docker: Docker" - - For any system with docker installed you can simply build the package with: - - ```sh - just package - ``` - - Then you can install the package with `dpkg`, `pacman` or `rpm`. - -### Individual profile - -**Format** - -```sh -just dev -``` - -**Exampe** - -: Testing the profile `pass` - - ``` - just dev pass - ``` - - This: - - - Prebuild the `pass` profile in complain mode to `.build`, - - Install the profile to `/etc/apparmor.d/` - - Load the profile by restarting the AppArmor service. 
- - -More advanced development, like editing the abstractions or working over multiple profiles at the same time requires installing the full development package. - -For this individual profile installation to work, the full package needs to be installed, regardless of the installation method ([dev](#development-package) or [stable](../install.md)). - -## Program Profiling - -### Workflow - -To discover the access needed by a program, you can use the following tools: - -1. Start the program in *complain* mode, let it initialize itself, then close it. - -1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - - Convert the logs to AppArmor rules. - - Detect if flags such as `attach_disconnected` are needed. - - Convert all common paths to **[variables](../variables.md)**. - -1. From `aa-log` output, you can: - - Copy the rules to the profile. - - Replace some rules with **[abstractions](abstractions.md)** as 80% of the rules should already be covered by an abstraction. - -1. Then, [update the profile](#individual-profile) and start the program again. Use the program as you would normally do, but also try to run all the features of the program, e.g.: open the help, settings, etc. - -1. Run **[`aa-log`](../usage.md#apparmor-log)**. Stop the program as long as you get over 100 new rules. Add the rules to the profile. - -After 2 or 3 iterations, you should have a working profile. - -### Recommendations - -
- -- :material-function:   **[Use the abstractions](abstractions.md)** -- :simple-files:   **[Learn how to open resources](internal.md#open-resources)** -- :fontawesome-solid-bus-simple:   **[Learn how Dbus rules are handled](dbus.md)** -- :material-sign-direction:   **[Learn about directives `#aa:`](directives.md)** -- :octicons-law-16:   **[Follow the profile guidelines](guidelines.md)** -- :octicons-light-bulb-16:   **[See other recommendations](recommendations.md)** - -
- -!!! danger "Warning" - - Following the [profile guidelines](guidelines.md) is **mandatory** for all profiles. PRs that do not follow the guidelines will not get merged. - -### Tools - -* **[aa-notify](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions)** is a tool that will allow you to get notified on every apparmor log. - -* **[aa-logprof](https://man.archlinux.org/man/aa-logprof.8)** is another tool that will help you to generate a profile from logs. However, the logs generated by `aa-logprof` need to be rewritten to comply with the profile [guidelines](guidelines.md). - -* **[aa-complain](https://man.archlinux.org/man/aa-complain.8), aa-enforce** are tools to quickly change the mode of a profile. - - -## Development Settings - -### Profile flags - -Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. - -For instance, to move `adb` in *complain* mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: -```sh -adb complain -``` - -Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: -```sh -gnome-shell attach_disconnected,mediate_deleted,complain -``` - - -### Ignore profiles - -It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/enforce.md b/docs/enforce.md
index 51eec0980..52241859e 100644
--- a/docs/enforce.md
+++ b/docs/enforce.md
@@ -4,65 +4,37 @@ title: Enforce Mode The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. -!!! danger +!!! warning - - You **must** test in complain mode first and ensure your system works as expected. - - You **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log) and [report](report.md) issues first. - - When reporting an issue, you **must** ensure the affected profiles are in complain mode. + - Please test in complain mode first and ensure your system boots! + - When reporting an issue, please ensure the affected profiles are in complain mode. -=== ":material-arch: Archlinux" +#### :material-arch: Arch Linux - In the `PKGBUILD`, replace `just complain` by `just enforce`: +In `PKGBUILD`, replace `make` by `make enforce`: +```diff +- make DISTRIBUTION=arch ++ make enforce DISTRIBUTION=arch +``` - ```diff - - just complain - + just enforce - ``` +#### :material-ubuntu: Ubuntu & :material-debian: Debian - Then, build the package with: `just pkg` +In `debian/rules`, add the following lines: -=== ":material-ubuntu: Ubuntu" +```make +override_dh_auto_build: + make enforce +``` - In `debian/rules`, replace `just complain` by `just enforce`: +#### :simple-suse: openSUSE - ```diff - override_dh_auto_build: - - just complain - override_dh_auto_build: - + just enforce - ``` +In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce` +```diff +- %make_build ++ %make_build enforce +``` - Then, build the package with: `just dpkg` +#### Partial install -=== ":material-debian: Debian" - - In `debian/rules`, replace `just complain` by `just enforce`: - - ```diff 
- override_dh_auto_build: - - just complain - override_dh_auto_build: - + just enforce - ``` - - Then, build the package with: `just dpkg` - -=== ":simple-suse: openSUSE" - - In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: - - ```diff - %build - - just complain - %build - + just enforce - ``` - - Then, build the package with: `just rpm` - -=== ":material-home: Partial Install" - - Use the `just enforce` command to build instead of `just complain` - -[aur]: https://aur.archlinux.org/packages/apparmor.d-git +Use the `make enforce` command to build instead of `make` diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index a5ac57f11..2b9f57454 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md 
@@ -27,15 +27,14 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. +- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. -- PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. - -## Installation +## Install -This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` 
@@ -44,59 +43,35 @@ cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast ``` -=== ":material-arch: Archlinux" +**:material-arch: Arch Linux** - In `PKGBUILD`, replace `just complain` by `just fsp-complain`: +In `PKGBUILD`, replace `make` by `make full`: +```diff +- make ++ make full +``` - ```diff - - just complain - + just fsp-complain - ``` +**:material-ubuntu: Ubuntu & :material-debian: Debian** - Then, build the package with: `just pkg` +In `debian/rules`, add the following lines: -=== ":material-ubuntu: Ubuntu" +```make +override_dh_auto_build: + make full +``` - In `debian/rules`, replace `just complain` by `just fsp-complain`: +**:simple-suse: openSUSE** - ```make - override_dh_auto_build: - - just complain - override_dh_auto_build: - + just fsp-complain - ``` +In `dists/apparmor.d.spec`, replace `%make_build` by `make full` +```diff +- %make_build ++ %make_build full +``` - Then, build the package with: `just dpkg` +**Partial install** -=== ":material-debian: Debian" - - In `debian/rules`, replace `just complain` by `just fsp-complain`: +Use the `make full` command to build instead of `make` - ```make - override_dh_auto_build: - - just complain - override_dh_auto_build: - + just fsp-complain - ``` - - Then, build the package with: `just dpkg` - -=== ":simple-suse: openSUSE" - - In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: - - ```diff - %build - - just complain - %build - + just fsp-complain - ``` - - Then, build the package with: `just rpm` - -=== ":material-home: Partial Install" - - Use the `just fsp-complain` command to build instead of `just complain` ## Structure 
@@ -138,21 +113,11 @@ To work as intended, userland services started by `systemd --user` **should** ha !!! info - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/internal.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: + To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: ``` @{lib}/foo rPx -> systemd//&foo, ``` -### Role Based Access Control (RBAC) - -In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: - -- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. - -- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. - -- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. - ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. 
The fallback profiles consist of a set generic specialized profiles: @@ -164,7 +129,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full diff --git a/docs/index.md b/docs/index.md index 9602207d0..3a9381ccd 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,111 +1,54 @@ --- title: AppArmor.d -hide: - - toc --- - - +**Presentations** -
-
-
-
- -

apparmor.d

-

Full set of AppArmor policies

-

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

-

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

- - Get started - - - - Demo Server - - -
-
-
-
+Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +**Chat** + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/install.md b/docs/install.md index a56599c22..8f234872c 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -2,23 +2,13 @@ title: Installation --- -## Setup +!!! warning + + To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. !!! danger - Do **not** expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a **feature**. - -Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow: - -1. **[Configure AppArmor](#configure-apparmor)** AppArmor for *apparmor.d*. -1. **[Install](#installation)** *apparmor.d* in the (default) complain mode. -1. **[Configure your personal directories](configuration.md)**. -1. Reboot your system. -1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log). -1. **[Report](https://apparmor.pujol.io/report/)** any raised logs. -1. Use the profiles in *complain* mode for a while (a week), regularly check for new AppArmor logs. -1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md). - + Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature. ## Requirements 
@@ -30,184 +20,105 @@ An `AppArmor` supported Linux distribution is required. The default profiles and The following desktop environments are supported: -- [x] :material-gnome: Gnome (GDM) -- [x] :simple-kde: KDE (SDDM) -- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* + - [x] :material-gnome: Gnome + - [x] :simple-kde: KDE + - [ ] :simple-xfce: XFCE *(work in progress)* **Build dependency** -* Go >= 1.23 -* [just](https://github.com/casey/just) >= 1.40.0 +* Go >= 1.18 +## :material-arch: Arch Linux -## Configure AppArmor - -As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`: +`apparmor.d-git` is available in the [Arch User Repository][aur]: +``` +yay -S apparmor.d-git # or your preferred AUR install method +``` +Or without an AUR helper: ```sh -echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf -echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf +git clone https://aur.archlinux.org/apparmor.d-git.git +cd apparmor.d-git +makepkg -si ``` -## Installation +## :material-ubuntu: Ubuntu & :material-debian: Debian -=== ":material-arch: Archlinux" +Build the package from sources: +```sh +sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git +git clone https://github.com/roddhjav/apparmor.d.git +cd apparmor.d +dpkg-buildpackage -b -d --no-sign +sudo dpkg -i ../apparmor.d_*.deb +``` - `apparmor.d-git` is available in the [Arch User Repository][aur]: +!!! tip + If you have `devscripts` installed, you can use the one liner: ```sh - yay -S apparmor.d-git # or your preferred AUR install method + make dpkg ``` - Or without an AUR helper: +!!! 
note + Debian user may need golang from the backports repository to build: ```sh - git clone https://aur.archlinux.org/apparmor.d-git.git - cd apparmor.d-git - makepkg -si + echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list + sudo apt update + sudo apt install -t bookworm-backports golang-go ``` -=== ":material-ubuntu: Ubuntu" +!!! warning - Build the package from sources: + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. + +## :simple-suse: openSUSE + +openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS +```sh +zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo +zypper refresh +zypper install apparmor.d +``` + + +## Partial install + +For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. + +```sh +make +sudo make profile-names... +``` + +!!! warning + + Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + + For instance, `sudo make pass` gives: ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git - git clone https://github.com/roddhjav/apparmor.d.git - cd apparmor.d - dpkg-buildpackage -b -d --no-sign - sudo dpkg -i ../apparmor.d_*.deb + Warning: profile dependencies fallback to unconfined. 
+ @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, + @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` - - !!! tip - - If you have `devscripts` installed, you can use the one liner: - - ```sh - just dpkg - ``` - - !!! note - - **Ubuntu 24.04 user will need to:** - - Install [just](https://github.com/casey/just). E.g: - ```sh - pipx install rust-just - ``` - - !!! warning - - **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. - - If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. - -=== ":material-debian: Debian" - - Build the package from sources: - - ```sh - sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git - git clone https://github.com/roddhjav/apparmor.d.git - cd apparmor.d - dpkg-buildpackage -b -d --no-sign - sudo dpkg -i ../apparmor.d_*.deb - ``` - - !!! tip - - If you have `devscripts` installed, you can use the one liner: - - ```sh - just dpkg - ``` - - !!! note - - **Debian 12 user will need to:** - - 1. Install Golang from the backports repository: - ```sh - echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list - sudo apt update - sudo apt install -t bookworm-backports golang-go - ``` - - 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: - ```sh - pipx install rust-just - sed '/just/d' -i debian/control - ``` - - !!! warning - - **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. - - If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. 
- -=== ":simple-suse: openSUSE" - - openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS: - - ```sh - zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo - zypper refresh - zypper install apparmor.d - ``` - -=== ":material-home: Partial" - - For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. - - ```sh - just complain - sudo just local profile-names... - ``` - - !!! warning - - Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - - For instance, `sudo just local pass` gives: - ```sh - Warning: profile dependencies fallback to unconfined. - @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, - @{python_path} rPx -> pass-import, # pass-import - @{pager_path} rPx -> child-pager, - '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' - ``` - So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. + So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. 
-[Next: Configure your personal directories](configuration.md){ .md-button .md-button--primary } +## Uninstall - -## Uninstallation - -=== ":material-arch: Archlinux" - - ```sh - sudo pacman -R apparmor.d - ``` - -=== ":material-ubuntu: Ubuntu" - - ```sh - sudo apt purge apparmor.d - ``` - -=== ":material-debian: Debian" - - ```sh - sudo apt purge apparmor.d - ``` - -=== ":simple-suse: openSUSE" - - ```sh - sudo zypper remove apparmor.d - ``` +- :material-arch: Arch Linux `sudo pacman -R apparmor.d` +- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` +- :simple-suse: openSUSE `sudo zypper remove apparmor.d` [aur]: https://aur.archlinux.org/packages/apparmor.d-git +[repo]: https://repo.pujol.io/ +[keys]: https://repo.pujol.io/gpgkey diff --git a/docs/issues.md b/docs/issues.md index 2f38f4c5a..d9f28cfe6 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -2,28 +2,43 @@ title: Known issues --- -!!! info +Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. - Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +!!! info -## Ubuntu + Usually, a profile in complain mode cannot break the program it confines. + However, there are some **major exceptions**: -### Dbus + * `deny` rules are enforced even in complain mode, + * `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, + * If AppArmor does not find the profile to transition `rPx`. -Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* +### Pacman "could not get current working directory" -Note: Ubuntu server has been more tested and will work without issues with enforced rules. +```sh +$ sudo pacman -Syu +... +error: could not get current working directory +:: Processing package changes... +... +``` -### Snap +This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. -Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. +According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. + +This provides a basic protection against some packages (on the AUR) that may have rogue install script. + +[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman -## Complain mode +### Gnome can be very slow to start. 
-A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: +[Gnome](https://github.com/roddhjav/apparmor.d/issues/80) can be slow to start. This is a known bug, help is very welcome. -1. `deny` rules are enforced even in *complain* mode, -2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, -3. If AppArmor does not find the profile to transition `rPx`. +The complexity is that: +- It works fine without AppArmor +- It works fine on most system (including test VM) +- It seems to be dbus related +- On archlinux, the dbus mediation is not enabled. So, there is nothing special to allow. diff --git a/docs/overview.md b/docs/overview.md deleted file mode 100644 index 20a5a454f..000000000 --- a/docs/overview.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Overview ---- - -!!! danger "Help Wanted" - - This project is still in its early development. Help is very welcome; see [Development](development/index.md) - -**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. - -### Purpose - -- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` -- Confine all Desktop environments -- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browsers, file managers, etc -- Should not break a normal usage of the confined software - -See the [Concepts](concepts.md)' page for more detail on the architecture. - -### Goals - -- Target both desktops and servers -- Support for all distributions that support AppArmor: - * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) - * [:material-debian: Debian 12/13](install.md#debian) - * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) -- Support for all major desktop environments: - - [x] :material-gnome: Gnome (GDM) - - [x] :simple-kde: KDE (SDDM) - - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- [Fully tested](development/tests.md) - -### Demo - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ - -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -Lessons learned while making an AppArmor Play machine: - -- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/report.md b/docs/report.md index e82d4e9e7..e13ac9e9f 100644 --- a/docs/report.md +++ b/docs/report.md 
@@ -11,39 +11,25 @@ When creating [an issue on Github][newissue], please post a link to the [paste] aa-log -R ``` -??? question "No logs with `aa-log`?" - - If the log file is empty, check that Auditd is running: - - ```sh - sudo systemctl status auditd.service - ``` - - If Auditd is disabled aa-log will not have new results, you can enable Auditd with: - - ```sh - sudo systemctl enable auditd.service --now - ``` - -If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them): +If this command produce nothing, try: ```sh aa-log -s -R ``` -??? question "No logs with `aa-log -s`?" - - On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled: - - ```sh - sudo systemctl enable systemd-journald-audit.socket - ``` - -You can get older logs with: - +If the log file is empty, check that Auditd is running: ```sh -aa-log -R -f +sudo systemctl status auditd.service ``` -Where `` is `1`, `2`, `3` and `4` (the rotated audit log file). + +If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command: +```sh +sudo systemctl enable auditd.service --now +``` + +You can get more logs with: + +1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) +2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index 372762998..70eaaa292 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -24,10 +24,9 @@ apparmor module is loaded. ... 30 processes are in complain mode. ... -0 processes are in prompt mode. -0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. +0 processes are in kill mode. ``` You can also list the current processes alongside with their security profile with: @@ -77,9 +76,9 @@ ps (complain) user ps auxZ ## AppArmor Log -Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way. +Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way. -Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). +Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. ### Basic use 
@@ -116,15 +115,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] - Review AppArmor generated messages in a colorful way. It supports logs from + Review AppArmor generated messages in a colorful way. Supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,5 +131,4 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. - -S, --since DATE Show entries not older than the specified date. ``` diff --git a/docs/variables.md b/docs/variables.md index 1bcee8f93..a70358263 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -6,10 +6,8 @@ title: Variables References ### User directories -
- | Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | @@ -28,19 +26,14 @@ title: Variables References | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | -| Vm | `@{XDG_VM_DIR}` | `.vm` | -| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | +| Vm | `@{XDG_VM_DIR}` | `.vm` +| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | Disk images | `@{XDG_IMG_DIR}` | `images` | -| Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | - -
### Dotfiles -
- | Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | | Config | `@{XDG_CONFIG_DIR}` | `.config` | | Data | `@{XDG_DATA_DIR}` | `.local/share` | @@ -51,32 +44,26 @@ title: Variables References | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | - -
+| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | ### Full configuration path -
- | Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | -| Build | `@{user_build_dirs}` | `/tmp/build/` | +| Build | `@{user_build_dirs}` | `/tmp/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | - -
+| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | ### Full user path -
- | Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | @@ -85,7 +72,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -93,83 +80,44 @@ title: Variables References | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | -| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | -| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | -| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | - -
+| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` +| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | ## System variables -!!! danger +!!! warning Do not modify these variables unless you know what you are doing -#### Base variables - -
+**Helper variables** | Description | Name | Default Value(s) | -|-------------|------|------------------| -| Any digit | `@{d}` | `[0-9]` | -| Any letter | `@{l}` | `[a-zA-Z]` | -| Single alphanumeric character | `@{c}` | `[0-9a-zA-Z]` | -| Word character: matches any letter, digit or underscore. | `@{w}` | `[0-9a-zA-Z_]` | +|-------------|:----:|---------------| +| Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | +| Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | +| Hexadecimal | `@{h}*@{h}` | | +| Universally unique identifier | `@{uuid}` | | +| Current Process id | `@{pid}` | `[0-9]*` | +| Processes ids | `@{pids}` | `[0-9]*` | +| User id | `@{uid}` | `[0-9]*` | +| Thread id | `@{tid}` | `[0-9]*` | | Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | -| Integer up to 10 digits (0-9999999999) | `@{int}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}` | -| Unsigned integer over 8 bits (0-255) | `@{u8}` | `[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]` | -| Unsigned integer over 16 bits (0-65535, 5 digits) | `@{u16}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}` | -| Hexadecimal up to 64 characters | `@{hex}` | | -| Alphanumeric up to 64 characters | `@{rand}` | | -| Word up to 64 characters | `@{word}` | | +| Single alphanumeric character | `@{c}` | `[0-9a-zA-Z]` | +| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | +| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | +| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | -
- -#### Basic variables of a given length - -
- -| Description | Name | -|-------------|------| -| Any x digits characters | `@{int2}` `@{int4}` `@{int6}` `@{int8}` `@{int9}` `@{int10}` `@{int12}` `@{int15}` `@{int16}` `@{int32}` `@{int64}` | -| Any x hexadecimal characters | `@{hex2}` `@{hex4}` `@{hex6}` `@{hex8}` `@{hex9}` `@{hex10}` `@{hex12}` `@{hex15}` `@{hex16}` `@{hex32}` `@{hex38}` `@{hex64}` | -| Any x alphanumeric characters | `@{rand2}` `@{rand4}` `@{rand6}` `@{rand8}` `@{rand9}` `@{rand10}` `@{rand12}` `@{rand15}` `@{rand16}` `@{rand32}` `@{rand64}` | -| Any x word characters | `@{word2}` `@{word4}` `@{word6}` `@{word8}` `@{word9}` `@{word10}` `@{word12}` `@{word15}` `@{word16}` `@{word32}` `@{word64}` | - -
- -#### System Variables - -
+**System Paths** | Description | Name | Default Value(s) | -|-------------|------|------------------| -| Common architecture names | `@{arch}` | `x86_64 amd64 i386 i686` | -| Dbus unique name | `@{busname}` | `:1.@{u16} :not.active.yet` | -| Universally unique identifier | `@{uuid}` | `@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}` | -| Username valid characters | `@{user}` | `[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}` | -| Group valid characters | `@{group}` | `@{user}` | -| Semantic version | `@{version}` | `@{int}{.@{int},}{.@{int},}{-@{rand},}` | -| Current Process Id | `@{pid}` | `{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}` | -| Processes Ids | `@{pids}` | `@{pid}` | -| Thread Id | `@{tid}` | `@{pid}` | -| User Id (equivalent to `@{int}`) | `@{uid}` | `{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}` | - -
- -#### System Paths - -
- -| Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | Root Home | `@{HOMEDIRS}` | `/home/` | | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | -| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | -| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}bin` | -| Sbin | `@{sbin}` | `/{usr/,}sbin` | +| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/ /mnt/` | +| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/` | +| Bin | `@{bin}` | `/{usr/,}{s,}bin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | @@ -178,29 +126,13 @@ title: Variables References | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` | | Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | -
- -#### System Internal +**Program paths** | Description | Name | Default Value(s) | -|-------------|------|------------------| -| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | -| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | -| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | -| HCI devices | `@{hci_id}` | `dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}` | -| Udev data dynamic assignment ranges (234 to 254 then 384 to 511) | `@{dynamic}` | `23[4-9] 24[0-9] 25[0-4] 38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]` | - -#### Program paths - -
- -| Description | Name | Default Value(s) | -|-------------|------|------------------| +|-------------|:----:|---------------| | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | -| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop` +| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop` | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) - -
diff --git a/go.mod b/go.mod index 3bea9f548..bec7213d7 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,13 @@ module github.com/roddhjav/apparmor.d -go 1.23.0 +go 1.21 + +require ( + github.com/stretchr/testify v1.9.0 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect +) diff --git a/go.sum b/go.sum index e69de29bb..60ce688a0 100644 --- a/go.sum +++ b/go.sum @@ -0,0 +1,10 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/mkdocs.yml b/mkdocs.yml index e5244a529..d72fd86b7 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2025 Alexandre Pujol +copyright: Copyright © 2021-2024 Alexandre Pujol # Configuration theme: @@ -43,10 +43,8 @@ theme: - content.action.edit - content.code.annotate - content.code.copy - - content.tabs.link - content.tooltips - navigation.indexes - - navigation.instant - navigation.sections - navigation.tabs - navigation.top 
@@ -64,16 +62,11 @@ plugins: - offline: enabled: !ENV [MKDOCS_OFFLINE, true] - git-revision-date-localized: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] + enabled: !ENV [ENABLED_GIT_REVISION_DATE, True] enable_creation_date: true fallback_to_build_date: true - minify: minify_html: true - - git-committers: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] - token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY] - repository: roddhjav/apparmor.d - branch: main # Customization extra: @@ -117,9 +110,7 @@ markdown_extensions: user: squidfunk repo: mkdocs-material - pymdownx.smartsymbols - - pymdownx.snippets: - auto_append: - - docs/abbreviations.md + - pymdownx.snippets - pymdownx.superfences: custom_fences: - name: mermaid @@ -127,9 +118,6 @@ markdown_extensions: format: !!python/name:pymdownx.superfences.fence_code_format - pymdownx.tabbed: alternate_style: true - slugify: !!python/object/apply:pymdownx.slugs.slugify - kwds: - case: lower - pymdownx.tasklist: custom_checkbox: true @@ -138,33 +126,28 @@ nav: - Home: - index.md - Getting Started: - - overview.md - concepts.md - install.md - configuration.md - usage.md - - report.md - Advanced: - variables.md - enforce.md - full-system-policy.md - Troubleshooting: - issues.md + - report.md - recovery.md - Development: - development/index.md - - development/roadmap.md - - Profiles: - - development/workflow.md + - Architecture: + - development/install.md - development/guidelines.md + - development/structure.md + - Profile: - development/abstractions.md - - development/internal.md - development/directives.md - development/dbus.md - - development/recommendations.md - - Packages: - - development/build.md - Tests: - development/tests.md - - development/vm.md - development/integration.md diff --git a/pkg/aa/all.go b/pkg/aa/all.go index 21368d320..b3acb5d96 100644 --- a/pkg/aa/all.go +++ b/pkg/aa/all.go 
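Review bot: The `git-revision-date-localized` default is written `True` while the `offline` plugin two lines above uses `true`: `enabled: !ENV [ENABLED_GIT_REVISION_DATE, True]`. PyYAML, which MkDocs loads its config with, accepts both spellings under YAML 1.1 rules, but mixing the two forms in one file trips yamllint's `truthy` check and reads as if a different type were intended. Write `enabled: !ENV [ENABLED_GIT_REVISION_DATE, true]` to match the rest of the file.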
@@ -9,23 +9,11 @@ const ( ) type All struct { - Base + RuleBase } func newAll(q Qualifier, rule rule) (Rule, error) { - return &All{Base: newBase(rule)}, nil -} - -func (r *All) Kind() Kind { - return ALL -} - -func (r *All) Constraint() Constraint { - return BlockRule -} - -func (r *All) String() string { - return renderTemplate(r.Kind(), r) + return &All{RuleBase: newBase(rule)}, nil } func (r *All) Validate() error { @@ -38,12 +26,18 @@ func (r *All) Compare(other Rule) int { func (r *All) Merge(other Rule) bool { o, _ := other.(*All) - b := &r.Base - return b.merge(o.Base) // Always merge all rules + b := &r.RuleBase + return b.merge(o.RuleBase) } -func (r *All) Lengths() []int { - return []int{} // No len for all +func (r *All) String() string { + return renderTemplate(r.Kind(), r) } -func (r *All) setPaddings(max []int) {} // No paddings for all +func (r *All) Constraint() constraint { + return blockKind +} + +func (r *All) Kind() Kind { + return ALL +} diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 94e232c81..75c009c86 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go 
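Review bot: `All.Merge` dereferences the result of an unchecked type assertion: `o, _ := other.(*All)` followed by `b.merge(o.RuleBase)` panics with a nil-pointer dereference whenever `other` is a different rule kind, because reading the embedded `RuleBase` through a nil `*All` faults. Guarding with `o, ok := other.(*All); if !ok { return false }` keeps the method total. The same pattern appears in the new `Dbus.Merge`, `File.Merge` and `IOUring.Merge` further down this diff; if callers are guaranteed to compare `Kind()` before calling `Merge`, a comment stating that contract on each method would do instead.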
@@ -5,39 +5,12 @@ package aa import ( - "strings" - "github.com/roddhjav/apparmor.d/pkg/paths" ) -// MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. +// Default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") -// FileKind represents an AppArmor file kind. -type FileKind uint8 - -const ( - ProfileKind FileKind = iota - AbstractionKind - TunableKind -) - -func KindFromPath(file *paths.Path) FileKind { - dirname := file.Parent().String() - switch { - case strings.Contains(dirname, "abstractions"): - return AbstractionKind - case strings.Contains(dirname, "tunables"): - return TunableKind - case strings.Contains(dirname, "local"): - return AbstractionKind - case strings.Contains(dirname, "mappings"): - return AbstractionKind - default: - return ProfileKind - } -} - // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile @@ -59,10 +32,7 @@ func NewAppArmorProfile() *AppArmorProfileFile { func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ - &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, - &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, - &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, 
@@ -70,15 +40,11 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true}, &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, - &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, - &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true}, - &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, - &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true}, }, } } diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 172cfc2b5..10cf366b4 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -10,6 +10,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/util" ) var ( 
@@ -20,7 +21,7 @@ var ( // mustReadProfileFile read a file and return its content as a slice of string. // It panics if an error occurs. It removes the last comment line. func mustReadProfileFile(path *paths.Path) string { - res := strings.Split(path.MustReadFileAsString(), "\n") + res := strings.Split(util.MustReadFile(path), "\n") return strings.Join(res[:len(res)-2], "\n") } @@ -39,7 +40,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { name: "foo", f: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, + &Comment{RuleBase: RuleBase{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, nil, &Abi{IsMagic: true, Path: "abi/4.0"}, &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}, @@ -65,7 +66,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { &Network{Domain: "inet", Type: "stream"}, &Network{Domain: "inet6", Type: "stream"}, &Mount{ - Base: Base{Comment: " failed perms check"}, + RuleBase: RuleBase{Comment: " failed perms check"}, MountConditions: MountConditions{ FsType: "fuse.portal", Options: []string{"rw", "rbind"}, @@ -107,7 +108,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { }, }}, }, - want: testData.Join("string.aa").MustReadFileAsString(), + want: util.MustReadFile(testData.Join("string.aa")), }, } for _, tt := range tests { 
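Review bot: `mustReadProfileFile` feeds `util.MustReadFile(path)` into `strings.Split(..., "\n")` and then slices `res[:len(res)-2]`, which panics on a file with fewer than two newline-separated parts (an empty or single-line fixture), so a broken fixture surfaces as a slice-bounds panic rather than a readable test failure; `if len(res) < 2 { return "" }` before the slice avoids that. The doc comment says the helper removes the last comment line, but two elements are dropped — presumably the final line plus the empty string left after a trailing newline — and the comment should say so.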
@@ -203,15 +204,15 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { name: "aa-status", f: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{Comment: " apparmor.d - Full set of apparmor profiles", IsLineRule: true}}, - &Comment{Base: Base{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}}, - &Comment{Base: Base{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}}, + &Comment{RuleBase: RuleBase{Comment: " apparmor.d - Full set of apparmor profiles", IsLineRule: true}}, + &Comment{RuleBase: RuleBase{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}}, + &Comment{RuleBase: RuleBase{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}}, nil, - &Abi{IsMagic: true, Path: "abi/4.0"}, + &Abi{IsMagic: true, Path: "abi/3.0"}, &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, + Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, }, }, Profiles: []*Profile{{ 
@@ -223,11 +224,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, @@ -237,7 +238,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { }, }}, }, - want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")), + want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")), }, } for _, tt := range tests { diff --git a/pkg/aa/base.go b/pkg/aa/base.go index a712a5899..c05954267 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -8,16 +8,18 @@ import ( "strings" ) -type Base struct { - Comment string +type RuleBase struct { IsLineRule bool + Comment string NoNewPrivs bool FileInherit bool + Prefix string + Padding string + Suffix string Optional bool - Paddings []string } -func newBase(rule rule) Base { +func newBase(rule rule) RuleBase { comment := "" fileInherit, noNewPrivs, optional := false, false, false @@ -42,7 +44,7 @@ func newBase(rule rule) Base { optional = true comment = strings.Replace(comment, "optional: ", "", 1) } - return Base{ + return RuleBase{ Comment: comment, NoNewPrivs: noNewPrivs, FileInherit: fileInherit, 
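Review bot: `RuleBase` is an exported type with no doc comment, and its three new layout fields `Prefix`, `Padding` and `Suffix` are not populated by `newBase` in the hunk below, so a reader cannot tell from this file who sets them or when. A comment such as `// RuleBase holds the attributes common to every rule: its comment, the NoNewPrivs/FileInherit/Optional flags, and the Prefix/Padding/Suffix strings.` would document the intent; whether those strings are consumed at render time is my inference from the names and should be confirmed before writing it down. The body of `newBase` continues outside the hunk.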
@@ -50,7 +52,7 @@ func newBase(rule rule) Base { } } -func newBaseFromLog(log map[string]string) Base { +func newBaseFromLog(log map[string]string) RuleBase { comment := "" fileInherit, noNewPrivs, optional := false, false, false @@ -68,7 +70,7 @@ func newBaseFromLog(log map[string]string) Base { if log["info"] != "" { comment += " " + log["info"] } - return Base{ + return RuleBase{ IsLineRule: false, Comment: comment, NoNewPrivs: noNewPrivs, @@ -77,42 +79,31 @@ func newBaseFromLog(log map[string]string) Base { } } -func (r Base) Padding(i int) string { - if i >= len(r.Paddings) { - return "" - } - return r.Paddings[i] +func (r RuleBase) Merge(other Rule) bool { + return false } -func (r *Base) merge(other Base) bool { - r.NoNewPrivs = r.NoNewPrivs || other.NoNewPrivs - r.FileInherit = r.FileInherit || other.FileInherit - r.Optional = r.Optional || other.Optional +func (r *RuleBase) merge(other RuleBase) bool { if other.Comment != "" { r.Comment += " " + other.Comment } return true } -func (r Base) addLine(other Rule) bool { - return false -} - type Qualifier struct { - Priority string Audit bool AccessType string } func newQualifierFromLog(log map[string]string) Qualifier { - audit := log["apparmor"] == "AUDIT" + audit := false + if log["apparmor"] == "AUDIT" { + audit = true + } return Qualifier{Audit: audit} } func (r Qualifier) Compare(o Qualifier) int { - if r := compare(r.Priority, o.Priority); r != 0 { - return r - } if r := compare(r.Audit, o.Audit); r != 0 { return r } 
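Review bot: `RuleBase.merge` now only concatenates the two comments and returns true, so when `Dbus.Merge`, `File.Merge` or `IOUring.Merge` absorb a second rule, that rule's `NoNewPrivs`, `FileInherit` and `Optional` flags are silently dropped from the surviving rule. If those flags must survive a merge, OR them in (`r.NoNewPrivs = r.NoNewPrivs || other.NoNewPrivs`, and likewise for `FileInherit` and `Optional`); if the loss is intended, a comment saying only the comment is merged would prevent surprise. Separately, `newQualifierFromLog` spends four lines on what `audit := log["apparmor"] == "AUDIT"` expresses directly.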
@@ -120,24 +111,5 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType -} - -func (r Qualifier) getLenAudit() int { - return length("audit", r.Audit) -} - -func (r Qualifier) getLenAccess() int { - lenAccess := 0 - if r.AccessType != "" { - lenAccess = length("", r.AccessType) - } - return lenAccess -} - -func (r Qualifier) setPaddings(max []int) []string { - return setPaddings(max, - []string{"audit", ""}, - []any{r.Audit, r.AccessType}, - ) + return r.Audit == o.Audit && r.AccessType == o.AccessType } diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go index d0826dfa2..b3ce0ba77 100644 --- a/pkg/aa/blocks.go +++ b/pkg/aa/blocks.go @@ -10,38 +10,28 @@ const ( // Hat represents a single AppArmor hat. type Hat struct { - Base + RuleBase Name string Rules Rules } -func (p *Hat) Kind() Kind { - return HAT +func (r *Hat) Validate() error { + return nil } -func (p *Hat) Constraint() Constraint { - return BlockRule +func (r *Hat) Compare(other Rule) int { + o, _ := other.(*Hat) + return compare(r.Name, o.Name) } func (p *Hat) String() string { return renderTemplate(p.Kind(), p) } -func (p *Hat) Validate() error { - return nil +func (p *Hat) Constraint() constraint { + return blockKind } -func (p *Hat) Compare(other Rule) int { - o, _ := other.(*Hat) - return compare(p.Name, o.Name) +func (p *Hat) Kind() Kind { + return HAT } - -func (p *Hat) Merge(other Rule) bool { - return false // Never merge hat blocks -} - -func (p *Hat) Lengths() []int { - return []int{} // No len for hat -} - -func (p *Hat) setPaddings(max []int) {} // No paddings for hat diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go index a55f8bc9b..f9f083f98 100644 --- a/pkg/aa/capability.go +++ b/pkg/aa/capability.go @@ -26,7 +26,7 @@ func init() { } type Capability struct { - Base + RuleBase Qualifier Names []string } 
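Review bot: The `Hat` methods in the blocks.go hunk mix receiver names: `Validate` and `Compare` use `r`, while `String`, `Constraint` and `Kind` keep `p`. Go convention is one receiver name per type, and the sibling rule types in this diff all use `r`, so renaming the three `p` receivers (for example `func (r *Hat) String() string { return renderTemplate(r.Kind(), r) }`) keeps the package consistent. The hunk also drops the explicit `Merge` — presumably the promoted `RuleBase.Merge` returning false now applies to hats — which deserves a one-line comment on the type so the behaviour is not lost.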
@@ -37,7 +37,7 @@ func newCapability(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Capability{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Names: names, }, nil @@ -45,24 +45,12 @@ func newCapability(q Qualifier, rule rule) (Rule, error) { func newCapabilityFromLog(log map[string]string) Rule { return &Capability{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Names: Must(toValues(CAPABILITY, "name", log["capname"])), } } -func (r *Capability) Kind() Kind { - return CAPABILITY -} - -func (r *Capability) Constraint() Constraint { - return BlockRule -} - -func (r *Capability) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Capability) Validate() error { if err := validateValues(r.Kind(), "name", r.Names); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -78,20 +66,14 @@ func (r *Capability) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Capability) Merge(other Rule) bool { - return false // Never merge capabilities +func (r *Capability) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Capability) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Names), - } +func (r *Capability) Constraint() constraint { + return blockKind } -func (r *Capability) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{""}, []any{r.Names})..., - ) +func (r *Capability) Kind() Kind { + return CAPABILITY } diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go index 5334b343c..a6abb8772 100644 --- a/pkg/aa/change_profile.go +++ b/pkg/aa/change_profile.go @@ -18,7 +18,7 @@ func init() { } type ChangeProfile struct { - Base + RuleBase Qualifier ExecMode string Exec string 
@@ -49,7 +49,7 @@ func newChangeProfile(q Qualifier, rule rule) (Rule, error) { } } return &ChangeProfile{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, ExecMode: mode, Exec: exec, @@ -59,7 +59,7 @@ func newChangeProfile(q Qualifier, rule rule) (Rule, error) { func newChangeProfileFromLog(log map[string]string) Rule { return &ChangeProfile{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), ExecMode: log["mode"], Exec: log["exec"], @@ -67,18 +67,6 @@ func newChangeProfileFromLog(log map[string]string) Rule { } } -func (r *ChangeProfile) Kind() Kind { - return CHANGEPROFILE -} - -func (r *ChangeProfile) Constraint() Constraint { - return BlockRule -} - -func (r *ChangeProfile) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *ChangeProfile) Validate() error { if err := validateValues(r.Kind(), "mode", []string{r.ExecMode}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -100,23 +88,14 @@ func (r *ChangeProfile) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *ChangeProfile) Merge(other Rule) bool { - return false // Never merge change_profile +func (r *ChangeProfile) String() string { + return renderTemplate(r.Kind(), r) } -func (r *ChangeProfile) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.ExecMode), - length("", r.Exec), - length("", r.ProfileName), - } +func (r *ChangeProfile) Constraint() constraint { + return blockKind } -func (r *ChangeProfile) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "", ""}, - []any{r.ExecMode, r.Exec, r.ProfileName})..., - ) +func (r *ChangeProfile) Kind() Kind { + return CHANGEPROFILE } diff --git a/pkg/aa/util.go b/pkg/aa/convert.go similarity index 80% rename from pkg/aa/util.go rename to pkg/aa/convert.go index 523eb99fe..e0889360c 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/convert.go 
@@ -43,53 +43,6 @@ func merge(kind Kind, key string, a, b []string) []string { return slices.Compact(a) } -func length(prefix string, value any) int { - var res int - switch value := value.(type) { - case bool: - if value { - return len(prefix) + 1 - } - return 0 - case string: - if value != "" { - res = len(value) + len(prefix) + 1 - } - return res - case []string: - for _, v := range value { - lenV := len(v) - if lenV > 0 { - res += lenV + 1 // Space between values - } - } - if len(value) > 1 { - res += 2 // Brackets on slices - } - return res - default: - panic("length: unsupported type") - } -} - -func setPaddings(max []int, prefixes []string, values []any) []string { - if len(max) != len(values) || len(max) != len(prefixes) { - panic("setPaddings: max, prefix, and values must have the same length") - } - res := make([]string, len(max)) - for i, v := range values { - if max[i] == 0 { - res[i] = "" - continue - } - count := max[i] - length(prefixes[i], v) - if count > 0 { - res[i] = strings.Repeat(" ", count) - } - } - return res -} - func compare(a, b any) int { switch a := a.(type) { case int: @@ -148,10 +101,9 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n ") + token = strings.Trim(token, "()\n") if strings.ContainsAny(token, ", ") { var sep string - token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," @@ -183,7 +135,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) + return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) } } slices.SortFunc(res, func(i, j string) int { diff --git a/pkg/aa/util_test.go b/pkg/aa/convert_test.go similarity index 100% rename from pkg/aa/util_test.go rename to pkg/aa/convert_test.go 
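Review bot: `tokenToSlice` now trims only `()\n` from `token`, so spaces just inside the parentheses survive into the `ContainsAny`/split path and, depending on which separator is picked, can become empty or space-padded elements; the collapsing of doubled spaces is gone as well. If surrounding whitespace is not significant in a token, `token = strings.Trim(token, "()\n ")` (or a `strings.TrimSpace` after trimming the parentheses) restores the normalisation. The split and the handling of the resulting elements continue outside the hunk, so I could not confirm whether they are trimmed later.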
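Review bot: The error returned by `toValues` no longer names the rule kind: `unrecognized %s: %s` reports only the key and the offending value, so a message such as `unrecognized access: foo` cannot be traced back to the rule type that rejected it when several kinds share a key name. Keeping `kind` in the message, `return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx])`, preserves that diagnostic at no cost. `toValues` starts outside the hunk.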
diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index 28aa703d6..b4e247868 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -6,8 +6,8 @@ package aa var ( // Comment - comment1 = &Comment{Base: Base{Comment: "comment", IsLineRule: true}} - comment2 = &Comment{Base: Base{Comment: "another comment", IsLineRule: true}} + comment1 = &Comment{RuleBase: RuleBase{Comment: "comment", IsLineRule: true}} + comment2 = &Comment{RuleBase: RuleBase{Comment: "another comment", IsLineRule: true}} // Abi abi1 = &Abi{IsMagic: true, Path: "abi/4.0"} @@ -28,7 +28,7 @@ var ( // All all1 = &All{} - all2 = &All{Base: Base{Comment: "comment"}} + all2 = &All{RuleBase: RuleBase{Comment: "comment"}} // Rlimit rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"} @@ -65,34 +65,8 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } - network3Log = map[string]string{ - "apparmor": "ALLOWED", - "class": "net", - "operation": "sendmsg", - "info": "failed af match", - "error": "-13", - "profile": "unattended-upgrade", - "comm": "unattended-upgr", - "laddr": "127.0.0.1", - "lport": "57007", - "faddr": "127.0.0.53", - "saddr": "127.0.0.1", - "src": "57007", - "fport": "53", - "sock_type": "dgram", - "protocol": "17", - "requested": "send", - "denied": "send", - } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} - network3 = &Network{ - Base: Base{Comment: " failed af match"}, - LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, - PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, - Type: "dgram", - Protocol: "17", - } // Mount mount1Log = map[string]string{ 
@@ -120,13 +94,13 @@ var ( "flags": "rw, rbind", } mount1 = &Mount{ - Base: Base{Comment: " failed perms check"}, + RuleBase: RuleBase{Comment: " failed perms check"}, MountConditions: MountConditions{FsType: "overlay"}, Source: "overlay", MountPoint: "/var/lib/docker/overlay2/opaque-bug-check1209538631/merged/", } mount2 = &Mount{ - Base: Base{Comment: " failed perms check"}, + RuleBase: RuleBase{Comment: " failed perms check"}, MountConditions: MountConditions{Options: []string{"rw", "rbind"}}, Source: "/oldroot/dev/tty", MountPoint: "/newroot/dev/tty", @@ -264,9 +238,9 @@ var ( PeerLabel: "dbus-daemon", } unix2 = &Unix{ - Base: Base{FileInherit: true}, - Access: []string{"receive"}, - Type: "stream", + RuleBase: RuleBase{FileInherit: true}, + Access: []string{"receive"}, + Type: "stream", } // Dbus @@ -344,10 +318,10 @@ var ( } file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}} file2 = &File{ - Base: Base{NoNewPrivs: true}, - Owner: true, - Path: "@{PROC}/4163/cgroup", - Access: []string{"r"}, + RuleBase: RuleBase{NoNewPrivs: true}, + Owner: true, + Path: "@{PROC}/4163/cgroup", + Access: []string{"r"}, } // Link diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go index fa4ec7ec4..f34b8e09c 100644 --- a/pkg/aa/dbus.go +++ b/pkg/aa/dbus.go @@ -21,7 +21,7 @@ func init() { } type Dbus struct { - Base + RuleBase Qualifier Access []string Bus string @@ -39,7 +39,7 @@ func newDbus(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Dbus{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Bus: rule.GetValuesAsString("bus"), @@ -61,7 +61,7 @@ func newDbusFromLog(log map[string]string) Rule { peerName = log["name"] } return &Dbus{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: []string{log["mask"]}, Bus: log["bus"], 
@@ -74,18 +74,6 @@ func newDbusFromLog(log map[string]string) Rule { } } -func (r *Dbus) Kind() Kind { - return DBUS -} - -func (r *Dbus) Constraint() Constraint { - return BlockRule -} - -func (r *Dbus) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Dbus) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -125,21 +113,27 @@ func (r *Dbus) Compare(other Rule) int { func (r *Dbus) Merge(other Rule) bool { o, _ := other.(*Dbus) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Bus == o.Bus && r.Name == o.Name && r.Path == o.Path && r.Interface == o.Interface && r.Member == o.Member && r.PeerName == o.PeerName && r.PeerLabel == o.PeerLabel { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Dbus) Lengths() []int { - return []int{} // No len for dbus +func (r *Dbus) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Dbus) setPaddings(max []int) {} // No paddings for dbus +func (r *Dbus) Constraint() constraint { + return blockKind +} + +func (r *Dbus) Kind() Kind { + return DBUS +} diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 091f9436f..56ae9c499 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -8,8 +8,6 @@ import ( "fmt" "slices" "strings" - - "github.com/roddhjav/apparmor.d/pkg/util" ) const ( @@ -29,7 +27,7 @@ func init() { } } -func IsOwner(log map[string]string) bool { +func isOwner(log map[string]string) bool { fsuid, hasFsUID := log["fsuid"] ouid, hasOuUID := log["ouid"] isDbus := strings.Contains(log["operation"], "dbus") @@ -40,7 +38,7 @@ func IsOwner(log map[string]string) bool { } type File struct { - Base + RuleBase Qualifier Owner bool Path string 
@@ -78,7 +76,7 @@ func newFile(q Qualifier, rule rule) (Rule, error) { return nil, err } return &File{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Owner: owner, Path: path, @@ -96,49 +94,16 @@ func newFileFromLog(log map[string]string) Rule { return newLinkFromLog(log) } return &File{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), - Owner: IsOwner(log), + Owner: isOwner(log), Path: log["name"], Access: accesses, Target: log["target"], } } -func (r *File) Kind() Kind { - return FILE -} - -func (r *File) Constraint() Constraint { - return BlockRule -} - -func (r *File) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *File) Validate() error { - if r.Path == "" && r.Target == "" && len(r.Access) == 0 { - return nil // rule: `file` or `owner file` - } - if !isAARE(r.Path) { - return fmt.Errorf("'%s' is not a valid AARE", r.Path) - } - if len(r.Access) == 0 { - return fmt.Errorf("missing file access") - } - for _, v := range r.Access { - if v == "" { - continue - } - if !slices.Contains(requirements[r.Kind()]["access"], v) && - !slices.Contains(requirements[r.Kind()]["transition"], v) { - return fmt.Errorf("invalid mode '%s'", v) - } - } - if r.Target != "" && !isAARE(r.Target) { - return fmt.Errorf("'%s' is not a valid AARE", r.Target) - } return nil } 
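Review bot: `File.Validate` now returns nil unconditionally, so a `File` rule whose path is not a valid AARE, whose `Access` is empty, or whose access mode is unknown passes validation at this layer; `Link.Validate` later in this diff becomes a no-op in the same way. If those checks moved elsewhere, a comment naming that place (`// Validate is a no-op: file rules are checked by <...>`) would stop readers from relying on this method; otherwise it should at least reject the case the parser cannot render meaningfully, `if r.Path != "" && len(r.Access) == 0 { return fmt.Errorf("missing file access") }`.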
@@ -168,55 +133,31 @@ func (r *File) Compare(other Rule) int { func (r *File) Merge(other Rule) bool { o, _ := other.(*File) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Owner == o.Owner && r.Path == o.Path && r.Target == o.Target { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *File) Lengths() []int { - // Add padding to align with other transition rule - lenPath := 0 - isTransition := util.Intersect( - append(requirements[FILE]["transition"], "m"), r.Access, - ) - if len(isTransition) > 0 { - lenPath = length("", r.Path) - } - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("owner", r.Owner), - lenPath, - } +func (r *File) String() string { + return renderTemplate(r.Kind(), r) } -func (r *File) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"owner", ""}, - []any{r.Owner, r.Path})..., - ) +func (r *File) Constraint() constraint { + return blockKind } -func (r *File) addLine(other Rule) bool { - if other.Kind() != r.Kind() { - return false - } - - letterI := getLetterIn(fileAlphabet, r.Path) - letterJ := getLetterIn(fileAlphabet, other.(*File).Path) - groupI, ok1 := fileAlphabetGroups[letterI] - groupJ, ok2 := fileAlphabetGroups[letterJ] - return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ) +func (r *File) Kind() Kind { + return FILE } type Link struct { - Base + RuleBase Qualifier Owner bool Subset bool @@ -249,7 +190,7 @@ func newLink(q Qualifier, rule rule) (Rule, error) { } } return &Link{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Owner: owner, Subset: subset, 
@@ -260,33 +201,15 @@ func newLink(q Qualifier, rule rule) (Rule, error) { func newLinkFromLog(log map[string]string) Rule { return &Link{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), - Owner: IsOwner(log), + Owner: isOwner(log), Path: log["name"], Target: log["target"], } } -func (r *Link) Kind() Kind { - return LINK -} - -func (r *Link) Constraint() Constraint { - return BlockRule -} - -func (r *Link) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Link) Validate() error { - if !isAARE(r.Path) { - return fmt.Errorf("'%s' is not a valid AARE", r.Path) - } - if !isAARE(r.Target) { - return fmt.Errorf("'%s' is not a valid AARE", r.Target) - } return nil } @@ -308,24 +231,14 @@ func (r *Link) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Link) Merge(other Rule) bool { - return false // Never merge link +func (r *Link) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Link) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("owner", r.Owner), - length("subset", r.Subset), - length("", r.Path), - length("", r.Target), - } +func (r *Link) Constraint() constraint { + return blockKind } -func (r *Link) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"owner", "subset", "", ""}, - []any{r.Owner, r.Subset, r.Path, r.Target})..., - ) +func (r *Link) Kind() Kind { + return LINK } diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go index 76e9e172d..4402f07a9 100644 --- a/pkg/aa/io_uring.go +++ b/pkg/aa/io_uring.go @@ -17,7 +17,7 @@ func init() { } type IOUring struct { - Base + RuleBase Qualifier Access []string Label string @@ -29,7 +29,7 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { return nil, err } return &IOUring{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Label: rule.GetValuesAsString("label"), 
@@ -38,25 +38,13 @@ func newIOUring(q Qualifier, rule rule) (Rule, error) { func newIOUringFromLog(log map[string]string) Rule { return &IOUring{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(IOURING, log["requested"])), Label: log["label"], } } -func (r *IOUring) Kind() Kind { - return IOURING -} - -func (r *IOUring) Constraint() Constraint { - return BlockRule -} - -func (r *IOUring) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *IOUring) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -78,29 +66,25 @@ func (r *IOUring) Compare(other Rule) int { func (r *IOUring) Merge(other Rule) bool { o, _ := other.(*IOUring) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Label == o.Label { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *IOUring) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Access), - length("label=", r.Label), - } +func (r *IOUring) String() string { + return renderTemplate(r.Kind(), r) } -func (r *IOUring) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "label="}, - []any{r.Access, r.Label})..., - ) +func (r *IOUring) Constraint() constraint { + return blockKind +} + +func (r *IOUring) Kind() Kind { + return IOURING } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 72719414d..272076d07 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go 
@@ -16,20 +16,11 @@ const ( func init() { requirements[MOUNT] = requirement{ - "flags_bind": { - "B", "bind", "R", "rbind", - }, - "flags_change": { - "remount", "unbindable", "shared", "private", "slave", "runbindable", - "rshared", "rprivate", "rslave", "make-unbindable", "make-shared", - "make-private", "make-slave", "make-runbindable", "make-rshared", - "make-rprivate", "make-rslave", - }, "flags": { - "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", - "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", - "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", + "acl", "async", "atime", "ro", "rw", "bind", "rbind", "dev", + "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", + "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", + "nomand", "norelatime", "nosuid", "nouser", "private", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", @@ -82,23 +73,8 @@ func (m *MountConditions) Merge(other MountConditions) bool { return false } -func (m MountConditions) getLenFsType() int { - return length("fstype=", m.FsType) -} - -func (m MountConditions) getLenOptions() int { - return length("options=", m.Options) -} - -func (m MountConditions) setPaddings(max []int) []string { - return setPaddings(max, - []string{"fstype=", "options="}, - []any{m.FsType, m.Options}, - ) -} - type Mount struct { - Base + RuleBase Qualifier MountConditions Source string @@ -126,7 +102,7 @@ func newMount(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Mount{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, MountConditions: conditions, Source: src, 
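Review bot: The rewritten `requirements[MOUNT]["flags"]` list no longer contains `"nosymfollow"`, which the removed list had, so a profile or log-derived mount rule using `options=(nosymfollow)` will presumably be rejected by `MountConditions.Validate` if that function validates against this list (it is outside the hunk). The `flags_bind` and `flags_change` groups are also dropped; whatever consumed them is not visible here, so please confirm nothing still looks those keys up. If dropping `nosymfollow` is intentional, a short comment on the list, e.g. `// mount options accepted in options=(...); nosymfollow intentionally not listed`, would make that explicit.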
@@ -136,7 +112,7 @@ func newMount(q Qualifier, rule rule) (Rule, error) { func newMountFromLog(log map[string]string) Rule { return &Mount{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), Source: log["srcname"], @@ -144,18 +120,6 @@ func newMountFromLog(log map[string]string) Rule { } } -func (r *Mount) Kind() Kind { - return MOUNT -} - -func (r *Mount) Constraint() Constraint { - return BlockRule -} - -func (r *Mount) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Mount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -181,37 +145,31 @@ func (r *Mount) Merge(other Rule) bool { o, _ := other.(*Mount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Source == o.Source && r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Mount) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), - length("", r.Source), - length("", r.MountPoint), - } +func (r *Mount) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Mount) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) - r.Paddings = append(r.Paddings, - setPaddings(max[4:], []string{"", ""}, []any{r.Source, r.MountPoint})..., - ) +func (r *Mount) Constraint() constraint { + return blockKind +} + +func (r *Mount) Kind() Kind { + return MOUNT } type Umount struct { - Base + RuleBase Qualifier MountConditions MountPoint string 
@@ -228,7 +186,7 @@ func newUmount(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Umount{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, MountConditions: conditions, MountPoint: mount, @@ -237,25 +195,13 @@ func newUmount(q Qualifier, rule rule) (Rule, error) { func newUmountFromLog(log map[string]string) Rule { return &Umount{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), MountPoint: log["name"], } } -func (r *Umount) Kind() Kind { - return UMOUNT -} - -func (r *Umount) Constraint() Constraint { - return BlockRule -} - -func (r *Umount) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Umount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -278,35 +224,30 @@ func (r *Umount) Merge(other Rule) bool { o, _ := other.(*Umount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Umount) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), - length("", r.MountPoint), - } +func (r *Umount) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Umount) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) - r.Paddings = append(r.Paddings, - setPaddings(max[4:], []string{""}, []any{r.MountPoint})..., - ) +func (r *Umount) Constraint() constraint { + return blockKind +} + +func (r *Umount) Kind() Kind { + return UMOUNT } type Remount struct { - Base + RuleBase Qualifier MountConditions MountPoint string 
@@ -324,7 +265,7 @@ func newRemount(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Remount{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, MountConditions: conditions, MountPoint: mount, @@ -333,25 +274,13 @@ func newRemount(q Qualifier, rule rule) (Rule, error) { func newRemountFromLog(log map[string]string) Rule { return &Remount{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), MountConditions: newMountConditionsFromLog(log), MountPoint: log["name"], } } -func (r *Remount) Kind() Kind { - return REMOUNT -} - -func (r *Remount) Constraint() Constraint { - return BlockRule -} - -func (r *Remount) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Remount) Validate() error { if err := r.MountConditions.Validate(); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -374,29 +303,24 @@ func (r *Remount) Merge(other Rule) bool { o, _ := other.(*Remount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Remount) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), - length("", r.MountPoint), - } +func (r *Remount) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Remount) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), r.MountConditions.setPaddings(max[2:4])...) - r.Paddings = append(r.Paddings, - setPaddings(max[4:], []string{""}, []any{r.MountPoint})..., - ) +func (r *Remount) Constraint() constraint { + return blockKind +} + +func (r *Remount) Kind() Kind { + return REMOUNT } diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 12ae4bd59..889dcde6c 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go 
@@ -23,7 +23,7 @@ func init() { } type Mqueue struct { - Base + RuleBase Qualifier Access []string Type string @@ -47,7 +47,7 @@ func newMqueue(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Mqueue{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Type: rule.GetValuesAsString("type"), @@ -64,7 +64,7 @@ func newMqueueFromLog(log map[string]string) Rule { mqueueType = "sysv" } return &Mqueue{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(MQUEUE, log["requested"])), Type: mqueueType, @@ -73,18 +73,6 @@ func newMqueueFromLog(log map[string]string) Rule { } } -func (r *Mqueue) Kind() Kind { - return MQUEUE -} - -func (r *Mqueue) Constraint() Constraint { - return BlockRule -} - -func (r *Mqueue) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Mqueue) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) 
@@ -112,31 +100,25 @@ func (r *Mqueue) Compare(other Rule) int { func (r *Mqueue) Merge(other Rule) bool { o, _ := other.(*Mqueue) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Label == o.Label && r.Name == o.Name { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Mqueue) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Access), - length("type=", r.Type), - length("label=", r.Label), - length("", r.Name), - } +func (r *Mqueue) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Mqueue) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "type=", "label=", ""}, - []any{r.Access, r.Type, r.Label, r.Name})..., - ) +func (r *Mqueue) Constraint() constraint { + return blockKind +} + +func (r *Mqueue) Kind() Kind { + return MQUEUE } diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 15dd4385e..38818de13 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go 
@@ -33,54 +33,34 @@ func init() { } } -type LocalAddress struct { - IP string - Port string +type AddressExpr struct { + Source string + Destination string + Port string } -func newLocalAddressFromLog(log map[string]string) LocalAddress { - return LocalAddress{ - IP: log["laddr"], - Port: log["lport"], +func newAddressExprFromLog(log map[string]string) AddressExpr { + return AddressExpr{ + Source: log["laddr"], + Destination: log["faddr"], + Port: log["lport"], } } -func (r LocalAddress) Compare(other LocalAddress) int { - if res := compare(r.IP, other.IP); res != 0 { +func (r AddressExpr) Compare(other AddressExpr) int { + if res := compare(r.Source, other.Source); res != 0 { + return res + } + if res := compare(r.Destination, other.Destination); res != 0 { return res } return compare(r.Port, other.Port) } -type PeerAddress struct { - IP string - Port string - Src string -} - -func newPeerAddressFromLog(log map[string]string) PeerAddress { - return PeerAddress{ - IP: log["faddr"], - Port: log["fport"], - Src: log["saddr"], - } -} - -func (r PeerAddress) Compare(other PeerAddress) int { - if res := compare(r.IP, other.IP); res != 0 { - return res - } - if res := compare(r.Port, other.Port); res != 0 { - return res - } - return compare(r.Src, other.Src) -} - type Network struct { - Base + RuleBase Qualifier - LocalAddress - PeerAddress + AddressExpr Domain string Type string Protocol string @@ -100,7 +80,7 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { } } return &Network{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Domain: domain, Type: nType, 
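Review bot: `newAddressExprFromLog` keeps only `log["laddr"]`, `log["faddr"]` and `log["lport"]`; the peer port (`log["fport"]`) and `log["saddr"]` that the removed `PeerAddress` carried are discarded, so two log entries differing only in peer port now yield rules that `AddressExpr.Compare` treats as equal. Whether the rendered network rule needs the peer port depends on the template, which is outside this diff. The field names also invite misreading: `Source` holds the local address and `Destination` the foreign one, but `Port` is the local port only; a comment on the struct such as `// Port is the local port (lport); the peer port is not tracked` would prevent that confusion.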
@@ -110,28 +90,15 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - LocalAddress: newLocalAddressFromLog(log), - PeerAddress: newPeerAddressFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + RuleBase: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + AddressExpr: newAddressExprFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } -func (r *Network) Kind() Kind { - return NETWORK -} - -func (r *Network) Constraint() Constraint { - return BlockRule -} - -func (r *Network) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Network) Validate() error { if err := validateValues(r.Kind(), "domains", []string{r.Domain}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -156,32 +123,20 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { - return res - } - if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { + if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) } -func (r *Network) Merge(other Rule) bool { - return false // Never merge network +func (r *Network) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Network) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Domain), - length("", r.Type), - length("", r.Protocol), - } +func (r *Network) Constraint() constraint { + return blockKind } -func (r *Network) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "", ""}, - []any{r.Domain, r.Type, r.Protocol})..., - ) +func (r *Network) Kind() Kind { + return NETWORK } 
diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 3b737abfd..24117700a 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,8 +15,6 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" - tokPROMPT = "prompt" - tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -189,11 +187,11 @@ func parseParagraph(input string) (Rules, error) { } res = append(res, rrr...) - // for _, r := range res { - // if r.Constraint() == PreambleRule { - // return nil, fmt.Errorf("Rule not allowed in block: %s", r) - // } - // } + for _, r := range res { + if r.Constraint() == preambleKind { + return nil, fmt.Errorf("Rule not allowed in block: %s", r) + } + } return res, nil } @@ -288,7 +286,10 @@ func parseRule(str string) rule { res := make(rule, 0, len(str)/2) tokens := tokenizeRule(str) - inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) + inAare := false + if len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) { + inAare = true + } for idx, token := range tokens { switch { case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit @@ -494,15 +495,9 @@ func (r rule) String() string { } func isAARE(str string) bool { - if len(str) < 1 { - return false - } - switch str[0] { - case '@', '/', '"': - return true - default: - return false - } + return strings.HasPrefix(str, "@") || + strings.HasPrefix(str, "/") || + strings.HasPrefix(str, "\"") } // Convert a slice of internal rules to a slice of ApparmorRule. @@ -513,7 +508,7 @@ func newRules(rules []rule) (Rules, error) { for _, rule := range rules { if len(rule) == 0 { - return nil, fmt.Errorf("empty rule") + return nil, fmt.Errorf("Empty rule") } owner := false 
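Review bot: The newly enabled loop in `parseParagraph` returns `fmt.Errorf("Rule not allowed in block: %s", r)`, and the same set of hunks changes `"empty rule"` to `"Empty rule"` and, in the next hunk set, `"unrecognized rule: %s"` to `"Unrecognized rule: %s"`; Go convention (staticcheck ST1005) is for error strings to start lowercase and carry no trailing punctuation, because they are usually wrapped into a longer message with `%w`. Keeping the lowercase forms the removed lines used is the smaller change. `parsePreamble`, which already uses the capitalised `"Rule not allowed in preamble: %s"`, could be aligned at the same time.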
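Review bot: `inAare := false` followed by `if len(tokens) > 0 && (...) { inAare = true }` in `parseRule` is the three-line form of the single boolean assignment the removed line used; `inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER)` reads the same and avoids a mutable flag. The rest of `parseRule` runs past the hunk.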
@@ -526,11 +521,7 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokPRIORITY: - q.Priority = rule.GetValues(tokPRIORITY).GetString() - rule = rule[1:] - goto qualifier - case tokALLOW, tokDENY, tokPROMPT: + case tokALLOW, tokDENY: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier @@ -566,7 +557,7 @@ func newRules(rules []rule) (Rules, error) { // return nil, fmt.Errorf("Unknown rule: %s", rule) } } else { - return nil, fmt.Errorf("unrecognized rule: %s", rule) + return nil, fmt.Errorf("Unrecognized rule: %s", rule) } } } @@ -597,7 +588,7 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error { f.Preamble = append(f.Preamble, commaRules...) for _, r := range f.Preamble { - if r.Constraint() == BlockRule { + if r.Constraint() == blockKind { f.Preamble = nil return fmt.Errorf("Rule not allowed in preamble: %s", r) } @@ -608,7 +599,7 @@ func (f *AppArmorProfileFile) parsePreamble(preamble string) error { // Parse an apparmor profile file. // -// Warning: It is purposely an uncomplete basic parser for apparmor profile, +// Warning: It is purposelly an uncomplete basic parser for apparmor profile, // it is only aimed for internal tooling purpose. For "simplicity", it is not // using antlr / participle. It is only used for experimental feature in the // apparmor.d project. @@ -660,9 +651,9 @@ done: return nb, nil } -// ParseRules parses apparmor profile rules by paragraphs -func ParseRules(input string) (ParaRules, []string, error) { - paragraphRules := ParaRules{} +// Parse apparmor profile rules by paragraphs +func ParseRules(input string) ([]Rules, []string, error) { + paragraphRules := []Rules{} paragraphs := []string{} for _, match := range regParagraph.FindAllStringSubmatch(input, -1) { diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 71607fd32..a1016b19b 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go 
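Review bot: The doc comment on `Parse` now reads `purposelly an uncomplete basic parser`; the removed line had `purposely`, and `uncomplete` should be `incomplete` in either version: `// Warning: It is purposely an incomplete basic parser for apparmor profile,`.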
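Review bot: The comment on `ParseRules` is changed to `// Parse apparmor profile rules by paragraphs`, which no longer starts with the function name as Go doc convention expects; `// ParseRules parses apparmor profile rules by paragraphs.` keeps godoc and linters happy. The return type also changes from the named `ParaRules` to `[]Rules`; if `ParaRules` is exported and referenced elsewhere, that is an API change for callers, which this diff does not show.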
@@ -8,11 +8,13 @@ import ( "reflect" "strings" "testing" + + "github.com/roddhjav/apparmor.d/pkg/util" ) func Test_tokenizeRule(t *testing.T) { inHeader = true - for _, tt := range testParseRules { + for _, tt := range testRules { t.Run(tt.name, func(t *testing.T) { if got := tokenizeRule(tt.raw); !reflect.DeepEqual(got, tt.tokens) { t.Errorf("tokenize() = %v, want %v", got, tt.tokens) @@ -23,7 +25,7 @@ func Test_tokenizeRule(t *testing.T) { func Test_parseRule(t *testing.T) { inHeader = true - for _, tt := range testParseRules { + for _, tt := range testRules { t.Run(tt.name, func(t *testing.T) { if got := parseRule(tt.raw); !reflect.DeepEqual(got, tt.rule) { t.Errorf("parseRule() = %v, want %v", got, tt.rule) @@ -33,7 +35,7 @@ func Test_parseRule(t *testing.T) { } func Test_rule_Getter(t *testing.T) { - for _, tt := range testParseRules { + for _, tt := range testRules { t.Run(tt.name, func(t *testing.T) { if tt.wGetAsMap == nil { tt.wGetAsMap = map[string][]string{} @@ -111,7 +113,7 @@ func Test_parseCommaRules(t *testing.T) { } func Test_newRules(t *testing.T) { - for _, tt := range testParseRules { + for _, tt := range testRules { if tt.wRule == nil { continue } @@ -157,7 +159,7 @@ func Test_AppArmorProfileFile_Parse(t *testing.T) { var ( // Test cases for tokenizeRule, parseRule,rule getters, and newRules - testParseRules = []struct { + testRules = []struct { name string raw string tokens []string @@ -495,7 +497,7 @@ var ( wString: "signal receive set=(cont term winch) peer=at-spi-bus-launcher", wRule: &Signal{ Access: []string{"receive"}, - Set: []string{"cont", "term", "winch"}, + Set: []string{"term", "cont", "winch"}, Peer: "at-spi-bus-launcher", }, }, 
@@ -753,14 +755,14 @@ var ( @{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable`, want: "\n\n\n", rules: Rules{ - &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " IsLineRule comment"}}, &Include{ - Base: Base{Comment: " comment included"}, - IsMagic: true, Path: "tunables/global", + RuleBase: RuleBase{Comment: " comment included"}, + IsMagic: true, Path: "tunables/global", }, &Variable{ - Base: Base{Comment: " comment in variable"}, - Name: "lib_dirs", Define: true, + RuleBase: RuleBase{Comment: " comment in variable"}, + Name: "lib_dirs", Define: true, Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, }, @@ -841,7 +843,7 @@ var ( raw string apparmor *AppArmorProfileFile wParseErr bool - wRules ParaRules + wRules []Rules wParseRulesErr bool }{ { @@ -849,7 +851,7 @@ var ( raw: "", apparmor: &AppArmorProfileFile{}, wParseErr: false, - wRules: ParaRules{}, + wRules: []Rules{}, wParseRulesErr: false, }, { @@ -860,20 +862,20 @@ var ( @{lib_dirs} = @{lib}/@{name} /opt/@{name} # comment in variable`, apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{IsLineRule: true, Comment: " IsLineRule comment"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " IsLineRule comment"}}, &Include{ - Base: Base{Comment: " comment included"}, - Path: "tunables/global", IsMagic: true, + RuleBase: RuleBase{Comment: " comment included"}, + Path: "tunables/global", IsMagic: true, }, &Variable{ - Base: Base{Comment: " comment in variable"}, - Name: "lib_dirs", Define: true, + RuleBase: RuleBase{Comment: " comment in variable"}, + Name: "lib_dirs", Define: true, Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, }, }, wParseErr: false, - wRules: ParaRules{}, + wRules: []Rules{}, wParseRulesErr: false, }, { 
@@ -891,9 +893,9 @@ var ( `, apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{IsLineRule: true, Comment: " Simple test"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " Simple test"}}, &Include{IsMagic: true, Path: "tunables/global"}, - &Comment{Base: Base{IsLineRule: true, Comment: " { commented block }"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " { commented block }"}}, &Variable{Name: "name", Values: []string{"{D,d}ummy"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"@{bin}/@{name}"}, Define: true}, &Variable{Name: "exec_path", Values: []string{"@{lib}/@{name}"}}, @@ -912,15 +914,15 @@ var ( }, }, wParseErr: false, - wRules: ParaRules{}, + wRules: []Rules{}, wParseRulesErr: false, }, { name: "string.aa", - raw: testData.Join("string.aa").MustReadFileAsString(), + raw: util.MustReadFile(testData.Join("string.aa")), apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, + &Comment{RuleBase: RuleBase{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, @@ -941,7 +943,7 @@ var ( }, }, wParseErr: false, - wRules: ParaRules{ + wRules: []Rules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -959,7 +961,7 @@ var ( }, { &Mount{ - Base: Base{IsLineRule: false, Comment: " failed perms check"}, + RuleBase: RuleBase{IsLineRule: false, Comment: " failed perms check"}, MountConditions: MountConditions{ FsType: "fuse.portal", Options: []string{"rw", "rbind"}, 
@@ -1015,18 +1017,18 @@ var ( }, { name: "full.aa", - raw: testData.Join("full.aa").MustReadFileAsString(), + raw: util.MustReadFile(testData.Join("full.aa")), apparmor: &AppArmorProfileFile{ Preamble: Rules{ - &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, &Include{ - Base: Base{Comment: " a comment", Optional: true}, - IsMagic: true, Path: "tunables/global", + RuleBase: RuleBase{Comment: " a comment", Optional: true}, + IsMagic: true, Path: "tunables/global", }, &Include{IfExists: true, Path: "/etc/apparmor.d/global/dummy space"}, &Variable{Name: "name", Values: []string{"torbrowser", "\"tor browser\""}, Define: true}, &Variable{ - Base: Base{Comment: " another comment"}, Define: true, + RuleBase: RuleBase{Comment: " another comment"}, Define: true, Name: "lib_dirs", Values: []string{"@{lib}/@{name}", "/opt/@{name}"}, }, &Variable{Name: "config_dirs", Values: []string{"@{HOME}/.mozilla/"}, Define: true}, @@ -1048,7 +1050,7 @@ var ( }, }, wParseErr: false, - wRules: ParaRules{ + wRules: []Rules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -1121,7 +1123,7 @@ var ( { &Signal{ Access: []string{"receive"}, - Set: []string{"cont", "term", "winch"}, + Set: []string{"term", "cont", "winch"}, Peer: "at-spi-bus-launcher", }, }, @@ -1150,7 +1152,7 @@ var ( }, }, { - &Comment{Base: Base{IsLineRule: true, Comment: " A comment! before a paragraph of rules"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " A comment! before a paragraph of rules"}}, &File{ Path: "\"/opt/Mullvad VPN/resources/*.so*\"", Access: []string{"m", "r"}, diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index 8632b4490..cfa6833ad 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go 
@@ -9,7 +9,7 @@ import "fmt" const PIVOTROOT Kind = "pivot_root" type PivotRoot struct { - Base + RuleBase Qualifier OldRoot string NewRoot string @@ -32,7 +32,7 @@ func newPivotRoot(q Qualifier, rule rule) (Rule, error) { } } return &PivotRoot{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, OldRoot: rule.GetValuesAsString("oldroot"), NewRoot: newroot, @@ -42,7 +42,7 @@ func newPivotRoot(q Qualifier, rule rule) (Rule, error) { func newPivotRootFromLog(log map[string]string) Rule { return &PivotRoot{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), OldRoot: log["srcname"], NewRoot: log["name"], @@ -50,18 +50,6 @@ func newPivotRootFromLog(log map[string]string) Rule { } } -func (r *PivotRoot) Kind() Kind { - return PIVOTROOT -} - -func (r *PivotRoot) Constraint() Constraint { - return BlockRule -} - -func (r *PivotRoot) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *PivotRoot) Validate() error { return nil } @@ -80,23 +68,14 @@ func (r *PivotRoot) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *PivotRoot) Merge(other Rule) bool { - return false // Never merge pivot root +func (r *PivotRoot) String() string { + return renderTemplate(r.Kind(), r) } -func (r *PivotRoot) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("oldroot=", r.OldRoot), - length("", r.NewRoot), - length("", r.TargetProfile), - } +func (r *PivotRoot) Constraint() constraint { + return blockKind } -func (r *PivotRoot) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"oldroot=", "", ""}, - []any{r.OldRoot, r.NewRoot, r.TargetProfile})..., - ) +func (r *PivotRoot) Kind() Kind { + return PIVOTROOT } diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 50e7dbef7..4ad65fe97 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go 
@@ -20,25 +20,13 @@ const ( ) type Comment struct { - Base + RuleBase } func newComment(rule rule) (Rule, error) { base := newBase(rule) base.IsLineRule = true - return &Comment{Base: base}, nil -} - -func (r *Comment) Kind() Kind { - return COMMENT -} - -func (r *Comment) Constraint() Constraint { - return AnyRule -} - -func (r *Comment) String() string { - return renderTemplate(r.Kind(), r) + return &Comment{RuleBase: base}, nil } func (r *Comment) Validate() error { @@ -49,18 +37,20 @@ func (r *Comment) Compare(other Rule) int { return 0 // Comments are always equal to each other as they are not compared } -func (r *Comment) Merge(other Rule) bool { - return false // Never merge comments +func (r *Comment) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Comment) Lengths() []int { - return []int{} // No len for comments +func (r *Comment) Constraint() constraint { + return anyKind } -func (r *Comment) setPaddings(max []int) {} // No paddings for comments +func (r *Comment) Kind() Kind { + return COMMENT +} type Abi struct { - Base + RuleBase Path string IsMagic bool } @@ -72,33 +62,21 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { } path := rule.Get(0) - switch path[0] { - case '"': + switch { + case path[0] == '"': magic = false - case '<': + case path[0] == '<': magic = true default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) } return &Abi{ - Base: newBase(rule), - Path: strings.Trim(path, "\"<>"), - IsMagic: magic, + RuleBase: newBase(rule), + Path: strings.Trim(path, "\"<>"), + IsMagic: magic, }, nil } -func (r *Abi) Kind() Kind { - return ABI -} - -func (r *Abi) Constraint() Constraint { - return PreambleRule -} - -func (r *Abi) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Abi) Validate() error { return nil } 
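Review bot: The rewritten `switch { case path[0] == '"': ... case path[0] == '<': ...` in `newAbi` still indexes `path[0]` without checking that `path` is non-empty; if `rule.Get(0)` can return `""` (its definition is outside this hunk), that is an index-out-of-range panic rather than the `invalid path` error the default branch intends. `if path == "" { return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) }` before the switch covers it. `newInclude` further down has the identical switch on `path[0]` and needs the same guard. The beginning of `newAbi`, where the rule length may already be checked, is outside the hunk.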
@@ -111,18 +89,20 @@ func (r *Abi) Compare(other Rule) int { return compare(r.IsMagic, o.IsMagic) } -func (r *Abi) Merge(other Rule) bool { - return false // Never merge abi +func (r *Abi) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Abi) Lengths() []int { - return []int{} // No len for abi +func (r *Abi) Constraint() constraint { + return preambleKind } -func (r *Abi) setPaddings(max []int) {} // No paddings for abi +func (r *Abi) Kind() Kind { + return ABI +} type Alias struct { - Base + RuleBase Path string RewrittenPath string } @@ -135,24 +115,12 @@ func newAlias(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid alias format, missing %s in: %s", tokARROW, rule) } return &Alias{ - Base: newBase(rule), + RuleBase: newBase(rule), Path: rule.Get(0), RewrittenPath: rule.Get(2), }, nil } -func (r *Alias) Kind() Kind { - return ALIAS -} - -func (r *Alias) Constraint() Constraint { - return PreambleRule -} - -func (r *Alias) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Alias) Validate() error { return nil } @@ -165,18 +133,20 @@ func (r *Alias) Compare(other Rule) int { return compare(r.RewrittenPath, o.RewrittenPath) } -func (r *Alias) Merge(other Rule) bool { - return false // Never merge alias +func (r *Alias) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Alias) Lengths() []int { - return []int{} // No len for alias +func (r *Alias) Constraint() constraint { + return preambleKind } -func (r *Alias) setPaddings(max []int) {} // No paddings for alias +func (r *Alias) Kind() Kind { + return ALIAS +} type Include struct { - Base + RuleBase IfExists bool Path string IsMagic bool 
@@ -198,34 +168,22 @@ func newInclude(rule rule) (Rule, error) { } path := r[0] - switch path[0] { - case '"': + switch { + case path[0] == '"': magic = false - case '<': + case path[0] == '<': magic = true default: return nil, fmt.Errorf("invalid path format: %v", path) } return &Include{ - Base: newBase(rule), + RuleBase: newBase(rule), IfExists: ifexists, Path: strings.Trim(path, "\"<>"), IsMagic: magic, }, nil } -func (r *Include) Kind() Kind { - return INCLUDE -} - -func (r *Include) Constraint() Constraint { - return AnyRule -} - -func (r *Include) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Include) Validate() error { return nil } @@ -248,18 +206,20 @@ func (r *Include) Compare(other Rule) int { return compare(r.IfExists, o.IfExists) } -func (r *Include) Merge(other Rule) bool { - return false // Never merge include +func (r *Include) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Include) Lengths() []int { - return []int{} // No len for include +func (r *Include) Constraint() constraint { + return anyKind } -func (r *Include) setPaddings(max []int) {} // No paddings for include +func (r *Include) Kind() Kind { + return INCLUDE +} type Variable struct { - Base + RuleBase Name string Values []string Define bool 
@@ -285,29 +245,28 @@ func newVariable(rule rule) (Rule, error) {
 return nil, fmt.Errorf("invalid operator in variable: %v", rule)
 }
 return &Variable{
- Base: newBase(rule),
- Name: name,
- Values: values,
- Define: define,
+ RuleBase: newBase(rule),
+ Name: name,
+ Values: values,
+ Define: define,
 }, nil
 }
 
-func (r *Variable) Kind() Kind {
- return VARIABLE
-}
-
-func (r *Variable) Constraint() Constraint {
- return PreambleRule
-}
-
-func (r *Variable) String() string {
- return renderTemplate(r.Kind(), r)
-}
-
 func (r *Variable) Validate() error {
 return nil
 }
 
+func (r *Variable) Merge(other Rule) bool {
+ o, _ := other.(*Variable)
+
+ if r.Name == o.Name && r.Define == o.Define {
+ r.Values = merge(r.Kind(), "access", r.Values, o.Values)
+ b := &r.RuleBase
+ return b.merge(o.RuleBase)
+ }
+ return false
+}
+
 func (r *Variable) Compare(other Rule) int {
 o, _ := other.(*Variable)
 if res := compare(r.Name, o.Name); res != 0 {
@@ -319,19 +278,14 @@ func (r *Variable) Compare(other Rule) int {
 return compare(r.Values, o.Values)
 }
 
-func (r *Variable) Merge(other Rule) bool {
- o, _ := other.(*Variable)
-
- if r.Name == o.Name && r.Define == o.Define {
- r.Values = merge(r.Kind(), "access", r.Values, o.Values)
- b := &r.Base
- return b.merge(o.Base)
- }
- return false
+func (r *Variable) String() string {
+ return renderTemplate(r.Kind(), r)
 }
 
-func (r *Variable) Lengths() []int {
- return []int{} // No len for variable
+func (r *Variable) Constraint() constraint {
+ return preambleKind
 }
 
-func (r *Variable) setPaddings(max []int) {} // No paddings for variable
+func (r *Variable) Kind() Kind {
+ return VARIABLE
+}
diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go
index 5d097cad9..a5ed8a6a5 100644
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
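Review bot: `o, _ := other.(*Variable)` in the new Variable.Merge discards the assertion result, so a caller that passes a rule of another kind gets a nil-pointer dereference at `o.Name` instead of a `false` return; write `o, ok := other.(*Variable)` followed by `if !ok { return false }`. The new Ptrace.Merge (L1470) and Signal.Merge (L1482) have the same shape; Compare uses it too, but that is pre-existing. If Rules.Merge only ever pairs rules of equal Kind the panic is unreachable today, but the guard is one line and makes each Merge safe on its own.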
@@ -20,17 +20,17 @@ const ( func init() { requirements[PROFILE] = requirement{ tokFLAGS: { - "attach_disconneced.path=", "attach_disconnected", "audit", - "chroot_relative", "complain", "debug", "default_allow", "enforce", - "interruptible", "kill.signal=", "kill", "kill", "mediate_deleted", - "prompt", "unconfined", + "enforce", "complain", "kill", "default_allow", "unconfined", + "prompt", "audit", "mediate_deleted", "attach_disconnected", + "attach_disconneced.path=", "chroot_relative", "debug", + "interruptible", "kill", "kill.signal=", }, } } // Profile represents a single AppArmor profile. type Profile struct { - Base + RuleBase Header Rules Rules } @@ -69,31 +69,31 @@ func newHeader(rule rule) (Header, error) { }, nil } -func (p *Profile) Kind() Kind { - return PROFILE +func (r *Profile) Validate() error { + if err := validateValues(r.Kind(), tokFLAGS, r.Flags); err != nil { + return fmt.Errorf("profile %s: %w", r.Name, err) + } + return r.Rules.Validate() } -func (p *Profile) Constraint() Constraint { - return BlockRule +func (r *Profile) Compare(other Rule) int { + o, _ := other.(*Profile) + if res := compare(r.Name, o.Name); res != 0 { + return res + } + return compare(r.Attachments, o.Attachments) } func (p *Profile) String() string { return renderTemplate(p.Kind(), p) } -func (p *Profile) Validate() error { - if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { - return fmt.Errorf("profile %s: %w", p.Name, err) - } - return p.Rules.Validate() +func (p *Profile) Constraint() constraint { + return blockKind } -func (p *Profile) Compare(other Rule) int { - o, _ := other.(*Profile) - if res := compare(p.Name, o.Name); res != 0 { - return res - } - return compare(p.Attachments, o.Attachments) +func (p *Profile) Kind() Kind { + return PROFILE } func (p *Profile) Merge(other Rule) bool { 
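Review bot: The reordered tokFLAGS list keeps `"attach_disconneced.path="` (missing a `t`) and lists `"kill"` twice, so validateValues — now reached through the rewritten Profile.Validate — rejects a profile that uses the correctly spelled `attach_disconnected.path=` flag; the fix is `"attach_disconnected.path="` and dropping the second `"kill"`. Both defects predate this commit, but the hunk rewrites exactly these lines. Style: the rewritten Validate and Compare use receiver `r` while String, Constraint, Kind and Merge on the same type keep `p`; Profile should use one receiver name throughout.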
@@ -103,12 +103,6 @@ func (p *Profile) Merge(other Rule) bool { return false } -func (p *Profile) Lengths() []int { - return []int{} // No len for profile -} - -func (p *Profile) setPaddings(max []int) {} // No paddings for profile - func (p *Profile) Sort() { p.Rules = p.Rules.Sort() } @@ -139,24 +133,16 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ - // class - "rlimits": newRlimitFromLog, - "namespace": newUsernsFromLog, - "cap": newCapabilityFromLog, - "net": func(log map[string]string) Rule { - if log["family"] == "unix" { - return newUnixFromLog(log) - } else { - return newNetworkFromLog(log) - } - }, - "posix_mqueue": newMqueueFromLog, - "sysv_mqueue": newMqueueFromLog, + "rlimits": newRlimitFromLog, + "cap": newCapabilityFromLog, + "io_uring": newIOUringFromLog, "signal": newSignalFromLog, "ptrace": newPtraceFromLog, + "namespace": newUsernsFromLog, "unix": newUnixFromLog, - "io_uring": newIOUringFromLog, "dbus": newDbusFromLog, + "posix_mqueue": newMqueueFromLog, + "sysv_mqueue": newMqueueFromLog, "mount": func(log map[string]string) Rule { if strings.Contains(log["flags"], "remount") { return newRemountFromLog(log) @@ -164,6 +150,7 @@ var ( newRule := newLogMountMap[log["operation"]] return newRule(log) }, + "net": newNetworkFromLog, "file": func(log map[string]string) Rule { if log["operation"] == "change_onexec" { return newChangeProfileFromLog(log) 
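Review bot: `"net": newNetworkFromLog` replaces a dispatcher that routed entries with `family == "unix"` to newUnixFromLog, so a unix-socket log entry of class `net` now becomes a `network` rule unless newNetworkFromLog handles that family itself, which is not visible here. Keeping the old wrapper for the `"net"` key, or a comment in newNetworkFromLog saying unix-family entries are expected, would make the intent explicit. The removed `// class` and `// operation` comments were the only hint of what the two key groups in newLogMap mean; `// keys are the log's class first, then its operation` above the map would restore that.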
@@ -171,20 +158,14 @@ var ( return newFileFromLog(log) } }, - // operation - "capable": newCapabilityFromLog, - "chmod": newFileFromLog, - "exec": newFileFromLog, - "getattr": newFileFromLog, - "link": newFileFromLog, - "mkdir": newFileFromLog, - "mknod": newFileFromLog, - "open": newFileFromLog, - "rename_dest": newFileFromLog, - "rename_src": newFileFromLog, - "rmdir": newFileFromLog, - "truncate": newFileFromLog, - "unlink": newFileFromLog, + "exec": newFileFromLog, + "getattr": newFileFromLog, + "mkdir": newFileFromLog, + "mknod": newFileFromLog, + "open": newFileFromLog, + "rename_src": newFileFromLog, + "truncate": newFileFromLog, + "unlink": newFileFromLog, } newLogMountMap = map[string]func(log map[string]string) Rule{ "mount": newMountFromLog, @@ -226,7 +207,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s:%v\n", log["operation"], log) + fmt.Printf("unknown log type: %s", log["operation"]) } } } diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 7e0990fe8..2c7f9f225 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -19,7 +19,7 @@ func init() { } type Ptrace struct { - Base + RuleBase Qualifier Access []string Peer string @@ -31,7 +31,7 @@ func newPtrace(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Ptrace{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Peer: rule.GetValuesAsString("peer"), 
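Review bot: `fmt.Printf("unknown log type: %s", log["operation"])` drops the trailing newline, so whatever is printed next is glued onto the message; restore it with `fmt.Printf("unknown log type: %s\n", log["operation"])`. The same line also stops printing the full log map, which was the only way to see what an unhandled entry contained, so it is worth keeping at least behind a verbose flag. The operation keys `capable`, `chmod`, `link`, `rename_dest` and `rmdir` are removed from newLogMap; unless AddRule's switch (mostly outside the hunk) matches those operations another way, such entries now fall into the `unknown log type` default and are absent from the generated profile.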
@@ -40,25 +40,13 @@ func newPtrace(q Qualifier, rule rule) (Rule, error) {
 
 func newPtraceFromLog(log map[string]string) Rule {
 return &Ptrace{
- Base: newBaseFromLog(log),
+ RuleBase: newBaseFromLog(log),
 Qualifier: newQualifierFromLog(log),
 Access: Must(toAccess(PTRACE, log["requested_mask"])),
 Peer: log["peer"],
 }
 }
 
-func (r *Ptrace) Kind() Kind {
- return PTRACE
-}
-
-func (r *Ptrace) Constraint() Constraint {
- return BlockRule
-}
-
-func (r *Ptrace) String() string {
- return renderTemplate(r.Kind(), r)
-}
-
 func (r *Ptrace) Validate() error {
 if err := validateValues(r.Kind(), "access", r.Access); err != nil {
 return fmt.Errorf("%s: %w", r, err)
@@ -66,6 +54,20 @@ func (r *Ptrace) Validate() error {
 return nil
 }
 
+func (r *Ptrace) Merge(other Rule) bool {
+ o, _ := other.(*Ptrace)
+
+ if !r.Qualifier.Equal(o.Qualifier) {
+ return false
+ }
+ if r.Peer == o.Peer {
+ r.Access = merge(r.Kind(), "access", r.Access, o.Access)
+ b := &r.RuleBase
+ return b.merge(o.RuleBase)
+ }
+ return false
+}
+
 func (r *Ptrace) Compare(other Rule) int {
 o, _ := other.(*Ptrace)
 if res := compare(r.Access, o.Access); res != 0 {
@@ -77,32 +79,14 @@ func (r *Ptrace) Compare(other Rule) int {
 return r.Qualifier.Compare(o.Qualifier)
 }
 
-func (r *Ptrace) Merge(other Rule) bool {
- o, _ := other.(*Ptrace)
-
- if !r.Equal(o.Qualifier) {
- return false
- }
- if r.Peer == o.Peer {
- r.Access = merge(r.Kind(), "access", r.Access, o.Access)
- b := &r.Base
- return b.merge(o.Base)
- }
- return false
+func (r *Ptrace) String() string {
+ return renderTemplate(r.Kind(), r)
 }
 
-func (r *Ptrace) Lengths() []int {
- return []int{
- r.getLenAudit(),
- r.getLenAccess(),
- length("", r.Access),
- length("peer=", r.Peer),
- }
+func (r *Ptrace) Constraint() constraint {
+ return blockKind
 }
 
-func (r *Ptrace) setPaddings(max []int) {
- r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings(
- max[2:], []string{"", "peer="},
- []any{r.Access, r.Peer})...,
- )
+func (r *Ptrace) Kind() Kind {
+ return PTRACE
 }
diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go
index 8dc09b2c6..26a03691e 100644
--- a/pkg/aa/resolve.go
+++ b/pkg/aa/resolve.go
@@ -10,6 +10,7 @@ import (
 "strings"
 
 "github.com/roddhjav/apparmor.d/pkg/paths"
+ "github.com/roddhjav/apparmor.d/pkg/util"
 )
 
 var (
@@ -80,7 +81,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) {
 values := []string{}
 match := regVariableReference.FindStringSubmatch(input)
 if len(match) == 0 {
- return nil, fmt.Errorf("invalid variable reference: %s", input)
+ return nil, fmt.Errorf("Invalid variable reference: %s", input)
 }
 
 variable := match[0]
@@ -105,7 +106,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) {
 }
 
 if !found {
- return nil, fmt.Errorf("variable %s not defined", varname)
+ return nil, fmt.Errorf("Variable %s not defined", varname)
 }
 return values, nil
 }
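Review bot: The error strings in resolveValues are changed to start with a capital letter (`"Invalid variable reference: %s"`, `"Variable %s not defined"`, and `"Invalid include: %v"` in resolveInclude on L1472); Go convention (staticcheck ST1005) keeps error strings lowercase because they are usually wrapped into a longer message, and the rest of this package still follows it (`"invalid alias format, missing %s in: %s"`, `"invalid operator in variable: %v"`). Keeping `"invalid variable reference: %s"` and the two companions lowercase avoids mixed-case output when these errors are chained with `%w`.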
@@ -113,7 +114,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { // resolveInclude resolves all includes defined in the profile preamble func (f *AppArmorProfileFile) resolveInclude(include *Include) error { if include == nil || include.Path == "" { - return fmt.Errorf("invalid include: %v", include) + return fmt.Errorf("Invalid include: %v", include) } _, isCached := includeCache[include] @@ -148,7 +149,7 @@ func (f *AppArmorProfileFile) resolveInclude(include *Include) error { iFile := &AppArmorProfileFile{} for _, file := range files { - raw, err := file.ReadFileAsString() + raw, err := util.ReadFile(file) if err != nil { return err } diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 1e4a54fe5..52168cc7a 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -31,7 +31,7 @@ func TestAppArmorProfileFile_resolveInclude(t *testing.T) { Preamble: Rules{ &Alias{Path: "/usr/", RewrittenPath: "/User/"}, &Alias{Path: "/lib/", RewrittenPath: "/Libraries/"}, - &Comment{Base: Base{IsLineRule: true, Comment: " variable declarations for inclusion"}}, + &Comment{RuleBase: RuleBase{IsLineRule: true, Comment: " variable declarations for inclusion"}}, &Variable{ Name: "FOO", Define: true, Values: []string{ @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}bin/foo"}, + want: []string{"/{,usr/}{,s}bin/foo"}, }, { name: "double", diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index 29c617ff1..959ac4eec 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -21,7 +21,7 @@ func init() { } type Rlimit struct { - Base + RuleBase Key string Op string Value string 
@@ -35,34 +35,22 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid rlimit format: %s", rule) } return &Rlimit{ - Base: newBase(rule), - Key: rule.Get(1), - Op: rule.Get(2), - Value: rule.Get(3), + RuleBase: newBase(rule), + Key: rule.Get(1), + Op: rule.Get(2), + Value: rule.Get(3), }, nil } func newRlimitFromLog(log map[string]string) Rule { return &Rlimit{ - Base: newBaseFromLog(log), - Key: log["rlimit"], - Op: "<=", - Value: log["value"], + RuleBase: newBaseFromLog(log), + Key: log["key"], + Op: log["op"], + Value: log["value"], } } -func (r *Rlimit) Kind() Kind { - return RLIMIT -} - -func (r *Rlimit) Constraint() Constraint { - return BlockRule -} - -func (r *Rlimit) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Rlimit) Validate() error { if err := validateValues(r.Kind(), "keys", []string{r.Key}); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -81,21 +69,14 @@ func (r *Rlimit) Compare(other Rule) int { return compare(r.Value, o.Value) } -func (r *Rlimit) Merge(other Rule) bool { - return false // Never merge rlimit +func (r *Rlimit) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Rlimit) Lengths() []int { - return []int{ - length("", r.Key), - length("", r.Op), - length("", r.Value), - } +func (r *Rlimit) Constraint() constraint { + return blockKind } -func (r *Rlimit) setPaddings(max []int) { - r.Paddings = setPaddings( - max, []string{"", "", ""}, - []any{r.Key, r.Op, r.Value}, - ) +func (r *Rlimit) Kind() Kind { + return RLIMIT } diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index 8e8ed5d95..d216c758b 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go 
@@ -6,16 +6,19 @@ package aa
 
 import (
 "slices"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/util"
 )
 
 type requirement map[string][]string
 
-type Constraint uint
+type constraint uint
 
 const (
- AnyRule Constraint = iota // The rule can be found in either preamble or profile
- PreambleRule // The rule can only be found in the preamble
- BlockRule // The rule can only be found in a profile
+ anyKind constraint = iota // The rule can be found in either preamble or profile
+ preambleKind // The rule can only be found in the preamble
+ blockKind // The rule can only be found in a profile
 )
 
 // Kind represents an AppArmor rule kind.
@@ -34,16 +37,12 @@ func (k Kind) Tok() string {
 
 // Rule generic interface for all AppArmor rules
 type Rule interface {
- Kind() Kind // Kind of the rule
- Constraint() Constraint // Where the rule can be found (preamble, profile, any)
- String() string // Render the rule as a string
- Validate() error // Validate the rule. Return an error if the rule is invalid
- Compare(other Rule) int // Compare two rules. Return 0 if they are identical
- Merge(other Rule) bool // Merge rules of same kind together. Return true if merged
- Padding(i int) string // Padding for rule items at index i
- Lengths() []int // Length of each item in the rule
- setPaddings(max []int) // Set paddings for each item in the rule
- addLine(other Rule) bool // Check either a new line should be added before the rule
+ Validate() error
+ Compare(other Rule) int
+ Merge(other Rule) bool
+ String() string
+ Constraint() constraint
+ Kind() Kind
 }
 
 type Rules []Rule
@@ -94,7 +93,7 @@ func (r Rules) Delete(i int) Rules {
 }
 
 func (r Rules) DeleteKind(kind Kind) Rules {
- res := make(Rules, 0, len(r))
+ res := make(Rules, 0)
 for _, rule := range r {
 if rule == nil {
 continue
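Review bot: `Constraint() constraint` puts an unexported type into the method set of the exported `Rule` interface, so no package outside `aa` can implement Rule and external callers cannot name the returned value; if sealing the interface is the intent, a comment on `Rule` should say so, otherwise keep the type exported. The rewritten interface also drops every per-method comment the old one carried (`// Validate the rule. Return an error if the rule is invalid`, `// Compare two rules. Return 0 if they are identical`, ...); they cost nothing to keep. `make(Rules, 0)` in DeleteKind (and in Filter, GetVariables and GetIncludes on L1475) discards the `len(r)` capacity hint with no visible benefit.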
@@ -106,8 +105,8 @@ func (r Rules) DeleteKind(kind Kind) Rules { return res } -func (r Rules) FilterOut(filter Kind) Rules { - res := make(Rules, 0, len(r)) +func (r Rules) Filter(filter Kind) Rules { + res := make(Rules, 0) for _, rule := range r { if rule == nil { continue @@ -119,21 +118,8 @@ func (r Rules) FilterOut(filter Kind) Rules { return res } -func (r Rules) Filter(filter Kind) Rules { - res := make(Rules, 0, len(r)) - for _, rule := range r { - if rule == nil { - continue - } - if rule.Kind() == filter { - res = append(res, rule) - } - } - return res -} - func (r Rules) GetVariables() []*Variable { - res := make([]*Variable, 0, len(r)) + res := make([]*Variable, 0) for _, rule := range r { switch rule := rule.(type) { case *Variable: @@ -144,7 +130,7 @@ func (r Rules) GetVariables() []*Variable { } func (r Rules) GetIncludes() []*Include { - res := make([]*Include, 0, len(r)) + res := make([]*Include, 0) for _, rule := range r { switch rule := rule.(type) { case *Include: @@ -154,7 +140,8 @@ func (r Rules) GetIncludes() []*Include { return res } -// Merge merge similar rules together: +// Merge merge similar rules together. +// Steps: // - Remove identical rules // - Merge rule access. Eg: for same path, 'r' and 'w' becomes 'rw' // 
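Review bot: The renamed `Filter` keeps the body of the former `FilterOut` while the previous `Filter` is deleted, so if the kept selection test (just outside the hunk) is still the exclusion form, every existing caller of `Filter` now gets the complementary result; the callers are not in this diff, so this should be confirmed. Whichever way it selects, the function deserves a doc comment that states it, e.g. `// Filter returns the rules whose Kind equals filter.`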
@@ -210,70 +197,90 @@ func (r Rules) Sort() Rules { return r } -// setPaddings set paddings for each element in each rules -func (r *Rules) setPaddings(paddingsIndex map[Kind][]int, paddingsMaxLen map[Kind][]int) { - for kind, index := range paddingsIndex { - if len(index) <= 1 { - continue - } - for _, i := range index { - (*r)[i].setPaddings(paddingsMaxLen[kind]) - } - } -} - -// Format the rules for better readability before printing it. Format supposes -// the rules are merged and sorted. +// Format the rules for better readability before printing it. // Follow: https://apparmor.pujol.io/development/guidelines/#the-file-block func (r Rules) Format() Rules { - // Insert new line between rule of different type/subtype. - for i := len(r) - 1; i >= 0; i-- { - j := i - 1 - if j < 0 || r[j] == nil { - continue - } - if r[i].addLine(r[j]) { - r = r.Insert(i, nil) - } - } + const prefixOwner = " " + suffixMaxlen := 36 + transitions := append(requirements[FILE]["transition"], "m") - // Find max paddings for each element in each rules - paddingsIndex := map[Kind][]int{} - paddingsMaxLen := map[Kind][]int{} + paddingIndex := []int{} + paddingMaxLenght := 0 for i, rule := range r { if rule == nil { - r.setPaddings(paddingsIndex, paddingsMaxLen) - paddingsIndex = map[Kind][]int{} - paddingsMaxLen = map[Kind][]int{} continue } - lengths := rule.Lengths() - paddingsIndex[rule.Kind()] = append(paddingsIndex[rule.Kind()], i) - for idx, length := range lengths { - if _, ok := paddingsMaxLen[rule.Kind()]; !ok { - paddingsMaxLen[rule.Kind()] = make([]int, len(lengths)) + if rule.Kind() == FILE { + rule := r[i].(*File) + + // Add padding to align with other transition rule + isTransition := util.Intersect(transitions, rule.Access) + if len(isTransition) > 0 { + ruleLen := len(rule.Path) + 1 + paddingMaxLenght = max(ruleLen, paddingMaxLenght) + paddingIndex = append(paddingIndex, i) + } + + // Add suffix to align comment on udev/data rule + if rule.Comment != "" && 
strings.HasPrefix(rule.Path, "@{run}/udev/data/") { + suffixlen := suffixMaxlen - len(rule.Path) + if suffixlen < 0 { + suffixlen = 0 + } + rule.Suffix = strings.Repeat(" ", suffixlen) + } + } + } + if len(paddingIndex) > 1 { + r.setPadding(paddingIndex, paddingMaxLenght) + } + + hasOwnerRule := false + for i := len(r) - 1; i >= 0; i-- { + if r[i] == nil { + hasOwnerRule = false + continue + } + + // File rule + if r[i].Kind() == FILE { + rule := r[i].(*File) + + // Add prefix before rule path to align with other rule + if rule.Owner { + hasOwnerRule = true + } else if hasOwnerRule { + rule.Prefix = prefixOwner + } + + // Do not add new line on executable rule + isTransition := util.Intersect(transitions, rule.Access) + if len(isTransition) > 0 { + continue + } + + // Add a new line between Files rule of different group type + j := i - 1 + if j < 0 || r[j] == nil || r[j].Kind() != FILE { + continue + } + letterI := getLetterIn(fileAlphabet, rule.Path) + letterJ := getLetterIn(fileAlphabet, r[j].(*File).Path) + groupI, ok1 := fileAlphabetGroups[letterI] + groupJ, ok2 := fileAlphabetGroups[letterJ] + if letterI != letterJ && !(ok1 && ok2 && groupI == groupJ) { + hasOwnerRule = false + r = r.Insert(i, nil) } - paddingsMaxLen[rule.Kind()][idx] = max(paddingsMaxLen[rule.Kind()][idx], length) } } - r.setPaddings(paddingsIndex, paddingsMaxLen) return r } -// ParaRules is a slice of Rules grouped by paragraph -type ParaRules []Rules - -func (r ParaRules) Flatten() Rules { - totalLen := 0 - for i := range r { - totalLen += len(r[i]) +// setPadding adds padding to the rule path to align with other rules. +func (r *Rules) setPadding(paddingIndex []int, paddingMaxLenght int) { + for _, i := range paddingIndex { + (*r)[i].(*File).Padding = strings.Repeat(" ", paddingMaxLenght-len((*r)[i].(*File).Path)) } - - res := make(Rules, 0, totalLen) - for i := range r { - res = append(res, r[i]...) - } - - return res } 
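Review bot: `transitions := append(requirements[FILE]["transition"], "m")` appends to a slice taken from the package-level requirements map; when that slice has spare capacity the append writes `"m"` into the shared backing array, and every later reader of `requirements[FILE]["transition"]` sees a transition list containing `m`. Copy first: `transitions := append(slices.Clone(requirements[FILE]["transition"]), "m")` (`slices` is already imported in rules.go). `paddingMaxLenght` is misspelled in both Format and setPadding (`paddingMaxLength`), and `r[i].(*File)` is asserted unchecked in both loops and again in setPadding; the first loop already proves the Kind, but a comma-ok assertion would keep Format from panicking if Rules ever holds a FILE-kind rule of another concrete type.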
diff --git a/pkg/aa/rule_test.go b/pkg/aa/rules_test.go similarity index 85% rename from pkg/aa/rule_test.go rename to pkg/aa/rules_test.go index ed6e7043d..b3aa67b75 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rules_test.go @@ -9,7 +9,7 @@ import ( "testing" ) -func TestRule_FromLog(t *testing.T) { +func TestRules_FromLog(t *testing.T) { for _, tt := range testRule { if tt.fromLog == nil { continue @@ -22,17 +22,7 @@ func TestRule_FromLog(t *testing.T) { } } -func TestRule_String(t *testing.T) { - for _, tt := range testRule { - t.Run(tt.name, func(t *testing.T) { - if got := tt.rule.String(); got != tt.wString { - t.Errorf("Rule.String() = %v, want %v", got, tt.wString) - } - }) - } -} - -func TestRule_Validate(t *testing.T) { +func TestRules_Validate(t *testing.T) { for _, tt := range testRule { t.Run(tt.name, func(t *testing.T) { if err := tt.rule.Validate(); (err != nil) != tt.wValidErr { @@ -42,7 +32,7 @@ func TestRule_Validate(t *testing.T) { } } -func TestRule_Compare(t *testing.T) { +func TestCapability_Compare(t *testing.T) { for _, tt := range testRule { t.Run(tt.name, func(t *testing.T) { if got := tt.rule.Compare(tt.other); got != tt.wCompare { @@ -52,7 +42,17 @@ func TestRule_Compare(t *testing.T) { } } -func TestRule_Merge(t *testing.T) { +func TestRules_String(t *testing.T) { + for _, tt := range testRule { + t.Run(tt.name, func(t *testing.T) { + if got := tt.rule.String(); got != tt.wString { + t.Errorf("Rule.String() = %v, want %v", got, tt.wString) + } + }) + } +} + +func TestCapability_Merge(t *testing.T) { for _, tt := range testRule { t.Run(tt.name, func(t *testing.T) { if got := tt.rule.Merge(tt.other); got != tt.wMerge { @@ -124,7 +124,7 @@ var ( wString: "include if exists ", }, { - name: "include-abs", + name: "include/abs", rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true}, wCompare: -1, 
@@ -190,7 +190,7 @@ var ( wString: "capability net_admin,", }, { - name: "capability-multi", + name: "capability/multi", rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, other: capability2, wCompare: -15, @@ -198,7 +198,7 @@ var ( wString: "capability dac_override dac_read_search,", }, { - name: "capability-all", + name: "capability/all", rule: &Capability{}, other: capability2, wCompare: -1, @@ -216,24 +216,13 @@ var ( wMerge: false, wString: "network netlink raw,", }, - { - name: "network3", - fromLog: newNetworkFromLog, - log: network3Log, - rule: network3, - wValidErr: true, - other: network1, - wCompare: -7, - wMerge: false, - wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", - }, { name: "mount", fromLog: newMountFromLog, log: mount1Log, rule: mount1, other: mount2, - wCompare: 37, + wCompare: 38, wMerge: false, wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", }, @@ -261,7 +250,7 @@ var ( log: pivotroot1Log, rule: pivotroot1, other: pivotroot2, - wCompare: -5, + wCompare: 7, wMerge: false, wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", }, @@ -318,7 +307,7 @@ var ( wString: "signal receive set=kill peer=firefox//&firejail-default,", }, { - name: "ptrace-xdg-document-portal", + name: "ptrace/xdg-document-portal", fromLog: newPtraceFromLog, log: ptrace1Log, rule: ptrace1, @@ -328,7 +317,7 @@ var ( wString: "ptrace read peer=nautilus,", }, { - name: "ptrace-snap-update-ns.firefox", + name: "ptrace/snap-update-ns.firefox", fromLog: newPtraceFromLog, log: ptrace2Log, rule: ptrace2, @@ -366,7 +355,7 @@ var ( wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", }, { - name: "dbus-bind", + name: "dbus/bind", rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, other: dbus2, wCompare: -39, 
@@ -392,33 +381,31 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file-all", + name: "file/empty", rule: &File{}, other: &File{}, wCompare: 0, wMerge: true, - wString: " ,", // FIXME: + wString: " ,", }, { - name: "file-equal", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wValidErr: true, - wCompare: 0, - wMerge: true, - wString: "/usr/share/poppler/cMap/Identity-H ,", + name: "file/equal", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: 0, + wMerge: true, + wString: "/usr/share/poppler/cMap/Identity-H ,", }, { - name: "file-owner", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 1, - wValidErr: true, - wMerge: false, - wString: "owner /usr/share/poppler/cMap/Identity-H ,", + name: "file/owner", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: 1, + wMerge: false, + wString: "owner /usr/share/poppler/cMap/Identity-H ,", }, { - name: "file-access", + name: "file/access", rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, wCompare: -5, @@ -426,13 +413,12 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file-close", - rule: &File{Path: "/usr/share/poppler/cMap/"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: -10, - wValidErr: true, - wMerge: false, - wString: "/usr/share/poppler/cMap/ ,", + name: "file/close", + rule: &File{Path: "/usr/share/poppler/cMap/"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: -10, + wMerge: false, + wString: "/usr/share/poppler/cMap/ ,", }, { name: "link1", 
diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index 319e16584..097e8b827 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go @@ -16,11 +16,11 @@ func init() { "r", "w", "rw", "read", "write", "send", "receive", }, "set": { - "abrt", "alrm", "bus", "chld", "cont", "emt", "exists", "fpe", "hup", - "ill", "int", "io", "kill", "pipe", "prof", "pwr", "quit", "segv", - "stkflt", "stop", "stp", "sys", "term", "trap", "ttin", "ttou", - "urg", "usr1", "usr2", "vtalrm", "winch", "xcpu", "xfsz", - "rtmin+0", "rtmin+1", "rtmin+2", "rtmin+3", "rtmin+4", + "hup", "int", "quit", "ill", "trap", "abrt", "bus", "fpe", + "kill", "usr1", "segv", "usr2", "pipe", "alrm", "term", "stkflt", + "chld", "cont", "stop", "stp", "ttin", "ttou", "urg", "xcpu", + "xfsz", "vtalrm", "prof", "winch", "io", "pwr", "sys", "emt", + "exists", "rtmin+0", "rtmin+1", "rtmin+2", "rtmin+3", "rtmin+4", "rtmin+5", "rtmin+6", "rtmin+7", "rtmin+8", "rtmin+9", "rtmin+10", "rtmin+11", "rtmin+12", "rtmin+13", "rtmin+14", "rtmin+15", "rtmin+16", "rtmin+17", "rtmin+18", "rtmin+19", "rtmin+20", @@ -32,7 +32,7 @@ func init() { } type Signal struct { - Base + RuleBase Qualifier Access []string Set []string @@ -49,7 +49,7 @@ func newSignal(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Signal{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Set: set, @@ -59,7 +59,7 @@ func newSignal(q Qualifier, rule rule) (Rule, error) { func newSignalFromLog(log map[string]string) Rule { return &Signal{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(SIGNAL, log["requested_mask"])), Set: []string{log["signal"]}, 
@@ -67,18 +67,6 @@ func newSignalFromLog(log map[string]string) Rule { } } -func (r *Signal) Kind() Kind { - return SIGNAL -} - -func (r *Signal) Constraint() Constraint { - return BlockRule -} - -func (r *Signal) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Signal) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) @@ -89,6 +77,25 @@ func (r *Signal) Validate() error { return nil } +func (r *Signal) Merge(other Rule) bool { + o, _ := other.(*Signal) + + if !r.Qualifier.Equal(o.Qualifier) { + return false + } + switch { + case r.Peer == o.Peer && compare(r.Set, o.Set) == 0: + r.Access = merge(r.Kind(), "access", r.Access, o.Access) + b := &r.RuleBase + return b.merge(o.RuleBase) + case r.Peer == o.Peer && compare(r.Access, o.Access) == 0: + r.Set = merge(r.Kind(), "set", r.Set, o.Set) + b := &r.RuleBase + return b.merge(o.RuleBase) + } + return false +} + func (r *Signal) Compare(other Rule) int { o, _ := other.(*Signal) if res := compare(r.Access, o.Access); res != 0 { 
@@ -103,38 +110,14 @@ func (r *Signal) Compare(other Rule) int { return r.Qualifier.Compare(o.Qualifier) } -func (r *Signal) Merge(other Rule) bool { - o, _ := other.(*Signal) - - if !r.Equal(o.Qualifier) { - return false - } - switch { - case r.Peer == o.Peer && compare(r.Set, o.Set) == 0: - r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) - case r.Peer == o.Peer && compare(r.Access, o.Access) == 0: - r.Set = merge(r.Kind(), "set", r.Set, o.Set) - b := &r.Base - return b.merge(o.Base) - } - return false +func (r *Signal) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Signal) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Access), - length("set=", r.Set), - length("peer=", r.Peer), - } +func (r *Signal) Constraint() constraint { + return blockKind } -func (r *Signal) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "set=", "peer="}, - []any{r.Access, r.Set, r.Peer})..., - ) +func (r *Signal) Kind() Kind { + return SIGNAL } diff --git a/pkg/aa/template.go b/pkg/aa/template.go index cb00d2f36..18f07bc2e 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -35,10 +35,17 @@ var ( // The apparmor templates tmpl = generateTemplates([]Kind{ // Global templates - "apparmor", PROFILE, HAT, "rules", + "apparmor", + PROFILE, + HAT, + "rules", // Preamble templates - ABI, ALIAS, INCLUDE, VARIABLE, COMMENT, + ABI, + ALIAS, + INCLUDE, + VARIABLE, + COMMENT, // Rules templates ALL, RLIMIT, USERNS, CAPABILITY, NETWORK, @@ -131,7 +138,7 @@ var ( // The order AARE should be sorted stringAlphabet = []byte( - "!\"#$%&'*(){}[]@+,-./:;<=>?\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", + "!\"#$%&'*(){}[]+,-./:;<=>?@\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", ) stringWeights = generateWeights(stringAlphabet) 
@@ -225,11 +232,11 @@ func cjoin(i any) string { } } -func kindOf(i Rule) string { +func kindOf(i any) string { if i == nil { return "" } - return i.Kind().String() + return i.(Rule).Kind().String() } func setindent(i string) string { diff --git a/pkg/aa/templates/rule/file.j2 b/pkg/aa/templates/rule/file.j2 index 52a41a318..8fc82698b 100644 --- a/pkg/aa/templates/rule/file.j2 +++ b/pkg/aa/templates/rule/file.j2 @@ -7,10 +7,11 @@ {{- if .Owner -}} {{- "owner " -}} {{- end -}} - {{- .Padding 2 -}} {{- .Path -}} {{- " " -}} - {{- .Padding 3 -}} + {{- with .Padding -}} + {{ . }} + {{- end -}} {{- range .Access -}} {{- . -}} {{- end -}} @@ -18,7 +19,9 @@ {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} + {{- with .Suffix -}} + {{ . }} + {{- end -}} {{- template "comment" . -}} {{- end -}} @@ -27,18 +30,18 @@ {{- if .Owner -}} {{- "owner " -}} {{- end -}} - {{- .Padding 2 -}} {{- "link " -}} {{- if .Subset -}} {{- "subset " -}} {{- end -}} - {{- .Padding 3 -}} {{- .Path -}} {{- " " -}} {{- with .Target -}} {{ "-> " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} + {{- with .Suffix -}} + {{ . }} + {{- end -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/io_uring.j2 b/pkg/aa/templates/rule/io_uring.j2 index 2bbaeda59..78e1aa17a 100644 --- a/pkg/aa/templates/rule/io_uring.j2 +++ b/pkg/aa/templates/rule/io_uring.j2 @@ -5,14 +5,12 @@ {{- define "io_uring" -}} {{- template "qualifier" . -}} {{- "io_uring" -}} - {{- with .Access -}} - {{ " " }}{{ cjoin . }} + {{- range .Access -}} + {{ " " }}{{ . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 3 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/mount.j2 b/pkg/aa/templates/rule/mount.j2 index 31e83567f..c97ead101 100644 --- a/pkg/aa/templates/rule/mount.j2 +++ b/pkg/aa/templates/rule/mount.j2 
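Review bot: `kindOf(i any)` performs an unchecked `i.(Rule)` after only a nil-interface test, so any non-Rule value handed to the template panics inside rendering instead of yielding an empty string; use `r, ok := i.(Rule)` and `if !ok { return "" }` before `r.Kind().String()`. Widening the parameter from Rule to any also gives up the compile-time check the old signature provided; if the template engine requires `any` here, a one-line comment saying so would help the next reader.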
@@ -8,20 +8,16 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} - {{- .Padding 3 -}} {{- with .Source -}} {{ " " }}{{ . }} {{- end -}} - {{- .Padding 4 -}} {{- with .MountPoint -}} {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 5 -}} {{- template "comment" . -}} {{- end -}} @@ -31,16 +27,13 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} - {{- .Padding 3 -}} {{- with .MountPoint -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} @@ -50,15 +43,12 @@ {{- with .FsType -}} {{ " fstype=" }}{{ . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Options -}} {{ " options=" }}{{ cjoin . }} {{- end -}} - {{- .Padding 3 -}} {{- with .MountPoint -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/mqueue.j2 b/pkg/aa/templates/rule/mqueue.j2 index 47147be4b..e2df27562 100644 --- a/pkg/aa/templates/rule/mqueue.j2 +++ b/pkg/aa/templates/rule/mqueue.j2 @@ -8,19 +8,15 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Type -}} {{ " type=" }}{{ . }} {{- end -}} - {{- .Padding 3 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} - {{- .Padding 4 -}} {{- with .Name -}} {{ " " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 5 -}} {{- template "comment" . -}} {{- end -}} diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 3694442be..6f2503a8b 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 
@@ -15,22 +15,6 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} - {{- with .LocalAddress.IP -}} - {{ " ip=" }}{{ . }} - {{- end -}} - {{- with .LocalAddress.Port -}} - {{ " port=" }}{{ . }} - {{- end -}} - {{- if and .PeerAddress.IP .PeerAddress.Port -}} - {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} - {{- else -}} - {{- with .PeerAddress.IP -}} - {{ " peer=(ip=" }}{{ . }}{{ ")" }} - {{- end -}} - {{- with .PeerAddress.Port -}} - {{ " peer=(port=" }}{{ . }}{{ ")" }} - {{- end -}} - {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/pivot_root.j2 b/pkg/aa/templates/rule/pivot_root.j2 index 678617ca0..d779e2c11 100644 --- a/pkg/aa/templates/rule/pivot_root.j2 +++ b/pkg/aa/templates/rule/pivot_root.j2 @@ -8,15 +8,12 @@ {{- with .OldRoot -}} {{ " oldroot=" }}{{ . }} {{- end -}} - {{- .Padding 2 -}} {{- with .NewRoot -}} {{ " " }}{{ . }} {{- end -}} - {{- .Padding 3 -}} {{- with .TargetProfile -}} {{ " -> " }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/ptrace.j2 b/pkg/aa/templates/rule/ptrace.j2 index 5f4fe3567..c499890b0 100644 --- a/pkg/aa/templates/rule/ptrace.j2 +++ b/pkg/aa/templates/rule/ptrace.j2 @@ -8,11 +8,9 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Peer -}} {{ " peer=" }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 3 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index 69181051a..ed89f63e0 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 
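Review bot: The network template no longer emits `ip=`, `port=` or `peer=(…)`, so a rule that carries address constraints renders as the unconstrained `network <family> <type>,` — a broader permission than the rule it represents. Unless the corresponding fields are also dropped from the Network struct elsewhere in this change (not visible here), this silently widens generated policy and nothing will catch it, since Go templates only fail on fields that do not exist. If the fields stay, keep the address block; if they are removed, a short comment at the top of the define stating that address constraints are intentionally not rendered would save the next reader the search.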
@@ -3,15 +3,13 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} - {{- with .Priority -}} - {{- "priority=" -}}{{ . }}{{ " " }} + {{- with .Prefix -}} + {{ . }} {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} - {{- .Padding 0 -}} {{- if eq .AccessType "deny" -}} {{- "deny " -}} {{- end -}} - {{- .Padding 1 -}} {{- end -}} diff --git a/pkg/aa/templates/rule/rlimit.j2 b/pkg/aa/templates/rule/rlimit.j2 index c6996ac28..5061c1c45 100644 --- a/pkg/aa/templates/rule/rlimit.j2 +++ b/pkg/aa/templates/rule/rlimit.j2 @@ -3,15 +3,5 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "rlimit" -}} - {{- "set rlimit " -}} - {{- .Key -}} - {{- " " -}} - {{- .Padding 2 -}} - {{- .Op -}} - {{- " " -}} - {{- .Padding 3 -}} - {{- .Value -}} - {{- "," -}} - {{- .Padding 4 -}} - {{- template "comment" . -}} -{{- end -}} + {{ "set rlimit " }}{{ .Key }} {{ .Op }} {{ .Value }}{{ "," }}{{ template "comment" . }} +{{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/signal.j2 b/pkg/aa/templates/rule/signal.j2 index fd2edd99d..b56085d8d 100644 --- a/pkg/aa/templates/rule/signal.j2 +++ b/pkg/aa/templates/rule/signal.j2 @@ -8,15 +8,12 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Set -}} {{ " set=" }}{{ cjoin . }} {{- end -}} - {{- .Padding 3 -}} {{- with .Peer -}} {{ " peer=" }}{{ . }} {{- end -}} {{- "," -}} - {{- .Padding 4 -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/unix.j2 b/pkg/aa/templates/rule/unix.j2 index fae6a5429..531eaaf9e 100644 --- a/pkg/aa/templates/rule/unix.j2 +++ b/pkg/aa/templates/rule/unix.j2 
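Review bot: The `priority=` keyword is no longer emitted by the qualifier template: the block now prints `.Prefix` verbatim and the explicit `{{ " " }}` separator that followed the priority is gone, so unless Prefix is built from Priority (trailing space included) somewhere outside this diff, a rule's priority is dropped from the rendered policy and precedence between overlapping rules changes without any error. A comment on the define making the contract visible, e.g. `{{- /* Prefix is rendered as-is and must end with a space, e.g. "priority=1 " */ -}}`, would tell whoever populates Prefix what the template expects.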
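Review bot: The rewritten rlimit line relies on literal spaces between template actions (`{{ .Key }} {{ .Op }} {{ .Value }}`) for its output, whereas every other rule template in this change produces whitespace only through explicit `{{ " " }}` strings and trim markers; an editor or formatter touching whitespace can therefore change rendered policy here without touching any action. The explicit form `{{ .Key }}{{ " " }}{{ .Op }}{{ " " }}{{ .Value }}` keeps the file consistent and robust, and the trailing newline the hunk removes from the end of the file is worth restoring.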
@@ -8,23 +8,18 @@ {{- with .Access -}} {{ " " }}{{ cjoin . }} {{- end -}} - {{- .Padding 2 -}} {{- with .Type -}} {{ " type=" }}{{ . }} {{- end -}} - {{- .Padding 3 -}} {{- with .Protocol -}} {{ " protocol=" }}{{ . }} {{- end -}} - {{- .Padding 4 -}} {{- with .Address -}} {{ " addr=" }}{{ . }} {{- end -}} - {{- .Padding 5 -}} {{- with .Label -}} {{ " label=" }}{{ . }} {{- end -}} - {{- .Padding 6 -}} {{- if and .PeerLabel .PeerAddr -}} {{ " peer=(label=" }}{{ .PeerLabel }}{{ ", addr="}}{{ .PeerAddr }}{{ ")" }} {{- else -}} diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 1e8a99298..677330ecb 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go @@ -21,7 +21,7 @@ func init() { } type Unix struct { - Base + RuleBase Qualifier Access []string Type string @@ -40,7 +40,7 @@ func newUnix(q Qualifier, rule rule) (Rule, error) { return nil, err } return &Unix{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Access: accesses, Type: rule.GetValuesAsString("type"), @@ -56,7 +56,7 @@ func newUnix(q Qualifier, rule rule) (Rule, error) { func newUnixFromLog(log map[string]string) Rule { return &Unix{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Access: Must(toAccess(UNIX, log["requested_mask"])), Type: log["sock_type"], @@ -70,18 +70,6 @@ func newUnixFromLog(log map[string]string) Rule { } } -func (r *Unix) Kind() Kind { - return UNIX -} - -func (r *Unix) Constraint() Constraint { - return BlockRule -} - -func (r *Unix) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Unix) Validate() error { if err := validateValues(r.Kind(), "access", r.Access); err != nil { return fmt.Errorf("%s: %w", r, err) 
@@ -124,34 +112,27 @@ func (r *Unix) Compare(other Rule) int { func (r *Unix) Merge(other Rule) bool { o, _ := other.(*Unix) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Protocol == o.Protocol && r.Address == o.Address && r.Label == o.Label && r.Attr == o.Attr && r.Opt == o.Opt && r.PeerLabel == o.PeerLabel && r.PeerAddr == o.PeerAddr { r.Access = merge(r.Kind(), "access", r.Access, o.Access) - b := &r.Base - return b.merge(o.Base) + b := &r.RuleBase + return b.merge(o.RuleBase) } return false } -func (r *Unix) Lengths() []int { - return []int{ - r.getLenAudit(), - r.getLenAccess(), - length("", r.Access), - length("type=", r.Type), - length("protocol=", r.Protocol), - length("addr=", r.Address), - length("label=", r.Label), - } +func (r *Unix) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Unix) setPaddings(max []int) { - r.Paddings = append(r.Qualifier.setPaddings(max[:2]), setPaddings( - max[2:], []string{"", "type=", "protocol=", "addr=", "label="}, - []any{r.Access, r.Type, r.Protocol, r.Address, r.Label})..., - ) +func (r *Unix) Constraint() constraint { + return blockKind +} + +func (r *Unix) Kind() Kind { + return UNIX } diff --git a/pkg/aa/userns.go b/pkg/aa/userns.go index f4a9815c6..424911f08 100644 --- a/pkg/aa/userns.go +++ b/pkg/aa/userns.go @@ -9,7 +9,7 @@ import "fmt" const USERNS Kind = "userns" type Userns struct { - Base + RuleBase Qualifier Create bool } @@ -28,7 +28,7 @@ func newUserns(q Qualifier, rule rule) (Rule, error) { return nil, fmt.Errorf("invalid userns format: %s", rule) } return &Userns{ - Base: newBase(rule), + RuleBase: newBase(rule), Qualifier: q, Create: create, }, nil 
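Review bot: `o, _ := other.(*Unix)` discards the assertion result, so Merge dereferences a nil `o` on the very next line (`o.Qualifier`) and panics when a rule of another kind is passed; the same pattern sits in Userns.Merge in the following hunk (`o.RuleBase`). If callers do guarantee same-kind arguments, a comment above the assertion saying so is enough; otherwise `o, ok := other.(*Unix)` followed by `if !ok { return false }` makes the method total. Compare's body starts before this hunk.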
@@ -36,24 +36,12 @@ func newUserns(q Qualifier, rule rule) (Rule, error) { func newUsernsFromLog(log map[string]string) Rule { return &Userns{ - Base: newBaseFromLog(log), + RuleBase: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), Create: true, } } -func (r *Userns) Kind() Kind { - return USERNS -} - -func (r *Userns) Constraint() Constraint { - return BlockRule -} - -func (r *Userns) String() string { - return renderTemplate(r.Kind(), r) -} - func (r *Userns) Validate() error { return nil } @@ -68,12 +56,18 @@ func (r *Userns) Compare(other Rule) int { func (r *Userns) Merge(other Rule) bool { o, _ := other.(*Userns) - b := &r.Base - return b.merge(o.Base) // Always merge userns rules + b := &r.RuleBase + return b.merge(o.RuleBase) } -func (r *Userns) Lengths() []int { - return []int{} // No len for userns +func (r *Userns) String() string { + return renderTemplate(r.Kind(), r) } -func (r *Userns) setPaddings(max []int) {} // No paddings for userns +func (r *Userns) Constraint() constraint { + return blockKind +} + +func (r *Userns) Kind() Kind { + return USERNS +} diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 642dc8273..e6c91ac93 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int { // Println prints a formatted message. Arguments are handled in the manner of fmt.Println. func Println(msg string) int { - n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg) + n, _ := fmt.Fprintf(os.Stdout, msg+"\n") return n } @@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string { // Bullet prints a formatted bullet point string func Bullet(msg string, a ...interface{}) int { - return Print("%s", Bulletf(msg, a...)) + return Print(Bulletf(msg, a...)) } // Stepf returns a formatted step string 
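Review bot: The comment `// Always merge userns rules` was dropped from Userns.Merge although the behaviour stays: the method merges without comparing qualifiers or the Create flag, which is surprising next to Unix.Merge, which checks every field before merging. Keep the comment, or fold it into a method doc such as `// Merge is unconditional for userns rules: no field comparison is performed before merging the bases.`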
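Review bot: `fmt.Fprintf(os.Stdout, msg+"\n")` in Println passes the message itself as the format string, so any `%` in it (profile names, paths or audit lines echoed back to the user) is interpreted as a verb and printed as `%!x(MISSING)`-style noise; `go vet` flags non-constant format strings for exactly this reason. `fmt.Fprintln(os.Stdout, msg)` gives the intended output. The same concern applies to Bullet in the next hunk and to Step, Success, Warning and Error on the following line, assuming Print formats its first argument with `a...` as its variadic signature and the removed `"%s"` argument suggest: Bulletf has already formatted the text, and `Print(Bulletf(msg, a...))` then formats it a second time, so the `"%s"` first argument should stay.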
@@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string { // Step prints a step title func Step(msg string, a ...interface{}) int { - return Print("%s", Stepf(msg, a...)) + return Print(Stepf(msg, a...)) } // Successf returns a formatted success string @@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string { // Success prints a formatted success message to stdout func Success(msg string, a ...interface{}) int { - return Print("%s", Successf(msg, a...)) + return Print(Successf(msg, a...)) } // Warningf returns a formatted warning string @@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string { // Warning prints a formatted warning message to stdout func Warning(msg string, a ...interface{}) int { - return Print("%s", Warningf(msg, a...)) + return Print(Warningf(msg, a...)) } -// Error returns a formatted error message +// Fatalf returns a formatted error message func Error(msg string, a ...interface{}) int { - return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) + return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } // Fatalf returns a formatted error message diff --git a/pkg/logging/logging_test.go b/pkg/logging/logging_test.go index eb912595e..ebfe48afd 100644 --- a/pkg/logging/logging_test.go +++ b/pkg/logging/logging_test.go @@ -10,7 +10,7 @@ func TestPrint(t *testing.T) { msg := "Print message" wantN := 13 - gotN := Print("%s", msg) + gotN := Print(msg) if gotN != wantN { t.Errorf("Print() = %v, want %v", gotN, wantN) } @@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) { func TestBulletf(t *testing.T) { msg := "Bullet message" want := "\033[1m â‹… \033[0mBullet message\n" - if got := Bulletf("%s", msg); got != want { + if got := Bulletf(msg); got != want { t.Errorf("Bulletf() = %v, want %v", got, want) } } 
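Review bot: The doc comment above `func Error` now reads `// Fatalf returns a formatted error message`, which names the wrong function and duplicates the comment on Fatalf just below; Go doc tooling keys on the leading identifier, so this shows up as a mismatch. `// Error prints a formatted error message to stdout` matches the neighbouring Warning and Success comments.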
@@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) { func TestBullet(t *testing.T) { msg := "Bullet message" wantN := 28 - gotN := Bullet("%s", msg) + gotN := Bullet(msg) if gotN != wantN { t.Errorf("Bullet() = %v, want %v", gotN, wantN) } @@ -45,7 +45,7 @@ func TestBullet(t *testing.T) { func TestStepf(t *testing.T) { msg := "Step message" want := "\033[1;32mStep message\033[0m\n" - if got := Stepf("%s", msg); got != want { + if got := Stepf(msg); got != want { t.Errorf("Stepf() = %v, want %v", got, want) } } @@ -53,7 +53,7 @@ func TestStepf(t *testing.T) { func TestStep(t *testing.T) { msg := "Step message" wantN := 24 - gotN := Step("%s", msg) + gotN := Step(msg) if gotN != wantN { t.Errorf("Step() = %v, want %v", gotN, wantN) } @@ -62,7 +62,7 @@ func TestStep(t *testing.T) { func TestSuccessf(t *testing.T) { msg := "Success message" want := "\033[1;32m ✓ \033[0mSuccess message\n" - if got := Successf("%s", msg); got != want { + if got := Successf(msg); got != want { t.Errorf("Successf() = %v, want %v", got, want) } } @@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) { func TestSuccess(t *testing.T) { msg := "Success message" wantN := 32 - gotN := Success("%s", msg) + gotN := Success(msg) if gotN != wantN { t.Errorf("Success() = %v, want %v", gotN, wantN) } @@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) { func TestWarningf(t *testing.T) { msg := "Warning message" want := "\033[1;33m ‼ \033[0mWarning message\n" - if got := Warningf("%s", msg); got != want { + if got := Warningf(msg); got != want { t.Errorf("Warningf() = %v, want %v", got, want) } } @@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) { func TestWarning(t *testing.T) { msg := "Warning message" wantN := 32 - gotN := Warning("%s", msg) + gotN := Warning(msg) if gotN != wantN { t.Errorf("Warning() = %v, want %v", gotN, wantN) } 
@@ -96,7 +96,7 @@ func TestWarning(t *testing.T) { func TestError(t *testing.T) { msg := "Error message" wantN := 30 - gotN := Error("%s", msg) + gotN := Error(msg) if gotN != wantN { t.Errorf("Error() = %v, want %v", gotN, wantN) } @@ -105,7 +105,7 @@ func TestError(t *testing.T) { func TestFatalf(t *testing.T) { msg := "Error message" want := "\033[1;31m ✗ Error: \033[0mError message\n" - if got := Fatalf("%s", msg); got != want { + if got := Fatalf(msg); got != want { t.Errorf("Fatalf() = %v, want %v", got, want) } } diff --git a/pkg/logs/loggers.go b/pkg/logs/loggers.go index 53b3fbd3a..78abbd7a2 100644 --- a/pkg/logs/loggers.go +++ b/pkg/logs/loggers.go @@ -63,10 +63,9 @@ func GetAuditLogs(path string) (io.Reader, error) { } // GetJournalctlLogs return a reader with the logs entries from Systemd -func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, error) { +func GetJournalctlLogs(path string, useFile bool) (io.Reader, error) { var logs []systemdLog var stdout bytes.Buffer - var stderr bytes.Buffer var scanner *bufio.Scanner if useFile { @@ -78,20 +77,14 @@ func GetJournalctlLogs(path string, since string, useFile bool) (io.Reader, erro } else { // journalctl -b -o json -g apparmor -t kernel -t audit -t dbus-daemon --output-fields=MESSAGE > systemd.log args := []string{ - "--grep=apparmor", "--identifier=kernel", - "--identifier=audit", "--identifier=dbus-daemon", + "--boot", "--grep=apparmor", + "--identifier=kernel", "--identifier=audit", "--identifier=dbus-daemon", "--output=json", "--output-fields=MESSAGE", } - if since == "" { - args = append(args, "--boot") - } else { - args = append(args, "--since="+since) - } cmd := exec.Command("journalctl", args...) cmd.Stdout = &stdout - cmd.Stderr = &stderr - if err := cmd.Run(); err != nil && stderr.Len() != 0 { - return nil, fmt.Errorf("journalctl: %s", stderr.String()) + if err := cmd.Run(); err != nil { + return nil, err } scanner = bufio.NewScanner(&stdout) } 
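Review bot: `return nil, err` after `cmd.Run()` drops both the command name and journalctl's stderr (the buffer wiring was removed in the previous hunk), so a caller sees only `exit status 1` with no indication of which command failed or why; `return nil, fmt.Errorf("journalctl: %w", err)` keeps the context if fmt is still imported, and wiring `cmd.Stderr` back to a buffer lets the message carry journalctl's own diagnostic. The removed `stderr.Len() != 0` condition also tolerated a non-zero exit with an empty stderr; if journalctl exits non-zero when no entry matches the filters, an empty log now becomes a hard error instead of an empty reader, which is worth confirming against the systemd versions targeted by the CI matrix. GetJournalctlLogs's body continues outside the hunk.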
diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 7e0a6002a..15fa1fbc8 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -30,7 +30,7 @@ func TestGetJournalctlLogs(t *testing.T) { "apparmor": "ALLOWED", "label": "gsd-xsettings", "operation": "dbus_method_call", - "name": "@{busname}", + "name": ":*", "mask": "receive", "bus": "session", "path": "/org/gtk/Settings", @@ -49,9 +49,9 @@ func TestGetJournalctlLogs(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - reader, _ := GetJournalctlLogs(tt.path, "", tt.useFile) - if got := New(reader, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("New() = %v, want %v", got, tt.want) + reader, _ := GetJournalctlLogs(tt.path, tt.useFile) + if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index b0ae58702..9771bd82c 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -28,14 +28,11 @@ const ( boldYellow = "\033[1;33m" ) -const ( - h = `[0-9a-fA-F]` - d = `[0-9]` -) - var ( quoted bool isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) + _hex = `[0-9a-fA-F]` + _int = `[0-9]` regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file `.*apparmor="`, `apparmor="`, @@ -43,8 +40,8 @@ var ( `\x1d`, " ", // Remove basic rules from abstractions/base - `(?m)^.*/etc/[^/]+\.so.*$`, ``, - `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$`, ``, + `(?m)^.*/etc/[^/]+so.*$`, ``, + `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``, `(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``, `(?m)^.*/usr/share/locale[^/]?/.*$`, ``, `(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, 
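Review bot: `_hex` and `_int` are leading-underscore identifiers, which Go style discourages, and moving them from the `const` block into the `var` block turns two regex fragments into mutable package state for no gain, since constants can be referenced from the `var` initialisers just as well. Names such as `hexRe`/`digitRe` (or the original `h`/`d`) declared as constants keep them immutable and lint-clean.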
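Review bot: Dropping the `\.` from `/etc/[^/]+\.so.*$` and from the `/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$` pattern widens the "remove basic rules" filter from shared-object files to any first path component that contains `so` after its first character, so unrelated denials are silently discarded before a profile is generated (constructed examples: lines for `/etc/sensors3.conf` or `/usr/lib/resolvconf/...` now match and vanish). These filters exist to hide events already covered by abstractions/base, not to drop evidence, so the literal dot should come back: `(?m)^.*/etc/[^/]+\.so.*$` and `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$`.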
@@ -52,7 +49,7 @@ var ( `(?m)^.*/dev/(u|)random.*$`, ``, }) regResolveLogs = util.ToRegexRepl([]string{ - // Resolve user variables + // Resolve classic user variables `/home/[^/]+/.cache`, `@{user_cache_dirs}`, `/home/[^/]+/.config`, `@{user_config_dirs}`, `/home/[^/]+/.local/share`, `@{user_share_dirs}`, 
@@ -63,48 +60,40 @@ var ( `/home/[^/]+/.gnupg`, `@{HOME}/@{XDG_GPG_DIR}`, `/home/[^/]+/`, `@{HOME}/`, - // Resolve system variables - `/att/[^/]+/`, `@{att}/`, - `/usr/lib(32|64|exec)`, `@{lib}`, - `/usr/lib`, `@{lib}`, - `/usr/sbin`, `@{sbin}`, - `/usr/bin`, `@{bin}`, - `(x86_64|amd64|i386|i686)`, `@{arch}`, - `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, + // Resolve classic system variables + `/usr/(lib|lib32|lib64|libexec)`, `@{lib}`, + `/usr/(bin|sbin)`, `@{bin}`, + `x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, `/var/run/`, `@{run}/`, `/run/`, `@{run}/`, `user/[0-9]*/`, `user/@{uid}/`, `/tmp/user/@{uid}/`, `@{tmp}/`, `/proc/`, `@{PROC}/`, - `@{PROC}/1/`, `@{PROC}/one/`, // Go does not support lookahead assertions like (?!1\b)d+, so we have to use a workaround `@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`, - `@{PROC}/one/`, `@{PROC}/1/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `/sys/`, `@{sys}/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`, - `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, - `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, - `1000`, `@{uid}`, + `pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`, + `1000`, `@{pid}`, // Some system glob - `:not.active.yet`, `@{busname}`, // dbus unique bus name - `:1.[0-9]*`, `@{busname}`, // dbus unique bus name + `:1.[0-9]*`, `:*`, // dbus peer name `@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses // int, hex, uuid - strings.Repeat(h, 8) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 12), `@{uuid}`, - strings.Repeat(d, 64), `@{int64}`, - strings.Repeat(h, 64), `@{hex64}`, - strings.Repeat(h, 38), `@{hex38}`, - strings.Repeat(d, 32), `@{int32}`, - strings.Repeat(h, 32), `@{hex32}`, - strings.Repeat(d, 16), `@{int16}`, - strings.Repeat(h, 16), `@{hex16}`, - 
strings.Repeat(d, 10), `@{int10}`, - strings.Repeat(d, 8), `@{int8}`, - strings.Repeat(d, 6), `@{int6}`, + strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`, + strings.Repeat(_int, 64), `@{int64}`, + strings.Repeat(_hex, 64), `@{hex64}`, + strings.Repeat(_hex, 38), `@{hex38}`, + strings.Repeat(_int, 32), `@{int32}`, + strings.Repeat(_hex, 32), `@{hex32}`, + strings.Repeat(_int, 16), `@{int16}`, + strings.Repeat(_hex, 16), `@{hex16}`, + strings.Repeat(_int, 10), `@{int10}`, + strings.Repeat(_int, 8), `@{int8}`, + strings.Repeat(_int, 6), `@{int6}`, }) ) @@ -127,8 +116,8 @@ func toQuote(str string) string { return str } -// New returns a new ApparmorLogs list of map from a log file -func New(file io.Reader, profile string) AppArmorLogs { +// NewApparmorLogs return a new ApparmorLogs list of map from a log file +func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { logs := GetApparmorLogs(file, profile) // Parse log into ApparmorLog struct @@ -140,12 +129,7 @@ func New(file io.Reader, profile string) AppArmorLogs { aa := make(AppArmorLog) for _, item := range tmp { - kv := strings.FieldsFunc(item, func(r rune) bool { - if r == '"' { - quoted = !quoted - } - return !quoted && r == '=' - }) + kv := strings.Split(item, "=") if len(kv) >= 2 { key, value := kv[0], kv[1] if slices.Contains(toClean, key) { @@ -202,11 +186,12 @@ func (aaLogs AppArmorLogs) String() string { for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res.WriteString(state[log["apparmor"]]) - owner := aa.IsOwner(log) + fsuid := log["fsuid"] + ouid := log["ouid"] for _, key := range keys { if item, present := log[key]; present { - if key == "name" && owner { + if key == "name" && fsuid == ouid && !strings.Contains(log["operation"], "dbus") { res.WriteString(template[key] + " owner" + reset) } if temp, present := template[key]; present { 
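Review bot: Removing the `@{PROC}/1/` → `@{PROC}/one/` round-trip means `/proc/1/...` now resolves to `@{PROC}/@{pid}/`, so an observed access to init's files is generalised into a rule for every process — the expected value in logs_test.go changes from `@{PROC}/1/environ` to `@{PROC}/@{pid}/environ` in this same diff — and a rule generated from a log should stay as narrow as the event that produced it, since reading any `/proc/@{pid}/environ` is a far broader grant than reading pid 1's. Two further entries look wrong: `1000` now maps to `@{pid}` although it is the conventional first login uid and `user/[0-9]*/` a few lines up already resolves to `@{uid}`, and `x86_64-pc-linux-gnu` no longer matches the `x86_64-linux-gnu` multiarch directory used by Debian-family systems, so those paths stop being rewritten to `@{multiarch}`. The var block starts before this hunk.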
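Review bot: `strings.Split(item, "=")` with `kv[0], kv[1]` truncates any value that itself contains `=`: a base64-like file name such as the `...uVU=.isNSBz` target in the test case this diff removes from logs_test.go, or a quoted path with `=` in it, loses everything after the first `=` and the resulting rule names the wrong path. `strings.SplitN(item, "=", 2)` splits at the first `=` only; the quote-aware FieldsFunc it replaces also handled `=` inside quoted values, so if that was its purpose, a regression test with such a value belongs next to this change. NewApparmorLogs's body starts before and continues after this hunk.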
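Review bot: `fsuid == ouid` is also true when both keys are absent from the entry (a missing map key reads as ""), so `owner` is now printed for any non-dbus entry that has a `name` but carries no uid fields, where the removed `aa.IsOwner(log)` call presumably checked presence; inlining the rule here also duplicates logic the aa package still owns. Either keep the helper, or check presence first: `fsuid, hasFsuid := log["fsuid"]`, `ouid, hasOuid := log["ouid"]`, and require `hasFsuid && hasOuid && fsuid == ouid`. String's body starts before and continues after this hunk.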
diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 376b23f42..aa5865eae 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{sbin}/httpd2-prefork//vhost_foo", + "profile": "@{bin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", @@ -174,14 +174,14 @@ func TestAppArmorEvents(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file := strings.NewReader(tt.event) - if got := New(file, ""); !reflect.DeepEqual(got, tt.want) { - t.Errorf("New() = %v, want %v", got, tt.want) + if got := NewApparmorLogs(file, ""); !reflect.DeepEqual(got, tt.want) { + t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) } }) } } -func TestNew(t *testing.T) { +func TestNewApparmorLogs(t *testing.T) { tests := []struct { name string path string @@ -208,7 +208,7 @@ func TestNew(t *testing.T) { "apparmor": "DENIED", "profile": "dnsmasq", "operation": "open", - "name": "@{PROC}/1/environ", + "name": "@{PROC}/@{pid}/environ", "comm": "dnsmasq", "requested_mask": "r", "denied_mask": "r", 
@@ -247,53 +247,12 @@ func TestNew(t *testing.T) { path: filepath.Join(testdata, "audit.log"), want: refPowerProfiles, }, - { - name: "signal-desktop", - path: filepath.Join(testdata, "audit.log"), - want: AppArmorLogs{ - { - "apparmor": "ALLOWED", - "profile": "signal-desktop", - "operation": "open", - "class": "file", - "name": "@{sys}/devices/@{pci}/boot_vga", - "comm": "signal-desktop", - "requested_mask": "r", - "denied_mask": "r", - "fsuid": "1000", - "ouid": "0", - "FSUID": "user", - "OUID": "root", - }, - }, - }, - { - name: "startplasma", - path: filepath.Join(testdata, "audit.log"), - want: AppArmorLogs{ - { - "apparmor": "ALLOWED", - "operation": "link", - "class": "file", - "profile": "startplasma", - "name": "@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz", - "target": "@{user_cache_dirs}/#@{int}", - "comm": "startplasma-way", - "denied_mask": "k", - "requested_mask": "k", - "fsuid": "1000", - "ouid": "1000", - "FSUID": "user", - "OUID": "user", - }, - }, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file, _ := os.Open(tt.path) - if got := New(file, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("New() = %v, want %v", got, tt.want) + if got := NewApparmorLogs(file, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) } }) } @@ -344,13 +303,13 @@ func TestAppArmorLogs_ParseToProfiles(t *testing.T) { Header: aa.Header{Name: "kmod"}, Rules: aa.Rules{ &aa.Unix{ - Base: aa.Base{FileInherit: true}, + RuleBase: aa.RuleBase{FileInherit: true}, Access: []string{"send", "receive"}, Type: "stream", Protocol: "0", }, &aa.Unix{ - Base: aa.Base{FileInherit: true}, + RuleBase: aa.RuleBase{FileInherit: true}, Access: []string{"send", "receive"}, Type: "stream", Protocol: "0", diff --git a/pkg/paths/list_test.go b/pkg/paths/list_test.go new file mode 100644 index 000000000..eaafc82ce --- /dev/null +++ b/pkg/paths/list_test.go 
@@ -0,0 +1,169 @@
+/*
+ * This file is part of PathsHelper library.
+ *
+ * Copyright 2018 Arduino AG (http://www.arduino.cc/)
+ *
+ * PathsHelper library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * As a special exception, you may use this file as part of a free software
+ * library without restriction. Specifically, if other files instantiate
+ * templates or use macros or inline functions from this file, or you compile
+ * this file and link it with other files to produce an executable, this
+ * file does not by itself cause the resulting executable to be covered by
+ * the GNU General Public License. This exception does not however
+ * invalidate any other reasons why the executable file might be covered by
+ * the GNU General Public License.
+ */ + +package paths + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestListConstructors(t *testing.T) { + list0 := NewPathList() + require.Len(t, list0, 0) + + list1 := NewPathList("test") + require.Len(t, list1, 1) + require.Equal(t, "[test]", fmt.Sprintf("%s", list1)) + + list3 := NewPathList("a", "b", "c") + require.Len(t, list3, 3) + require.Equal(t, "[a b c]", fmt.Sprintf("%s", list3)) + + require.False(t, list3.Contains(New("d"))) + require.True(t, list3.Contains(New("a"))) + require.False(t, list3.Contains(New("d/../a"))) + + require.False(t, list3.ContainsEquivalentTo(New("d"))) + require.True(t, list3.ContainsEquivalentTo(New("a"))) + require.True(t, list3.ContainsEquivalentTo(New("d/../a"))) + + list4 := list3.Clone() + require.Equal(t, "[a b c]", fmt.Sprintf("%s", list4)) + list4.AddIfMissing(New("d")) + require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) + list4.AddIfMissing(New("b")) + require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4)) + list4.AddAllMissing(NewPathList("a", "e", "i", "o", "u")) + require.Equal(t, "[a b c d e i o u]", fmt.Sprintf("%s", list4)) +} + +func TestListSorting(t *testing.T) { + list := NewPathList( + "pointless", + "spare", + "carve", + "unwieldy", + "empty", + "bow", + "tub", + "grease", + "error", + "energetic", + "depend", + "property") + require.Equal(t, "[pointless spare carve unwieldy empty bow tub grease error energetic depend property]", fmt.Sprintf("%s", list)) + list.Sort() + require.Equal(t, "[bow carve depend empty energetic error grease pointless property spare tub unwieldy]", fmt.Sprintf("%s", list)) +} + +func TestListFilters(t *testing.T) { + list := NewPathList( + "aaaa", + "bbbb", + "cccc", + "dddd", + "eeff", + "aaaa/bbbb", + "eeee/ffff", + "gggg/hhhh", + ) + + l1 := list.Clone() + l1.FilterPrefix("a") + require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l1)) + + l2 := list.Clone() + l2.FilterPrefix("b") + require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l2)) 
+ + l3 := list.Clone() + l3.FilterOutPrefix("b") + require.Equal(t, "[aaaa cccc dddd eeff eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l3)) + + l4 := list.Clone() + l4.FilterPrefix("a", "b") + require.Equal(t, "[aaaa bbbb aaaa/bbbb]", fmt.Sprintf("%s", l4)) + + l5 := list.Clone() + l5.FilterPrefix("test") + require.Equal(t, "[]", fmt.Sprintf("%s", l5)) + + l6 := list.Clone() + l6.FilterOutPrefix("b", "c", "h") + require.Equal(t, "[aaaa dddd eeff eeee/ffff]", fmt.Sprintf("%s", l6)) + + l7 := list.Clone() + l7.FilterSuffix("a") + require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l7)) + + l8 := list.Clone() + l8.FilterSuffix("a", "h") + require.Equal(t, "[aaaa gggg/hhhh]", fmt.Sprintf("%s", l8)) + + l9 := list.Clone() + l9.FilterSuffix("test") + require.Equal(t, "[]", fmt.Sprintf("%s", l9)) + + l10 := list.Clone() + l10.FilterOutSuffix("a") + require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l10)) + + l11 := list.Clone() + l11.FilterOutSuffix("a", "h") + require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff]", fmt.Sprintf("%s", l11)) + + l12 := list.Clone() + l12.FilterOutSuffix("test") + require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l12)) + + l13 := list.Clone() + l13.FilterOutSuffix() + require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l13)) + + l14 := list.Clone() + l14.FilterSuffix() + require.Equal(t, "[]", fmt.Sprintf("%s", l14)) + + l15 := list.Clone() + l15.FilterOutPrefix() + require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l15)) + + l16 := list.Clone() + l16.FilterPrefix() + require.Equal(t, "[]", fmt.Sprintf("%s", l16)) + + l17 := list.Clone() + l17.Filter(func(p *Path) bool { + return p.Base() == "bbbb" + }) + require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l17)) +} diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 357b9c2f7..a734d17ed 100644 --- a/pkg/paths/paths.go 
+++ b/pkg/paths/paths.go @@ -35,12 +35,9 @@ import ( "io/fs" "os" "path/filepath" - "slices" "strings" "syscall" "time" - - "github.com/roddhjav/apparmor.d/pkg/util" ) // Path represents a path @@ -179,7 +176,7 @@ func (p *Path) IsAbs() bool { return filepath.IsAbs(p.path) } -// ToAbs transform the current Path to the corresponding absolute path +// ToAbs transofrm the current Path to the corresponding absolute path func (p *Path) ToAbs() error { abs, err := filepath.Abs(p.path) if err != nil { @@ -363,41 +360,6 @@ func (p *Path) CopyTo(dst *Path) error { return nil } -// CopyTo recursivelly copy all files from a source path to a destination path. -func CopyTo(src *Path, dst *Path) error { - files, err := src.ReadDirRecursiveFiltered(nil, - FilterOutDirectories(), - FilterOutNames("README.md"), - ) - if err != nil { - return err - } - for _, file := range files { - destination, err := file.RelFrom(src) - if err != nil { - return err - } - destination = dst.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return err - } - if err := file.CopyTo(destination); err != nil { - return err - } - } - return nil -} - -// CopyFS copies the file system fsys into the directory dir, -// creating dir if necessary. It is the exivalent of os.CopyFS with Path. -func (p *Path) CopyFS(dst *Path) error { - err := os.CopyFS(dst.String(), os.DirFS(p.String())) - if err != nil { - return fmt.Errorf("copying %s to %s: %s", p, dst, err) - } - return nil -} - // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). 
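Review bot: The ToAbs doc comment now reads `// ToAbs transofrm the current Path …`, a typo this change introduces; `// ToAbs transforms the current Path to the corresponding absolute path` fixes it. The Canonical comment two hunks later (`possibile ambiguities`) has the same kind of slip and should read `possible`.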
@@ -498,24 +460,6 @@ func WriteToTempFile(data []byte, dir *Path, prefix string) (res *Path, err erro return New(f.Name()), nil } -// ReadFileAsString read a file and return its content as a string. -func (p *Path) ReadFileAsString() (string, error) { - content, err := p.ReadFile() - if err != nil { - return "", err - } - return string(content), nil -} - -// MustReadFileAsString read a file and return its content as a string. Panic if an error occurs. -func (p *Path) MustReadFileAsString() string { - content, err := p.ReadFile() - if err != nil { - panic(err) - } - return string(content) -} - // ReadFileAsLines reads the file named by filename and returns it as an // array of lines. This function takes care of the newline encoding // differences between different OS @@ -525,37 +469,10 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return nil, err } txt := string(data) - txt = strings.ReplaceAll(txt, "\r\n", "\n") + txt = strings.Replace(txt, "\r\n", "\n", -1) return strings.Split(txt, "\n"), nil } -// MustReadFileAsLines read a file and return its content as a slice of string. Panic if an error occurs. -func (p *Path) MustReadFileAsLines() []string { - lines, err := p.ReadFileAsLines() - if err != nil { - panic(err) - } - return lines -} - -// MustReadFilteredFileAsLines read a file and return its content as a slice of string. -// It filter out comments and empty lines. Panic if an error occurs. -func (p *Path) MustReadFilteredFileAsLines() []string { - data, err := p.ReadFile() - if err != nil { - panic(err) - } - txt := string(data) - txt = strings.ReplaceAll(txt, "\r\n", "\n") - txt = util.Filter(txt) - res := strings.Split(txt, "\n") - if slices.Contains(res, "") { - idx := slices.Index(res, "") - res = slices.Delete(res, idx, idx+1) - } - return res -} - // Truncate create an empty file named by path or if the file already // exist it truncates it (delete all contents) func (p *Path) Truncate() error { 
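Review bot: `txt = strings.Replace(txt, "\r\n", "\n", -1)` in ReadFileAsLines is a step back in idiom: the line it replaces used `strings.ReplaceAll`, which has identical semantics, has been in the standard library since Go 1.12, and was what this file used until now; keep `txt = strings.ReplaceAll(txt, "\r\n", "\n")`. Separately, because `strings.Split` keeps a trailing empty element for files that end in a newline and the deleted MustReadFilteredFileAsLines appears to have been the helper that stripped it, callers now have to handle that themselves; a sentence in the doc comment such as `// A file ending in a newline yields a trailing empty element.` would make the contract explicit. ReadFileAsLines starts outside the hunk.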
@@ -635,14 +552,12 @@ func (p *Path) String() string { // Canonical return a "canonical" Path for the given filename. // The meaning of "canonical" is OS-dependent but the goal of this method // is to always return the same path for a given file (factoring out all the -// possible ambiguities including, for example, relative paths traversal, +// possibile ambiguities including, for example, relative paths traversal, // symlinks, drive volume letter case, etc). func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - if err := canonical.FollowSymLink(); err != nil { - return nil - } + canonical.FollowSymLink() if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go new file mode 100644 index 000000000..27fde6248 --- /dev/null +++ b/pkg/paths/paths_test.go 
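Review bot: `canonical.FollowSymLink()` now discards its error, so when symlink resolution fails (dangling link, loop, permission denied) Canonical silently returns a path that still contains the unresolved link, even though the doc comment promises the same path for a given file; the removed lines returned nil in that case. If the fallback is intentional (the new TestCanonicalize expects a non-nil result for a nonexistent file), make it explicit with `_ = canonical.FollowSymLink() // best-effort: fall back to the unresolved path` and state in the doc comment that the result is not guaranteed symlink-free, so callers must not rely on it alone for path-containment or deduplication decisions. The same hunk also turns `possible` into `possibile` in the comment, which should be reverted. Canonical's body continues outside the hunk.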
@@ -0,0 +1,432 @@ +/* + * This file is part of PathsHelper library. + * + * Copyright 2018 Arduino AG (http://www.arduino.cc/) + * + * PathsHelper library is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + * As a special exception, you may use this file as part of a free software + * library without restriction. Specifically, if other files instantiate + * templates or use macros or inline functions from this file, or you compile + * this file and link it with other files to produce an executable, this + * file does not by itself cause the resulting executable to be covered by + * the GNU General Public License. This exception does not however + * invalidate any other reasons why the executable file might be covered by + * the GNU General Public License. 
+ */ + +package paths + +import ( + "path/filepath" + "runtime" + "strings" + "testing" + + "github.com/stretchr/testify/require" +) + +func pathEqualsTo(t *testing.T, expected string, actual *Path) { + require.Equal(t, expected, filepath.ToSlash(actual.String())) +} + +func TestPathNew(t *testing.T) { + test1 := New("path") + require.Equal(t, "path", test1.String()) + + test2 := New("path", "path") + require.Equal(t, filepath.Join("path", "path"), test2.String()) + + test3 := New() + require.Nil(t, test3) + + test4 := New("") + require.Nil(t, test4) +} + +func TestPath(t *testing.T) { + testPath := New("testdata", "fileset") + pathEqualsTo(t, "testdata/fileset", testPath) + isDir, err := testPath.IsDirCheck() + require.True(t, isDir) + require.NoError(t, err) + require.True(t, testPath.IsDir()) + require.False(t, testPath.IsNotDir()) + exist, err := testPath.ExistCheck() + require.True(t, exist) + require.NoError(t, err) + require.True(t, testPath.Exist()) + require.False(t, testPath.NotExist()) + + folderPath := testPath.Join("folder") + pathEqualsTo(t, "testdata/fileset/folder", folderPath) + isDir, err = folderPath.IsDirCheck() + require.True(t, isDir) + require.NoError(t, err) + require.True(t, folderPath.IsDir()) + require.False(t, folderPath.IsNotDir()) + + exist, err = folderPath.ExistCheck() + require.True(t, exist) + require.NoError(t, err) + require.True(t, folderPath.Exist()) + require.False(t, folderPath.NotExist()) + + filePath := testPath.Join("file") + pathEqualsTo(t, "testdata/fileset/file", filePath) + isDir, err = filePath.IsDirCheck() + require.False(t, isDir) + require.NoError(t, err) + require.False(t, filePath.IsDir()) + require.True(t, filePath.IsNotDir()) + exist, err = filePath.ExistCheck() + require.True(t, exist) + require.NoError(t, err) + require.True(t, filePath.Exist()) + require.False(t, filePath.NotExist()) + + anotherFilePath := filePath.Join("notexistent") + pathEqualsTo(t, "testdata/fileset/file/notexistent", anotherFilePath) + 
isDir, err = anotherFilePath.IsDirCheck() + require.False(t, isDir) + require.Error(t, err) + require.False(t, anotherFilePath.IsDir()) + require.False(t, anotherFilePath.IsNotDir()) + exist, err = anotherFilePath.ExistCheck() + require.False(t, exist) + require.NoError(t, err) + require.False(t, anotherFilePath.Exist()) + require.True(t, anotherFilePath.NotExist()) + + list, err := folderPath.ReadDir() + require.NoError(t, err) + require.Len(t, list, 4) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) + pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) + pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) + + list2 := list.Clone() + list2.FilterDirs() + require.Len(t, list2, 1) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[0]) + + list2 = list.Clone() + list2.FilterOutHiddenFiles() + require.Len(t, list2, 3) + pathEqualsTo(t, "testdata/fileset/folder/file2", list2[0]) + pathEqualsTo(t, "testdata/fileset/folder/file3", list2[1]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[2]) + + list2 = list.Clone() + list2.FilterOutPrefix("file") + require.Len(t, list2, 2) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", list2[0]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[1]) +} + +func TestResetStatCacheWhenFollowingSymlink(t *testing.T) { + testdata := New("testdata", "fileset") + files, err := testdata.ReadDir() + require.NoError(t, err) + for _, file := range files { + if file.Base() == "symlinktofolder" { + err = file.FollowSymLink() + require.NoError(t, err) + isDir, err := file.IsDirCheck() + require.NoError(t, err) + require.True(t, isDir) + break + } + } +} + +func TestIsInsideDir(t *testing.T) { + notInside := func(a, b *Path) { + isInside, err := a.IsInsideDir(b) + require.NoError(t, err) + require.False(t, isInside, "%s is inside %s", a, b) + } + + inside := func(a, b *Path) { + isInside, err := a.IsInsideDir(b) + 
require.NoError(t, err) + require.True(t, isInside, "%s is inside %s", a, b) + notInside(b, a) + } + + f1 := New("/a/b/c") + f2 := New("/a/b/c/d") + f3 := New("/a/b/c/d/e") + + notInside(f1, f1) + notInside(f1, f2) + inside(f2, f1) + notInside(f1, f3) + inside(f3, f1) + + r1 := New("a/b/c") + r2 := New("a/b/c/d") + r3 := New("a/b/c/d/e") + r4 := New("f/../a/b/c/d/e") + r5 := New("a/b/c/d/e/f/..") + + notInside(r1, r1) + notInside(r1, r2) + inside(r2, r1) + notInside(r1, r3) + inside(r3, r1) + inside(r4, r1) + notInside(r1, r4) + inside(r5, r1) + notInside(r1, r5) + + f4 := New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr") + f5 := New("/home/megabug/a15/packages") + notInside(f5, f4) + notInside(f4, f5) + + if runtime.GOOS == "windows" { + f6 := New("C:\\", "A") + f7 := New("C:\\", "A", "B", "C") + f8 := New("E:\\", "A", "B", "C") + inside(f7, f6) + notInside(f8, f6) + } +} + +func TestReadFileAsLines(t *testing.T) { + lines, err := New("testdata/fileset/anotherFile").ReadFileAsLines() + require.NoError(t, err) + require.Len(t, lines, 4) + require.Equal(t, "line 1", lines[0]) + require.Equal(t, "line 2", lines[1]) + require.Equal(t, "", lines[2]) + require.Equal(t, "line 3", lines[3]) +} + +func TestCanonicaTempDir(t *testing.T) { + require.Equal(t, TempDir().String(), TempDir().Canonical().String()) +} + +func TestCopyDir(t *testing.T) { + tmp, err := MkTempDir("", "") + require.NoError(t, err) + defer tmp.RemoveAll() + + src := New("testdata", "fileset") + err = src.CopyDirTo(tmp.Join("dest")) + require.NoError(t, err, "copying dir") + + exist, err := tmp.Join("dest", "folder", "subfolder", "file4").ExistCheck() + require.True(t, exist) + require.NoError(t, err) + + isdir, err := tmp.Join("dest", "folder", "subfolder", "file4").IsDirCheck() + require.False(t, isdir) + require.NoError(t, err) + + err = src.CopyDirTo(tmp.Join("dest")) + require.Error(t, err, "copying dir to already existing") + + err = src.Join("file").CopyDirTo(tmp.Join("dest2")) + 
require.Error(t, err, "copying file as dir") +} + +func TestParents(t *testing.T) { + parents := New("/a/very/long/path").Parents() + require.Len(t, parents, 5) + pathEqualsTo(t, "/a/very/long/path", parents[0]) + pathEqualsTo(t, "/a/very/long", parents[1]) + pathEqualsTo(t, "/a/very", parents[2]) + pathEqualsTo(t, "/a", parents[3]) + pathEqualsTo(t, "/", parents[4]) + + parents2 := New("a/very/relative/path").Parents() + require.Len(t, parents, 5) + pathEqualsTo(t, "a/very/relative/path", parents2[0]) + pathEqualsTo(t, "a/very/relative", parents2[1]) + pathEqualsTo(t, "a/very", parents2[2]) + pathEqualsTo(t, "a", parents2[3]) + pathEqualsTo(t, ".", parents2[4]) +} + +func TestFilterDirs(t *testing.T) { + testPath := New("testdata", "fileset") + + list, err := testPath.ReadDir() + require.NoError(t, err) + require.Len(t, list, 6) + + pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) + pathEqualsTo(t, "testdata/fileset/file", list[1]) + pathEqualsTo(t, "testdata/fileset/folder", list[2]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) + pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) + + list.FilterDirs() + require.Len(t, list, 2) + pathEqualsTo(t, "testdata/fileset/folder", list[0]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[1]) +} + +func TestFilterOutDirs(t *testing.T) { + { + testPath := New("testdata", "fileset") + + list, err := testPath.ReadDir() + require.NoError(t, err) + require.Len(t, list, 6) + + pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) + pathEqualsTo(t, "testdata/fileset/file", list[1]) + pathEqualsTo(t, "testdata/fileset/folder", list[2]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3]) + pathEqualsTo(t, "testdata/fileset/test.txt", list[4]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5]) + + list.FilterOutDirs() + require.Len(t, list, 4) + pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) + 
pathEqualsTo(t, "testdata/fileset/file", list[1]) + pathEqualsTo(t, "testdata/fileset/test.txt", list[2]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[3]) + } + + { + list, err := New("testdata", "broken_symlink", "dir_1").ReadDirRecursive() + require.NoError(t, err) + + require.Len(t, list, 7) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir", list[2]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[3]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[4]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir", list[5]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[6]) + + list.FilterOutDirs() + require.Len(t, list, 5) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[2]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[3]) + pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[4]) + } +} + +func TestEquivalentPaths(t *testing.T) { + wd, err := Getwd() + require.NoError(t, err) + require.True(t, New("file1").EquivalentTo(New("file1", "somethingelse", ".."))) + require.True(t, New("file1", "abc").EquivalentTo(New("file1", "abc", "def", ".."))) + require.True(t, wd.Join("file1").EquivalentTo(New("file1"))) + require.True(t, wd.Join("file1").EquivalentTo(New("file1", "abc", ".."))) + + if runtime.GOOS == "windows" { + q := New("testdata", "fileset", "anotherFile") + r := New("testdata", "fileset", "ANOTHE~1") + require.True(t, q.EquivalentTo(r)) + require.True(t, r.EquivalentTo(q)) + } +} + +func TestCanonicalize(t *testing.T) { + wd, err := Getwd() + require.NoError(t, err) + + p := New("testdata", "fileset", "anotherFile").Canonical() + 
require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), p.String()) + + p = New("testdata", "fileset", "nonexistentFile").Canonical() + require.Equal(t, wd.Join("testdata", "fileset", "nonexistentFile").String(), p.String()) + + if runtime.GOOS == "windows" { + q := New("testdata", "fileset", "ANOTHE~1").Canonical() + require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), q.String()) + + r := New("c:\\").Canonical() + require.Equal(t, "C:\\", r.String()) + + tmp, err := MkTempDir("", "pref") + require.NoError(t, err) + require.Equal(t, tmp.String(), tmp.Canonical().String()) + } +} + +func TestRelativeTo(t *testing.T) { + res, err := New("/my/abs/path/123/456").RelTo(New("/my/abs/path")) + require.NoError(t, err) + pathEqualsTo(t, "../..", res) + + res, err = New("/my/abs/path").RelTo(New("/my/abs/path/123/456")) + require.NoError(t, err) + pathEqualsTo(t, "123/456", res) + + res, err = New("my/path").RelTo(New("/other/path")) + require.Error(t, err) + require.Nil(t, res) + + res, err = New("/my/abs/path/123/456").RelFrom(New("/my/abs/path")) + pathEqualsTo(t, "123/456", res) + require.NoError(t, err) + + res, err = New("/my/abs/path").RelFrom(New("/my/abs/path/123/456")) + require.NoError(t, err) + pathEqualsTo(t, "../..", res) + + res, err = New("my/path").RelFrom(New("/other/path")) + require.Error(t, err) + require.Nil(t, res) +} + +func TestWriteToTempFile(t *testing.T) { + tmpDir := New("testdata", "fileset", "tmp") + err := tmpDir.MkdirAll() + require.NoError(t, err) + defer tmpDir.RemoveAll() + + tmpData := []byte("test") + tmp, err := WriteToTempFile(tmpData, tmpDir, "prefix") + defer tmp.Remove() + require.NoError(t, err) + require.True(t, strings.HasPrefix(tmp.Base(), "prefix")) + isInside, err := tmp.IsInsideDir(tmpDir) + require.NoError(t, err) + require.True(t, isInside) + data, err := tmp.ReadFile() + require.NoError(t, err) + require.Equal(t, tmpData, data) +} + +func TestCopyToSamePath(t *testing.T) { + tmpDir := 
New(t.TempDir()) + srcFile := tmpDir.Join("test_file") + dstFile := srcFile + + // create the source file in tmp dir + err := srcFile.WriteFile([]byte("hello")) + require.NoError(t, err) + content, err := srcFile.ReadFile() + require.NoError(t, err) + require.Equal(t, []byte("hello"), content) + + // cannot copy the same file + err = srcFile.CopyTo(dstFile) + require.Error(t, err) + require.Contains(t, err.Error(), "are the same file") +} diff --git a/pkg/paths/process.go b/pkg/paths/process.go index ebfe71343..4c8692866 100644 --- a/pkg/paths/process.go +++ b/pkg/paths/process.go @@ -55,8 +55,7 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) { cmd: exec.Command(args[0], args[1:]...), } p.cmd.Env = append(os.Environ(), extraEnv...) - tellCommandNotToSpawnShell(p.cmd) // windows specific - tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific + p.TellCommandNotToSpawnShell() // This is required because some tools detects if the program is running // from terminal by looking at the stdin/out bindings. @@ -147,7 +146,7 @@ func (p *Process) Signal(sig os.Signal) error { // actually exited. This only kills the Process itself, not any other processes it may // have started. func (p *Process) Kill() error { - return kill(p.cmd) + return p.cmd.Process.Kill() } // SetDir sets the working directory of the command. If Dir is the empty string, Run diff --git a/pkg/paths/process_linux.go b/pkg/paths/process_others.go similarity index 69% rename from pkg/paths/process_linux.go rename to pkg/paths/process_others.go index 5735a85c3..39bd3e161 100644 --- a/pkg/paths/process_linux.go +++ b/pkg/paths/process_others.go 
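Review bot: In TestWriteToTempFile, `defer tmp.Remove()` is registered before `require.NoError(t, err)`, so if WriteToTempFile fails the deferred call runs on whatever it returned on the error path, which is presumably nil and would turn a clean assertion failure into a nil-pointer panic; swap the two lines so the error check comes first. TestParents also asserts `require.Len(t, parents, 5)` twice, where the second check was evidently meant to be `require.Len(t, parents2, 5)`, leaving the relative-path case unverified for length. Both functions are fully contained in this hunk.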
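Review bot: `return p.cmd.Process.Kill()` signals only the direct child, and with the Setpgid setup dropped from NewProcess in the hunk above the child no longer runs in its own process group, so anything it spawned (a compiler started by `go build`, a shell running a tool) survives a Kill or a RunWithinContext timeout as an orphan that keeps running with the caller's privileges. The doc comment above Kill already says it does not kill descendants, so if that is the intended contract it is at least documented; if not, the process-group attribute and group kill should be kept rather than deleted. `p.cmd.Process` is also nil until the command has been started, so Kill on an unstarted Process panics; a nil check that returns an error would be cheap, although the removed kill had the same gap. NewProcess's body runs outside the first hunk.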
@@ -31,34 +31,8 @@ package paths -import ( - "os/exec" - "syscall" -) +import "os/exec" func tellCommandNotToSpawnShell(_ *exec.Cmd) { // no op } - -func tellCommandToStartOnNewProcessGroup(oscmd *exec.Cmd) { - // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8 - - // Start the process in a new process group. - // This is needed to kill the process and its children - // if we need to kill the process. - if oscmd.SysProcAttr == nil { - oscmd.SysProcAttr = &syscall.SysProcAttr{} - } - oscmd.SysProcAttr.Setpgid = true -} - -func kill(oscmd *exec.Cmd) error { - // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8 - - // Kill the process group - pgid, err := syscall.Getpgid(oscmd.Process.Pid) - if err != nil { - return err - } - return syscall.Kill(-pgid, syscall.SIGKILL) -} diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go new file mode 100644 index 000000000..5346dda02 --- /dev/null +++ b/pkg/paths/process_test.go 
@@ -0,0 +1,56 @@ +// +// This file is part of PathsHelper library. +// +// Copyright 2023 Arduino AG (http://www.arduino.cc/) +// +// PathsHelper library is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; either version 2 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program; if not, write to the Free Software +// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +// +// As a special exception, you may use this file as part of a free software +// library without restriction. Specifically, if other files instantiate +// templates or use macros or inline functions from this file, or you compile +// this file and link it with other files to produce an executable, this +// file does not by itself cause the resulting executable to be covered by +// the GNU General Public License. This exception does not however +// invalidate any other reasons why the executable file might be covered by +// the GNU General Public License. 
+// + +package paths + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/require" +) + +func TestProcessWithinContext(t *testing.T) { + // Build `delay` helper inside testdata/delay + builder, err := NewProcess(nil, "go", "build") + require.NoError(t, err) + builder.SetDir("testdata/delay") + require.NoError(t, builder.Run()) + + // Run delay and test if the process is terminated correctly due to context + process, err := NewProcess(nil, "testdata/delay/delay") + require.NoError(t, err) + start := time.Now() + ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond) + err = process.RunWithinContext(ctx) + require.Error(t, err) + require.Less(t, time.Since(start), 500*time.Millisecond) + cancel() +} diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go new file mode 100644 index 000000000..ae25ede97 --- /dev/null +++ b/pkg/paths/readdir_test.go 
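Review bot: `cancel()` is only called after the two require assertions; `require.Error` and `require.Less` call t.FailNow on failure, which leaves the test goroutine via runtime.Goexit, so on a failed assertion the context is never cancelled (go vet's lostcancel check flags this pattern). Replace the trailing `cancel()` with `defer cancel()` immediately after `context.WithTimeout(...)`. The test also executes whatever `go` is first on PATH and then runs the produced binary at the fixed path `testdata/delay/delay`, which presumably breaks on Windows where the output gets an `.exe` suffix; a `t.Skip` for that platform or a platform-aware binary name would make the failure mode clearer. TestProcessWithinContext is fully contained in this hunk.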
@@ -0,0 +1,343 @@ +/* + * This file is part of PathsHelper library. + * + * Copyright 2018-2022 Arduino AG (http://www.arduino.cc/) + * + * PathsHelper library is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * + * As a special exception, you may use this file as part of a free software + * library without restriction. Specifically, if other files instantiate + * templates or use macros or inline functions from this file, or you compile + * this file and link it with other files to produce an executable, this + * file does not by itself cause the resulting executable to be covered by + * the GNU General Public License. This exception does not however + * invalidate any other reasons why the executable file might be covered by + * the GNU General Public License. 
+ */ + +package paths + +import ( + "fmt" + "io/fs" + "os" + "runtime" + "testing" + "time" + + "github.com/stretchr/testify/require" +) + +func TestReadDirRecursive(t *testing.T) { + testPath := New("testdata", "fileset") + + list, err := testPath.ReadDirRecursive() + require.NoError(t, err) + require.Len(t, list, 16) + + pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) + pathEqualsTo(t, "testdata/fileset/file", list[1]) + pathEqualsTo(t, "testdata/fileset/folder", list[2]) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[3]) + pathEqualsTo(t, "testdata/fileset/folder/file2", list[4]) + pathEqualsTo(t, "testdata/fileset/folder/file3", list[5]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[6]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", list[7]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[8]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", list[9]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", list[10]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", list[11]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", list[12]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", list[13]) + pathEqualsTo(t, "testdata/fileset/test.txt", list[14]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[15]) +} + +func TestReadDirRecursiveSymLinkLoop(t *testing.T) { + // Test symlink loop + tmp, err := MkTempDir("", "") + require.NoError(t, err) + defer tmp.RemoveAll() + + folder := tmp.Join("folder") + err = os.Symlink(tmp.String(), folder.String()) + require.NoError(t, err) + + l, err := tmp.ReadDirRecursive() + require.Error(t, err) + fmt.Println(err) + require.Nil(t, l) + + l, err = tmp.ReadDirRecursiveFiltered(nil) + require.Error(t, err) + fmt.Println(err) + require.Nil(t, l) +} + +func TestReadDirFiltered(t *testing.T) { + folderPath := New("testdata/fileset/folder") + list, err := folderPath.ReadDir() + require.NoError(t, err) + 
require.Len(t, list, 4) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) + pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) + pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) + + list, err = folderPath.ReadDir(FilterDirectories()) + require.NoError(t, err) + require.Len(t, list, 1) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[0]) + + list, err = folderPath.ReadDir(FilterOutPrefixes("file")) + require.NoError(t, err) + require.Len(t, list, 2) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[1]) +} + +func TestReadDirRecursiveFiltered(t *testing.T) { + testdata := New("testdata", "fileset") + l, err := testdata.ReadDirRecursiveFiltered(nil) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 16) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder", l[2]) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[3]) + pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) + pathEqualsTo(t, "testdata/fileset/folder/file3", l[5]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[6]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[7]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[8]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[9]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[10]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[11]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[12]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[13]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[14]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[15]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories()) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 6) 
+ pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder", l[2]) // <- this is listed but not traversed + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) // <- this is listed but not traversed + pathEqualsTo(t, "testdata/fileset/test.txt", l[4]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[5]) + + l, err = testdata.ReadDirRecursiveFiltered(nil, FilterOutDirectories()) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 12) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) + pathEqualsTo(t, "testdata/fileset/folder/file2", l[3]) + pathEqualsTo(t, "testdata/fileset/folder/file3", l[4]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[5]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[6]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[7]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[8]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[9]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories(), FilterOutDirectories()) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 4) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[2]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[3]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), FilterOutSuffixes("3")) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 12) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder", l[2]) + pathEqualsTo(t, 
"testdata/fileset/folder/.hidden", l[3]) + pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[5]) // <- subfolder skipped by Prefix("sub") + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[6]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[7]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[8]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[9]) // <- subfolder skipped by Prefix("sub") + pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"))) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 9) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/folder", l[1]) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"), FilterOutSuffixes(".gz"))) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 8) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/folder", l[1]) + pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) + pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) + 
pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) + + l, err = testdata.ReadDirRecursiveFiltered(OrFilter(FilterPrefixes("sub"), FilterSuffixes("tofolder"))) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 11) + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder", l[2]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[4]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[5]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[6]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[7]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[8]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[9]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[10]) + + l, err = testdata.ReadDirRecursiveFiltered(nil, FilterNames("folder")) + require.NoError(t, err) + l.Sort() + require.Len(t, l, 1) + pathEqualsTo(t, "testdata/fileset/folder", l[0]) + + l, err = testdata.ReadDirRecursiveFiltered(FilterNames("symlinktofolder"), FilterOutNames(".hidden")) + require.NoError(t, err) + require.Len(t, l, 9) + l.Sort() + pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) + pathEqualsTo(t, "testdata/fileset/file", l[1]) + pathEqualsTo(t, "testdata/fileset/folder", l[2]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[4]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[5]) + pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) + pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) + pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) +} + +func TestReadDirRecursiveLoopDetection(t *testing.T) { + loopsPath := New("testdata", "loops") + unbuondedReaddir := func(testdir string) (PathList, error) { + var files PathList + var err error + done := make(chan bool) + 
go func() { + files, err = loopsPath.Join(testdir).ReadDirRecursive() + done <- true + }() + require.Eventually( + t, + func() bool { + select { + case <-done: + return true + default: + return false + } + }, + 5*time.Second, + 10*time.Millisecond, + "Infinite symlink loop while loading sketch", + ) + return files, err + } + + for _, dir := range []string{"loop_1", "loop_2", "loop_3", "loop_4"} { + l, err := unbuondedReaddir(dir) + require.EqualError(t, err, "directories symlink loop detected", "loop not detected in %s", dir) + require.Nil(t, l) + } + + { + l, err := unbuondedReaddir("regular_1") + require.NoError(t, err) + require.Len(t, l, 4) + l.Sort() + pathEqualsTo(t, "testdata/loops/regular_1/dir1", l[0]) + pathEqualsTo(t, "testdata/loops/regular_1/dir1/file1", l[1]) + pathEqualsTo(t, "testdata/loops/regular_1/dir2", l[2]) + pathEqualsTo(t, "testdata/loops/regular_1/dir2/file1", l[3]) + } + + { + l, err := unbuondedReaddir("regular_2") + require.NoError(t, err) + require.Len(t, l, 6) + l.Sort() + pathEqualsTo(t, "testdata/loops/regular_2/dir1", l[0]) + pathEqualsTo(t, "testdata/loops/regular_2/dir1/file1", l[1]) + pathEqualsTo(t, "testdata/loops/regular_2/dir2", l[2]) + pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1", l[3]) + pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1/file1", l[4]) + pathEqualsTo(t, "testdata/loops/regular_2/dir2/file2", l[5]) + } + + { + l, err := unbuondedReaddir("regular_3") + require.NoError(t, err) + require.Len(t, l, 7) + l.Sort() + pathEqualsTo(t, "testdata/loops/regular_3/dir1", l[0]) + pathEqualsTo(t, "testdata/loops/regular_3/dir1/file1", l[1]) + pathEqualsTo(t, "testdata/loops/regular_3/dir2", l[2]) + pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1", l[3]) + pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1/file1", l[4]) + pathEqualsTo(t, "testdata/loops/regular_3/dir2/file2", l[5]) + pathEqualsTo(t, "testdata/loops/regular_3/link", l[6]) // broken symlink is reported in files + } + + if runtime.GOOS != 
"windows" { + dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") + + l, err := unbuondedReaddir("regular_4_with_permission_error") + require.NoError(t, err) + require.NotEmpty(t, l) + + dir1Stat, err := dir1.Stat() + require.NoError(t, err) + err = dir1.Chmod(fs.FileMode(0)) // Enforce permission error + require.NoError(t, err) + t.Cleanup(func() { + // Restore normal permission after the test + dir1.Chmod(dir1Stat.Mode()) + }) + + l, err = unbuondedReaddir("regular_4_with_permission_error") + require.Error(t, err) + require.Nil(t, l) + } +} diff --git a/pkg/paths/testdata/broken_symlink/dir_1/broken_link b/pkg/paths/testdata/broken_symlink/dir_1/broken_link new file mode 120000 index 000000000..86a410dd1 --- /dev/null +++ b/pkg/paths/testdata/broken_symlink/dir_1/broken_link @@ -0,0 +1 @@ +broken \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/file2 b/pkg/paths/testdata/broken_symlink/dir_1/file2 new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir b/pkg/paths/testdata/broken_symlink/dir_1/linked_dir new file mode 120000 index 000000000..4b019049f --- /dev/null +++ b/pkg/paths/testdata/broken_symlink/dir_1/linked_dir @@ -0,0 +1 @@ +real_dir \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_file b/pkg/paths/testdata/broken_symlink/dir_1/linked_file new file mode 120000 index 000000000..30d67d467 --- /dev/null +++ b/pkg/paths/testdata/broken_symlink/dir_1/linked_file @@ -0,0 +1 @@ +file2 \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 b/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/paths/testdata/delay/.gitignore b/pkg/paths/testdata/delay/.gitignore new file mode 100644 index 000000000..fd5812a40 --- /dev/null +++ b/pkg/paths/testdata/delay/.gitignore @@ -0,0 +1 @@ +delay* 
diff --git a/pkg/paths/testdata/delay/main.go b/pkg/paths/testdata/delay/main.go
new file mode 100644
index 000000000..fa6030c40
--- /dev/null
+++ b/pkg/paths/testdata/delay/main.go
@@ -0,0 +1,40 @@
+/*
+ * This file is part of PathsHelper library.
+ *
+ * Copyright 2023 Arduino AG (http://www.arduino.cc/)
+ *
+ * PathsHelper library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * As a special exception, you may use this file as part of a free software
+ * library without restriction. Specifically, if other files instantiate
+ * templates or use macros or inline functions from this file, or you compile
+ * this file and link it with other files to produce an executable, this
+ * file does not by itself cause the resulting executable to be covered by
+ * the GNU General Public License. This exception does not however
+ * invalidate any other reasons why the executable file might be covered by
+ * the GNU General Public License.
+ */
+
+package main
+
+import (
+ "fmt"
+ "time"
+)
+
+func main() {
+ time.Sleep(3 * time.Second)
+ fmt.Println("Elapsed!")
+}
diff --git a/pkg/paths/testdata/fileset/anotherFile b/pkg/paths/testdata/fileset/anotherFile
new file mode 100644
index 000000000..27649646e
--- /dev/null
+++ b/pkg/paths/testdata/fileset/anotherFile
@@ -0,0 +1,4 @@
+line 1
+line 2
+
+line 3
\ No newline at end of file
diff --git a/pkg/paths/testdata/fileset/file b/pkg/paths/testdata/fileset/file
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/fileset/folder/.hidden b/pkg/paths/testdata/fileset/folder/.hidden
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/fileset/folder/file2 b/pkg/paths/testdata/fileset/folder/file2
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/fileset/folder/file3 b/pkg/paths/testdata/fileset/folder/file3
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/fileset/folder/subfolder/file4 b/pkg/paths/testdata/fileset/folder/subfolder/file4
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/fileset/symlinktofolder b/pkg/paths/testdata/fileset/symlinktofolder
new file mode 120000
index 000000000..01196353b
--- /dev/null
+++ b/pkg/paths/testdata/fileset/symlinktofolder
@@ -0,0 +1 @@
+folder
\ No newline at end of file
diff --git a/pkg/paths/testdata/fileset/test.txt b/pkg/paths/testdata/fileset/test.txt
new file mode 100644
index 000000000..d3ded994d
--- /dev/null
+++ b/pkg/paths/testdata/fileset/test.txt
@@ -0,0 +1,20 @@ +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. 
It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. 
It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + +Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. + 
diff --git a/pkg/paths/testdata/fileset/test.txt.gz b/pkg/paths/testdata/fileset/test.txt.gz
new file mode 100644
index 000000000..e75120aef
Binary files /dev/null and b/pkg/paths/testdata/fileset/test.txt.gz differ
diff --git a/pkg/paths/testdata/loops/loop_1/dir1/loop b/pkg/paths/testdata/loops/loop_1/dir1/loop
new file mode 120000
index 000000000..c9f3ab1ea
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_1/dir1/loop
@@ -0,0 +1 @@
+../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_2/dir1/loop2 b/pkg/paths/testdata/loops/loop_2/dir1/loop2
new file mode 120000
index 000000000..d014eb492
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_2/dir1/loop2
@@ -0,0 +1 @@
+../dir2
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_2/dir2/loop1 b/pkg/paths/testdata/loops/loop_2/dir2/loop1
new file mode 120000
index 000000000..c9f3ab1ea
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_2/dir2/loop1
@@ -0,0 +1 @@
+../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_3/dir1/loop2 b/pkg/paths/testdata/loops/loop_3/dir1/loop2
new file mode 120000
index 000000000..d014eb492
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_3/dir1/loop2
@@ -0,0 +1 @@
+../dir2
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 b/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2
new file mode 120000
index 000000000..85babfdb0
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2
@@ -0,0 +1 @@
+../../dir1/
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 b/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2
new file mode 120000
index 000000000..3fd50ca46
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2
@@ -0,0 +1 @@
+../dir3
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 b/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1
new file mode 120000
index 000000000..4f388a669
--- /dev/null
+++ b/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1
@@ -0,0 +1 @@
+../../../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_1/dir1/file1 b/pkg/paths/testdata/loops/regular_1/dir1/file1
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_1/dir2 b/pkg/paths/testdata/loops/regular_1/dir2
new file mode 120000
index 000000000..df490f837
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_1/dir2
@@ -0,0 +1 @@
+dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_2/dir1/file1 b/pkg/paths/testdata/loops/regular_2/dir1/file1
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_2/dir2/dir1 b/pkg/paths/testdata/loops/regular_2/dir2/dir1
new file mode 120000
index 000000000..c9f3ab1ea
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_2/dir2/dir1
@@ -0,0 +1 @@
+../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_2/dir2/file2 b/pkg/paths/testdata/loops/regular_2/dir2/file2
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_3/dir1/file1 b/pkg/paths/testdata/loops/regular_3/dir1/file1
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_3/dir2/dir1 b/pkg/paths/testdata/loops/regular_3/dir2/dir1
new file mode 120000
index 000000000..c9f3ab1ea
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_3/dir2/dir1
@@ -0,0 +1 @@
+../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_3/dir2/file2 b/pkg/paths/testdata/loops/regular_3/dir2/file2
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_3/link b/pkg/paths/testdata/loops/regular_3/link
new file mode 120000
index 000000000..86a410dd1
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_3/link
@@ -0,0 +1 @@
+broken
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1
new file mode 120000
index 000000000..c9f3ab1ea
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1
@@ -0,0 +1 @@
+../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2
new file mode 100644
index 000000000..e69de29bb
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/link b/pkg/paths/testdata/loops/regular_4_with_permission_error/link
new file mode 120000
index 000000000..86a410dd1
--- /dev/null
+++ b/pkg/paths/testdata/loops/regular_4_with_permission_error/link
@@ -0,0 +1 @@
+broken
\ No newline at end of file
diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go
index b0052d13f..72b3943d3 100644
--- a/pkg/prebuild/builder/abi.go
+++ b/pkg/prebuild/builder/abi.go
@@ -5,29 +5,27 @@ package builder
 import (
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 "github.com/roddhjav/apparmor.d/pkg/util"
 )
 
 var (
- regAbi4To3 = util.ToRegexRepl([]string{
- `abi/4.0`, `abi/3.0`,
- ` userns,`, ` # userns,`,
- ` mqueue`, ` # mqueue`,
- ` all`, ` # all`,
- ` deny mqueue`, ` # deny mqueue`,
+ regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
+ `abi/3.0`, `abi/4.0`,
+ `# userns,`, `userns,`,
+ `# mqueue`, `mqueue`,
 })
 )
 
 type ABI3 struct {
- prebuild.Base
+ cfg.Base
 }
 
 func init() {
 RegisterBuilder(&ABI3{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "abi3",
- Msg: "Build: convert all profiles from abi 4.0 to abi 3.0",
+ Msg: "Convert all profiles from abi 4.0 to abi 3.0",
 },
 })
 }
diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go
deleted file mode 100644
index 1ec5e06b1..000000000
--- a/pkg/prebuild/builder/attach.go
+++ /dev/null
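Review bot: The replacement table now rewrites `abi/3.0` to `abi/4.0` and uncomments `userns,` and `mqueue`, i.e. an ABI 3 to ABI 4 upgrade, while the registration still says `Keyword: "abi3"` and `Msg: "Convert all profiles from abi 4.0 to abi 3.0"` and the variable keeps the name regAbi4To3 with only the trailing `// Currently Abi3 -> Abi4` comment admitting the mismatch. Anyone selecting `abi3` to produce policy for an AppArmor 3 userspace will get abi 4 profiles with userns/mqueue rules enabled, which an older parser cannot load, so either the table should be reverted or the message, variable and keyword renamed to match what the code does, e.g. `Msg: "Convert all profiles from abi 3.0 to abi 4.0"`. The `# mqueue` pattern is also unanchored, so it strips the comment marker from any ordinary comment that merely mentions mqueue, not just the rule lines. The Apply method that presumably consumes this table is not in the hunk.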
@@ -1,63 +0,0 @@
-// apparmor.d - Full set of apparmor profiles
-// Copyright (C) 2021-2024 Alexandre Pujol
-// SPDX-License-Identifier: GPL-2.0-only
-
-package builder
-
-import (
- "strings"
-
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
-)
-
-type ReAttach struct {
- prebuild.Base
-}
-
-func init() {
- RegisterBuilder(&ReAttach{
- Base: prebuild.Base{
- Keyword: "attach",
- Msg: "Feat: re-attach disconnected path",
- },
- })
-}
-
-// Apply will re-attach the disconnected path
-// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
-// - Replace the base abstraction by attached/base
-// - Replace the consoles abstraction by attached/consoles
-// - For compatibility, non disconnected profile will have the @{att} variable set to /
-func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
- var insert string
- var origin = "profile " + opt.Name
- if opt.File.HasSuffix("attached/base") {
- return profile, nil // Do not re-attach twice
- }
-
- if strings.Contains(profile, "attach_disconnected") {
- insert = "@{att} = /att/" + opt.Name + "/\n"
- profile = strings.ReplaceAll(profile,
- "attach_disconnected",
- "attach_disconnected,attach_disconnected.path=@{att}",
- )
- profile = strings.ReplaceAll(profile,
- "include ",
- "include ",
- )
- profile = strings.ReplaceAll(profile,
- "include ",
- "include ",
- )
- profile = strings.ReplaceAll(profile,
- "include ",
- "include ",
- )
-
- } else {
- insert = "@{att} = \"\"\n"
-
- }
-
- return strings.Replace(profile, origin, insert+origin, 1), nil
-}
diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go
deleted file mode 100644
index 29a065629..000000000
--- a/pkg/prebuild/builder/base-strict.go
+++ /dev/null
@@ -1,32 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -type BaseStrict struct { - prebuild.Base -} - -func init() { - RegisterBuilder(&BaseStrict{ - Base: prebuild.Base{ - Keyword: "base-strict", - Msg: "Feat: use 'base-strict' as base abstraction", - }, - }) -} - -func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - return profile, nil -} diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 0d6a48f37..e0f9f26b5 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -9,23 +9,23 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {\n`) + regProfileHeader = regexp.MustCompile(` {`) ) type Complain struct { - prebuild.Base + cfg.Base } func init() { RegisterBuilder(&Complain{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "complain", - Msg: "Build: set complain flag on all profiles", + Msg: "Set complain flag on all profiles", }, }) } @@ -38,12 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } - if slices.Contains(flags, "unconfined") { - return profile, nil - } } flags = append(flags, "complain") - strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + strFlags := " flags=(" + strings.Join(flags, ",") + ") {" // Remove all flags definition, then set manifest' flags profile = regFlags.ReplaceAllLiteralString(profile, "") diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index bfc1aa025..64046721f 100644 
--- a/pkg/prebuild/builder/core.go
+++ b/pkg/prebuild/builder/core.go
@@ -6,10 +6,9 @@ package builder
 
 import (
 "fmt"
- "strings"
 
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 
 var (
@@ -20,13 +19,13 @@ var (
 Builders = map[string]Builder{}
 )
 
-// Builder main directive interface
+// Main directive interface
 type Builder interface {
- prebuild.BaseInterface
+ cfg.BaseInterface
 Apply(opt *Option, profile string) (string, error)
 }
 
-// Option for a builder
+// Builder options
 type Option struct {
 Name string
 File *paths.Path
@@ -34,7 +33,7 @@ type Option struct {
 
 func NewOption(file *paths.Path) *Option {
 return &Option{
- Name: strings.TrimSuffix(file.Base(), ".apparmor.d"),
+ Name: file.Base(),
 File: file,
 }
 }
diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go
index 6bcf74647..c242259f9 100644
--- a/pkg/prebuild/builder/core_test.go
+++ b/pkg/prebuild/builder/core_test.go
@@ -8,7 +8,7 @@ import (
 "slices"
 "testing"
 
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 
 func TestBuilder_Apply(t *testing.T) {
@@ -23,17 +23,17 @@ func TestBuilder_Apply(t *testing.T) { name: "abi3", b: Builders["abi3"], profile: ` - abi , - profile test { - userns, - mqueue r type=posix /, - }`, - want: ` abi , profile test { # userns, # mqueue r type=posix /, }`, + want: ` + abi , + profile test { + userns, + mqueue r type=posix /, + }`, }, { name: "complain-1",
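Review bot: The rewritten doc comments in the `@@ -20,13 +19,13 @@` hunk, `// Main directive interface` and `// Builder options`, no longer begin with the identifier they document, which is the convention godoc and the usual linters expect and which the previous wording followed. Suggest `// Builder is the main directive interface implemented by every prebuild directive.` above the interface and `// Option holds the per-file options handed to a Builder.` above the struct.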
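Review bot: `Name: file.Base()` in the `@@ -34,7 +33,7 @@` hunk keeps any `.apparmor.d` suffix that `strings.TrimSuffix(file.Base(), ".apparmor.d")` used to strip, so for files carrying that suffix Option.Name silently changes, and nothing in this commit's core_test.go exercises NewOption (the test loop constructs `&Option{File: ...}` directly). If such files no longer exist this should be recorded on the field, e.g. `// Name is the profile name, taken verbatim from the file basename.`; otherwise the trim should stay.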
@@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) {
 want: `
 @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file
- profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} {
+ profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} {
 include
 
 @{exec_path} mr,
@@ -228,83 +228,19 @@ func TestBuilder_Apply(t *testing.T) {
 include if exists
 }`,
- want: "",
- wantErr: true,
- },
- {
- name: "stacked-dbus-1",
- b: Builders["stacked-dbus"],
- profile: `
-profile foo {
- dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+ want: `
+ profile foo /usr/bin/foo {
+ include
-}`,
- want: `
-profile foo {
-dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus, label=dbus-session),
-dbus send bus=session path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined),
+ /usr/bin/foo mr,
-}`,
- },
- {
- name: "base-strict-1",
- b: Builders["base-strict"],
- profile: `
-profile foo {
- include
-}`,
- want: `
-profile foo {
- include
-}`,
- },
- {
- name: "attach-1",
- b: Builders["attach"],
- profile: `
-profile attach-1 flags=(attach_disconnected) {
- include
- include
- include
-}`,
- want: `
-@{att} = /att/attach-1/
-profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) {
- include
- include
- include
-}`,
- },
- {
- name: "attach-2",
- b: Builders["attach"],
- profile: `
-profile attach-2 flags=(complain) {
- include
- include
- include
-}`,
- want: `
-@{att} = ""
-profile attach-2 flags=(complain) {
- include
- include
- include
-}`,
+ include if exists
+ }`,
 },
 }
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name}
+ opt := &Option{File: cfg.RootApparmord.Join(tt.name)}
 got, err := tt.b.Apply(opt, tt.profile)
 if (err != nil) != tt.wantErr {
t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr)
diff --git a/pkg/prebuild/builder/dev.go b/pkg/prebuild/builder/dev.go
new file mode 100644
index 000000000..f8ebdff02
--- /dev/null
+++ b/pkg/prebuild/builder/dev.go
@@ -0,0 +1,36 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+ "github.com/roddhjav/apparmor.d/pkg/util"
+)
+
+var (
+ regDev = util.ToRegexRepl([]string{
+ `Cx`, `cx`,
+ `PUx`, `pux`,
+ `Px`, `px`,
+ `Ux`, `ux`,
+ })
+)
+
+type Dev struct {
+ cfg.Base
+}
+
+func init() {
+ RegisterBuilder(&Dev{
+ Base: cfg.Base{
+ Keyword: "dev",
+ Msg: "Apply test development changes",
+ },
+ })
+}
+
+func (b Dev) Apply(opt *Option, profile string) (string, error) {
+ return regDev.Replace(profile), nil
+}
diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go
index 3d3d218c6..bc25e03dc 100644
--- a/pkg/prebuild/builder/enforce.go
+++ b/pkg/prebuild/builder/enforce.go
@@ -8,18 +8,18 @@ import (
 "slices"
 "strings"
 
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 
 type Enforce struct {
- prebuild.Base
+ cfg.Base
 }
 
 func init() {
 RegisterBuilder(&Enforce{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "enforce",
- Msg: "Build: all profiles have been enforced",
+ Msg: "All profiles have been enforced",
 },
 })
 }
@@ -36,9 +36,9 @@ func (b Enforce) Apply(opt *Option, profile string) (string, error) {
 return profile, nil
 }
 flags = slices.Delete(flags, idx, idx+1)
- strFlags := "{\n"
+ strFlags := "{"
 if len(flags) >= 1 {
- strFlags = " flags=(" + strings.Join(flags, ",") + ") {\n"
+ strFlags = " flags=(" + strings.Join(flags, ",") + ") {"
 }
 
 // Remove all flags definition, then set new flags
diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go
index 12dab15cd..003f79525 100644
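Review bot: In the test loop of core_test.go the new `opt := &Option{File: cfg.RootApparmord.Join(tt.name)}` leaves Option.Name empty, so every builder under test sees `opt.Name == ""` and the NewOption path that this same commit changes in core.go is never exercised. Building the option through the constructor, `opt := NewOption(cfg.RootApparmord.Join(tt.name))`, keeps the test input shaped like real input and covers the new `Name: file.Base()` behaviour. TestBuilder_Apply continues outside the hunk.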
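Review bot: The new Dev builder lowercases every exec transition (`Px`→`px`, `Cx`→`cx`, `Ux`→`ux`, `PUx`→`pux`), and in AppArmor the lowercase modes skip the environment scrubbing that the uppercase modes apply on exec, so a policy built with this directive is strictly weaker than its source; neither the file nor `Msg: "Apply test development changes"` says so. Add a doc comment on the type, e.g. `// Dev lowercases exec transition modes (Px/Cx/Ux/PUx -> px/cx/ux/pux), which disables environment scrubbing on exec; development aid only, never for a release build.` The patterns are also unanchored, so `Px` and `Ux` would match inside any longer token in the profile text, not only exec modes; the removed hotfix.go carried the same table, so this is pre-existing, but a comment stating the assumption that these substrings only occur as exec modes would help the next reader.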
--- a/pkg/prebuild/builder/fsp.go
+++ b/pkg/prebuild/builder/fsp.go
@@ -5,25 +5,25 @@ package builder
 import (
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 "github.com/roddhjav/apparmor.d/pkg/util"
 )
 
 var (
 regFullSystemPolicy = util.ToRegexRepl([]string{
- `(PU|U)x,`, `Px,`,
+ `r(PU|U)x,`, `rPx,`,
 })
 )
 
 type FullSystemPolicy struct {
- prebuild.Base
+ cfg.Base
 }
 
 func init() {
 RegisterBuilder(&FullSystemPolicy{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "fsp",
- Msg: "Feat: prevent unconfined transitions in profile rules",
+ Msg: "Prevent unconfined transitions in profile rules",
 },
 })
 }
diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go
deleted file mode 100644
index be8750f26..000000000
--- a/pkg/prebuild/builder/hotfix.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// apparmor.d - Full set of apparmor profiles
-// Copyright (C) 2021-2024 Alexandre Pujol
-// SPDX-License-Identifier: GPL-2.0-only
-
-package builder
-
-import (
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
- "github.com/roddhjav/apparmor.d/pkg/util"
-)
-
-var (
- regHotfix = util.ToRegexRepl([]string{
- `Cx`, `cx`,
- `PUx`, `pux`,
- `Px`, `px`,
- `Ux`, `ux`,
- })
-)
-
-type Hotfix struct {
- prebuild.Base
-}
-
-func init() {
- RegisterBuilder(&Hotfix{
- Base: prebuild.Base{
- Keyword: "hotfix",
- Msg: "Fix: temporary solution for #74, #80 & #235",
- },
- })
-}
-
-func (b Hotfix) Apply(opt *Option, profile string) (string, error) {
- return regHotfix.Replace(profile), nil
-}
diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go
deleted file mode 100644
index eca8122c6..000000000
--- a/pkg/prebuild/builder/stacked-dbus.go
+++ /dev/null
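Review bot: Narrowing the full-system-policy pattern from `(PU|U)x,` to `r(PU|U)x,` means an exec rule written without the read bit, such as `@{bin}/foo Ux,` or a bare `PUx,`, is no longer rewritten to `Px,` and keeps permitting an unconfined transition, which is exactly what this builder's message says it prevents; the added `r` buys nothing for the prefixed form, since the old pattern already turned `rUx,` into `rPx,` by matching its tail. Unless the unprefixed form is deliberately meant to be left alone (in which case a comment should say so), keep the original pair, `(PU|U)x,` → `Px,`. Whether unprefixed exec rules actually occur in this profile set I cannot tell from the hunk; a core_test.go case for each spelling would settle it either way.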
@@ -1,104 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - resolve = map[string][]string{ - `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, - `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, - } -) - -// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 -type StackedDbus struct { - prebuild.Base -} - -func init() { - RegisterBuilder(&StackedDbus{ - Base: prebuild.Base{ - Keyword: "stacked-dbus", - Msg: "Fix: resolve peer label variable in dbus rules", - }, - }) -} - -func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { - var raw string - paragraphs := []string{} - rulesByParagraph := aa.ParaRules{} - - switch kind { - case aa.ProfileKind: - f := &aa.AppArmorProfileFile{} - nb, err := f.Parse(profile) - if err != nil { - return nil, nil, err - } - lines := strings.Split(profile, "\n") - raw = strings.Join(lines[nb:], "\n") - - case aa.AbstractionKind, aa.TunableKind: - raw = profile - } - - r, par, err := aa.ParseRules(raw) - if err != nil { - return nil, nil, err - } - rulesByParagraph = append(rulesByParagraph, r...) - paragraphs = append(paragraphs, par...) 
- return rulesByParagraph, paragraphs, nil -} - -func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { - kind := aa.KindFromPath(opt.File) - if kind == aa.TunableKind { - return profile, nil - } - - toResolve := []string{} - for k := range resolve { - toResolve = append(toResolve, k) - } - - rulesByParagraph, paragraphs, err := parse(kind, profile) - if err != nil { - return "", err - } - for idx, rules := range rulesByParagraph { - changed := false - newRules := aa.Rules{} - for _, rule := range rules { - switch rule := rule.(type) { - case *aa.Dbus: - if slices.Contains(toResolve, rule.PeerLabel) { - changed = true - for _, label := range resolve[rule.PeerLabel] { - newRule := *rule - newRule.PeerLabel = label - newRules = append(newRules, &newRule) - } - } else { - newRules = append(newRules, rule) - } - default: - newRules = append(newRules, rule) - } - } - if changed { - profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") - } - } - return profile, nil -} diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 70dff8ec9..9925734c3 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go 
@@ -5,66 +5,49 @@ package builder import ( - "fmt" "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) -const tokATTACHMENT = "@{exec_path}" - var ( - regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`) + regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`) ) type Userspace struct { - prebuild.Base + cfg.Base } func init() { RegisterBuilder(&Userspace{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "userspace", - Msg: "Fix: resolve variable in profile attachments", + Msg: "Bypass userspace tools restriction", }, }) } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { - return profile, nil - } + if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok { + return profile, nil + } + if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok { + return profile, nil } f := aa.DefaultTunables() - if prebuild.Distribution == "arch" { - f.Preamble = append(f.Preamble, &aa.Variable{ - Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, - }) - } else { - f.Preamble = append(f.Preamble, &aa.Variable{ - Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, - }) - } - if _, err := f.Parse(profile); err != nil { return "", err } - if len(f.GetDefaultProfile().Attachments) > 0 && - f.GetDefaultProfile().Attachments[0] != tokATTACHMENT { - return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT) - } if err := f.Resolve(); err != nil { return "", err } - + att := f.GetDefaultProfile().GetAttachments() matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { - att := f.GetDefaultProfile().GetAttachments() - strheader := strings.ReplaceAll(matches[0], tokATTACHMENT, att) + strheader := 
strings.Replace(matches[0], "@{exec_path}", att, -1) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil diff --git a/pkg/prebuild/core.go b/pkg/prebuild/cfg/core.go similarity index 69% rename from pkg/prebuild/core.go rename to pkg/prebuild/cfg/core.go index 8c2410d10..692f130ad 100644 --- a/pkg/prebuild/core.go +++ b/pkg/prebuild/cfg/core.go @@ -2,27 +2,27 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import "fmt" type BaseInterface interface { Message() string Name() string - Usage() []string + Usage() string } type Base struct { Msg string Keyword string - Help []string + Help string } func (b Base) Name() string { return b.Keyword } -func (b Base) Usage() []string { +func (b Base) Usage() string { return b.Help } @@ -37,3 +37,11 @@ func Help[T BaseInterface](name string, tasks map[string]T) string { } return res } + +func Usage[T BaseInterface](name string, tasks map[string]T) string { + res := fmt.Sprintf("%s\n", name) + for _, t := range tasks { + res += fmt.Sprintf(" %s\n", t.Usage()) + } + return res +} diff --git a/pkg/prebuild/core_test.go b/pkg/prebuild/cfg/core_test.go similarity index 75% rename from pkg/prebuild/core_test.go rename to pkg/prebuild/cfg/core_test.go index 5abf0a9c1..ff76f9466 100644 --- a/pkg/prebuild/core_test.go +++ b/pkg/prebuild/cfg/core_test.go @@ -2,10 +2,9 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import ( - "slices" "strings" "testing" ) @@ -18,7 +17,7 @@ func TestBase_Helpers(t *testing.T) { }{ { name: "base", - b: Base{Keyword: "test", Help: []string{"test"}, Msg: "test"}, + b: Base{Keyword: "test", Help: "test", Msg: "test"}, want: "test", }, } 
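Review bot: `Userspace.Apply` now skips only `abstractions` and `tunables`, so files under `local` and `mappings` (excluded before the change) are parsed and, when `regAttachments` matches, rewritten; and `att := f.GetDefaultProfile().GetAttachments()` has moved above the `if len(matches) > 0` check, so it now runs for every file including ones that contain no profile block. Whether `GetDefaultProfile` tolerates that cannot be seen here; moving the `att :=` line back inside the `if` keeps the call on the path where a profile header is known to exist. Dropping the `missing '@{exec_path}' attachment` error also means a profile whose first attachment is something else is now silently left unchanged rather than rejected — fine if intended, but worth a one-line comment above the function. The closing brace of `Apply` lies past the end of the hunk.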
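Review bot: `Usage` iterates `tasks`, a Go map, so the order of lines in the generated usage text changes from run to run; `Help` just above it (outside this hunk) appears to have the same property. Collect the task names, sort them, and emit in that order — this needs a `sort` import in `cfg/core.go`, which currently imports only `fmt`. The format string is kept as it appears on the page.
```go
func Usage[T BaseInterface](name string, tasks map[string]T) string {
	// Emit tasks in a stable order: Go map iteration order is randomized.
	names := make([]string, 0, len(tasks))
	for n := range tasks {
		names = append(names, n)
	}
	sort.Strings(names)
	res := fmt.Sprintf("%s\n", name)
	for _, n := range names {
		res += fmt.Sprintf(" %s\n", tasks[n].Usage())
	}
	return res
}
```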
@@ -27,7 +26,7 @@ func TestBase_Helpers(t *testing.T) { if got := tt.b.Name(); got != tt.want { t.Errorf("Base.Name() = %v, want %v", got, tt.want) } - if got := tt.b.Usage(); !slices.Equal(got, []string{tt.want}) { + if got := tt.b.Usage(); got != tt.want { t.Errorf("Base.Usage() = %v, want %v", got, tt.want) } if got := tt.b.Message(); got != tt.want { @@ -46,8 +45,8 @@ func TestHelp(t *testing.T) { { name: "one", tasks: map[string]Base{ - "one": {Keyword: "one", Help: []string{"one"}, Msg: "one"}, - "two": {Keyword: "two", Help: []string{"two"}, Msg: "two"}, + "one": {Keyword: "one", Help: "one", Msg: "one"}, + "two": {Keyword: "two", Help: "two", Msg: "two"}, }, want: `one`, }, @@ -57,6 +56,9 @@ func TestHelp(t *testing.T) { if got := Help(tt.name, tt.tasks); !strings.Contains(got, tt.want) { t.Errorf("Help() = %v, want %v", got, tt.want) } + if got := Usage(tt.name, tt.tasks); !strings.Contains(got, tt.want) { + t.Errorf("Usage() = %v, want %v", got, tt.want) + } }) } } diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/cfg/directories.go similarity index 67% rename from pkg/prebuild/directories.go rename to pkg/prebuild/cfg/directories.go index 486a45d14..282aa1ad8 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/cfg/directories.go 
@@ -2,33 +2,15 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import "github.com/roddhjav/apparmor.d/pkg/paths" var ( - // AppArmor ABI version - ABI = 0 - - // AppArmor version - Version = 4.0 - - // Tells the build we are a downstream project using apparmor.d as dependency - DownStream = false - - // Either or not RBAC is enabled - RBAC = false - - // Either or not we are in test mode - Test = false - - // Pkgname is the name of the package - Pkgname = "apparmor.d" - - // Root is the root directory for the build (default: .build) + // Root is the root directory for the build Root *paths.Path = paths.New(".build") - // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) + // RootApparmord is the final built apparmor.d directory RootApparmord *paths.Path = Root.Join("apparmor.d") // DistDir is the directory where the distribution specific files are stored @@ -46,6 +28,11 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") + // AppArmor 4.0 contains several profiles that allow userns and are otherwise + // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d + // counterpart + Overwrite Overwriter = false + // DebianHide is the path to the debian/apparmor.d.hide file DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/cfg/files.go new file mode 100644 index 000000000..6f81d25bc --- /dev/null +++ b/pkg/prebuild/cfg/files.go 
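Review bot: The comment on `Overwrite Overwriter = false` says the flag "disables upstream profile in favor of (better) apparmor.d counterpart", but nothing in this diff reads the boolean value — `Overwriter.Apply` in `cfg/files.go` ignores its receiver — so the variable only has an effect if some caller tests it before calling `Apply`. The comment should say so explicitly, e.g. `// Overwrite, when set by the CLI, makes the build disable the upstream profiles listed in dist/overwrite; Overwriter.Apply does not check the value itself.`, or `Apply` should return early when `!o`. The same hunk drops the `ABI`, `Version`, `DownStream`, `RBAC`, `Test` and `Pkgname` settings; I assume their consumers were removed elsewhere in the commit.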
@@ -0,0 +1,95 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package cfg
+
+import (
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+ "github.com/roddhjav/apparmor.d/pkg/util"
+)
+
+// Default content of debian/apparmor.d.hide. Whonix has special addition.
+var Hide = `# This file is generated by "make", all edit will be lost.
+
+/etc/apparmor.d/usr.bin.firefox
+/etc/apparmor.d/usr.sbin.cups-browsed
+/etc/apparmor.d/usr.sbin.cupsd
+/etc/apparmor.d/usr.sbin.rsyslogd
+`
+
+type Flagger struct{}
+
+func (f Flagger) Read(name string) map[string][]string {
+ res := map[string][]string{}
+ path := FlagDir.Join(name + ".flags")
+ if !path.Exist() {
+ return res
+ }
+
+ lines := util.MustReadFileAsLines(path)
+ for _, line := range lines {
+ manifest := strings.Split(line, " ")
+ profile := manifest[0]
+ flags := []string{}
+ if len(manifest) > 1 {
+ flags = strings.Split(manifest[1], ",")
+ }
+ res[profile] = flags
+ }
+ return res
+}
+
+type Ignorer struct{}
+
+func (i Ignorer) Read(name string) []string {
+ path := IgnoreDir.Join(name + ".ignore")
+ if !path.Exist() {
+ return []string{}
+ }
+ return util.MustReadFileAsLines(path)
+}
+
+type Overwriter bool
+
+// Overwrite upstream profile: disable upstream & rename ours
+func (o Overwriter) Apply() error {
+ const ext = ".apparmor.d"
+ disableDir := RootApparmord.Join("disable")
+ if err := disableDir.Mkdir(); err != nil {
+ return err
+ }
+
+ path := DistDir.Join("overwrite")
+ if !path.Exist() {
+ return fmt.Errorf("%s not found", path)
+ }
+ for _, name := range util.MustReadFileAsLines(path) {
+ origin := RootApparmord.Join(name)
+ dest := RootApparmord.Join(name + ext)
+ if err := origin.Rename(dest); err != nil {
+ return err
+ }
+ originRel, err := origin.RelFrom(dest)
+ if err != nil {
+ return err
+ }
+ if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil {
+ 
return err + } + } + return nil +} + +type DebianHider struct { + path *paths.Path +} + +// Initialize the file with content from Hide +func (d DebianHider) Init() error { + return d.path.WriteFile([]byte(Hide)) +} diff --git a/pkg/prebuild/files_test.go b/pkg/prebuild/cfg/files_test.go similarity index 99% rename from pkg/prebuild/files_test.go rename to pkg/prebuild/cfg/files_test.go index 24d621fd6..b4ce13a1c 100644 --- a/pkg/prebuild/files_test.go +++ b/pkg/prebuild/cfg/files_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import ( "reflect" diff --git a/pkg/prebuild/os.go b/pkg/prebuild/cfg/os.go similarity index 92% rename from pkg/prebuild/os.go rename to pkg/prebuild/cfg/os.go index 8ef8fb79e..b742a3988 100644 --- a/pkg/prebuild/os.go +++ b/pkg/prebuild/cfg/os.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import ( "os" @@ -67,13 +67,13 @@ func getDistribution() string { if id == "ubuntu" { return id } - idLike := Release["ID_LIKE"] + id_like := Release["ID_LIKE"] for main, based := range supportedDists { - if main == id || main == idLike { + if main == id || main == id_like { return main } else if slices.Contains(based, id) { return main - } else if slices.Contains(based, idLike) { + } else if slices.Contains(based, id_like) { return main } } diff --git a/pkg/prebuild/os_test.go b/pkg/prebuild/cfg/os_test.go similarity index 99% rename from pkg/prebuild/os_test.go rename to pkg/prebuild/cfg/os_test.go index 8f9bd338f..44aef1074 100644 --- a/pkg/prebuild/os_test.go +++ b/pkg/prebuild/cfg/os_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cfg import ( "reflect" diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go deleted file mode 100644 index afed5aedf..000000000 
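Review bot: `Flagger.Read` splits each line of the `.flags` file on a single space and keys the result on `manifest[0]`, so a blank line produces an entry whose profile name is `""` and a commented line produces a key beginning with `#`; both then look like real profiles to whatever consumes the map, and a line separated by two spaces or a tab puts the flags into the profile name. Skip non-data lines and split on any whitespace: `if line == "" || strings.HasPrefix(line, "#") { continue }` followed by `manifest := strings.Fields(line)`. In `Overwriter.Apply`, each name read from `dist/overwrite` is joined onto `RootApparmord` and `disable/` as-is; the file is part of the repository so the exposure is small, but a guard such as `if strings.ContainsAny(name, "/") || name == ".." { return fmt.Errorf("invalid profile name %q in %s", name, path) }` keeps the rename and symlink inside the build directory. `Overwriter`'s boolean value is never consulted inside `Apply`, so the receiver is documentation only; its doc comment should say that callers are expected to test the flag first.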
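Review bot: `id_like` in `getDistribution` uses an underscore, which Go naming convention (and the var-naming check in `golint`/`revive`) rejects for local variables; `idLike`, the form the other side of the hunk uses, is the idiomatic spelling. The rest of the function, including where `id` is read from `Release`, starts before the hunk.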
--- a/pkg/prebuild/cli/cli.go +++ /dev/null 
@@ -1,249 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package cli - -import ( - "flag" - "fmt" - "os" - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -const ( - nilABI = 0 - nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] - - Prebuild apparmor.d profiles for a given distribution and apply - internal built-in directives. - -Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. - -F, --file Only prebuild a given file. - --test Enable test mode. - --debug Enable debug mode. 
-` -) - -var ( - help bool - complain bool - enforce bool - full bool - server bool - debug bool - test bool - abi int - version float64 - file string - buildir string -) - -func init() { - flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") - flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&server, "s", false, "Set AppArmor for server.") - flag.BoolVar(&server, "server", false, "Set AppArmor for server.") - flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") - flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") - flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") - flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") - flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") - flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") - flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") - flag.StringVar(&file, "F", "", "Only prebuild a given file.") - flag.StringVar(&file, "file", "", "Only prebuild a given file.") - flag.StringVar(&buildir, "b", "", "Root build directory.") - flag.StringVar(&buildir, "buildir", "", "Root build directory.") - flag.BoolVar(&debug, "debug", false, "Enable debug mode.") - flag.BoolVar(&test, "test", false, "Enable test mode.") -} - -func Configure() { - flag.Usage = func() { - fmt.Printf("%s\n%s\n%s\n%s", usage, - prebuild.Help("Prepare", prepare.Tasks), - prebuild.Help("Build", builder.Builders), - directive.Usage(), - ) - } - flag.Parse() - if help { - flag.Usage() - os.Exit(0) - } - - if server { - idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) - if idx == -1 { - prepare.Register("server") - } else { - prepare.Prepares = 
slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) - } - - // Remove hotfix task as it is not needed on server - idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) - if idx != -1 { - prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) - } - } - - if full && paths.New("apparmor.d/groups/_full").Exist() { - prepare.Register("fsp") - builder.Register("fsp") - prebuild.RBAC = true - } else if prebuild.SystemdDir.Exist() { - prepare.Register("systemd-early") - } - - if complain { - builder.Register("complain") - if debug { - builder.Register("debug") - } - if test { - prebuild.Test = true - } - } else if enforce { - builder.Register("enforce") - } - - if abi != nilABI { - prebuild.ABI = abi - } - switch prebuild.ABI { - case 3: - builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 - case 4: - // Re-attach disconnected path - if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { - // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent - // profiles compilation with re-attached paths. 
- // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - - // Use stacked-dbus builder to resolve dbus rules - builder.Register("stacked-dbus") - - } else { - if !prebuild.DownStream { - prepare.Register("attach") - } - builder.Register("attach") - - } - - default: - logging.Fatal("Invalid ABI version: %d", prebuild.ABI) - } - - if version != nilVer { - prebuild.Version = version - } - if buildir != "" { - prebuild.Root = paths.New(buildir) - prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") - } - if file != "" { - sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Paths = []string{file} - overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.Optional = true - } -} - -func Prebuild() { - logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) - if full { - logging.Success("Full system policy enabled") - } - if prebuild.Version != nilVer { - logging.Success("AppArmor version targeted: %.1f", prebuild.Version) - } - if err := Prepare(); err != nil { - logging.Fatal("%s", err.Error()) - } - if err := Build(); err != nil { - logging.Fatal("%s", err.Error()) - } -} - -func Prepare() error { - for _, task := range prepare.Prepares { - msg, err := task.Apply() - if err != nil { - return err - } - if file != "" && task.Name() == "setflags" { - continue - } - logging.Success("%s", task.Message()) - logging.Indent = " " - for _, line := range msg { - if strings.Contains(line, "not found") { - logging.Warning("%s", line) - } else { - logging.Bullet("%s", line) - } - } - logging.Indent = "" - } - return nil -} - -func Build() error { - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = 
directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } - } - - logging.Success("Build tasks:") - logging.Indent = " " - for _, task := range builder.Builds { - logging.Bullet("%s", task.Message()) - } - logging.Indent = "" - logging.Success("Directives processed:") - logging.Indent = " " - for _, dir := range directive.Directives { - logging.Bullet("%s%s", directive.Keyword, dir.Name()) - } - logging.Indent = "" - return nil -} diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index cde9470dc..d14dd4861 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) var ( @@ -20,26 +20,16 @@ var ( // Build the profiles with the following directive applied Directives = map[string]Directive{} - regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) + regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*) (.*)`) ) -// Directive main interface +// Main directive interface type Directive interface { - prebuild.BaseInterface + cfg.BaseInterface Apply(opt *Option, profile string) (string, error) } -func Usage() string { - res := "Directive:\n" - for _, d := range Directives { - for _, h := range d.Usage() { - res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) - } - } - return res -} - -// Option for the directive +// Directive options type Option struct { Name string ArgMap map[string]string 
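Review bot: `regDirective` is now `(?m).*#aa:([a-z]*) (.*)`, which requires a space and at least the empty remainder after the keyword, so a directive written with no arguments at the end of a line would no longer be matched by `Run` and, because unmatched text is never cleaned, would survive verbatim into the built profile. Whether any directive is argument-less cannot be seen from this hunk; if none is, a comment on the variable makes the requirement explicit: `// Every directive takes at least one argument: "#aa:<name> <args>". A bare "#aa:<name>" is not recognised.` The same hunk removes `Usage()`, so the `fmt` import at the top of the file is now used only by `Run`'s error path — fine, just noting it is still needed.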
@@ -71,29 +61,11 @@ func NewOption(file *paths.Path, match []string) *Option { } } -// Clean removes selected directive line from input string. +// Clean the selected directive from profile. // Useful to remove directive text applied on some condition only -func (o *Option) Clean(input string) string { - return strings.Replace(input, o.Raw, o.cleanKeyword(o.Raw), 1) -} - -// cleanKeyword removes the dirextive keywork (#aa:...) from the input string -func (o *Option) cleanKeyword(input string) string { - reg := regexp.MustCompile(`\s*` + Keyword + o.Name + `( .*)?$`) - return reg.ReplaceAllString(input, "") -} - -// IsInline checks if either the directive is in one line or if it is a paragraph -func (o *Option) IsInline() bool { - inline := true - tmp := strings.Split(o.Raw, Keyword) - if len(tmp) >= 1 { - left := strings.TrimSpace(tmp[0]) - if len(left) == 0 { - inline = false - } - } - return inline +func (o *Option) Clean(profile string) string { + reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) + return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1) } func RegisterDirective(d Directive) { @@ -106,10 +78,7 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { - if opt.Name == "lint" { - continue - } - return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) + return "", fmt.Errorf("Unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) if err != nil { diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index 229dda630..faf39df4b 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: paths.New("dbus"), + file: nil, match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", 
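Review bot: `Clean` builds a fresh `regexp.MustCompile` on every call and interpolates `o.Name` into the pattern unescaped; `o.Name` comes from the `([a-z]*)` capture in `regDirective` so it is harmless today, but `regexp.QuoteMeta(o.Name)` costs nothing and keeps it safe if the keyword grammar ever widens. Since the pattern only differs by the keyword, it can be replaced by a package-level `regClean = regexp.MustCompile(`\s*` + Keyword + `[a-z]* .*$`)` and the body becomes `return strings.Replace(profile, o.Raw, regClean.ReplaceAllString(o.Raw, ""), 1)`, avoiding the per-call compile. The hunk also drops the `IsInline` helper; I assume its callers went with it.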
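Review bot: `fmt.Errorf("Unknown directive '%s' in %s", ...)` capitalises the error string, which Go convention (staticcheck ST1005) discourages because errors are usually wrapped or printed mid-sentence; the lower-case form on the other side of the hunk was the conventional one, and the same applies to the `Unknown dbus action` / `Missing name` / `Missing bus` / `Missing label` messages in `directive/dbus.go`. Removing the `opt.Name == "lint"` skip turns any `#aa:lint` line in a profile into a hard build error; if that directive is still present in the tree this `Run` will now fail on it, so please confirm it was removed along with the skip.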
@@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: paths.New("dbus"), + File: nil, Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: paths.New("only"), + file: nil, match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: paths.New("only"), + File: nil, Raw: " #aa:only opensuse", }, }, @@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: paths.New("dummy"), + file: nil, profile: ` `, want: ` `, }, { name: "present", - file: paths.New("fake-own"), + file: nil, profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4862597bb..dc7ac16d3 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go 
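Review bot: Every case in `TestNewOption` and `TestRun` now passes `file: nil`, so `Option.File` is nil in all of them and the `%s` formatting of `opt.File` in `Run`'s unknown-directive error path is never exercised with a real path; if `*paths.Path`'s `String()` dereferences its receiver, a failing case would panic rather than report a test failure. Keeping one case with a real `paths.New(...)` value, or adding a case that expects the unknown-directive error, would cover that path.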
@@ -18,25 +18,36 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) +var defaultInterfaces = []string{ + "org.freedesktop.DBus.Properties", + "org.freedesktop.DBus.ObjectManager", +} + type Dbus struct { - prebuild.Base + cfg.Base } func init() { RegisterDirective(&Dbus{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "dbus", Msg: "Dbus directive applied", - Help: []string{ - "own bus= name= [interface=AARE] [path=AARE]", - "talk bus= name= label= [interface=AARE] [path=AARE]", - "common bus= name= label=", - }, - }}, - ) + Help: `#aa:dbus own bus= name= [interface=AARE] [path=AARE] + #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE]`, + }, + }) +} + +func setInterfaces(rules map[string]string) []string { + interfaces := []string{rules["name"]} + if _, present := rules["interface"]; present { + interfaces = append(interfaces, rules["interface"]) + } + interfaces = append(interfaces, defaultInterfaces...) + return interfaces } func (d Dbus) Apply(opt *Option, profile string) (string, error) { @@ -51,8 +62,6 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) - case "common": - r = d.common(opt.ArgMap) } aa.IndentationLevel = strings.Count( 
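Review bot: `setInterfaces` has no doc comment, and its first entry `rules["name"]` is not the raw name: `sanityCheck` (later in this file) appends `{,.*}` to `ArgMap["name"]` before `own`/`talk` run, which is why the generated rules read `interface=org.freedesktop.systemd1{,.*}`. I would add `// setInterfaces lists the interfaces a generated rule set covers: the service name (already suffixed with "{,.*}" by sanityCheck), the optional interface= argument, then the default Properties and ObjectManager interfaces.` above the function so the ordering and the suffix are not a surprise. The second hunk on this line removes the `common` action; its `sanityCheck` counterpart is updated in the following hunk.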
@@ -61,213 +70,94 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { generatedDbus := r.String() lenDbus := len(generatedDbus) generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) + profile = strings.Replace(profile, opt.Raw, generatedDbus, -1) return profile, nil } func (d Dbus) sanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { - return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) + return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" && action != "common" { - return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) + if action != "own" && action != "talk" { + return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) } if _, present := opt.ArgMap["name"]; !present { - return "", fmt.Errorf("missing name for 'dbus: %s' in %s", action, opt.File) + return "", fmt.Errorf("Missing name for 'dbus: %s' in %s", action, opt.File) } if _, present := opt.ArgMap["bus"]; !present { - return "", fmt.Errorf("missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) } if _, present := opt.ArgMap["label"]; !present && action == "talk" { - return "", fmt.Errorf("missing label for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File) } // Set default values if _, present := opt.ArgMap["path"]; !present { - opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" + opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}" } opt.ArgMap["name"] += "{,.*}" return action, nil } -func getInterfaces(rules map[string]string) []string { - var interfaces []string - if _, present := rules["interface"]; present { - interfaces = 
[]string{rules["interface"]} - } else { - interfaces = []string{rules["name"]} - } - - if _, present := rules["interface+"]; present { - interfaces = append(interfaces, rules["interface+"]) - } - return interfaces -} - func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := getInterfaces(rules) - - res := aa.Rules{ - &aa.Include{ - IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", - }, - &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }, - } - - // Interfaces + interfaces := setInterfaces(rules) + res := aa.Rules{} + res = append(res, &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }) for _, iface := range interfaces { - res = append(res, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: iface, - PeerName: `"@{busname}"`, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: iface, - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - ) + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `":1.@{int}"`, + }) } - - res = append(res, - // DBus.Properties: reply to properties request from anyone - &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - - // DBus.Introspectable: allow clients to introspect the service - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"@{busname}"`, - }, - - // DBus.ObjectManager: allow clients to enumerate sources - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: 
"GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - ) + for _, iface := range interfaces { + res = append(res, &aa.Dbus{ + Access: []string{"send"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, + }) + } + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `":1.@{int}"`, + }) return res } func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := getInterfaces(rules) - res := aa.Rules{ - &aa.Unix{ - Type: "stream", - Address: "none", - PeerLabel: rules["label"], - PeerAddr: "none", - }, - } - - // Interfaces + interfaces := setInterfaces(rules) + res := aa.Rules{} for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Access: []string{"send"}, + Bus: rules["bus"], + Path: rules["path"], Interface: iface, - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: `"{:1.@{int},` + rules["name"] + `}"`, + PeerLabel: rules["label"], }) } - - res = append(res, - // DBus.Properties - &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - - // DBus.Introspectable - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, 
PeerLabel: rules["label"], - }, - - // DBus.ObjectManager: allow clients to enumerate sources - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - ) - return res -} - -func (d Dbus) common(rules map[string]string) aa.Rules { - res := aa.Rules{ - - // DBus.Properties: read all properties from the interface - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Properties: read all properties from the interface", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - nil, - - // DBus.Properties: receive property changed events - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Properties: receive property changed events", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "PropertiesChanged", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - nil, - - // DBus.Introspectable: allow clients to introspect the service - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Introspectable: allow clients to introspect the service", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, 
PeerLabel: rules["label"], - }, + for _, iface := range interfaces { + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `"{:1.@{int},` + rules["name"] + `}"`, + PeerLabel: rules["label"], + }) } return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index d6e90bb99..65e55e785 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
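Review bot: The regenerated `own` rules grant `receive` and `send` on `org.freedesktop.DBus.Properties` and `org.freedesktop.DBus.ObjectManager` with no `Member:` restriction, whereas the rules on the other side of the hunk scoped Properties to `{Get,GetAll,Set,PropertiesChanged}` and ObjectManager to `GetManagedObjects` / `{InterfacesAdded,InterfacesRemoved}`; `talk` likewise now emits unrestricted send and receive on every interface instead of the per-interface member lists. That is a visible widening of what a profile using `#aa:dbus` is allowed to do, so either restore the `Member:` fields on the two well-known interfaces or state in the `Help` text that the directive grants whole-interface access. Separately, `strings.Replace(x, a, b, -1)` and `strings.ReplaceAll(x, a, b)` are equivalent and the latter is the idiomatic spelling the other side used; the `sanityCheck` error strings are now capitalised, against Go convention. The body of `Dbus.Apply` begins before the hunk.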
@@ -8,31 +8,29 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include - - dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="@{busname}"), + peer=(name=":1.@{int}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=":1.@{int}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name=":1.@{int}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name="{:1.@{int},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),` + peer=(name=":1.@{int}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { 
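Review bot: The new `dbusOwnSystemd1` fixture expects `dbus receive ... interface=org.freedesktop.DBus.Properties` and `...DBus.ObjectManager` rules with no `member=` restriction, where the previous fixture limited Properties to `member={Get,GetAll,Set,PropertiesChanged}` and ObjectManager to `member=GetManagedObjects`; the two later hunks of this test file (`own` and `talk` cases) lock in the same widening. The peer also moves from `@{busname}` to `:1.@{int}`, which matches any unique connection name rather than the named service. If dropping the member filter is intentional, a comment above the constant such as `// Generated rules are interface-scoped only; member filtering was removed on purpose` would record that the directive now emits a broader grant than before. The generator loop in dbus.go that produces these rules starts outside this chunk.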
@@ -63,47 +61,45 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.ding", - "interface+": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.dingextension", + "interface": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, + ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include - - dbus bind bus=session name=com.rastersoft.ding{,.*}, - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + interface=com.rastersoft.dingextension{,.*} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.gtk.Actions - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.gtk.Actions - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.freedesktop.DBus.Properties 
- member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name=":1.@{int}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=com.rastersoft.dingextension{,.*} + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.gtk.Actions + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),`, + peer=(name=":1.@{int}"),`, }, { name: "talk", 
@@ -120,60 +116,24 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.Accounts{,.*} + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} 
interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, - }, - { - name: "common", - opt: &Option{ - Name: "dbus", - ArgMap: map[string]string{ - "bus": "system", - "name": "net.hadess.PowerProfiles", - "label": "power-profiles-daemon", - "talk": "", - }, - ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, - File: nil, - Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - }, - profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - want: ` # DBus.Properties: read all properties from the interface - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Properties: receive property changed events - dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Introspectable: allow clients to introspect the service - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, }, } for _, tt := range tests { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index b348fb46b..dd0d2ed0e 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
@@ -7,32 +7,29 @@ package directive
 import (
- "fmt"
 "slices"
 "strings"
 "github.com/roddhjav/apparmor.d/pkg/aa"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+ "github.com/roddhjav/apparmor.d/pkg/util"
 )
 type Exec struct {
- prebuild.Base
+ cfg.Base
 }
 func init() {
 RegisterDirective(&Exec{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "exec",
 Msg: "Exec directive applied",
- Help: []string{"[P|U|p|u|PU|pu|] profiles..."},
+ Help: Keyword + `exec [P|U|p|u|PU|pu|] profiles...`,
 },
 })
 }
 func (d Exec) Apply(opt *Option, profileRaw string) (string, error) {
- if len(opt.ArgList) == 0 {
- return "", fmt.Errorf("no profile to exec")
- }
 transition := "Px"
 transitions := []string{"P", "U", "p", "u", "PU", "pu"}
 t := opt.ArgList[0]
@@ -43,7 +40,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) {
 rules := aa.Rules{}
 for name := range opt.ArgMap {
- profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString()
+ profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name))
 dstProfile := aa.DefaultTunables()
 if _, err := dstProfile.Parse(profiletoTransition); err != nil {
 return "", err
@@ -70,5 +67,5 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) {
 rules = rules.Sort()
 new := rules.String()
 new = new[:len(new)-1]
- return strings.ReplaceAll(profileRaw, opt.Raw, new), nil
+ return strings.Replace(profileRaw, opt.Raw, new, -1), nil
 }
diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go
index 255d9a237..c6d4e32a7 100644
--- a/pkg/prebuild/directive/exec_test.go
+++ b/pkg/prebuild/directive/exec_test.go
@@ -8,7 +8,7 @@ import (
 "testing"
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 func TestExec_Apply(t *testing.T) {
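Review bot: `t := opt.ArgList[0]` in `Exec.Apply` now runs without the `len(opt.ArgList) == 0` guard this hunk removes, so an `#aa:exec` directive with no arguments panics with an index-out-of-range instead of returning an error to the caller; restoring `if len(opt.ArgList) == 0 { return "", fmt.Errorf("no profile to exec") }` (and the `fmt` import) keeps the failure reportable. In the second hunk, `util.MustReadFile` presumably aborts on a missing or unreadable target profile, while the rest of `Apply` returns errors — if aborting the build there is deliberate, a short comment on that line saying so would avoid the surprise. The body of `Apply` continues outside the hunks.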
@@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) {
 },
 {
 name: "exec-unconfined",
- rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"),
+ rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"),
 opt: &Option{
 Name: "exec",
 ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""},
@@ -51,7 +51,7 @@ func TestExec_Apply(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- prebuild.RootApparmord = tt.rootApparmord
+ cfg.RootApparmord = tt.rootApparmord
 got, err := Directives["exec"].Apply(tt.opt, tt.profile)
 if (err != nil) != tt.wantErr {
 t.Errorf("Exec.Apply() error = %v, wantErr %v", err, tt.wantErr)
diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go
index ac632471b..1c90fa760 100644
--- a/pkg/prebuild/directive/filter.go
+++ b/pkg/prebuild/directive/filter.go
@@ -5,57 +5,40 @@ package directive import ( - "fmt" "regexp" "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) type FilterOnly struct { - prebuild.Base + cfg.Base } type FilterExclude struct { - prebuild.Base + cfg.Base } func init() { RegisterDirective(&FilterOnly{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "only", Msg: "Only directive applied", - Help: []string{"filters..."}, + Help: Keyword + `only filters...`, }, }) RegisterDirective(&FilterExclude{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "exclude", Msg: "Exclude directive applied", - Help: []string{"filters..."}, + Help: Keyword + `exclude filters...`, }, }) } func filterRuleForUs(opt *Option) bool { - if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { - return true - } - - if prebuild.Test && slices.Contains(opt.ArgList, "test") { - return true - } - - abiStr := fmt.Sprintf("abi%d", prebuild.ABI) - if slices.Contains(opt.ArgList, abiStr) { - return true - } - versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) - if slices.Contains(opt.ArgList, versionStr) { - return true - } - return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) + return slices.Contains(opt.ArgList, cfg.Distribution) || slices.Contains(opt.ArgList, cfg.Family) } func filter(only bool, opt *Option, profile string) (string, error) { 
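Review bot: `filterRuleForUs` now matches only `cfg.Distribution` and `cfg.Family`, so any `#aa:only` / `#aa:exclude` directive still using the `RBAC`, `test`, `abiN` or `apparmorX.Y` selectors the removed code understood will never match, and the rules it guards will be kept or dropped unconditionally depending on which branch `filter` takes — a silent change to the generated policy if such directives exist in the tree. If those selectors are intentionally retired, a comment above the function stating the supported set (`// A filter matches only the distribution name or its family.`) makes the contract explicit; otherwise the removed checks should come back. `filter` continues outside this hunk.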
@@ -66,8 +49,17 @@ func filter(only bool, opt *Option, profile string) (string, error) { return opt.Clean(profile), nil } - if opt.IsInline() { - profile = strings.ReplaceAll(profile, opt.Raw, "") + inline := true + tmp := strings.Split(opt.Raw, Keyword) + if len(tmp) >= 1 { + left := strings.TrimSpace(tmp[0]) + if len(left) == 0 { + inline = false + } + } + + if inline { + profile = strings.Replace(profile, opt.Raw, "", -1) } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) profile = regRemoveParagraph.ReplaceAllString(profile, "") diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index ebbd5ef5c..465ba50a5 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -7,7 +7,7 @@ package directive import ( "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) func TestFilterOnly_Apply(t *testing.T) { @@ -78,8 +78,8 @@ func TestFilterOnly_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - prebuild.Family = tt.family + cfg.Distribution = tt.dist + cfg.Family = tt.family got, err := Directives["only"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -133,8 +133,8 @@ func TestFilterExclude_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - prebuild.Distribution = tt.dist - prebuild.Family = tt.family + cfg.Distribution = tt.dist + cfg.Family = tt.family got, err := Directives["exclude"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterExclude.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index a43849228..e0ab9d84e 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go 
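Review bot: `len(tmp) >= 1` is always true because `strings.Split` never returns an empty slice, so the new inline detection reduces to "is anything before the keyword", and the three nested statements can be written as `inline := strings.TrimSpace(strings.SplitN(opt.Raw, Keyword, 2)[0]) != ""`. The removed `opt.IsInline()` presumably encoded the same rule in one place; if it still exists, reusing it keeps the decision in one spot. On the unchanged line below, `opt.Raw` is concatenated into `regexp.MustCompile` unescaped, so a directive containing a regex metacharacter such as `(` would panic at build time — `regexp.QuoteMeta(opt.Raw)` avoids that. `filter` starts outside this hunk.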
@@ -7,10 +7,9 @@ package directive import ( "fmt" "regexp" - "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -20,48 +19,32 @@ var ( regCleanStakedRules = util.ToRegexRepl([]string{ `(?m)^.*include .*$`, ``, // Remove mandatory base abstraction `(?m)^.*@{exec_path}.*$`, ``, // Remove entry point + `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove transition rules `(?m)^(?:[\t ]*(?:\r?\n))+`, ``, // Remove empty lines }) ) type Stack struct { - prebuild.Base + cfg.Base } func init() { RegisterDirective(&Stack{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "stack", Msg: "Stack directive applied", - Help: []string{"[X] profiles..."}, + Help: Keyword + `stack profiles...`, }, }) } func (s Stack) Apply(opt *Option, profile string) (string, error) { - if len(opt.ArgList) == 0 { - return "", fmt.Errorf("no profile to stack") - } - t := opt.ArgList[0] - if t != "X" { - regCleanStakedRules = slices.Insert(regCleanStakedRules, 0, - util.ToRegexRepl([]string{ - `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules - })..., - ) - } else { - delete(opt.ArgMap, t) - } - res := "" for name := range opt.ArgMap { - stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() - if err != nil { - return "", fmt.Errorf("%s need to stack: %w", name, err) - } + stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name)) m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { - return "", fmt.Errorf("no profile found in %s", name) + return "", fmt.Errorf("No profile found in %s", name) } stackedRules := m[1] stackedRules = regCleanStakedRules.Replace(stackedRules) 
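Review bot: `util.MustReadFile(cfg.RootApparmord.Join(name))` in `Stack.Apply` replaces a read whose failure was returned as `fmt.Errorf("%s need to stack: %w", name, err)`, so a stack directive naming a missing profile presumably now aborts the build without a diagnostic that names the offending profile; `stackedProfile, err := util.ReadFile(cfg.RootApparmord.Join(name))` followed by the wrapped return keeps that message. The error strings in this hunk and in the next stack.go hunk are now capitalised (`"No profile found in %s"`, `"No end of rules found in %s"`), which Go style guidance and staticcheck ST1005 discourage because errors are usually embedded in larger messages. `Apply` continues outside this hunk.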
@@ -71,9 +54,9 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) {
 // Insert the stacked profile at the end of the current profile, remove the stack directive
 m := regEndOfRules.FindStringSubmatch(profile)
 if len(m) <= 1 {
- return "", fmt.Errorf("no end of rules found in %s", opt.File)
+ return "", fmt.Errorf("No end of rules found in %s", opt.File)
 }
- profile = strings.ReplaceAll(profile, m[0], res+m[0])
- profile = strings.ReplaceAll(profile, opt.Raw, "")
+ profile = strings.Replace(profile, m[0], res+m[0], -1)
+ profile = strings.Replace(profile, opt.Raw, "", -1)
 return profile, nil
 }
diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/prebuild/directive/stack_test.go
index 8f99d6f7a..ef603aae6 100644
--- a/pkg/prebuild/directive/stack_test.go
+++ b/pkg/prebuild/directive/stack_test.go
@@ -8,7 +8,7 @@ import (
 "testing"
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 func TestStack_Apply(t *testing.T) {
@@ -68,7 +68,7 @@ profile parent @{exec_path} {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- prebuild.RootApparmord = tt.rootApparmord
+ cfg.RootApparmord = tt.rootApparmord
 got, err := Directives["stack"].Apply(tt.opt, tt.profile)
 if (err != nil) != tt.wantErr {
 t.Errorf("Stack.Apply() error = %v, wantErr %v", err, tt.wantErr)
diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go
deleted file mode 100644
index d9879570b..000000000
--- a/pkg/prebuild/files.go
+++ /dev/null
@@ -1,64 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "just", all edit will be lost. - -/etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.bin.swtpm -/etc/apparmor.d/usr.bin.wsdd -/etc/apparmor.d/usr.libexec.geoclue -/etc/apparmor.d/usr.sbin.cups-browsed -/etc/apparmor.d/usr.sbin.cupsd -/etc/apparmor.d/usr.sbin.rsyslogd -` - -type Flagger struct{} - -func (f Flagger) Read(name string) map[string][]string { - res := map[string][]string{} - path := FlagDir.Join(name + ".flags") - if !path.Exist() { - return res - } - - lines := path.MustReadFilteredFileAsLines() - for _, line := range lines { - manifest := strings.Split(line, " ") - profile := manifest[0] - flags := []string{} - if len(manifest) > 1 { - flags = strings.Split(manifest[1], ",") - } - res[profile] = flags - } - return res -} - -type Ignorer struct{} - -func (i Ignorer) Read(name string) []string { - path := IgnoreDir.Join(name + ".ignore") - if !path.Exist() { - return []string{} - } - return path.MustReadFilteredFileAsLines() -} - -type DebianHider struct { - path *paths.Path -} - -// Init initializes the file with content from Hide -func (d DebianHider) Init() error { - return d.path.WriteFile([]byte(Hide)) -} diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go new file mode 100644 index 000000000..30bf5c2e6 --- /dev/null +++ b/pkg/prebuild/prebuild.go 
@@ -0,0 +1,117 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prebuild + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +func init() { + // Define the tasks applied by default + prepare.Register( + "synchronise", + "ignore", + "merge", + "configure", + "setflags", + "systemd-default", + ) + + // Build tasks applied by default + builder.Register("userspace") + builder.Register("dev") + + switch cfg.Distribution { + case "opensuse": + builder.Register("abi3") + cfg.Overwrite = true + + case "ubuntu": + if cfg.Release["VERSION_CODENAME"] == "noble" { + builder.Register("abi3") + cfg.Overwrite = true + } + + case "whonix": + cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure +/etc/apparmor.d/home.tor-browser.firefox +/etc/apparmor.d/tunables/homsanitycheck +/etc/apparmor.d/usr.bin.url_e.d/anondist +/etc/apparmor.d/tunables/home.d/live-mode +/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist +/etc/apparmor.d/usr.bin.hexchat +/etc/apparmor.d/usr.bin.sdwdate +/etc/apparmor.d/usr.bin.systemcheck +/etc/apparmor.d/usr.bin.timeto_unixtime +/etc/apparmor.d/whonix-firewall +` + } +} + +func Prepare() error { + for _, task := range prepare.Prepares { + msg, err := task.Apply() + if err != nil { + return err + } + logging.Success("%s", task.Message()) + logging.Indent = " " + for _, line := range msg { + if strings.Contains(line, "not found") { + logging.Warning("%s", line) + } else { + logging.Bullet("%s", line) + } + } + logging.Indent = "" + } + return nil +} + +func Build() error { + files, _ := 
cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := util.ReadFile(file) + if err != nil { + return err + } + profile, err = builder.Run(file, profile) + if err != nil { + return err + } + profile, err = directive.Run(file, profile) + if err != nil { + return err + } + if err := file.WriteFile([]byte(profile)); err != nil { + return err + } + } + + logging.Success("Build tasks:") + logging.Indent = " " + for _, task := range builder.Builds { + logging.Bullet("%s", task.Message()) + } + logging.Indent = "" + logging.Success("Directives processed:") + logging.Indent = " " + for _, dir := range directive.Directives { + logging.Bullet("%s%s", directive.Keyword, dir.Name()) + } + logging.Indent = "" + return nil +} diff --git a/pkg/prebuild/cli/cli_test.go b/pkg/prebuild/prebuild_test.go similarity index 78% rename from pkg/prebuild/cli/cli_test.go rename to pkg/prebuild/prebuild_test.go index dab310020..db709c315 100644 --- a/pkg/prebuild/cli/cli_test.go +++ b/pkg/prebuild/prebuild_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cli +package prebuild import ( "os" @@ -10,15 +10,15 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func setTestBuildDirectories(name string) { testRoot := paths.New("/tmp/tests") - prebuild.Root = testRoot.Join(name) - prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + cfg.Root = testRoot.Join(name) + cfg.RootApparmord = cfg.Root.Join("apparmor.d") } func chdirGitRoot() { @@ -33,7 +33,7 @@ func chdirGitRoot() { } } -func Test_Prebuild(t *testing.T) { +func Test_PreBuild(t *testing.T) { tests := []struct { name string wantErr bool 
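Review bot: `files, _ := cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())` in `Build` discards the error, so an unreadable or missing `apparmor.d` tree yields an empty list and `Build` returns nil having processed no profile; `files, err := ...` with `if err != nil { return err }` keeps that failure visible. `init` also registers tasks and mutates `cfg.Overwrite` and `cfg.Hide` at package load based on `cfg.Distribution`, while the test file in this same diff sets `cfg.Distribution` per case afterwards — if that ordering is intended, a comment on `init` (`// Runs once at import; distribution-specific registration is not re-evaluated when cfg.Distribution changes later`) would save the next reader the trip.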
@@ -78,27 +78,18 @@ func Test_Prebuild(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - setTestBuildDirectories(tt.dist) - prebuild.Distribution = tt.dist - prepare.Prepares = []prepare.Task{} - prepare.Register( - "synchronise", "ignore", "merge", - "configure", "setflags", "systemd-default", - ) - - if full { + setTestBuildDirectories(tt.name) + cfg.Distribution = tt.dist + if tt.full { prepare.Register("fsp") builder.Register("fsp") - } else { - prepare.Register("systemd-early") } - - if complain { + if tt.complain { builder.Register("complain") - } else if enforce { + } + if tt.enforce { builder.Register("enforce") } - if err := Prepare(); (err != nil) != tt.wantErr { t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr) } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go deleted file mode 100644 index 4523382d8..000000000 --- a/pkg/prebuild/prepare/attach.go +++ /dev/null @@ -1,37 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2025 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prepare - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -type ReAttach struct { - prebuild.Base -} - -func init() { - RegisterTask(&ReAttach{ - Base: prebuild.Base{ - Keyword: "attach", - Msg: "Configure tunable for re-attached path", - }, - }) -} - -func (p ReAttach) Apply() ([]string, error) { - res := []string{} - - // Remove the @{att} tunable that is going to be defined in profile header - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) - return res, path.WriteFile([]byte(out)) -} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 9ca3b14d3..df4daaeb1 100644 --- a/pkg/prebuild/prepare/configure.go 
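Review bot: The loop no longer resets the task registry before each case (the removed `prepare.Prepares = []prepare.Task{}` and re-registration), so `prepare.Register("fsp")`, `builder.Register("fsp")`, `builder.Register("complain")` and `builder.Register("enforce")` presumably accumulate across `t.Run` iterations and a later non-fsp case still runs whatever an earlier case registered. `complain` and `enforce` also went from `else if` to two independent `if`s, so a case with both flags set registers both builders; keeping `} else if tt.enforce {` preserves the old exclusivity if that was the intent. `Test_PreBuild` starts outside this hunk.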
+++ b/pkg/prebuild/prepare/configure.go 
@@ -6,102 +6,62 @@ package prepare import ( "fmt" - "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/util" ) type Configure struct { - prebuild.Base + cfg.Base } func init() { RegisterTask(&Configure{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "configure", Msg: "Set distribution specificities", }, }) } -func removeFiles(files []string) error { - for _, name := range files { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return err - } - } - return nil -} - func (p Configure) Apply() ([]string, error) { res := []string{} - - switch prebuild.Distribution { + switch cfg.Distribution { case "arch", "opensuse": + if cfg.Overwrite { + if err := cfg.Overwrite.Apply(); err != nil { + return res, err + } + } case "ubuntu": - if err := prebuild.DebianHide.Init(); err != nil { + if err := cfg.DebianHide.Init(); err != nil { return res, err } - if prebuild.Version < 3.0 { - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { + if cfg.Overwrite { + if err := cfg.Overwrite.Apply(); err != nil { + return res, err + } + } else { + if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { return res, err } } case "debian", "whonix": - if err := prebuild.DebianHide.Init(); err != nil { + if err := cfg.DebianHide.Init(); err != nil { return res, err } - if prebuild.Version < 4.1 { - // Copy Debian specific abstractions - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { - return res, err - } + // Copy Debian specific abstractions + if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + return res, err } default: - return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) + return []string{}, fmt.Errorf("%s is not a supported distribution", cfg.Distribution) } - - if prebuild.Version >= 4.1 { - 
remove := []string{ - // Remove files upstreamed in 4.1 - "abstractions/devices-usb-read", - "abstractions/devices-usb", - "abstractions/nameservice-strict", - "tunables/multiarch.d/base", - - // Direct upstream contributed profiles, similar to ours - "wg", - } - if err := removeFiles(remove); err != nil { - return res, err - } - } - if prebuild.Version >= 5.0 { - remove := []string{ - // Direct upstrem contributed profiles, similar to ours - "dig", - "free", - "nslookup", - "who", - } - if err := removeFiles(remove); err != nil { - return res, err - } - - // @{pci_bus} was upstreamed in 5.0 - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") - return res, path.WriteFile([]byte(out)) - } return res, nil } diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index 74d7778ed..3daf19d8b 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -7,7 +7,7 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) var ( @@ -18,9 +18,9 @@ var ( Tasks = map[string]Task{} ) -// Task main directive interface +// Main directive interface type Task interface { - prebuild.BaseInterface + cfg.BaseInterface Apply() ([]string, error) } diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index ea18d2cd8..34071ff30 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/prebuild/prepare/core_test.go @@ -11,7 +11,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" ) func chdirGitRoot() { 
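Review bot: `cfg.Overwrite` is used both as a boolean condition and as the receiver of `.Apply()` in the `arch`/`opensuse` and `ubuntu` branches of `Configure.Apply`, and prebuild.go in this diff assigns `cfg.Overwrite = true`; that dual role is not obvious at the call site, so a comment at the first use — wording to be confirmed against the `cfg` package, which is not in this chunk — along the lines of `// Overwrite doubles as the on/off switch and the task that applies the overwrite files` would help. The `debian`/`whonix` branch now copies `cfg.DistDir.Join("ubuntu")` unconditionally while `ubuntu` copies it only when `cfg.Overwrite` is unset; if that asymmetry is deliberate, the `// Copy Debian specific abstractions` comment should say why Debian never takes the overwrite path.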
@@ -39,7 +39,7 @@ func TestTask_Apply(t *testing.T) { name: "synchronise", task: Tasks["synchronise"], wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("/groups/_full/systemd")}, + wantFiles: paths.PathList{cfg.RootApparmord.Join("/groups/_full/systemd")}, }, { name: "ignore", @@ -51,7 +51,7 @@ func TestTask_Apply(t *testing.T) { name: "merge", task: Tasks["merge"], wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("aa-log")}, + wantFiles: paths.PathList{cfg.RootApparmord.Join("aa-log")}, }, { name: "configure", @@ -64,33 +64,27 @@ func TestTask_Apply(t *testing.T) { wantErr: false, want: "dists/flags/main.flags", }, - { - name: "overwrite", - task: Tasks["overwrite"], - wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("flatpak.apparmor.d")}, - }, { name: "systemd-default", task: Tasks["systemd-default"], wantErr: false, - wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, + wantFiles: paths.PathList{cfg.Root.Join("systemd/system/dbus.service")}, }, { name: "systemd-early", task: Tasks["systemd-early"], wantErr: false, - wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/pcscd.service")}, + wantFiles: paths.PathList{cfg.Root.Join("systemd/system/pcscd.service")}, }, { name: "fsp", task: Tasks["fsp"], wantErr: false, - wantFiles: paths.PathList{prebuild.RootApparmord.Join("systemd")}, + wantFiles: paths.PathList{cfg.RootApparmord.Join("systemd")}, }, } chdirGitRoot() - _ = prebuild.Root.RemoveAll() + _ = cfg.Root.RemoveAll() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := tt.task.Apply() diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index 5a851cbe9..cd6c2f54e 100644 --- a/pkg/prebuild/prepare/flags.go +++ b/pkg/prebuild/prepare/flags.go 
@@ -9,21 +9,22 @@ import ( "regexp" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/util" ) var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {\n`) + regProfileHeader = regexp.MustCompile(` {`) ) type SetFlags struct { - prebuild.Base + cfg.Base } func init() { RegisterTask(&SetFlags{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "setflags", Msg: "Set flags on some profiles", }, @@ -32,9 +33,9 @@ func init() { func (p SetFlags) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", prebuild.Distribution} { - for profile, flags := range prebuild.Flags.Read(name) { - file := prebuild.RootApparmord.Join(profile) + for _, name := range []string{"main", cfg.Distribution} { + for profile, flags := range cfg.Flags.Read(name) { + file := cfg.RootApparmord.Join(profile) if !file.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", profile)) continue @@ -42,8 +43,8 @@ func (p SetFlags) Apply() ([]string, error) { // Overwrite profile flags if len(flags) > 0 { - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" - out, err := file.ReadFileAsString() + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {" + out, err := util.ReadFile(file) if err != nil { return res, err } @@ -56,7 +57,7 @@ func (p SetFlags) Apply() ([]string, error) { } } } - res = append(res, prebuild.FlagDir.Join(name+".flags").String()) + res = append(res, cfg.FlagDir.Join(name+".flags").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index f8d3cb17f..ac3e05045 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
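Review bot: Loosening `regProfileHeader` from a space-brace-newline to a bare ` {` makes it match any space followed by `{`, not just the end of a profile header line; if the replacement in `Apply` runs over the whole profile text (that call is outside these hunks), a path alternation such as ` {,usr/}bin` elsewhere in the file could be rewritten into ` flags=(...) {` and silently break the profile. If the goal is to tolerate trailing whitespace after the brace, say so explicitly and keep the line anchor, e.g. the literal `(?m) \{[ \t]*$` inside the existing `regexp.MustCompile(...)` call; `$` matches before the newline, so the `flagsStr` without `\n` in the -42 hunk still works. Escaping the brace as `\{` also documents that a literal brace, not a repetition count, is intended.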
@@ -5,69 +5,20 @@ package prepare import ( - "regexp" + "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - tunables = map[string]string{ - // Set systemd profiles name - "sd": "sd", - "sdu": "sdu", - "systemd_user": "systemd-user", - "systemd": "systemd", - - // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they - "dbus_system": "dbus-system", - "dbus_session": "dbus-session", - - // Update name of stacked profiles - "apt_news": "", - "colord": "", - "e2scrub_all": "", - "e2scrub": "", - "fprintd": "", - "fwupd": "", - "fwupdmgr": "", - "geoclue": "", - "irqbalance": "", - "logrotate": "", - "ModemManager": "", - "nm_priv_helper": "", - "pcscd": "", - "polkitd": "", - "power_profiles_daemon": "", - "rsyslogd": "", - "systemd_coredump": "", - "systemd_homed": "", - "systemd_hostnamed": "", - "systemd_importd": "", - "systemd_initctl": "", - "systemd_journal_remote": "", - "systemd_journald": "", - "systemd_localed": "", - "systemd_logind": "", - "systemd_machined": "", - "systemd_networkd": "", - "systemd_oomd": "", - "systemd_resolved": "", - "systemd_rfkill": "", - "systemd_timedated": "", - "systemd_timesyncd": "", - "systemd_userdbd": "", - "upowerd": "", - } + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/util" ) type FullSystemPolicy struct { - prebuild.Base + cfg.Base } func init() { RegisterTask(&FullSystemPolicy{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, 
@@ -78,28 +29,34 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { + if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), cfg.Root.Join("apparmor.d")); err != nil { return res, err } - // Set profile name for FSP - path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") - out, err := path.ReadFileAsString() + // Set systemd profile name + path := cfg.RootApparmord.Join("tunables/multiarch.d/system") + out, err := util.ReadFile(path) if err != nil { return res, err } - for varname, profile := range tunables { - pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) - if profile == "" { - out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) - } else { - out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) - } + out = strings.Replace(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1) + out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1) + if err := path.WriteFile([]byte(out)); err != nil { + return res, err } + + // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution + path = cfg.RootApparmord.Join("abstractions/gstreamer") + out, err = util.ReadFile(path) + if err != nil { + return res, err + } + regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) + out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } // Set systemd unit drop-in files - return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) + return res, util.CopyTo(cfg.SystemdDir.Join("full"), cfg.Root.Join("systemd")) } diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/prebuild/prepare/ignore.go index 2aece5174..92a1498a7 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/prebuild/prepare/ignore.go 
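Review bot: The two `strings.Replace` calls in `FullSystemPolicy.Apply` silently do nothing when `tunables/multiarch.d/system` does not contain the exact text `@{p_systemd}=unconfined` or `@{p_systemd_user}=unconfined`, so a full-system-policy build could ship with systemd still declared unconfined and neither `res` nor `err` would say so. Guard each substitution with `if !strings.Contains(out, old) { return res, fmt.Errorf("%s: %q not found", path, old) }` (this file would need `fmt` added to its imports), and `strings.ReplaceAll(out, old, new)` is the idiomatic spelling of `strings.Replace(..., -1)`. The gstreamer block removes every line matching `.*gst-plugin-scanner.*` from the abstraction under a bare `FIXME: Temporary solution`; state what conflicts and where it is tracked, e.g. `// FIXME: drop the gst-plugin-scanner rules that clash with the x modifier in <PROFILE_NAME> under FSP; remove once <TRACKING_ISSUE> is fixed`, so the hack is not forgotten.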
@@ -6,16 +6,16 @@ package prepare
 import (
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 type Ignore struct {
- prebuild.Base
+ cfg.Base
 }
 func init() {
 RegisterTask(&Ignore{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "ignore",
 Msg: "Ignore profiles and files from:",
 },
@@ -24,11 +24,11 @@ func init() {
 func (p Ignore) Apply() ([]string, error) {
 res := []string{}
- for _, name := range []string{"main", prebuild.Distribution} {
- for _, ignore := range prebuild.Ignore.Read(name) {
- profile := prebuild.Root.Join(ignore)
+ for _, name := range []string{"main", cfg.Distribution} {
+ for _, ignore := range cfg.Ignore.Read(name) {
+ profile := cfg.Root.Join(ignore)
 if profile.NotExist() {
- files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore))
+ files, err := cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore))
 if err != nil {
 return res, err
 }
@@ -43,7 +43,7 @@ func (p Ignore) Apply() ([]string, error) {
 }
 }
 }
- res = append(res, prebuild.IgnoreDir.Join(name+".ignore").String())
+ res = append(res, cfg.IgnoreDir.Join(name+".ignore").String())
 }
 return res, nil
 }
diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go
index d2c720003..86a2ceade 100644
--- a/pkg/prebuild/prepare/merge.go
+++ b/pkg/prebuild/prepare/merge.go
@@ -9,18 +9,18 @@ import (
 "path/filepath"
 "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 type Merge struct {
- prebuild.Base
+ cfg.Base
 }
 func init() {
 RegisterTask(&Merge{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "merge",
- Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory",
+ Msg: "Merge all profiles into a unified apparmor.d directory",
 },
 })
 }
@@ -35,18 +35,18 @@ func (p Merge) Apply() ([]string, error) { idx := 0 for idx < len(dirToMerge)-1 { dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(prebuild.RootApparmord.Join(dirMoved).String()) + files, err := filepath.Glob(cfg.RootApparmord.Join(dirMoved).String()) if err != nil { return res, err } for _, file := range files { - err := os.Rename(file, prebuild.RootApparmord.Join(filepath.Base(file)).String()) + err := os.Rename(file, cfg.RootApparmord.Join(filepath.Base(file)).String()) if err != nil { return res, err } } - files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) + files, err = filepath.Glob(cfg.RootApparmord.Join(dirRemoved).String()) if err != nil { return []string{}, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go deleted file mode 100644 index d974b26e4..000000000 --- a/pkg/prebuild/prepare/overwrite.go +++ /dev/null 
@@ -1,67 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prepare - -import ( - "fmt" - "os" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ext = "." + prebuild.Pkgname - -type Overwrite struct { - prebuild.Base - Optional bool -} - -func init() { - RegisterTask(&Overwrite{ - Base: prebuild.Base{ - Keyword: "overwrite", - Msg: "Overwrite dummy upstream profiles", - }, - Optional: false, - }) -} - -func (p Overwrite) Apply() ([]string, error) { - res := []string{} - if prebuild.ABI == 3 { - return res, nil - } - - disableDir := prebuild.RootApparmord.Join("disable") - if err := disableDir.Mkdir(); err != nil { - return res, err - } - - path := prebuild.DistDir.Join("overwrite") - if !path.Exist() { - return res, fmt.Errorf("%s not found", path) - } - for _, name := range path.MustReadFilteredFileAsLines() { - origin := prebuild.RootApparmord.Join(name) - dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.Optional { - continue - } - if origin.Exist() { - if err := origin.Rename(dest); err != nil { - return res, err - } - } - originRel, err := origin.RelFrom(dest) - if err != nil { - return res, err - } - if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { - return res, err - } - } - - return res, nil -} diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go deleted file mode 100644 index fb9a1f602..000000000 --- a/pkg/prebuild/prepare/server.go +++ /dev/null 
@@ -1,108 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prepare - -import ( - "fmt" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - serverIgnorePatterns = []string{ - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - } - serverIgnoreGroups = []string{ - "akonadi", - "avahi", - "bluetooth", - "browsers", - "cosmic", - "cups", - "display-manager", - "flatpak", - "freedesktop", - "gnome", - "gvfs", - "hyprland", - "kde", - "lxqt", - "steam", - "xfce", - "zed", - } -) - -type Server struct { - prebuild.Base -} - -func init() { - RegisterTask(&Server{ - Base: prebuild.Base{ - Keyword: "server", - Msg: "Configure AppArmor for server", - }, - }) -} - -func (p Server) Apply() ([]string, error) { - res := []string{} - - // Ignore desktop related groups - groupNb := 0 - for _, group := range serverIgnoreGroups { - path := prebuild.RootApparmord.Join("groups", group) - if path.IsDir() { - if err := path.RemoveAll(); err != nil { - return res, err - } - groupNb++ - } else { - res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) - } - } - - // Ignore profiles using a desktop related abstraction - fileNb := 0 - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return res, err - } - for _, pattern := range serverIgnorePatterns { - if strings.Contains(profile, pattern) { - if err := file.RemoveAll(); err != nil { - return res, err - } - fileNb++ - break - } - } - } - - res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) - res = append(res, fmt.Sprintf("%d profiles 
ignored", fileNb)) - return res, nil -} diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index b6c2dbf5b..e2b5dacd6 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -6,53 +6,35 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/util" ) type Synchronise struct { - prebuild.Base - Paths []string // File or directory to sync into the build directory. + cfg.Base } func init() { RegisterTask(&Synchronise{ - Base: prebuild.Base{ + Base: cfg.Base{ Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Paths: []string{"apparmor.d", "share"}, }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { - return res, err - } - if err := prebuild.RootApparmord.RemoveAll(); err != nil { - return res, err - } - - for _, name := range p.Paths { - src := paths.New(name) - dst := prebuild.Root.Join(name) - if err := dst.RemoveAll(); err != nil { + dirs := paths.PathList{cfg.RootApparmord, cfg.Root.Join("root"), cfg.Root.Join("systemd")} + for _, dir := range dirs { + if err := dir.RemoveAll(); err != nil { return res, err } - - if src.IsDir() { - if err := src.CopyFS(dst); err != nil { - return res, err - } - } else { - if err := dst.Parent().MkdirAll(); err != nil { - return res, err - } - if err := src.CopyTo(dst); err != nil { - return res, err - } + } + for _, name := range []string{"apparmor.d", "root"} { + if err := util.CopyTo(paths.New(name), cfg.Root.Join(name)); err != nil { + return res, err } - res = append(res, dst.String()) } return res, nil } diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index b7646e4bf..5681783ce 100644 --- a/pkg/prebuild/prepare/systemd.go 
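Review bot: `Synchronise.Apply` now always returns an empty `res`, because the `res = append(res, dst.String())` that reported each synced destination was dropped together with the `Paths` field, so the task prints nothing about what it copied; keep the report by adding `res = append(res, cfg.Root.Join(name).String())` after the `util.CopyTo` call. The removed `Paths` field also carried the only comment saying what gets synced; a one-line comment above the second loop naming why exactly `apparmor.d` and `root` are copied into the build directory (the renames in this diff suggest `root/` mirrors the installed filesystem, but that is an inference) would replace it.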
+++ b/pkg/prebuild/prepare/systemd.go
@@ -5,27 +5,27 @@
 package prepare
 import (
- "github.com/roddhjav/apparmor.d/pkg/paths"
- "github.com/roddhjav/apparmor.d/pkg/prebuild"
+ "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
+ "github.com/roddhjav/apparmor.d/pkg/util"
 )
 type SystemdDefault struct {
- prebuild.Base
+ cfg.Base
 }
 type SystemdEarly struct {
- prebuild.Base
+ cfg.Base
 }
 func init() {
 RegisterTask(&SystemdDefault{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "systemd-default",
 Msg: "Configure systemd unit drop in files to a profile for some units",
 },
 })
 RegisterTask(&SystemdEarly{
- Base: prebuild.Base{
+ Base: cfg.Base{
 Keyword: "systemd-early",
 Msg: "Configure systemd unit drop in files to ensure some service start after apparmor",
 },
@@ -33,9 +33,9 @@ func init() {
 }
 func (p SystemdDefault) Apply() ([]string, error) {
- return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd"))
+ return []string{}, util.CopyTo(cfg.SystemdDir.Join("default"), cfg.Root.Join("systemd"))
 }
 func (p SystemdEarly) Apply() ([]string, error) {
- return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd"))
+ return []string{}, util.CopyTo(cfg.SystemdDir.Join("early"), cfg.Root.Join("systemd"))
 }
diff --git a/pkg/util/slice.go b/pkg/util/slice.go
deleted file mode 100644
index defd9703a..000000000
--- a/pkg/util/slice.go
+++ /dev/null
@@ -1,81 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package util - -// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. -func RemoveDuplicate[T comparable](inlist []T) []T { - var empty T - list := []T{} - seen := map[T]bool{} - seen[empty] = true - for _, item := range inlist { - if _, ok := seen[item]; !ok { - seen[item] = true - list = append(list, item) - } - } - return list -} - -// Intersect returns the intersection between two collections. -// From https://github.com/samber/lo -func Intersect[T comparable](list1 []T, list2 []T) []T { - result := []T{} - seen := map[T]struct{}{} - - for _, elem := range list1 { - seen[elem] = struct{}{} - } - - for _, elem := range list2 { - if _, ok := seen[elem]; ok { - result = append(result, elem) - } - } - - return result -} - -// Flatten returns an array a single level deep. -// From https://github.com/samber/lo -func Flatten[T comparable](collection [][]T) []T { - totalLen := 0 - for i := range collection { - totalLen += len(collection[i]) - } - - result := make([]T, 0, totalLen) - for i := range collection { - result = append(result, collection[i]...) - } - - return result -} - -// Invert creates a map composed of the inverted keys and values. If map -// contains duplicate values, subsequent values overwrite property assignments -// of previous values. -// Play: https://go.dev/play/p/rFQ4rak6iA1 -func Invert[K comparable, V comparable](in map[K]V) map[V]K { - out := make(map[V]K, len(in)) - - for k := range in { - out[in[k]] = k - } - - return out -} - -func InvertFlatten[V comparable](in map[V][]V) map[V]V { - out := make(map[V]V, len(in)) - - for k := range in { - for _, v := range in[k] { - out[v] = k - } - } - - return out -} diff --git a/pkg/util/slice_test.go b/pkg/util/slice_test.go deleted file mode 100644 index 11f05a711..000000000 
--- a/pkg/util/slice_test.go
+++ /dev/null
@@ -1,120 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package util - -import ( - "reflect" - "testing" -) - -func TestRemoveDuplicate(t *testing.T) { - tests := []struct { - name string - inlist []string - want []string - }{ - { - name: "Duplicate", - inlist: []string{"foo", "bar", "foo", "bar", ""}, - want: []string{"foo", "bar"}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { - t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestIntersect(t *testing.T) { - tests := []struct { - name string - list1 []int - list2 []int - want []int - }{ - { - name: "1", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 2}, - want: []int{0, 2}, - }, - { - name: "2", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 6}, - want: []int{0}, - }, - { - name: "3", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{-1, 6}, - want: []int{}, - }, - { - name: "4", - list1: []int{0, 6}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - { - name: "5", - list1: []int{0, 6, 0}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { - t.Errorf("Intersect() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestFlatten(t *testing.T) { - tests := []struct { - name string - input [][]int - want []int - }{ - { - name: "1", - input: [][]int{{0, 1}, {2, 3, 4, 5}}, - want: []int{0, 1, 2, 3, 4, 5}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := Flatten(tt.input); !reflect.DeepEqual(got, tt.want) { - t.Errorf("Intersect() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestInvert(t *testing.T) { - tests := []struct { - name string - input map[string]int - want 
map[int]string
- }{
- {
- name: "1",
- input: map[string]int{"a": 1, "b": 2},
- want: map[int]string{1: "a", 2: "b"},
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- if got := Invert(tt.input); !reflect.DeepEqual(got, tt.want) {
- t.Errorf("Invert() = %v, want %v", got, tt.want)
- }
- })
- }
-}
diff --git a/pkg/util/tools.go b/pkg/util/tools.go
index 749a97e62..30d5251d6 100644
--- a/pkg/util/tools.go
+++ b/pkg/util/tools.go
@@ -7,6 +7,10 @@ package util
 import (
 "encoding/hex"
 "regexp"
+ "slices"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
 )
 var (
@@ -63,7 +67,95 @@ func DecodeHexInString(str string) string {
 return str
 }
+// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element.
+func RemoveDuplicate[T comparable](inlist []T) []T {
+ var empty T
+ list := []T{}
+ seen := map[T]bool{}
+ seen[empty] = true
+ for _, item := range inlist {
+ if _, ok := seen[item]; !ok {
+ seen[item] = true
+ list = append(list, item)
+ }
+ }
+ return list
+}
+
+// Intersect returns the intersection between two collections.
+// From https://github.com/samber/lo
+func Intersect[T comparable](list1 []T, list2 []T) []T {
+ result := []T{}
+ seen := map[T]struct{}{}
+
+ for _, elem := range list1 {
+ seen[elem] = struct{}{}
+ }
+
+ for _, elem := range list2 {
+ if _, ok := seen[elem]; ok {
+ result = append(result, elem)
+ }
+ }
+
+ return result
+}
+
+// CopyTo recursivelly copy all files from a source path to a destination path.
+func CopyTo(src *paths.Path, dst *paths.Path) error {
+ files, err := src.ReadDirRecursiveFiltered(nil,
+ paths.FilterOutDirectories(),
+ paths.FilterOutNames("README.md"),
+ )
+ if err != nil {
+ return err
+ }
+ for _, file := range files {
+ destination, err := file.RelFrom(src)
+ if err != nil {
+ return err
+ }
+ destination = dst.JoinPath(destination)
+ if err := destination.Parent().MkdirAll(); err != nil {
+ return err
+ }
+ if err := file.CopyTo(destination); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 // Filter out comments and empty line from a string
 func Filter(src string) string {
 return regFilter.Replace(src)
 }
+
+// ReadFile read a file and return its content as a string.
+func ReadFile(path *paths.Path) (string, error) {
+ content, err := path.ReadFile()
+ if err != nil {
+ return "", err
+ }
+ return string(content), nil
+}
+
+// MustReadFile read a file and return its content as a string. Panic if an error occurs.
+func MustReadFile(path *paths.Path) string {
+ content, err := path.ReadFile()
+ if err != nil {
+ panic(err)
+ }
+ return string(content)
+}
+
+// MustReadFileAsLines read a file and return its content as a slice of string.
+// It panics if an error occurs and filter out comments and empty lines.
+func MustReadFileAsLines(path *paths.Path) []string {
+ res := strings.Split(Filter(MustReadFile(path)), "\n")
+ if slices.Contains(res, "") {
+ idx := slices.Index(res, "")
+ res = slices.Delete(res, idx, idx+1)
+ }
+ return res
+}
diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go
index e8b2bb837..4d5cade6a 100644
--- a/pkg/util/tools_test.go
+++ b/pkg/util/tools_test.go
@@ -8,6 +8,8 @@ import (
 "reflect"
 "regexp"
 "testing"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
 )
 func TestDecodeHexInString(t *testing.T) {
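Review bot: `MustReadFileAsLines` removes only the first empty element, because `slices.Index` followed by a single `slices.Delete` runs once, so a file where `Filter` leaves more than one blank line (an internal one plus the trailing one, for instance) still returns `""` entries although the doc comment promises they are filtered out; `res = slices.DeleteFunc(res, func(s string) bool { return s == "" })` drops them all in one call. `MustReadFile` duplicates the body of `ReadFile` added just above it and could simply call `ReadFile` and panic on its error. `CopyTo` says nothing about how symlinks in the source tree are treated or what happens when `src` is not a directory; both depend on the `paths` helpers it calls, which are not visible here, so a sentence on each in the doc comment would help callers like `Synchronise` and `FullSystemPolicy` that feed it build inputs.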
@@ -36,6 +38,74 @@ func TestDecodeHexInString(t *testing.T) { } } +func TestRemoveDuplicate(t *testing.T) { + tests := []struct { + name string + inlist []string + want []string + }{ + { + name: "Duplicate", + inlist: []string{"foo", "bar", "foo", "bar", ""}, + want: []string{"foo", "bar"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { + t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestIntersect(t *testing.T) { + tests := []struct { + name string + list1 []int + list2 []int + want []int + }{ + { + name: "1", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 2}, + want: []int{0, 2}, + }, + { + name: "2", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 6}, + want: []int{0}, + }, + { + name: "3", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{-1, 6}, + want: []int{}, + }, + { + name: "4", + list1: []int{0, 6}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + { + name: "5", + list1: []int{0, 6, 0}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Intersect() = %v, want %v", got, tt.want) + } + }) + } +} + func TestToRegexRepl(t *testing.T) { tests := []struct { name string 
@@ -88,6 +158,47 @@ func TestRegexReplList_Replace(t *testing.T) {
 }
 }
+func TestCopyTo(t *testing.T) {
+ tests := []struct {
+ name string
+ src *paths.Path
+ dst *paths.Path
+ wantErr bool
+ }{
+ {
+ name: "default",
+ src: paths.New("../../apparmor.d/groups/_full/"),
+ dst: paths.New("/tmp/test/apparmor.d/groups/_full/"),
+ wantErr: false,
+ },
+ {
+ name: "issue-source",
+ src: paths.New("../../apparmor.d/groups/nope/"),
+ dst: paths.New("/tmp/test/apparmor.d/groups/_full/"),
+ wantErr: true,
+ },
+ // {
+ // name: "issue-dest-1",
+ // src: paths.New("../../apparmor.d/groups/_full/"),
+ // dst: paths.New("/"),
+ // wantErr: true,
+ // },
+ // {
+ // name: "issue-dest-2",
+ // src: paths.New("../../apparmor.d/groups/_full/"),
+ // dst: paths.New("/_full/"),
+ // wantErr: true,
+ // },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if err := CopyTo(tt.src, tt.dst); (err != nil) != tt.wantErr {
+ t.Errorf("CopyTo() error = %v, wantErr %v", err, tt.wantErr)
+ }
+ })
+ }
+}
+
 func Test_Filter(t *testing.T) {
 tests := []struct {
 name string
diff --git a/requirements.txt b/requirements.txt
index d30bccf19..8be8158d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,4 @@
 mkdocs
-mkdocs-git-committers-plugin-2
 mkdocs-git-revision-date-localized-plugin
 mkdocs-material
 mkdocs-minify-plugin
diff --git a/share/bash-completion/completions/aa-log b/root/usr/share/bash-completion/completions/aa-log
similarity index 100%
rename from share/bash-completion/completions/aa-log
rename to root/usr/share/bash-completion/completions/aa-log
diff --git a/share/libalpm/hooks/apparmor.hook b/root/usr/share/libalpm/hooks/apparmor.hook
similarity index 100%
rename from share/libalpm/hooks/apparmor.hook
rename to root/usr/share/libalpm/hooks/apparmor.hook
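Review bot: `TestCopyTo` writes into the fixed path `/tmp/test/apparmor.d/groups/_full/`, so concurrent runs on a shared machine race with each other, files left over from an earlier run can mask a copy that silently did nothing, and a pre-existing entry or symlink at that path would redirect the copy; `t.TempDir()` gives each run a private directory that is cleaned up afterwards. Since the table is built before `t.Run`, capture `tmp := t.TempDir()` at the top of `TestCopyTo` and use `dst: paths.New(tmp + "/_full/")` in both cases. The two commented-out `issue-dest` cases record that copying onto `/` is not rejected by `CopyTo`; leaving them as comments hides that gap, so either add the guard and enable them or replace them with a short comment naming where it is tracked.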
diff --git a/share/zsh/site-functions/_aa-log.zsh b/root/usr/share/zsh/site-functions/_aa-log.zsh
similarity index 100%
rename from share/zsh/site-functions/_aa-log.zsh
rename to root/usr/share/zsh/site-functions/_aa-log.zsh
diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8
deleted file mode 100644
index 62f40966e..000000000
--- a/share/man/man8/aa-log.8
+++ /dev/null
@@ -1,79 +0,0 @@ -.\" Automatically generated by Pandoc 3.1.12.1 -.\" -.TH "aa\-log" "8" "September 2024" "" "" -.SH NAME -aa\-log \[em] Review AppArmor generated messages in a colorful way. -.SH SYNOPSIS -\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] -.SH DESCRIPTION -Review AppArmor generated messages in a colourful way. -Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] -as well as \f[I]dbus session\f[R] events. -.PP -It can be given an optional profile name to filter the output with. -.PP -It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa\-logprof(8)\f[R]. -The generated rules should be manually reviewed and inserted into the -profile. -.PP -Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. -Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] -.SH OPTIONS -\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] -.TP -[\f[I]profile\f[R]] -Optional profile name to filter the output with. -.TP -\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] -Set a logfile or a suffix to the default log file. -.TP -\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] -Parse systemd logs from journalctl. -Provides all AppArmor logs since the last boot. -.TP -\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] -Convert the log into AppArmor rules. -.TP -\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] -Print the raw log without any formatting. -Useful for reporting logs. -.TP -\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] -Print the program usage. 
-.SH USAGE -To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: -.IP -.EX -aa\-log -.EE -.PP -To optionally filter a given profile name: -\f[CR]aa\-log \f[R] (your shell will autocomplete the -profile name): -.IP -.EX -$ aa\-log dnsmasq -DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r -DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r -DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r -.EE -.PP -To generate AppArmor rule: -.IP -.EX -$ aa\-log \-r dnsmasq -profile dnsmasq { - \[at]{PROC}/\[at]{pid}/environ r, - \[at]{PROC}/cmdline r, - \[at]{PROC}/sys/kernel/osrelease r, -} -.EE -.SH SEE ALSO -\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], -\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], -\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. -.SH AUTHORS -aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/share/man/man8/aa-log.md b/share/man/man8/aa-log.md deleted file mode 100644 index 0b7fe8afa..000000000 --- a/share/man/man8/aa-log.md +++ /dev/null 
@@ -1,80 +0,0 @@ -% aa-log(8) -% aa-log was written by Alexandre Pujol (alexandre@pujol.io) -% September 2024 - -# NAME - -aa-log — Review AppArmor generated messages in a colorful way. - -# SYNOPSIS - -**aa-log** [*options…*] [*profile*] - -# DESCRIPTION - -Review AppArmor generated messages in a colourful way. Support logs from *auditd*, *systemd*, *syslog* as well as *dbus session* events. - -It can be given an optional profile name to filter the output with. - -It can be used to generate AppArmor rules from the logs and it therefore an alternative to `aa-logprof(8)`. The generated rules should be manually reviewed and inserted into the profile. - -Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1` - -# OPTIONS - -**aa-log** [*options…*] [*profile*] - -[*profile*] - -: Optional profile name to filter the output with. - -`--file`, `-f` - -: Set a logfile or a suffix to the default log file. - -`--systemd`, `-s` - -: Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. - -`--rules`, `-r` - -: Convert the log into AppArmor rules. - -`--raw`, `-R` - -: Print the raw log without any formatting. Useful for reporting logs. - -`--help`, `-h` - -: Print the program usage. 
- - -# USAGE - -To read the AppArmor log from `/var/log/audit/audit.log`: -```sh -aa-log -``` - -To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): -``` -$ aa-log dnsmasq -DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r -DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r -DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r -``` - -To generate AppArmor rule: -``` -$ aa-log -r dnsmasq -profile dnsmasq { - @{PROC}/@{pid}/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, -} -``` - -# SEE ALSO - -`aa-logprof(8)`, `apparmor(7)`, `apparmor.d(5)`, `aa-genprof(1)`, `aa-enforce(1)`, `aa-complain(1)`, `aa-disable(1)`, and -https://apparmor.pujol.io. diff --git a/systemd/default/system/dbus-broker.service b/systemd/default/system/dbus-broker.service index 899828b40..8d3ed8b73 100644 --- a/systemd/default/system/dbus-broker.service +++ b/systemd/default/system/dbus-broker.service @@ -1,5 +1,2 @@ -[Unit] -After=apparmor.service - [Service] AppArmorProfile=dbus-system diff --git a/systemd/default/system/dbus.service b/systemd/default/system/dbus.service index 899828b40..8d3ed8b73 100644 --- a/systemd/default/system/dbus.service +++ b/systemd/default/system/dbus.service @@ -1,5 +1,2 @@ -[Unit] -After=apparmor.service - [Service] AppArmorProfile=dbus-system diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service new file mode 100644 index 000000000..9c1fad533 --- /dev/null +++ b/systemd/default/user/at-spi-dbus-bus.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service new file mode 100644 index 000000000..818d5cdf3 --- /dev/null +++ b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service 
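Review bot: Dropping `[Unit]` / `After=apparmor.service` from the `dbus-broker.service` and `dbus.service` drop-ins removes the only ordering that ensured the `dbus-system` profile is in the kernel before the bus starts; with `AppArmorProfile=dbus-system` left unprefixed, systemd refuses to start a unit whose profile is not yet loaded, so an early-starting dbus could now fail rather than start confined. If that ordering is now supplied by the `systemd-early` drop-ins that the prepare task in this diff describes (not visible here), a one-line comment in each file, e.g. `# ordering after apparmor.service is provided by the early drop-ins`, would stop the next reader from re-adding it or from assuming the profile is optional.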
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=ibus-daemon
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
index 2d1593f19..03d352890 100644
--- a/systemd/full/system/ModemManager.service
+++ b/systemd/full/system/ModemManager.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&ModemManager
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service
deleted file mode 100644
index 73bbc99d8..000000000
--- a/systemd/full/system/apport-coredump-hook@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&apport
\ No newline at end of file
diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service
deleted file mode 100644
index d7bf885dd..000000000
--- a/systemd/full/system/apt-news.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&apt_news
diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service
index b88768556..03d352890 100644
--- a/systemd/full/system/archlinux-keyring-wkd-sync.service
+++ b/systemd/full/system/archlinux-keyring-wkd-sync.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&archlinux-keyring-wkd-sync
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service
index 5cccff422..03d352890 100644
--- a/systemd/full/system/bluetooth.service
+++ b/systemd/full/system/bluetooth.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&bluetoothd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service
deleted file mode 100644
index a2a121fc3..000000000
--- a/systemd/full/system/cloud-init-hotplugd.service
+++ /dev/null
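Review bot: The new `NoNewPrivileges=no` line in the ModemManager.service drop-in (and the same line in every rewritten or added `systemd/full/system/*.service` file in this commit, together with the extra `ProtectKernelModules=no`, `RestrictRealtime=no`, `MemoryDenyWriteExecute=no`, `ProtectKernelTunables=no`, `ProtectClock=no`, `LockPersonality=no` and `RestrictNamespaces=no` lines in fwupd-refresh, geoclue, systemd-journald, systemd-logind and pipewire-media-session) switches off upstream unit hardening for a large set of privileged services without recording why. Presumably the full-system policy depends on exec transitions that the hardened units refuse, but each relaxed directive should carry a comment naming the denial it resolves, for example `# needed for the AppArmor exec transition; remove once the profile no longer requires it` above `NoNewPrivileges=no`, so the setting can be re-tightened later instead of becoming permanent. Several of the new files also end with `\ No newline at end of file` while low-memory-monitor.service and shadow.service end with a stray blank line; a consistent single trailing newline avoids noisy diffs on the next edit.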
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&cloud-init-hotplugd.service
diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service
deleted file mode 100644
index 9a64fbc26..000000000
--- a/systemd/full/system/colord.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&colord
diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service
index 6d078aea9..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.hostname1.service
+++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service
index 0ab519541..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.import1.service
+++ b/systemd/full/system/dbus-org.freedesktop.import1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-importd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service
index 276595080..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.locale1.service
+++ b/systemd/full/system/dbus-org.freedesktop.locale1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-localed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service
index c5728915c..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.login1.service
+++ b/systemd/full/system/dbus-org.freedesktop.login1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-logind
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service
index 315b1b230..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.machine1.service
+++ b/systemd/full/system/dbus-org.freedesktop.machine1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-machined
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service
index ab04c5a45..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.timedate1.service
+++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-timedated
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service
deleted file mode 100644
index f895f7941..000000000
--- a/systemd/full/system/debug-shell.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=debug-shell.service
\ No newline at end of file
diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service
deleted file mode 100644
index d4647117b..000000000
--- a/systemd/full/system/dmesg.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=dmesg.service
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service
index 7340b7610..03d352890 100644
--- a/systemd/full/system/e2scrub@.service
+++ b/systemd/full/system/e2scrub@.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&e2scrub
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
index b903d2f0a..03d352890 100644
--- a/systemd/full/system/e2scrub_reap.service
+++ b/systemd/full/system/e2scrub_reap.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&e2scrub_all
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service
index 5f1f063fa..03d352890 100644
--- a/systemd/full/system/fprintd.service
+++ b/systemd/full/system/fprintd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&fprintd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
index acd28a5a4..fa215b3f0 100644
--- a/systemd/full/system/fwupd-refresh.service
+++ b/systemd/full/system/fwupd-refresh.service
@@ -1,2 +1,4 @@
 [Service]
-AppArmorProfile=&fwupdmgr
\ No newline at end of file
+ProtectKernelModules=no
+RestrictRealtime=no
+ProtectKernelModules=no
diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service
deleted file mode 100644
index 5054a73d6..000000000
--- a/systemd/full/system/fwupd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&fwupd
\ No newline at end of file
diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service
index 2c10e32f5..4ba897659 100644
--- a/systemd/full/system/geoclue.service
+++ b/systemd/full/system/geoclue.service
@@ -1,2 +1,6 @@
 [Service]
-AppArmorProfile=&geoclue
\ No newline at end of file
+NoNewPrivileges=no
+MemoryDenyWriteExecute=no
+ProtectKernelTunables=no
+ProtectKernelModules=no
+RestrictRealtime=no
diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service
deleted file mode 100644
index 8520aea76..000000000
--- a/systemd/full/system/grub-common.service
+++ /dev/null
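Review bot: The fwupd-refresh.service drop-in sets `ProtectKernelModules=no` twice (the second and fourth lines of the new file); systemd takes the repeat silently, but it reads like a copy-paste slip where a different directive was intended, so either delete the second `ProtectKernelModules=no` or replace it with the setting that was meant. Because the hunk header says `+1,4`, the duplicate is not a rendering artefact of the collapsed diff.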
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=grub-common.service
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
index eab67fa44..03d352890 100644
--- a/systemd/full/system/irqbalance.service
+++ b/systemd/full/system/irqbalance.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&irqbalance
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service
deleted file mode 100644
index 1b2a9c287..000000000
--- a/systemd/full/system/ldconfig.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=ldconfig.service
\ No newline at end of file
diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service
deleted file mode 100644
index bc984e025..000000000
--- a/systemd/full/system/logrotate.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&logrotate
\ No newline at end of file
diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service
new file mode 100644
index 000000000..dabf76f3a
--- /dev/null
+++ b/systemd/full/system/low-memory-monitor.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+
diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service
deleted file mode 100644
index d3a78dd80..000000000
--- a/systemd/full/system/man-db.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=man-db.service
\ No newline at end of file
diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service
index 53f99edd0..03d352890 100644
--- a/systemd/full/system/nm-priv-helper.service
+++ b/systemd/full/system/nm-priv-helper.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&nm-priv-helper
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/paccache.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/passim.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service
deleted file mode 100644
index 8d39f3f26..000000000
--- a/systemd/full/system/pcscd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&pcscd
diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service
index b21a28baa..03d352890 100644
--- a/systemd/full/system/polkit.service
+++ b/systemd/full/system/polkit.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&polkitd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service
deleted file mode 100644
index 45c5ed93b..000000000
--- a/systemd/full/system/power-profiles-daemon.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&power-profiles-daemon
\ No newline at end of file
diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/reflector.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
index c52a85d0c..03d352890 100644
--- a/systemd/full/system/rngd.service
+++ b/systemd/full/system/rngd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&rngd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service
deleted file mode 100644
index 6b49a73f0..000000000
--- a/systemd/full/system/rsyslog.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&rsyslogd
diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service
deleted file mode 100644
index 722781b8a..000000000
--- a/systemd/full/system/secureboot-db.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=secureboot-db.service
diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service
index 52d2f644c..dabf76f3a 100644
--- a/systemd/full/system/shadow.service
+++ b/systemd/full/system/shadow.service
@@ -1,2 +1,3 @@
 [Service]
-AppArmorProfile=&shadow.service
+NoNewPrivileges=no
+
diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service
deleted file mode 100644
index 7953d522a..000000000
--- a/systemd/full/system/snapd.system-shutdown.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=snapd.system-shutdown.service
\ No newline at end of file
diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service
deleted file mode 100644
index 24c914f77..000000000
--- a/systemd/full/system/system-update-cleanup.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=system-update-cleanup.service
\ No newline at end of file
diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service
deleted file mode 100644
index d13624709..000000000
--- a/systemd/full/system/systemd-coredump@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-coredump
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
index 65d4ae62e..03d352890 100644
--- a/systemd/full/system/systemd-homed.service
+++ b/systemd/full/system/systemd-homed.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-homed
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service
index 6d078aea9..03d352890 100644
--- a/systemd/full/system/systemd-hostnamed.service
+++ b/systemd/full/system/systemd-hostnamed.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service
deleted file mode 100644
index e44c8767f..000000000
--- a/systemd/full/system/systemd-initctl.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-initctl
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service
deleted file mode 100644
index e08cf75a9..000000000
--- a/systemd/full/system/systemd-journal-remote.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-journal-remote
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service
index 48f5a0156..0316a67c8 100644
--- a/systemd/full/system/systemd-journald.service
+++ b/systemd/full/system/systemd-journald.service
@@ -1,2 +1,3 @@
 [Service]
-AppArmorProfile=&systemd-journald
\ No newline at end of file
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service
index 48f5a0156..0316a67c8 100644
--- a/systemd/full/system/systemd-journald@.service
+++ b/systemd/full/system/systemd-journald@.service
@@ -1,2 +1,3 @@
 [Service]
-AppArmorProfile=&systemd-journald
\ No newline at end of file
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service
index 276595080..03d352890 100644
--- a/systemd/full/system/systemd-localed.service
+++ b/systemd/full/system/systemd-localed.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-localed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service
index c5728915c..0316a67c8 100644
--- a/systemd/full/system/systemd-logind.service
+++ b/systemd/full/system/systemd-logind.service
@@ -1,2 +1,3 @@
 [Service]
-AppArmorProfile=&systemd-logind
\ No newline at end of file
+NoNewPrivileges=no
+ProtectClock=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service
index 315b1b230..03d352890 100644
--- a/systemd/full/system/systemd-machined.service
+++ b/systemd/full/system/systemd-machined.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-machined
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service
index 3f4b60849..03d352890 100644
--- a/systemd/full/system/systemd-networkd.service
+++ b/systemd/full/system/systemd-networkd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-networkd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service
deleted file mode 100644
index 2dc668b80..000000000
--- a/systemd/full/system/systemd-nsresourced.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-nsresourced
diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service
deleted file mode 100644
index c384626ee..000000000
--- a/systemd/full/system/systemd-oomd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-oomd
diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service
index fd36871e4..03d352890 100644
--- a/systemd/full/system/systemd-resolved.service
+++ b/systemd/full/system/systemd-resolved.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-resolved
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service
deleted file mode 100644
index 4abf222d5..000000000
--- a/systemd/full/system/systemd-rfkill.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-rfkill
diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service
index 78dd0193d..03d352890 100644
--- a/systemd/full/system/systemd-timedated.service
+++ b/systemd/full/system/systemd-timedated.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-timedated
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service
deleted file mode 100644
index 0cd6fefbf..000000000
--- a/systemd/full/system/systemd-timesyncd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-timesyncd
diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service
index d3771658d..03d352890 100644
--- a/systemd/full/system/systemd-userdbd.service
+++ b/systemd/full/system/systemd-userdbd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-userdbd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service
index 082e8f0fa..03d352890 100644
--- a/systemd/full/system/upower.service
+++ b/systemd/full/system/upower.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&upowerd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service
deleted file mode 100644
index 0eca1db25..000000000
--- a/systemd/full/system/usb_modeswitch@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=usb_modeswitch.service
\ No newline at end of file
diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service
deleted file mode 100644
index 4dd212f51..000000000
--- a/systemd/full/user/filter-chain.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service
new file mode 100644
index 000000000..c392e82fe
--- /dev/null
+++ b/systemd/full/user/pipewire-media-session.service
@@ -0,0 +1,5 @@
+[Service]
+NoNewPrivileges=no
+MemoryDenyWriteExecute=no
+LockPersonality=no
+RestrictNamespaces=no
diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service
deleted file mode 100644
index 1d35a493e..000000000
--- a/systemd/full/user/pipewire-pulse.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&pipewire-pulse
\ No newline at end of file
diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service
deleted file mode 100644
index 4dd212f51..000000000
--- a/systemd/full/user/pipewire.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&pipewire
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service
deleted file mode 100644
index c47175f40..000000000
--- a/systemd/full/user/wireplumber.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service
deleted file mode 100644
index c47175f40..000000000
--- a/systemd/full/user/wireplumber@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 000000000..de4a15f78
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,28 @@
+#!/usr/bin/make -f
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Usage:
+# make archlinux flavor=gnome
+# vagrant up arch-gnome
+# vagrant ssh archl-gnome
+
+# Build variables
+flavor ?=
+disk ?= 10G
+
+VERSION := 0.$(shell git rev-list --count HEAD)
+BASE = archlinux debian ubuntu opensuse fedora
+
+.PHONY: ${BASE} lint
+
+$(BASE):
+ @make --directory=../ package dist=${@}
+ @packer build -force -var version=${VERSION} \
+ -var disk_size=${disk} -var flavor="${flavor}" \
+ -only=qemu.${@}-${flavor} packer/
+
+lint:
+ @packer fmt --check packer/
+ @packer validate --syntax-only packer/
diff --git a/tests/Vagrantfile b/tests/Vagrantfile
new file mode 100644
index 000000000..fce3a3f0d
--- /dev/null
+++ b/tests/Vagrantfile
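Review bot: The usage comment `# vagrant ssh archl-gnome` in the new tests/Makefile names a box that boxes.yml does not define; the line above it and boxes.yml both use `arch-gnome`, so it should read `# vagrant ssh arch-gnome`. `flavor ?=` leaves the variable empty, so a bare `make archlinux` passes `-only=qemu.archlinux-` to packer; if the packer sources are named `qemu.<dist>-<flavor>` as that pattern suggests, nothing is selected, and a guard such as `$(if $(flavor),,$(error flavor is required, e.g. make archlinux flavor=gnome))` at the top of the `$(BASE)` recipe would fail loudly instead. `BASE` is assigned with `=` while `VERSION` uses `:=`; since `BASE` is a constant list, `BASE := …` keeps the two consistent.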
@@ -0,0 +1,62 @@
+# -*- mode: ruby -*-
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+require 'yaml'
+
+machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml'))
+default = machines['defaults']
+
+Vagrant.require_version '>= 2.0.0'
+
+Vagrant.configure("2") do |config|
+
+ config.ssh.keys_only = true
+ config.ssh.insert_key = false
+ config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ]
+ config.ssh.username = 'user'
+
+ machines['boxes'].each do |instance|
+
+ # Configure the VMs per details in boxes.yml
+ config.vm.define instance['name'] do |srv|
+ srv.vm.box = instance['box']
+ srv.vm.box_check_update = false
+ srv.vm.post_up_message = instance.to_yaml
+ srv.vm.synced_folder '.', '/vagrant', disabled: true
+ if !ENV['AA_INTEGRATION']
+ srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false
+ end
+
+ # Configure Libvirt provider
+ srv.vm.provider 'libvirt' do |libvirt|
+ libvirt.driver = 'kvm'
+ libvirt.default_prefix = 'aa-'
+ libvirt.connect_via_ssh = false
+ libvirt.storage_pool_name = 'ssd'
+ libvirt.memory = instance.fetch('ram', default['ram'])
+ libvirt.cpus = instance.fetch('cpu', default['cpu'])
+ libvirt.cpu_mode = 'host-passthrough'
+ libvirt.machine_type = 'q35'
+ libvirt.video_type = 'virtio'
+ libvirt.graphics_type = 'spice'
+ libvirt.sound_type = 'ich9'
+ libvirt.tpm_model = 'tpm-crb'
+ libvirt.tpm_type = 'emulator'
+ libvirt.tpm_version = '2.0'
+ libvirt.random model: 'random'
+ libvirt.memorybacking 'source', type: 'memfd'
+ libvirt.memorybacking 'access', mode: 'shared'
+ libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio'
+ (1..2).each do
+ libvirt.redirdev :type => "spicevmc"
+ end
+ if instance.fetch('uefi', default['uefi'])
+ libvirt.loader = '/usr/share/edk2-ovmf/x64/OVMF_CODE.fd'
+ end
+ end
+
+ end
+ end
+end
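Review bot: `machines = YAML.load_file(...)` uses the full YAML loader; on Psych releases before 4 that constructs arbitrary tagged Ruby objects, and although boxes.yml is a repository file the intent is plain data, so `YAML.safe_load_file(...)` (where the bundled Psych provides it) states that explicitly and costs nothing here. The key path `'~/.ssh/id_ed25519'`, the pool `'ssd'`, the guest path `/home/user/Projects/apparmor.d` and the OVMF loader path are hard-coded host details; reading at least the first two from the environment, e.g. `config.ssh.private_key_path = [ ENV.fetch('AA_VAGRANT_KEY', '~/.ssh/id_ed25519') ]` (constructed name), would let other contributors run the boxes without editing the file. `libvirt.redirdev :type => "spicevmc"` mixes hash-rocket syntax and double quotes into a file that otherwise writes `key: 'value'`; `libvirt.redirdev type: 'spicevmc'` matches the rest.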
diff --git a/tests/boxes.yml b/tests/boxes.yml
new file mode 100644
index 000000000..9846342c5
--- /dev/null
+++ b/tests/boxes.yml
@@ -0,0 +1,43 @@
+---
+
+defaults:
+ uefi: true
+ ram: '6144'
+ cpu: '6'
+
+boxes:
+ - name: arch-gnome
+ box: aa-archlinux-gnome
+ uefi: false
+
+ - name: arch-kde
+ box: aa-archlinux-kde
+ uefi: false
+
+ - name: arch-server
+ box: aa-archlinux-server
+ uefi: false
+
+ - name: ubuntu-desktop
+ box: aa-ubuntu-desktop
+
+ - name: ubuntu-desktop24
+ box: aa-ubuntu-desktop24
+
+ - name: ubuntu-server
+ box: aa-ubuntu-server
+
+ - name: ubuntu-server24
+ box: aa-ubuntu-server24
+
+ - name: debian-server
+ box: aa-debian-server
+
+ - name: debian-gnome
+ box: aa-debian-gnome
+
+ - name: debian-kde
+ box: aa-debian-kde
+
+ - name: opensuse-kde
+ box: aa-opensuse-kde
diff --git a/tests/check.sh b/tests/check.sh
deleted file mode 100644
index b54bc157a..000000000
--- a/tests/check.sh
+++ /dev/null
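Review bot: `ram: '6144'` and `cpu: '6'` under `defaults:` are quoted, so the Vagrantfile hands strings to `libvirt.memory` and `libvirt.cpus`, which are numeric settings; unless vagrant-libvirt is known to coerce them, write them as integers, `ram: 6144` and `cpu: 6`, so the type matches the meaning. Only `uefi` is overridden per box, and nothing in the file says which keys a box entry may carry; a comment above `defaults:` such as `# per-box keys: name, box, and optional ram/cpu/uefi overrides (see Vagrantfile)` would spare readers a trip to the Vagrantfile.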
@@ -1,633 +0,0 @@ -#!/usr/bin/env bash -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: just check -# shellcheck disable=SC2044 - -set -eu -o pipefail - -RES=$(mktemp) -echo "false" >"$RES" -MAX_JOBS=$(nproc) -APPARMORD=${CHECK_APPARMORD:-apparmor.d} -SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} -declare WITH_CHECK -declare _check_is_disabled -declare _check_is_disabled_global -_FILE_IGNORE_ALL=false -readonly APPARMORD SBIN_LIST RES MAX_JOBS -readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" -_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } -_warn() { - local name="$1" file="$2" - shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" -} -_err() { - local name="$1" file="$2" - shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" - echo "true" >"$RES" -} - -_in_array() { - local item needle="$1" - shift - for item in "$@"; do - if [[ "${item}" == "${needle}" ]]; then - return 0 - fi - done - return 1 -} - -_is_enabled() { - local check="$1" - if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then - if _in_array "$check" "${_check_is_disabled_global[@]}"; then - return 1 - fi - fi - if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then - return 0 - fi - if _in_array "$check" "${_check_is_disabled[@]}"; then - return 1 - fi - return 0 - fi - return 1 -} - -_wait() { - local -n job=$1 - job=$((job + 1)) - if ((job >= MAX_JOBS)); then - wait -n - job=$((job - 1)) - fi -} - -_IGNORE_LINT_BLOCK=false -readonly _IGNORE_LINT="#aa:lint ignore" -_ignore_lint() { - local checks line="$1" - - if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block (or file-wide if in header) - 
checks="${line#*"$_IGNORE_LINT="}" - read -ra _parsed <<<"${checks//,/ }" - if (( line_number <= 10 )); then - # Treat as file-wide ignore - _check_is_disabled_global=("${_parsed[@]}") - _FILE_IGNORE_ALL=true - _IGNORE_LINT_BLOCK=false - return 0 - fi - _IGNORE_LINT_BLOCK=true - _check_is_disabled=("${_parsed[@]}") - - elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then - # New paragraph, end of block - _IGNORE_LINT_BLOCK=false - _check_is_disabled=() - - elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block/paragraph - return 0 - - elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore (or file-wide if in header) - checks="${line#*"$_IGNORE_LINT="}" - read -ra _parsed <<<"${checks//,/ }" - if (( line_number <= 10 )); then - _check_is_disabled_global=("${_parsed[@]}") - _FILE_IGNORE_ALL=true - return 0 - fi - _check_is_disabled=("${_parsed[@]}") - - else - # Do not clear if file-wide ignore is set - if ! $_FILE_IGNORE_ALL; then - _check_is_disabled=() - fi - fi -} - -_check() { - local file="$1" - line_number=0 - _FILE_IGNORE_ALL=false - _check_is_disabled_global=() - - while IFS= read -r line; do - line_number=$((line_number + 1)) - _ignore_lint "$line" - - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - _check_udev - - # The following checks do not apply to commented lines - [[ "$line" =~ ^[[:space:]]*# ]] && continue - if [[ "$line" =~ ,[[:space:]]*# ]]; then - line="${line%%#*}" - fi - - # Rules checks - _check_abstractions - _check_directory_mark - _check_equivalent - _check_too_wide - _check_transition - _check_useless - _check_tunables - - # Guidelines check - _check_abi - _check_include - _check_profile - _check_subprofiles - - done <"$file" - - # Results - _res_abi - _res_include - _res_profile - _res_subprofiles - _res_header - _res_vim -} - -# Rules checks: security, compatibility, and rule issues - 
-readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) -declare -A ABS_DEPRECATED=( - ["nameservice"]="nameservice-strict" - ["bash"]="shell" - ["X"]="X-strict" - ["dbus-accessibility-strict"]="bus-accessibility" - ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" - ["dbus-session-strict"]="bus-session" - ["dbus-system-strict"]="bus-system" - ["gnome"]="gnome-strict" - ["kde"]="kde-strict" -) -_check_abstractions() { - _is_enabled abstractions || return 0 - - local absname - for absname in "${ABS_DANGEROUS[@]}"; do - if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" - fi - done - for absname in "${!ABS_DEPRECATED[@]}"; do - if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" - fi - done - if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then - _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" - fi -} - -readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') -_check_directory_mark() { - _is_enabled directory-mark || return 0 - for pattern in "${DIRECTORIES[@]}"; do - if [[ "$line" == *"$pattern"* ]]; then - [[ "$line" == *'='* ]] && continue - if [[ ! "$line" == *"$pattern/"* ]]; then - _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" - fi - fi - done -} - -declare -A EQUIVALENTS=( - ["awk"]="{m,g,}awk" - ["gawk"]="{m,g,}awk" - ["grep"]="{,e}grep" - ["gs"]="gs{,.bin}" - ["which"]="which{,.debianutils}" -) -_check_equivalent() { - _is_enabled equivalent || return 0 - local prgmname - for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname "* ]]; then - if [[ ! 
"$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" - fi - fi - done -} - -readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') -_check_too_wide() { - _is_enabled too-wide || return 0 - for pattern in "${TOOWIDE[@]}"; do - if [[ "$line" == *" $pattern "* ]]; then - _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" - fi - done -} - -readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' - chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir - sed shred stat tail tee test timeout touch truncate unlink -) -readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot who -) -readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkill pkexec sudo systemctl udevadm - fusermount fusermount3 fusermount{,3} - nvim vim sensible-editor -) -_check_transition() { - _is_enabled transition || return 0 - for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" - fi - done - for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" - fi - done - for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" - fi - done -} - -readonly USELESS=( - 'ptrace readby' - '/usr/share/locale/' - 
'@{sys}/devices/system/cpu/online' - '@{sys}/devices/system/cpu/possible' - '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' - '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' - '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' - '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' - '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' - '/dev/full' '/dev/zero' -) -_check_useless() { - _is_enabled useless || return 0 - for rule in "${!USELESS[@]}"; do - if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" - fi - done -} - -declare -A TUNABLES=( - # User variables - ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" - ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" - ["/home/[^/]+/"]="@{HOME}/" - - # System variables - ["/usr/lib(|32|64|exec)"]='@{lib}' - ["/usr/sbin"]='@{sbin}' - ["/usr/bin"]='@{bin}' - ["(x86_64|amd64|i386|i686)"]='@{arch}' - ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' - ["/usr/etc/"]='@{etc_ro}/' - ["/boot/(|efi/)"]="@{efi}/" - ["/efi/"]="@{efi}/" - ["/var/run/"]='@{run}/' - ["/run/"]='@{run}/' - ["user/[0-9]*/"]='user/@{uid}/' - ["/tmp/user/[^/]+/"]='@{tmp}/' - ["/sys/"]='@{sys}/' - ["/proc/"]='@{PROC}/' - ["1000"]="@{uid}" - - # Some system glob - [":not.active.yet"]="@{busname}" - [":1.[0-9]*"]="@{busname}" - ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" - ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" -) -_check_tunables() { - _is_enabled tunables || return 0 - for 
pattern in "${!TUNABLES[@]}"; do - rpattern="$pattern" - [[ "$rpattern" == /* ]] && rpattern=" $rpattern" - if [[ "$line" =~ $rpattern ]]; then - match="${BASH_REMATCH[0]}" - _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" - fi - done -} - -# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - -RES_ABI=false -readonly ABI_SYNTAX='abi ,' -_check_abi() { - _is_enabled abi || return 0 - if [[ "$line" == *"$ABI_SYNTAX" ]]; then - RES_ABI=true - fi -} -_res_abi() { - _is_enabled abi || return 0 - if ! $RES_ABI; then - _err abi "$file" "missing 'abi ,'" - fi -} - -RES_INCLUDE=false -_check_include() { - _is_enabled include || return 0 - if [[ "$line" == *"${include}"* ]]; then - RES_INCLUDE=true - fi -} -_res_include() { - _is_enabled include || return 0 - if ! $RES_INCLUDE; then - _err include "$file" "missing '$include'" - fi -} - -RES_PROFILE=false -_check_profile() { - _is_enabled profile || return 0 - if [[ "$line" =~ ^"profile $name" ]]; then - RES_PROFILE=true - fi -} -_res_profile() { - _is_enabled profile || return 0 - if ! 
$RES_PROFILE; then - _err profile "$file" "missing profile name: 'profile $name'" - fi -} - -# Style check - -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) -_RES_HEADER=(false false false) -_check_header() { - _is_enabled header || return 0 - for idx in "${!HEADERS[@]}"; do - if [[ "$line" == "${HEADERS[$idx]}"* ]]; then - _RES_HEADER[idx]=true - break - fi - done -} -_res_header() { - _is_enabled header || return 0 - for idx in "${!_RES_HEADER[@]}"; do - if ${_RES_HEADER[$idx]}; then - continue - fi - _err header "$file" "missing header: '${HEADERS[$idx]}'" - done -} - -_check_tabs() { - _is_enabled tabs || return 0 - if [[ "$line" =~ $'\t' ]]; then - _err tabs "$file:$line_number" "tabs are not allowed" - fi -} - -_check_trailing() { - _is_enabled trailing || return 0 - if [[ "$line" =~ [[:space:]]+$ ]]; then - _err trailing "$file:$line_number" "line has trailing whitespace" - fi -} - -_CHECK_IN_PROFILE=false -_CHECK_FIRST_LINE_AFTER_PROFILE=true -_check_indentation() { - _is_enabled indentation || return 0 - if [[ "$line" =~ ^profile ]]; then - _CHECK_IN_PROFILE=true - _CHECK_FIRST_LINE_AFTER_PROFILE=true - - elif $_CHECK_IN_PROFILE; then - if $_CHECK_FIRST_LINE_AFTER_PROFILE; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _err indentation "$file:$line_number" "profile must have a two-space indentation" - fi - _CHECK_FIRST_LINE_AFTER_PROFILE=false - - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done - - if ! 
$ok; then - _err indentation "$file:$line_number" "invalid indentation" - fi - fi - fi - fi -} - -_CHEK_IN_SUBPROFILE=false -declare -A _RES_SUBPROFILES -_check_subprofiles() { - _is_enabled subprofiles || return 0 - if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then - indentation="${BASH_REMATCH[1]}" - subprofile="${BASH_REMATCH[2]}" - subprofile="${subprofile%% *}" - include="${indentation}include if exists " - _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" - _CHEK_IN_SUBPROFILE=true - elif $_CHEK_IN_SUBPROFILE; then - if [[ "$line" == *"$include" ]]; then - _RES_SUBPROFILES["$subprofile"]=true - fi - fi -} -_res_subprofiles() { - _is_enabled subprofiles || return 0 - for msg in "${_RES_SUBPROFILES[@]}"; do - if [[ $msg == true ]]; then - continue - fi - _err subprofiles "$file" "$msg" - done -} - -readonly VIM_SYNTAX="# vim:syntax=apparmor" -RES_VIM=false -_check_vim() { - _is_enabled vim || return 0 - if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then - RES_VIM=true - fi -} -_res_vim() { - _is_enabled vim || return 0 - if ! 
$RES_VIM; then - _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" - fi -} - -_check_udev() { - _is_enabled udev || return 0 - if [[ "$line" == *"@{run}/udev/data/"* ]]; then - if [[ "$line" != *"#"* ]]; then - _err udev "$file:$line_number" "udev data path without a description comment" - fi - fi -} - -check_sbin() { - local file name jobs - mapfile -t sbin <"$SBIN_LIST" - _msg "Ensuring '@{bin} and '@{sbin}' are correctly used in profiles" - - jobs=0 - for name in "${sbin[@]}"; do - ( - mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" "$APPARMORD" | - cut -d: -f1,2 - ) - for file in "${files[@]}"; do - _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - ) & - _wait jobs - done - wait - - local pattern='[[:alnum:]_.-]+' # Pattern for valid file names - jobs=0 - mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" "$APPARMORD" | cut -d: -f1,2) - for file in "${files[@]}"; do - ( - while read -r match; do - name="${match/\@\{sbin\}\//}" - if ! 
_in_array "$name" "${sbin[@]}"; then - _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") - ) & - _wait jobs - done - wait -} - -check_profiles() { - _msg "Checking profiles" - mapfile -t files < <( - find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ - -prune -o -type f -print - ) - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide useless transition tunables - abi include profile header tabs trailing indentation subprofiles vim udev - ) - for file in "${files[@]}"; do - ( - name="$(basename "$file")" - name="${name/.apparmor.d/}" - include="include if exists " - _check "$file" - ) & - _wait jobs - done - wait -} - -check_abstractions() { - _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide tunables - abi include header tabs trailing indentation vim udev - ) - for file in "${files[@]}"; do - ( - name="$(basename "$file")" - absdir="${file/${APPARMORD}\//}" - include="include if exists <${absdir}.d>" - _check "$file" - ) & - _wait jobs - done - wait - - mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true - find "$APPARMORD/mappings" -type f 2>/dev/null || true - ) - # shellcheck disable=SC2034 - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide tunables - header tabs trailing indentation vim udev - ) - for file in "${files[@]}"; do - _check "$file" & - _wait jobs - done - wait -} - -check_sbin -check_profiles -check_abstractions - -FAIL=$(cat "$RES") -if [[ "$FAIL" == "true" ]]; then - exit 1 -fi 
diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml
deleted file mode 100644
index 9ed6c1d92..000000000
--- a/tests/cloud-init/archlinux-cosmic.user-data.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-#cloud-config
-
-packages:
- # Install core packages
- - apparmor
- - base-devel
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
-
- # Install usefull core packages
- - bash-completion
- - just
- - git
- - htop
- - man
- - pass
- - python-notify2
- - vim
- - wget
-
- # Install basic services
- - networkmanager
- - cups
- - cups-pdf
- - system-config-printer
-
- # Install Applications
- - firefox
- - chromium
- - terminator
-
- # Install Graphical Interface
- - cosmic
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable cosmic-greeter
- - systemctl enable NetworkManager
- - systemctl enable rngd
- - systemctl enable avahi-daemon
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml
deleted file mode 100644
index d33f685b6..000000000
--- a/tests/cloud-init/archlinux-gnome.user-data.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-#cloud-config
-
-packages: *gnome-packages
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable gdm
- - systemctl enable NetworkManager
- - systemctl enable rngd
- - systemctl enable avahi-daemon
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml
deleted file mode 100644
index cb4c4d3b0..000000000
--- a/tests/cloud-init/archlinux-kde.user-data.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-#cloud-config
-
-packages: *kde-packages
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable sddm
- - systemctl enable NetworkManager
- - systemctl enable rngd
- - systemctl enable avahi-daemon
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml
deleted file mode 100644
index 208f7dab5..000000000
--- a/tests/cloud-init/archlinux-lxqt.user-data.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-#cloud-config
-
-packages: *lxqt-packages
-
-# lxqt-wayland-session kwin
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable sddm
- - systemctl enable NetworkManager
- - systemctl enable rngd
- - systemctl enable avahi-daemon
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml
deleted file mode 100644
index 2b3567171..000000000
--- a/tests/cloud-init/archlinux-server.user-data.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable rngd
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml
deleted file mode 100644
index afba57519..000000000
--- a/tests/cloud-init/archlinux-xfce.user-data.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-#cloud-config
-
-packages: *xfce-packages
-
-runcmd:
- # Regenerate grub.cfg
- - grub-mkconfig -o /boot/grub/grub.cfg
-
- # Remove swapfile
- - swapoff -a
- - rm -rf /swap/
- - sed -e "/swap/d" -i /etc/fstab
-
- # Enable core services
- - systemctl enable apparmor
- - systemctl enable auditd
- - systemctl enable lightdm.service
- - systemctl enable NetworkManager
- - systemctl enable rngd
- - systemctl enable avahi-daemon
- - systemctl enable systemd-timesyncd.service
-
-write_files:
- - *grub-enable-apparmor # Enable AppArmor in kernel parameters
- - *setup-bash-aliases # Set some bash aliases
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml
deleted file mode 100644
index 629de7d02..000000000
--- a/tests/cloud-init/archlinux.yml
+++ /dev/null
@@ -1,170 +0,0 @@
-#cloud-config
-
-core-packages: &core-packages
- - apparmor
- - base-devel
- - bash-completion
- - docker
- - git
- - htop
- - just
- - man
- - pass
- - python-notify2
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
- - vim
- - wget
-
-gnome-packages: &gnome-packages
- # Core packages for Archlinux
- - apparmor
- - base-devel
- - bash-completion
- - docker
- - git
- - htop
- - just
- - man
- - pass
- - python-notify2
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
- - vim
- - wget
-
- # Desktop packages for Archlinux
- - networkmanager
- - cups
- - cups-pdf
- - system-config-printer
- - chromium
- - firefox
- - spice-vdagent
- - terminator
-
- # Install Graphical Interface
- - alacarte
- - gnome
- - gnome-extra
- - ptyxis
- - seahorse
-
-kde-packages: &kde-packages
- # Core packages for Archlinux
- - apparmor
- - base-devel
- - bash-completion
- - docker
- - git
- - htop
- - just
- - man
- - pass
- - python-notify2
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
- - vim
- - wget
-
- # Desktop packages for Archlinux
- - networkmanager
- - cups
- - cups-pdf
- - system-config-printer
- - chromium
- - firefox
- - spice-vdagent
- - terminator
-
- # Install Graphical Interface
- - plasma-meta
- - sddm
- - ark
- - dolphin
- - konsole
- - okular
-
-lxqt-packages: &lxqt-packages
- # Core packages for Archlinux
- - apparmor
- - base-devel
- - bash-completion
- - docker
- - git
- - htop
- - just
- - man
- - pass
- - python-notify2
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
- - vim
- - wget
-
- # Desktop packages for Archlinux
- - networkmanager
- - cups
- - cups-pdf
- - system-config-printer
- - chromium
- - firefox
- - spice-vdagent
- - terminator
-
- # Install Graphical Interface
- - lxqt
- - breeze-icons
- - sddm
-
-xfce-packages: &xfce-packages
- # Core packages for Archlinux
- - apparmor
- - base-devel
- - bash-completion
- - docker
- - git
- - htop
- - just
- - man
- - pass
- - python-notify2
- - qemu-guest-agent
- - rng-tools
- - spice-vdagent
- - vim
- - wget
-
- # Desktop packages for Archlinux
- - networkmanager
- - cups
- - cups-pdf
- - system-config-printer
- - chromium
- - firefox
- - spice-vdagent
- - terminator
-
- # Install Graphical Interface
- - xfce4
- - xfce4-goodies
- - lightdm
- - lightdm-gtk-greeter
-
-# Enable AppArmor in kernel parameters
-grub-enable-apparmor: &grub-enable-apparmor
- path: /etc/default/grub
- append: true
- content: |
- GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1"
-
-# Set some bash aliases
-setup-bash-aliases: &setup-bash-aliases
- path: /etc/skel/.bashrc
- append: true
- content: |
- [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml
deleted file mode 100644
index 2048e5368..000000000
--- a/tests/cloud-init/common.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-#cloud-config
-
-hostname: ${hostname}
-
-ssh_pwauth: true
-users:
- - name: ${username}
- plain_text_passwd: ${password}
- shell: /bin/bash
- ssh_authorized_keys:
- - ${ssh_key}
- lock_passwd: false
- sudo: ALL=(ALL) NOPASSWD:ALL
-
-package_update: true
-package_upgrade: true
-package_reboot_if_required: false
-
-# Mount shared directory
-shared-directory: &shared-directory
- path: /etc/fstab
- append: true
- content: |
- 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
-
-# Network configuration for server
-systemd-netword: &systemd-netword
- path: /etc/systemd/network/20-wired.network
- owner: "root:root"
- permissions: "0644"
- content: |
- [Match]
- Name=en*
-
- [Network]
- DHCP=yes
-
- [DHCPv4]
- RouteMetric=10
diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml
deleted file mode 100644
index b96bb5880..000000000
--- a/tests/cloud-init/debian.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-#cloud-config
-
-# Core packages for Debian
-core-packages: &core-packages
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
-gnome-packages: &gnome-packages
- # Core packages for Debian
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
- # Gnome packages for Debian
- - spice-vdagent
- - task-gnome-desktop
- - terminator
- - loupe
- - ptyxis
-
-kde-packages: &kde-packages
- # Core packages for Debian
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
- # KDE packages for Debian
- - spice-vdagent
- - task-kde-desktop
- - plasma-workspace-wayland
- - terminator
-
-debian12-runcmd: &debian12-runcmd
- - apt-get update -y
- - apt-get install -y -t bookworm-backports golang-go
-
-debian13-runcmd: &debian13-runcmd
- - apt-get update -y
- - apt-get install -y golang-go
-
-# Add backports repository
-debian12-backports: &debian12-backports
- path: /etc/apt/sources.list
- append: true
- content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml
deleted file mode 100644
index fbb3d1232..000000000
--- a/tests/cloud-init/debian12-gnome.user-data.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-#cloud-config
-
-packages: *gnome-packages
-
-runcmd: *debian12-runcmd
-
-write_files:
- - *debian12-backports # Add backports repository
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml
deleted file mode 100644
index cec721285..000000000
--- a/tests/cloud-init/debian12-server.user-data.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-runcmd: *debian12-runcmd
-
-write_files:
- - *debian12-backports # Add backports repository
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml
deleted file mode 100644
index 0d5adfe17..000000000
--- a/tests/cloud-init/debian13-gnome.user-data.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-
-packages: *gnome-packages
-
-runcmd: *debian13-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml
deleted file mode 100644
index 5a4d33bf5..000000000
--- a/tests/cloud-init/debian13-kde.user-data.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-
-packages: *kde-packages
-
-runcmd: *debian13-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml
deleted file mode 100644
index 692548770..000000000
--- a/tests/cloud-init/debian13-server.user-data.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-runcmd: *debian13-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml
deleted file mode 100644
index b59d66af3..000000000
--- a/tests/cloud-init/opensuse-gnome.user-data.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-#cloud-config
-
-packages: *gnome-packages
-
-runcmd:
- # Replace SELinux by AppArmor in kernel parameters
- - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
-
- # Regenerate grub.cfg
- - grub2-mkconfig -o /boot/grub2/grub.cfg
-
- # Ensure auditd is enabled
- - systemctl enable systemd-journald-audit.socket
-
-write_files:
- - *shared-directory # Setup shared directory
-
- - path: /etc/sysconfig/displaymanager
- append: true
- content: |
- DISPLAYMANAGER="gdm"
-
diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml
deleted file mode 100644
index 2058846dd..000000000
--- a/tests/cloud-init/opensuse-kde.user-data.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-#cloud-config
-
-packages: *kde-packages
-
-# apparmor.debug=1
-runcmd:
- # Replace SELinux by AppArmor in kernel parameters
- - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub
-
- # Regenerate grub.cfg
- - grub2-mkconfig -o /boot/grub2/grub.cfg
-
-write_files:
- - *shared-directory # Setup shared directory
- - path: /etc/sysconfig/displaymanager
- append: true
- content: |
- DISPLAYMANAGER="sddm"
diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml
deleted file mode 100644
index b6d35cd68..000000000
--- a/tests/cloud-init/opensuse-server.user-data.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-runcmd:
- # Replace SELinux by AppArmor in kernel parameters
- - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub
-
- # Regenerate grub.cfg
- - grub2-mkconfig -o /boot/grub2/grub.cfg
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml
deleted file mode 100644
index ab0954c6a..000000000
--- a/tests/cloud-init/opensuse.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-#cloud-config
-
-# Core packages for OpenSUSE
-core-packages: &core-packages
- - pattern:apparmor
- - apparmor-profiles
- - bash-completion
- - distribution-release
- - docker
- - git
- - go
- - golang-packaging
- - htop
- - just
- - rpmbuild
- - rsync
- - systemd-container
- - systemd-homed
- - vim
-
-gnome-packages: &gnome-packages
- # Core packages for OpenSUSE
- - pattern:apparmor
- - apparmor-profiles
- - bash-completion
- - distribution-release
- - docker
- - git
- - go
- - golang-packaging
- - htop
- - just
- - rpmbuild
- - rsync
- - systemd-container
- - systemd-homed
- - vim
-
- # Gnome packages for OpenSUSE
- - pattern:gnome
- - gdm
- - spice-vdagent
- - terminator
- - loupe
- - ptyxis
-
-kde-packages: &kde-packages
- # Core packages for OpenSUSE
- - pattern:apparmor
- - apparmor-profiles
- - bash-completion
- - distribution-release
- - docker
- - git
- - go
- - golang-packaging
- - htop
- - just
- - rpmbuild
- - rsync
- - systemd-container
- - systemd-homed
- - vim
-
- # KDE packages for OpenSUSE
- - pattern:kde_plasma
- - pattern:kde
- - sddm
- - spice-vdagent
- - terminator
diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml
deleted file mode 100644
index 1f3563750..000000000
--- a/tests/cloud-init/ubuntu.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-#cloud-config
-
-core-packages: &core-packages
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - golang-go
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
-desktop-packages: &desktop-packages
- # Core packages for Ubuntu
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - golang-go
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
- # Desktop packages for Ubuntu
- - spice-vdagent
- - terminator
- - ubuntu-desktop
- - loupe
- - ptyxis
-
-kubuntu-packages: &kubuntu-packages
- # Core packages for Ubuntu
- - apparmor-profiles
- - apparmor-utils
- - auditd
- - build-essential
- - config-package-dev
- - debhelper
- - devscripts
- - docker.io
- - golang-go
- - htop
- - just
- - libpam-apparmor
- - lintian
- - qemu-guest-agent
- - rsync
- - systemd-container
- - systemd-coredump
- - systemd-homed
- - systemd-oomd
- - unattended-upgrades
- - vim
-
- # Desktop packages for Ubuntu
- - spice-vdagent
- - terminator
- - kubuntu-desktop
- - plasma-workspace-wayland
-
-desktop-runcmd: &desktop-runcmd
- # Add missing snap packages
- - snap install snap-store
- - snap install snapd-desktop-integration
- - snap install --edge desktop-security-center
-
- # Remove default filesystem and related tools not used with the suggested
- # storage layout. These may yet be required if different partitioning schemes
- # are used.
- - apt-get -y purge btrfs-progs xfsprogs
-
- # Remove other packages present by default in Ubuntu Server but not
- # normally present in Ubuntu Desktop.
- - >-
- apt-get -y purge
- byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader
- mdadm motd-news-config ncurses-term open-iscsi open-vm-tools
- screen sg3-utils sosreport ssh-import-id sssd tmux
-
- # Finally, remove things only installed as dependencies of other things
- # we have already removed.
- - apt-get -y autoremove
-
- # Ensure systemd-networkd is disabled
- - systemctl disable systemd-networkd-wait-online.service
-
- # Ensure auditd is enabled
- - systemctl enable systemd-journald-audit.socket
diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml
deleted file mode 100644
index 7f4183d49..000000000
--- a/tests/cloud-init/ubuntu24-desktop.user-data.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-#cloud-config
-
-packages: *desktop-packages
-
-runcmd: *desktop-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
deleted file mode 100644
index bea74af3a..000000000
--- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-
-packages: *kubuntu-packages
-
-runcmd: *desktop-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml
deleted file mode 100644
index 98b78ec80..000000000
--- a/tests/cloud-init/ubuntu24-server.user-data.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml
deleted file mode 100644
index 7f4183d49..000000000
--- a/tests/cloud-init/ubuntu25-desktop.user-data.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-#cloud-config
-
-packages: *desktop-packages
-
-runcmd: *desktop-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
deleted file mode 100644
index bea74af3a..000000000
--- a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-
-packages: *kubuntu-packages
-
-runcmd: *desktop-runcmd
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml
deleted file mode 100644
index 98b78ec80..000000000
--- a/tests/cloud-init/ubuntu25-server.user-data.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#cloud-config
-
-packages: *core-packages
-
-write_files:
- - *shared-directory # Setup shared directory
- - *systemd-netword # Network configuration for server
diff --git a/tests/cmd/main.go b/tests/cmd/main.go
index e7e620b00..de1d27561 100644
--- a/tests/cmd/main.go
+++ b/tests/cmd/main.go
@@ -8,88 +8,171 @@ import ( "flag" "fmt" "os" + "os/exec" + "strings" + "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" + bcfg "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/tests/integration" ) -const usage = `aa-test [-h] --bootstrap +const usage = `aa-test [-h] [--bootstrap | --run | --list] Integration tests manager tool for apparmor.d Options: -h, --help Show this help message and exit. - -b, --bootstrap Download tests using tldr pages and generate Bats tests. + -b, --bootstrap Bootstrap tests using tldr pages. + -r, --run Run a predefined list of tests. + -l, --list List the configured tests. + -f, --file FILE Set a tests file. Default: tests/tests.yml + -d, --deps Install tests dependencies. + -D, --dryrun Do not do the action, list it. ` var ( help bool bootstrap bool + run bool + list bool + deps bool + dryRun bool + cfg Config ) +type Config struct { + TldrDir *paths.Path // Default: tests/tldr + ScenariosDir *paths.Path // Default: tests + TldrFile *paths.Path // Default: tests/tldr.yml + TestsFile *paths.Path // Default: tests/tests.yml + SettingsFile *paths.Path // Default: tests/settings.yml + Profiles paths.PathList // List of profiles +} + +func NewConfig() Config { + cfg := Config{ + TldrDir: paths.New("tests/tldr"), + ScenariosDir: paths.New("tests/"), + Profiles: paths.PathList{}, + } + cfg.TldrFile = cfg.ScenariosDir.Join("tldr.yml") + cfg.TestsFile = cfg.ScenariosDir.Join("tests.yml") + cfg.SettingsFile = cfg.ScenariosDir.Join("settings.yml") + return cfg +} + +func LoadTestSuite() (*integration.TestSuite, error) { + tSuite := integration.NewTestSuite() + if err := tSuite.ReadTests(cfg.TestsFile); err != nil { + return tSuite, err + } + if err := tSuite.ReadSettings(cfg.SettingsFile); err != nil { + return tSuite, err + } + return tSuite, nil +} + func init() { + cfg = NewConfig() + files, _ := 
aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) + for _, path := range files { + cfg.Profiles.Add(path) + } + flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&bootstrap, "b", false, "Download tests using tldr pages and generate Bats tests.") - flag.BoolVar(&bootstrap, "bootstrap", false, "Download tests using tldr pages and generate Bats tests.") + flag.BoolVar(&bootstrap, "b", false, "Bootstrap tests using tldr pages.") + flag.BoolVar(&bootstrap, "bootstrap", false, "Bootstrap tests using tldr pages.") + flag.BoolVar(&run, "r", false, "Run a predefined list of tests.") + flag.BoolVar(&run, "run", false, "Run a predefined list of tests.") + flag.BoolVar(&list, "l", false, "List the tests to run.") + flag.BoolVar(&list, "list", false, "List the tests to run.") + flag.BoolVar(&deps, "d", false, "Install tests dependencies.") + flag.BoolVar(&deps, "deps", false, "Install tests dependencies.") + flag.BoolVar(&dryRun, "D", false, "Do not do the action, list it.") + flag.BoolVar(&dryRun, "dryrun", false, "Do not do the action, list it.") } -type Config struct { - TestsDir *paths.Path // Default: tests - TldrDir *paths.Path // Default: tests/tldr - TldrFile *paths.Path // Default: tests/tldr.yml - TestsFile *paths.Path // Default: tests/tests.yml - BatsDir *paths.Path // Default: tests/bats_dirty -} - -func NewConfig() *Config { - testsDir := paths.New("tests") - cfg := Config{ - TestsDir: testsDir, - TldrDir: testsDir.Join("tldr"), - TldrFile: testsDir.Join("tldr.yml"), - TestsFile: testsDir.Join("tldr.yml"), - BatsDir: testsDir.Join("bats_dirty"), - } - return &cfg -} - -func run() error { - logging.Step("Bootstraping tests") - cfg := NewConfig() - - tldr := NewTldr(cfg.TldrDir) +func testDownload() error { + tldr := integration.NewTldr(cfg.TldrDir) if err := tldr.Download(); err != nil { return err } - tests, err := tldr.Parse() + tSuite, err := tldr.Parse() if 
err != nil { return err } - if err := cfg.BatsDir.RemoveAll(); err != nil { + // Default bootstraped scenarios file + if err := tSuite.Write(cfg.TldrFile); err != nil { return err } - if err := cfg.BatsDir.MkdirAll(); err != nil { - return err + logging.Bullet("Default scenarios saved: %s", cfg.TldrFile) + logging.Bullet("Number of tests found %d", len(tSuite.Tests)) + return nil +} + +func testDeps(dryRun bool) error { + tSuite, err := LoadTestSuite() + if err != nil { + return nil } - if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil { - return err + + deps := tSuite.GetDependencies() + switch bcfg.Distribution { + case "arch": + arg := []string{"pacman", "-Sy", "--noconfirm"} + arg = append(arg, deps...) + cmd := exec.Command("sudo", arg...) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if dryRun { + fmt.Println(strings.Join(cmd.Args, " ")) + } else { + return cmd.Run() + } + default: } - if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil { - return err + return nil +} + +func testRun(dryRun bool) error { + // Warning: There is no guarantee that the tests are not destructive + if dryRun { + logging.Step("List tests") + } else { + logging.Step("Run tests") } - for _, test := range tests { - if err := test.Write(cfg.BatsDir); err != nil { + + tSuite, err := LoadTestSuite() + if err != nil { + return nil + } + integration.Arguments = tSuite.Arguments + integration.Ignore = tSuite.Ignore + integration.Profiles = cfg.Profiles + nbCmd := 0 + nbTest := 0 + for _, test := range tSuite.Tests { + ran, nb, err := test.Run(dryRun) + nbTest += ran + nbCmd += nb + if err != nil { return err } } - logging.Bullet("Bats tests directory: %s", cfg.BatsDir) - logging.Bullet("Number of profiles with tests found %d", len(tests)) - logging.Bullet("Number of programs without profile found %d", len(tests)) + if dryRun { + logging.Bullet("Number of tests to run %d", nbTest) + logging.Bullet("Number of test commands to run %d", nbCmd) + } else { + 
logging.Success("Number of tests ran %d", nbTest) + logging.Success("Number of test command to ran %d", nbCmd) + } return nil } @@ -101,13 +184,19 @@ func main() { os.Exit(0) } - if !bootstrap { + var err error + if bootstrap { + logging.Step("Bootstraping tests") + err = testDownload() + } else if run || list { + err = testRun(list) + } else if deps { + err = testDeps(dryRun) + } else { flag.Usage() os.Exit(1) } - - err := run() if err != nil { - logging.Fatal("%s", err.Error()) + logging.Fatal(err.Error()) } } diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go deleted file mode 100644 index 1c5f55aee..000000000 --- a/tests/cmd/tests.go +++ /dev/null 
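Review bot: `testDeps` and `testRun` both discard the `LoadTestSuite()` failure with `if err != nil { return nil }`, so a missing or malformed tests.yml / settings.yml makes `--run`, `--list` and `--deps` report success with zero tests instead of failing; both should `return err`. In `init()` the `aa.MagicRoot.ReadDir(...)` error is dropped with `files, _ :=`, which leaves `cfg.Profiles` empty and silently changes what the tests treat as profiled, so at least a logged warning seems warranted. In `testDeps` the package list is taken verbatim from the tests file and handed to `sudo pacman -Sy --noconfirm`; a comment such as `// deps come straight from tests.yml and are installed with root privileges` would make that trust boundary explicit, and `-Sy` without `-u` is a partial upgrade on Arch, which may be deliberate for CI but deserves a note.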
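Review bot: `dryRun` is only honoured by `testDeps`; `--run --dryrun` still executes the tests because the dispatch passes `testRun(list)`, while the usage text promises `-D, --dryrun Do not do the action, list it.`, so `err = testRun(list || dryRun)` would match the documented behaviour. The removed `logging.Fatal("%s", err.Error())` was the safer form: if `logging.Fatal` is printf-style like `logging.Bullet` appears to be, an error text containing `%` (a path or command output) is now interpreted as a format string, so keep the `"%s"` wrapper or pass the error as an argument. `main` starts outside this hunk.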
@@ -1,109 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "html/template" - "os/exec" - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -const tmplTest = `#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common -{{ $name := .Name -}} -{{ range .Commands }} -@test "{{ $name }}: {{ .Description }}" { - {{ .Cmd }} -} -{{ end }} -` - -var ( - Profiles = getProfiles() // List of profiles in apparmor.d - tmpl = template.Must(template.New("bats").Parse(tmplTest)) -) - -type Tests []Test - -// Filter returns a new list of tests with only the ones that have a profile -func (t Tests) Filter() Tests { - for i := len(t) - 1; i >= 0; i-- { - if !t[i].HasProfile() { - t = slices.Delete(t, i, i+1) - } - } - return t -} - -// Test represents of a list of tests for a given program -type Test struct { - Name string - Commands []Command -} - -// Command is a command line to run as part of a test -type Command struct { - Description string - Cmd string -} - -// HasProfile returns true if the program in the scenario is profiled in apparmor.d -func (t Test) HasProfile() bool { - return slices.Contains(Profiles, t.Name) -} - -// IsInstalled returns true if the program in the scenario is installed on the system -func (t Test) IsInstalled() bool { - if _, err := exec.LookPath(t.Name); err != nil { - return false - } - return true -} - -func (t Test) Write(dir *paths.Path) error { - dstDir := dir.Join("profiled") - if !t.HasProfile() { - dstDir = dir.Join("unprofiled") - } - path := dstDir.Join(t.Name + ".bats") - - if paths.New("tests/bats").Join(t.Name + ".bats").Exist() { - path = dstDir.Join("00." 
+ t.Name + ".bats") - } - content := renderBatsFile(t) - if err := path.WriteFile([]byte(content)); err != nil { - return err - } - return nil -} - -func renderBatsFile(data any) string { - var res strings.Builder - err := tmpl.Execute(&res, data) - if err != nil { - panic(err) - } - return res.String() -} - -func getProfiles() []string { - p := []string{} - files, err := aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) - if err != nil { - panic(err) - } - for _, path := range files { - p = append(p, path.Base()) - } - return p -} diff --git a/tests/cmd/tldr.go b/tests/cmd/tldr.go deleted file mode 100644 index ec98fa8b4..000000000 --- a/tests/cmd/tldr.go +++ /dev/null 
@@ -1,140 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "archive/tar" - "compress/gzip" - "fmt" - "io" - "net/http" - "path/filepath" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -type Tldr struct { - URL string // Tldr download url - Dir *paths.Path // Tldr cache directory - Ignore []string // List of ignored software -} - -func NewTldr(dir *paths.Path) Tldr { - return Tldr{ - URL: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz", - Dir: dir, - } -} - -// Download and extract the tldr pages into the cache directory -func (t Tldr) Download() error { - gzPath := t.Dir.Parent().Join("tldr.tar.gz") - if !gzPath.Exist() { - resp, err := http.Get(t.URL) - if err != nil { - return fmt.Errorf("downloading %s: %w", t.URL, err) - } - defer resp.Body.Close() - - out, err := gzPath.Create() - if err != nil { - return err - } - defer out.Close() - - if _, err := io.Copy(out, resp.Body); err != nil { - return err - } - } - - pages := []string{"tldr-main/pages/linux", "tldr-main/pages/common"} - return extratTo(gzPath, t.Dir, pages) -} - -// Parse the tldr pages and return a list of tests -func (t Tldr) Parse() (Tests, error) { - tests := make(Tests, 0) - files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, path := range files { - content, err := path.ReadFile() - if err != nil { - return nil, err - } - raw := string(content) - t := Test{ - Name: strings.TrimSuffix(path.Base(), ".md"), - Commands: []Command{}, - } - rawTests := strings.Split(raw, "\n-")[1:] - for _, test := range rawTests { - res := strings.Split(test, "\n") - dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "") - cmd := strings.Trim(strings.Trim(res[2], "`"), " ") - t.Commands = append(t.Commands, Command{ - Description: dsc, - Cmd: cmd, - }) - } - tests = append(tests, t) - } - return tests, nil -} - -// 
Either or not to extract the file -func toExtrat(name string, subfolders []string) bool { - for _, subfolder := range subfolders { - if strings.HasPrefix(name, subfolder) { - return true - } - } - return false -} - -// Extract part of an archive to a destination directory -func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { - gzIn, err := src.Open() - if err != nil { - return fmt.Errorf("opening %s: %w", src, err) - } - defer gzIn.Close() - - in, err := gzip.NewReader(gzIn) - if err != nil { - return fmt.Errorf("decoding %s: %w", src, err) - } - defer in.Close() - - if err := dst.MkdirAll(); err != nil { - return fmt.Errorf("creating %s: %w", src, err) - } - - tarIn := tar.NewReader(in) - for { - header, err := tarIn.Next() - if err == io.EOF { - break - } - if err != nil { - return err - } - - if header.Typeflag == tar.TypeReg { - if !toExtrat(header.Name, subfolders) { - continue - } - path := dst.Join(filepath.Base(header.Name)) - file, err := path.Create() - if err != nil { - return fmt.Errorf("creating %s: %w", file.Name(), err) - } - if _, err := io.Copy(file, tarIn); err != nil { - return fmt.Errorf("extracting %s: %w", file.Name(), err) - } - file.Close() - } - } - return nil -} diff --git a/tests/github.local b/tests/github.local deleted file mode 100644 index b4119bc56..000000000 --- a/tests/github.local +++ /dev/null @@ -1,9 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Local tunables addition for bats integration tests on Github Action - -@{p_dbus_system}+=unconfined -@{p_dbus_session}+=unconfined -@{p_dbus_accessibility}+=unconfined diff --git a/tests/integration/apparmor/aa-enforce.bats b/tests/integration/apparmor/aa-enforce.bats deleted file mode 100644 index 7bc0e740b..000000000 --- a/tests/integration/apparmor/aa-enforce.bats +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -setup_file() { - skip -} - -@test "aa-enforce: Disable profile" { - sudo aa-disable pass -} - -@test "aa-enforce: Enforce a profile" { - sudo aa-enforce pass -} - -@test "aa-enforce: Complain a profile" { - sudo aa-complain pass -} - -@test "aa-enforce: Audit a profile" { - sudo aa-audit pass -} diff --git a/tests/integration/apparmor/aa-status.bats b/tests/integration/apparmor/aa-status.bats deleted file mode 100644 index e7e0fc3d5..000000000 --- a/tests/integration/apparmor/aa-status.bats +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "aa-status: Check status" { - sudo aa-status -} - -@test "aa-status: Display the number of loaded policies" { - sudo aa-status --profiled -} - -@test "aa-status: Display the number of loaded enforicing policies" { - sudo aa-status --enforced -} - -@test "aa-status: Display the number of loaded non-enforcing policies" { - sudo aa-status --complaining -} - -@test "aa-status: Display the number of loaded enforcing policies that kill tasks" { - sudo aa-status --kill -} diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats deleted file mode 100644 index 3f13d4ea4..000000000 --- a/tests/integration/apt/apt.bats +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "apt: Update the list of available packages and versions" { - sudo apt update -} - -@test "apt: Search for a given package" { - apt search apparmor -} - -@test "apt: Show information for a package" { - apt show apparmor -} - -@test "apt: Install a package, or update it to the latest available version" { - sudo apt install -y pass -} - -@test "apt: Remove a package and its configuration files" { - sudo apt purge -y pass -} - -@test "apt: Upgrade all installed packages to their newest available versions" { - sudo apt upgrade -y -} - -@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { - sudo apt dist-upgrade -y -} - -@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean -y -} - -@test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove -y -} - -@test "apt: List all packages" { - apt list -} - -@test "apt: List installed packages" { - apt list --installed -} - -@test "apt: Print a cow easter egg" { - apt moo -} diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats deleted file mode 100644 index 39259e0a0..000000000 --- a/tests/integration/apt/dpkg-query.bats +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg-query: List all installed packages" { - dpkg-query --list -} - -@test "dpkg-query: List installed packages matching a pattern" { - dpkg-query --list 'libc6*' -} - -@test "dpkg-query: List all files installed by a package" { - dpkg-query --listfiles libc6 -} - -@test "dpkg-query: Show information about a package" { - dpkg-query --status libc6 -} - -@test "dpkg-query: Search for packages that own files matching a pattern" { - dpkg-query --search /etc/ld.so.conf.d -} - diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats deleted file mode 100644 index f6aec98ea..000000000 --- a/tests/integration/apt/dpkg-reconfigure.bats +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg-reconfigure: Reconfigure one or more packages" { - sudo apt install -y pass - sudo dpkg-reconfigure pass -} - diff --git a/tests/integration/apt/dpkg.bats b/tests/integration/apt/dpkg.bats deleted file mode 100644 index 6a0e735b4..000000000 --- a/tests/integration/apt/dpkg.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg: Remove a package" { - sudo apt install -y pass - sudo dpkg -r pass -} - -@test "dpkg: List installed packages" { - dpkg -l apparmor -} - -@test "dpkg: List a package's contents" { - dpkg -L apparmor.d -} - -@test "dpkg: Find out which package owns a file" { - dpkg -S /etc/apparmor/parser.conf -} - -@test "dpkg: Purge an installed or already removed package, including configuration" { - sudo dpkg -P pass -} 
diff --git a/tests/integration/common.bash b/tests/integration/common.bash deleted file mode 100644 index 7a012191b..000000000 --- a/tests/integration/common.bash +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/usr/bin/env bash -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} -load "$BATS_LIB_PATH/bats-support/load" - -export SYSTEMD_PAGER= - -# Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) - -# User password for sudo commands -export PASSWORD=${PASSWORD:-user} - -export XDG_CACHE_DIR=".cache" -export XDG_CONFIG_DIR=".config" -export XDG_DATA_DIR=".local/share" -export XDG_STATE_DIR=".local/state" -export XDG_BIN_DIR=".local/bin" -export XDG_LIB_DIR=".local/lib" - -# Define extended user directories not defined in the XDG standard but commonly -# used in profiles -export XDG_SCREENSHOTS_DIR="Pictures/Screenshots" -export XDG_WALLPAPERS_DIR="Pictures/Wallpapers" -export XDG_BOOKS_DIR="Books" -export XDG_GAMES_DIR="Games" -export XDG_PROJECTS_DIR="Projects" -export XDG_WORK_DIR="Work" -export XDG_MAIL_DIR="Mail" -export XDG_SYNC_DIR="Sync" -export XDG_TORRENTS_DIR="Torrents" -export XDG_GAMESSTUDIO_DIR="unity3d" - -# Define user directories for virtual machines, shared folders and disk images -export XDG_VM_DIR=".vm" -export XDG_VMSHARE_DIR=".vmshare" -export XDG_IMG_DIR=".img" - -# Define user build directories and artifacts output -export XDG_BUILD_DIR=".build" -export XDG_PKG_DIR=".pkg" - -# Define user personal keyrings -export XDG_GPG_DIR=".gnupg" -export XDG_SSH_DIR=".ssh" -export XDG_PASSWORDSTORE_DIR=".password-store" - -# Define user personal private directories -export XDG_PRIVATE_DIR=".private" - -# Full path of the XDG Base Directory -export user_cache_dirs=$HOME/$XDG_CACHE_DIR -export user_config_dirs=$HOME/$XDG_CONFIG_DIR -export user_state_dirs=$HOME/$XDG_STATE_DIR -export user_bin_dirs=$HOME/$XDG_BIN_DIR -export user_lib_dirs=$HOME/$XDG_LIB_DIR - -# Other user directories -export user_desktop_dirs=$HOME/$XDG_DESKTOP_DIR -export 
user_download_dirs=$HOME/$XDG_DOWNLOAD_DIR -export user_templates_dirs=$HOME/$XDG_TEMPLATES_DIR -export user_publicshare_dirs=$HOME/$XDG_PUBLICSHARE_DIR -export user_documents_dirs=$HOME/$XDG_DOCUMENTS_DIR -export user_music_dirs=$HOME/$XDG_MUSIC_DIR -export user_pictures_dirs=$HOME/$XDG_PICTURES_DIR -export user_videos_dirs=$HOME/$XDG_VIDEOS_DIR -export user_books_dirs=$HOME/$XDG_BOOKS_DIR -export user_games_dirs=$HOME/$XDG_GAMES_DIR -export user_projects_dirs=$HOME/$XDG_PROJECTS_DIR -export user_work_dirs=$HOME/$XDG_WORK_DIR -export user_mail_dirs=$HOME/$XDG_MAIL_DIR -export user_sync_dirs=$HOME/$XDG_SYNC_DIR -export user_torrents_dirs=$HOME/$XDG_TORRENTS_DIR -export user_vm_dirs=$HOME/$XDG_VM_DIR -export user_vmshare_dirs=$HOME/$XDG_VMSHARE_DIR -export user_img_dirs=$HOME/$XDG_IMG_DIR -export user_build_dirs=$HOME/$XDG_BUILD_DIR -export user_pkg_dirs=$HOME/$XDG_PKG_DIR -export user_gpg_dirs=$HOME/$XDG_GPG_DIR -export user_ssh_dirs=$HOME/$XDG_SSH_DIR -export user_passwordstore_dirs=$HOME/$XDG_PASSWORDSTORE_DIR -export user_private_dirs=$HOME/$XDG_PRIVATE_DIR - -_START="$(date +%s)" -PROGRAM="$(basename "$BATS_TEST_FILENAME")" -PROGRAM="${PROGRAM%.*}" -export _START PROGRAM - -skip_if_not_installed() { - if ! which "$PROGRAM" &>/dev/null; then - skip "$PROGRAM is not installed" - fi -} - -aa_setup() { - aa_start - skip_if_not_installed -} - -aa_start() { - _START=$(date +%s) -} - -aa_check() { - local now duration logs - - now=$(date +%s) - duration=$((now - _START + 1)) - logs=$(aa-log --raw --systemd --since "-${duration}s") - for profile in "${IGNORE[@]}"; do - logs=$(echo "$logs" | grep -v "$profile") - done - - aa_start - if [[ -n "$logs" ]]; then - fail "profile $PROGRAM raised logs: $logs" - fi -} - -_timeout() { - local duration="2s" - timeout --preserve-status --kill-after="$duration" "$duration" "$@" -} - -# Bats setup and teardown hooks - -setup_file() { - aa_setup -} - -teardown() { - aa_check -} 
diff --git a/tests/integration/cpuid.bats b/tests/integration/cpuid.bats deleted file mode 100644 index 0fe2da6ac..000000000 --- a/tests/integration/cpuid.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "cpuid: Display information for all CPUs" { - cpuid -} - -@test "cpuid: Display information only for the current CPU" { - cpuid -1 -} - -@test "cpuid: Display raw hex information with no decoding" { - cpuid -r -} diff --git a/tests/integration/dfc.bats b/tests/integration/dfc.bats deleted file mode 100644 index 56871f16c..000000000 --- a/tests/integration/dfc.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { - dfc -} - -@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { - dfc -a -} - -@test "dfc: Display filesystems without color" { - dfc -c never -} - -@test "dfc: Display filesystems containing "ext" in the filesystem type" { - dfc -t ext -} diff --git a/tests/integration/fc-cache.bats b/tests/integration/fc-cache.bats deleted file mode 100644 index 05b8f1930..000000000 --- a/tests/integration/fc-cache.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "fc-cache: Generate font cache files" { - fc-cache -} - -@test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" { - fc-cache -f -} - -@test "fc-cache: Erase font cache files, then generate new font cache files" { - fc-cache -r -} 
diff --git a/tests/integration/fc-list.bats b/tests/integration/fc-list.bats deleted file mode 100644 index 12b1df2ca..000000000 --- a/tests/integration/fc-list.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "fc-list: Return a list of installed fonts in your system" { - fc-list -} - -@test "fc-match: Return a sorted list of best matching fonts" { - fc-match -s 'DejaVu Serif' -} - -@test "fc-pattern: Display default information about a font" { - fc-pattern --default 'DejaVu Serif' -} - -@test "fc-pattern: Display configuration information about a font" { - fc-pattern --config 'DejaVu Serif' -} diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats deleted file mode 100644 index b61024d06..000000000 --- a/tests/integration/flatpak.bats +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "flatpak: Add a new remote repository (by URL)" { - sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo -} - -@test "flatpak: List all remote repositories" { - flatpak remotes -} - -@test "flatpak: Search for an application in a remote repository" { - sudo flatpak search vim - sudo flatpak search org.freedesktop.Platform -} - -@test "flatpak: Install an application from a remote source" { - sudo flatpak install --noninteractive org.vim.Vim -} - -@test "flatpak: List installed applications, ignoring runtimes" { - flatpak list --app -} - -@test "flatpak: Show information about an installed application" { - flatpak info org.vim.Vim -} - -# @test "flatpak: Run an installed application" { -# _timeout flatpak run org.vim.Vim -# } - -@test "flatpak: Update all installed applications and runtimes" { - sudo flatpak update --noninteractive -} - -@test "flatpak: Remove an installed application" { - sudo flatpak remove --noninteractive org.vim.Vim -} - -@test "flatpak: Remove all unused applications" { - sudo flatpak remove --noninteractive --unused -} diff --git a/tests/integration/fwupdmgr.bats b/tests/integration/fwupdmgr.bats deleted file mode 100644 index 332a63743..000000000 --- a/tests/integration/fwupdmgr.bats +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "fwupdmgr: Display all devices detected by fwupd" { - fwupdmgr get-devices -} - -@test "fwupdmgr: Download the latest firmware metadata from LVFS" { - fwupdmgr refresh || true -} - -@test "fwupdmgr: List the updates available for devices on your system" { - fwupdmgr get-updates || true -} - -@test "fwupdmgr: Install firmware updates" { - fwupdmgr update || true -} - diff --git a/tests/integration/gpg/gpgconf.bats b/tests/integration/gpg/gpgconf.bats deleted file mode 100644 index 41627dc67..000000000 --- a/tests/integration/gpg/gpgconf.bats +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "gpgconf: List all components" { - gpgconf --list-components -} - -@test "gpgconf: List the directories used by gpgconf" { - gpgconf --list-dirs -} - -@test "gpgconf: List all options of a component" { - gpgconf --list-options gpg - gpgconf --list-options gpgsm - gpgconf --list-options gpg-agent - gpgconf --list-options scdaemon || true - gpgconf --list-options dirmngr -} - -@test "gpgconf: List programs and test whether they are runnable" { - gpgconf --check-programs || true -} - -@test "gpgconf: Reload a component" { - gpgconf --reload gpg - gpgconf --reload gpgsm - gpgconf --reload gpg-agent - gpgconf --reload scdaemon || true - gpgconf --reload dirmngr -} diff --git a/tests/integration/hostname.bats b/tests/integration/hostname.bats deleted file mode 100644 index 35008bd79..000000000 --- a/tests/integration/hostname.bats +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "hostname: Show current host name" { - hostname -} - -@test "hostname: Show the network address of the host name" { - hostname -i -} - -@test "hostname: Show all network addresses of the host" { - hostname -I -} - -@test "hostname: Show the FQDN (Fully Qualified Domain Name)" { - hostname --fqdn -} - -@test "hostname: Set current host name" { - name=$(hostname) - sudo hostname "new-$(hostname)" - sudo hostname "$name" -} - diff --git a/tests/integration/id.bats b/tests/integration/id.bats deleted file mode 100644 index a09def4a9..000000000 --- a/tests/integration/id.bats +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { - id -} - -@test "id: Display the current user identity" { - id -un -} - -@test "id: Display the current user identity as a number" { - id -u -} - -@test "id: Display the current primary group identity" { - id -gn -} - -@test "id: Display the current primary group identity as a number" { - id -g -} - -@test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { - id root -} diff --git a/tests/integration/ip.bats b/tests/integration/ip.bats deleted file mode 100644 index 585d11b2d..000000000 --- a/tests/integration/ip.bats +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "ip-address: List network interfaces and their associated IP addresses" { - ip address -} - -@test "ip-address: Filter to show only active network interfaces" { - ip address show up -} - -@test "ip-route: Display the routing table" { - ip route -} - -@test "ip-route-get: Print route to a destination" { - ip route get 1.1.1.1 -} - -@test "ip link: Show information about all network interfaces" { - ip link -} - -@test "ip neighbour: Display the neighbour/ARP table entries" { - ip neighbour -} - -@test "ip rule: Display the routing policy" { - ip rule show - ip rule list -} - -@test "ip: Manage network namespace" { - sudo ip netns add foo - sudo ip netns list - sudo ip netns exec foo bash -c "pwd" - sudo ip netns delete foo -} diff --git a/tests/integration/needrestart.bats b/tests/integration/needrestart.bats deleted file mode 100644 index 4676b36af..000000000 --- a/tests/integration/needrestart.bats +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "needrestart: List outdated processes" { - needrestart -} - -@test "needrestart: Interactively restart services" { - sudo needrestart -} - -@test "needrestart: List outdated processes in verbose mode" { - needrestart -v -} - -@test "needrestart: Check if the kernel is outdated" { - needrestart -k -} - -@test "needrestart: Check if the CPU microcode is outdated" { - needrestart -w -} - -@test "needrestart: List outdated processes in batch mode" { - needrestart -b -} - -@test "needrestart: Display help" { - needrestart --help -} diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats deleted file mode 100644 index b2e1369e2..000000000 
--- a/tests/integration/pacman/paccache.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { - sudo paccache -d -} - -@test "paccache: Move candidate packages to a directory instead of deleting them" { - sudo paccache -m "$USER_BUILD_DIRS" -} - -@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { - sudo paccache -r -} - -@test "paccache: Set the number of package versions to keep" { - sudo paccache -rk 3 -} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats deleted file mode 100644 index 82e34a379..000000000 --- a/tests/integration/pacman/pacman-key.bats +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pacman-key: Initialize the 'pacman' keyring" { - sudo pacman-key --init -} - -@test "pacman-key: Add the default Arch Linux keys" { - sudo pacman-key --populate -} - -@test "pacman-key: List keys from the public keyring" { - pacman-key --list-keys -} - -@test "pacman-key: Receive a key from a key server" { - sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Print the fingerprint of a specific key" { - pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Sign an imported key locally" { - sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Remove a specific key" { - sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC -} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats deleted file mode 100644 index 575a65bc1..000000000 
--- a/tests/integration/pacman/pacman.bats
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env bats
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-load ../common
-
-@test "pacman: Synchronize and update all packages" {
- sudo pacman -Syu --noconfirm
-}
-
-@test "pacman: Install a new package" {
- sudo pacman -S --noconfirm pass pass-otp
-}
-
-@test "pacman: Remove a package and its dependencies" {
- sudo pacman -Rs --noconfirm pass-otp
-}
-
-@test "pacman: List installed packages and versions" {
- pacman -Q
-}
-
-@test "pacman: List only the explicitly installed packages and versions" {
- pacman -Qe
-}
-
-@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" {
- pacman -Qtdq
-}
-
-@test "pacman: Empty the entire 'pacman' cache" {
- sudo pacman -Scc --noconfirm
-}
diff --git a/tests/integration/paths.go b/tests/integration/paths.go
new file mode 100644
index 000000000..8d4a1cc9c
--- /dev/null
+++ b/tests/integration/paths.go
@@ -0,0 +1,72 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package integration
+
+import (
+ "archive/tar"
+ "compress/gzip"
+ "fmt"
+ "io"
+ "path/filepath"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+// Either or not to extract the file
+func toExtrat(name string, subfolders []string) bool {
+ for _, subfolder := range subfolders {
+ if strings.HasPrefix(name, subfolder) {
+ return true
+ }
+ }
+ return false
+}
+
+// Extract part of an archive to a destination directory
+func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error {
+ gzIn, err := src.Open()
+ if err != nil {
+ return fmt.Errorf("opening %s: %w", src, err)
+ }
+ defer gzIn.Close()
+
+ in, err := gzip.NewReader(gzIn)
+ if err != nil {
+ return fmt.Errorf("decoding %s: %w", src, err)
+ }
+ defer in.Close()
+
+ if err := dst.MkdirAll(); err != nil {
+ return fmt.Errorf("creating %s: %w", src, err)
+ }
+
+ tarIn := tar.NewReader(in)
+ for {
+ header, err := tarIn.Next()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return err
+ }
+
+ if header.Typeflag == tar.TypeReg {
+ if !toExtrat(header.Name, subfolders) {
+ continue
+ }
+ path := dst.Join(filepath.Base(header.Name))
+ file, err := path.Create()
+ if err != nil {
+ return fmt.Errorf("creating %s: %w", file.Name(), err)
+ }
+ if _, err := io.Copy(file, tarIn); err != nil {
+ return fmt.Errorf("extracting %s: %w", file.Name(), err)
+ }
+ file.Close()
+ }
+ }
+ return nil
+}
diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats
deleted file mode 100644
index dcc216bfa..000000000
--- a/tests/integration/procps/free.bats
+++ /dev/null
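Review bot: In extratTo the error paths after `path.Create()` call `file.Name()` on a `file` that is nil when Create failed, which panics instead of reporting the error; the MkdirAll failure a few lines above also reports `src` where `dst` is the path being created. The file is further left open when `io.Copy` fails and the error from `file.Close()` is discarded, which hides a short write on the extracted page. Name the path directly and close on every path as below. Note also that flattening with `filepath.Base` does keep archive paths from escaping `dst`, but it means pages with the same name under different subfolders silently overwrite each other in tar order, and the copy has no size bound; if that is intended, a comment saying so would help the next reader.

```go
path := dst.Join(filepath.Base(header.Name))
file, err := path.Create()
if err != nil {
    return fmt.Errorf("creating %s: %w", path, err)
}
_, copyErr := io.Copy(file, tarIn)
closeErr := file.Close()
if copyErr != nil {
    return fmt.Errorf("extracting %s: %w", path, copyErr)
}
if closeErr != nil {
    return fmt.Errorf("closing %s: %w", path, closeErr)
}
// … unchanged: end of the TypeReg branch and the entry loop …
```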
@@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "free: Display system memory" { - free -} - -@test "free: Display memory in GB" { - free -g -} - -@test "free: Display memory in human-readable units" { - free -h -} diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats deleted file mode 100644 index 9fd6b92f8..000000000 --- a/tests/integration/procps/pgrep.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pgrep: Return PIDs of any running processes with a matching command string" { - pgrep systemd -} - -@test "pgrep: Search for processes including their command-line options" { - pgrep --full 'systemd' -} - -@test "pgrep: Search for processes run by a specific user" { - pgrep --euid root systemd-udevd -} - diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats deleted file mode 100644 index ec20cbe86..000000000 --- a/tests/integration/procps/pidof.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pidof: List all process IDs with given name" { - pidof systemd - pidof bash -} - -@test "pidof: List a single process ID with given name" { - pidof -s bash -} - -@test "pidof: List process IDs including scripts with given name" { - pidof -x bash -} diff --git a/tests/integration/procps/ps.bats b/tests/integration/procps/ps.bats deleted file mode 100644 index a27bdf98d..000000000 --- a/tests/integration/procps/ps.bats +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "ps: List all running processes" { - ps aux -} - -@test "ps: List all running processes including the full command string" { - ps auxww -} - -@test "ps: List all processes of the current user in extra full format" { - ps --user "$(id -u)" -F -} - -@test "ps: List all processes of the current user as a tree" { - ps --user "$(id -u)" -f -} - -@test "ps: Get the parent PID of a process" { - ps -o ppid= -p 1 -} - -@test "ps: Sort processes by memory consumption" { - ps auxww --sort size -} diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats deleted file mode 100644 index 66720c434..000000000 --- a/tests/integration/procps/sysctl.bats +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "sysctl: Show all available variables and their values" { - sysctl -a -} - -@test "sysctl: Set a changeable kernel state variable" { - sudo sysctl -w vm.panic_on_oom=0 -} - -@test "sysctl: Get currently open file handlers" { - sysctl fs.file-nr -} - -@test "sysctl: Get limit for simultaneous open files" { - sysctl fs.file-max -} - -@test "sysctl: Apply changes from '/etc/sysctl.conf'" { - sudo sysctl -p -} diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats deleted file mode 100644 index 7d9361d5a..000000000 --- a/tests/integration/procps/uptime.bats +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "uptime: Print current time, uptime, number of logged-in users and other information" { - uptime -} - -@test "uptime: Show only the amount of time the system has been booted for" { - uptime --pretty -} - -@test "uptime: Print the date and time the system booted up at" { - uptime --since -} diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats deleted file mode 100644 index e5900a324..000000000 --- a/tests/integration/procps/vmstat.bats +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "vmstat: Display virtual memory statistics" { - vmstat - vmstat --active - vmstat --forks -} - -@test "vmstat: Display disk statistics" { - vmstat --disk - vmstat --disk-sum -} - -@test "vmstat: Display slabinfo" { - sudo vmstat --slabs -} - -@test "vmstat: Display reports every second for 3 times" { - vmstat 1 3 -} diff --git a/tests/integration/procps/w.bats b/tests/integration/procps/w.bats deleted file mode 100644 index 3ee1fe218..000000000 --- a/tests/integration/procps/w.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "w: Display information about all users who are currently logged in" { - w -} - -@test "w: Display information about a specific user" { - w root -} - -@test "w: Display information without including the header, the login, JCPU and PCPU columns" { - w --no-header - w --short -} diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go new file mode 100644 index 000000000..53758fb42 --- /dev/null 
+++ b/tests/integration/scenario.go 
@@ -0,0 +1,141 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+// TODO:
+// - Finish templating
+// - Provide a large selection of resources: files, disks, http server... for automatic test on them
+// - Expand support for interactive program (stdin and Control-D)
+// - Properlly log the test result
+// - Dbus integration
+
+package integration
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+ "os/exec"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/logging"
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+var (
+ Ignore []string // Do not run some scenarios
+ Arguments map[string]string // Common arguments used across all scenarios
+ Profiles paths.PathList // List of profiles in apparmor.d
+)
+
+// Test represents of a list of tests for a given program
+type Test struct {
+ Name string `yaml:"name"`
+ Root bool `yaml:"root"` // Run the test as user or as root
+ Dependencies []string `yaml:"require"` // Packages required for the tests to run "$(pacman -Qqo Scenario.Name)"
+ Arguments map[string]string `yaml:"arguments"` // Arguments to pass to the program, specific to this scenario
+ Commands []Command `yaml:"tests"`
+}
+
+// Command is a command line to run as part of a test
+type Command struct {
+ Description string `yaml:"dsc"`
+ Cmd string `yaml:"cmd"`
+ Stdin []string `yaml:"stdin"`
+}
+
+func NewTest() *Test {
+ return &Test{
+ Name: "",
+ Root: false,
+ Dependencies: []string{},
+ Arguments: map[string]string{},
+ Commands: []Command{},
+ }
+}
+
+// HasProfile returns true if the program in the scenario is profiled in apparmor.d
+func (t *Test) HasProfile() bool {
+ for _, path := range Profiles {
+ if t.Name == path.Base() {
+ return true
+ }
+ }
+ return false
+}
+
+// IsInstalled returns true if the program in the scenario is installed on the system
+func (t *Test) IsInstalled() bool {
+ if _, err := exec.LookPath(t.Name); err != nil {
+ return false
+ }
+ return true
+}
+
+func (t *Test) resolve(in string) string {
+ res := in
+ for key, value := range t.Arguments {
+ res = strings.ReplaceAll(res, "{{ "+key+" }}", value)
+ }
+ return res
+}
+
+// mergeArguments merge the arguments of the scenario with the global arguments
+// Test arguments have priority over global arguments
+func (t *Test) mergeArguments(args map[string]string) {
+ if len(t.Arguments) == 0 {
+ t.Arguments = map[string]string{}
+ }
+ for key, value := range args {
+ t.Arguments[key] = value
+ }
+}
+
+// Run the scenarios tests
+func (t *Test) Run(dryRun bool) (ran int, nb int, err error) {
+ nb = 0
+ if t.HasProfile() && t.IsInstalled() {
+ logging.Step("%s", t.Name)
+ t.mergeArguments(Arguments)
+ for _, test := range t.Commands {
+ cmd := t.resolve(test.Cmd)
+ if !strings.Contains(cmd, "{{") {
+ nb++
+ if dryRun {
+ logging.Bullet(cmd)
+ } else {
+ cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n"))
+ if cmdErr != nil {
+ logging.Error("%v", cmdErr)
+ } else {
+ logging.Success(cmd)
+ }
+ }
+ }
+ }
+ return 1, nb, err
+ }
+ return 0, nb, err
+}
+
+func (t *Test) run(cmdline string, in string) error {
+ var testErr bytes.Buffer
+
+ // Running the command in a shell ensure it does not run confined under the sudo profile.
+ // The shell is run unconfined and therefore the cmdline can be confined without no-new-privs issue.
+ sufix := " &" // TODO: we need a goroutine here
+ cmd := exec.Command("sh", "-c", cmdline+sufix)
+ if t.Root {
+ cmd = exec.Command("sudo", "sh", "-c", cmdline+sufix)
+ }
+
+ stderr := io.MultiWriter(Stderr, &testErr)
+ cmd.Stdin = strings.NewReader(in)
+ cmd.Stdout = Stdout
+ cmd.Stderr = stderr
+ err := cmd.Run()
+ if testErr.Len() > 0 {
+ return fmt.Errorf("%s", testErr.String())
+ }
+ return err
+}
diff --git a/tests/integration/shadow/groupadd.bats b/tests/integration/shadow/groupadd.bats
deleted file mode 100644
index 3d07619b2..000000000
--- a/tests/integration/shadow/groupadd.bats
+++ /dev/null
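Review bot: mergeArguments does the opposite of its doc comment — the loop body `t.Arguments[key] = value` lets the global Arguments overwrite a scenario's own entries, so a test-specific argument never wins; keep the local value with `if _, ok := t.Arguments[key]; !ok { t.Arguments[key] = value }`. Run never consults the `Ignore` list declared in this file, so unless a caller filters the tests beforehand, scenarios placed on the ignore list are still executed, under sudo when Root is set; if the filtering happens elsewhere, a comment on Run saying so would avoid the question. Because run appends ` &` and returns as soon as the shell forks, the exit status of the actual command is lost and `logging.Success` is printed whenever nothing reached stderr, while any warning on stderr is reported as a failure; the TODO acknowledges the goroutine work, but until then the log labels should not claim success. The named return `err` in Run is never assigned and can be dropped from the signature.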
@@ -1,32 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "groupadd: Create a new group" { - sudo groupadd user2 -} - -@test "groupadd: Create a new system group" { - sudo groupadd --system system2 -} - -@test "groupadd: Create a new group with the specific groupid" { - sudo groupadd --gid 3000 user3 -} - -@test "groupmod: Change the group name" { - sudo groupmod --new-name user22 user2 -} - -@test "groupmod: Change the group ID" { - sudo groupmod --gid 2222 user22 -} - -@test "groupdel: Delete newly created group" { - sudo groupdel user22 - sudo groupdel system2 - sudo groupdel user3 -} diff --git a/tests/integration/shadow/groups.bats b/tests/integration/shadow/groups.bats deleted file mode 100644 index f932e9129..000000000 --- a/tests/integration/shadow/groups.bats +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "groups: Print group memberships for the current user" { - groups -} - -@test "groups: Print group memberships for a list of users" { - groups root -} - diff --git a/tests/integration/snap.bats b/tests/integration/snap.bats deleted file mode 100644 index a670a9ece..000000000 --- a/tests/integration/snap.bats +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "snap: Search for a package" { - snap find vim -} - -@test "snap: Install a package" { - sudo snap install vault -} - -@test "snap: Update a package to another channel (track, risk, or branch)" { - sudo snap refresh vault --channel=edge -} - -@test "snap: Update all packages" { - sudo snap refresh -} - -@test "snap: Display basic information about installed snap software" { - sudo snap list -} - -@test "snap: lists information about the services" { - sudo snap services - sudo snap services vault -} - -@test "snap: starts, and optionally enables, the given services" { - sudo snap start --enable vault -} - -@test "snap: logs of the given services" { - sudo snap logs vault || true -} - -@test "snap: restarts the given services" { - sudo snap restart vault -} - -@test "snap: stops, and optionally disables, the given services" { - sudo snap stop --disable vault -} - -@test "snap: Uninstall a package" { - sudo snap remove vault -} - -@test "snap: Check for recent snap changes in the system" { - sudo snap changes -} diff --git a/tests/integration/suite.go b/tests/integration/suite.go new file mode 100644 index 000000000..abb08cfdf --- /dev/null +++ b/tests/integration/suite.go 
@@ -0,0 +1,114 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package integration
+
+import (
+ "os"
+
+ "github.com/roddhjav/apparmor.d/pkg/logs"
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+ "github.com/roddhjav/apparmor.d/pkg/util"
+ "gopkg.in/yaml.v3"
+)
+
+var (
+ // Integration tests standard output
+ Stdout *os.File
+
+ // Integration tests standard error output
+ Stderr *os.File
+
+ stdoutPath = paths.New("tests/out.log")
+ stderrPath = paths.New("tests/err.log")
+)
+
+// TestSuite is the apparmod.d integration tests to run
+type TestSuite struct {
+ Tests []Test // List of tests to run
+ Ignore []string // Do not run some tests
+ Arguments map[string]string // Common arguments used across all tests
+}
+
+// NewScenarios returns a new list of scenarios
+func NewTestSuite() *TestSuite {
+ var err error
+ Stdout, err = stdoutPath.Create()
+ if err != nil {
+ panic(err)
+ }
+ Stderr, err = stderrPath.Create()
+ if err != nil {
+ panic(err)
+ }
+ return &TestSuite{
+ Tests: []Test{},
+ Ignore: []string{},
+ Arguments: map[string]string{},
+ }
+}
+
+// Write export the list of scenarios to a file
+func (t *TestSuite) Write(path *paths.Path) error {
+ jsonString, err := yaml.Marshal(&t.Tests)
+ if err != nil {
+ return err
+ }
+
+ path = path.Clean()
+ file, err := path.Create()
+ if err != nil {
+ return err
+ }
+ defer file.Close()
+
+ // Cleanup a bit
+ res := string(jsonString)
+ regClean := util.ToRegexRepl([]string{
+ "- name:", "\n- name:",
+ `(?m)^.*stdin: \[\].*$`, ``,
+ `{{`, `{{ `,
+ `}}`, ` }}`,
+ })
+ res = regClean.Replace(res)
+ _, err = file.WriteString("---\n" + res)
+ return err
+}
+
+// ReadTests import the tests from a file
+func (t *TestSuite) ReadTests(path *paths.Path) error {
+ content, _ := path.ReadFile()
+ return yaml.Unmarshal(content, &t.Tests)
+}
+
+// ReadSettings import the common argument and ignore list from a file
+func (t *TestSuite) ReadSettings(path *paths.Path) error {
+ type temp struct {
+ Arguments map[string]string `yaml:"arguments"`
+ Ignore []string `yaml:"ignore"`
+ }
+ tmp := temp{}
+ content, _ := path.ReadFile()
+ if err := yaml.Unmarshal(content, &tmp); err != nil {
+ return err
+ }
+ t.Arguments = tmp.Arguments
+ t.Ignore = tmp.Ignore
+ return nil
+}
+
+// Results returns a sum up of the apparmor logs raised by the scenarios
+func (t *TestSuite) Results() string {
+ file, _ := logs.GetAuditLogs(logs.LogFiles[0])
+ aaLogs := logs.NewApparmorLogs(file, "")
+ return aaLogs.String()
+}
+
+func (t *TestSuite) GetDependencies() []string {
+ res := []string{}
+ for _, test := range t.Tests {
+ res = append(res, test.Dependencies...)
+ }
+ return res
+}
diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats
deleted file mode 100644
index 2dfb39a7f..000000000
--- a/tests/integration/systemd/bootctl.bats
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bats
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-load ../common
-
-@test "bootctl: Show information about the system firmware and the bootloaders" {
- sudo bootctl status
-}
-
-@test "bootctl: Show all available bootloader entries" {
- sudo bootctl list
-}
-
-@test "bootctl: Install 'systemd-boot' into the EFI system partition" {
- sudo bootctl install
-}
-
-@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" {
- sudo bootctl remove
-}
diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats
deleted file mode 100644
index ef3e973e9..000000000
--- a/tests/integration/systemd/busctl.bats
+++ /dev/null
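Review bot: ReadTests and ReadSettings both discard the error from `path.ReadFile()`, so a missing or unreadable settings file silently yields an empty ignore list and no arguments and the suite then proceeds as if nothing were excluded; propagate it in both with `content, err := path.ReadFile()` followed by `if err != nil { return err }`. Results likewise drops the error from `logs.GetAuditLogs`, which turns an unreadable audit log into an empty report instead of a visible failure. The doc comment on NewTestSuite still reads `// NewScenarios returns a new list of scenarios`, and the variable holding the `yaml.Marshal` output in Write is named `jsonString`; renaming it `raw` or `out` would match what it holds.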
@@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "busctl: Show all peers on the bus, by their service names" { - busctl list -} - -@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { - busctl status 1 - busctl status org.freedesktop.DBus -} - -@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { - busctl tree org.freedesktop.DBus -} - -@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { - busctl introspect org.freedesktop.login1 /org/freedesktop/login1 -} - -@test "busctl: Retrieve the current value of one or more object properties" { - busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked -} diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats deleted file mode 100644 index bb3b38227..000000000 --- a/tests/integration/systemd/homectl.bats +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -setup_file() { - sudo systemctl start systemd-homed - skip - aa_setup -} - -@test "homectl: Display help" { - homectl --no-pager --help -} - -@test "homectl: Create a user account and their associated home directory" { - printf "user2\nuser2" | sudo homectl create user2 -} - -@test "homectl: List user accounts and their associated home directories" { - homectl list -} - -@test "homectl: Change the password for a specific user" { - sudo homectl passwd user2 -} - -@test "homectl: Run a shell or a command with access to a specific home directory" { - sudo homectl with user2 -- ls -al /home/user2 -} - -@test "homectl: Lock or unlock a specific home directory" { - sudo homectl lock user2 -} - -@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { - sudo homectl resize user2 1G -} - -@test "homectl: Remove a specific user and the associated home directory" { - sudo homectl remove user2 -} diff --git a/tests/integration/systemd/hostnamectl.bats b/tests/integration/systemd/hostnamectl.bats deleted file mode 100644 index 38924920a..000000000 --- a/tests/integration/systemd/hostnamectl.bats +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "hostnamectl: Get the hostname of the computer" { - hostnamectl -} - -@test "hostnamectl: Get the location of the computer" { - hostnamectl location -} - -@test "hostnamectl: Set the hostname of the computer" { - name=$(hostnamectl hostname) - sudo hostnamectl set-hostname "new" - sudo hostnamectl set-hostname "$name" -} diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats deleted file mode 100644 index 9eeb7c9fe..000000000 
--- a/tests/integration/systemd/journalctl.bats +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "journalctl: Show all messages with priority level 3 (errors) from this boot" { - sudo journalctl -b --priority=3 -} - -@test "journalctl: Show only the last N lines of the journal" { - sudo journalctl --lines 100 -} - -@test "journalctl: Show all messages by a specific [u]nit" { - sudo journalctl --unit apparmor.service -} - -@test "journalctl: Show all messages by a specific process" { - sudo journalctl _PID=1 -} - -@test "journalctl: Show all messages by a specific executable" { - sudo journalctl /usr/bin/bootctl -} - -@test "journalctl: Delete journal logs which are older than 10 seconds" { - sudo journalctl --vacuum-time=10s -} diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats deleted file mode 100644 index 71dfd2e06..000000000 --- a/tests/integration/systemd/localectl.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "localectl: Show the current settings of the system locale and keyboard mapping" { - localectl -} - -@test "localectl: List available locales" { - localectl list-locales -} - -@test "localectl: Set a system locale variable" { - sudo localectl set-locale LANG=en_US.UTF-8 -} - -@test "localectl: List available keymaps" { - localectl list-keymaps || true -} - -@test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk || true -} - diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats deleted file mode 100644 index 18771ae72..000000000 --- a/tests/integration/systemd/machinectl.bats +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true -} - -@test "machinectl: Display a list of available images" { - sudo machinectl list-images -} - -@test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble || true -} - -@test "machinectl: Display a list of running machines" { - sudo machinectl list -} - -@test "machinectl: Stop a running machine" { - sudo machinectl stop noble || true -} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats deleted file mode 100644 index 81418ba01..000000000 --- a/tests/integration/systemd/networkctl.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "networkctl: List existing links with their status" { - sudo networkctl list -} - -@test "networkctl: Show an overall network status" { - sudo networkctl status -} - -@test "networkctl: Reload configuration files (.netdev and .network)" { - sudo networkctl reload -} diff --git a/tests/integration/systemd/systemd-ac-power.bats b/tests/integration/systemd/systemd-ac-power.bats deleted file mode 100644 index 65779b617..000000000 --- a/tests/integration/systemd/systemd-ac-power.bats +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-ac-power: Report whether we are connected to an external power source." { - systemd-ac-power || true -} - -@test "systemd-ac-power: Check if battery is discharging and low" { - systemd-ac-power --low || true -} - diff --git a/tests/integration/systemd/systemd-analyze.bats b/tests/integration/systemd/systemd-analyze.bats deleted file mode 100644 index b36abb62d..000000000 --- a/tests/integration/systemd/systemd-analyze.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-analyze: List all running units, ordered by the time they took to initialize" { - systemd-analyze --no-pager blame -} - -@test "systemd-analyze: Print a tree of the time-critical chain of units" { - systemd-analyze --no-pager critical-chain -} - -@test "systemd-analyze: Show security scores of running units" { - systemd-analyze --no-pager security -} diff --git a/tests/integration/systemd/systemd-cat.bats b/tests/integration/systemd/systemd-cat.bats deleted file mode 100644 index 9d796ff07..000000000 --- a/tests/integration/systemd/systemd-cat.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { - systemd-cat pwd -} - -@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { - echo apparmor.d-test-suite | systemd-cat -} 
diff --git a/tests/integration/systemd/systemd-cgls.bats b/tests/integration/systemd/systemd-cgls.bats deleted file mode 100644 index a0822a516..000000000 --- a/tests/integration/systemd/systemd-cgls.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-cgls: Display the whole control group hierarchy on your system" { - systemd-cgls --no-pager -} - -@test "systemd-cgls: Display a control group tree of a specific resource controller" { - systemd-cgls --no-pager io -} - -@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { - systemd-cgls --no-pager --unit systemd-logind -} diff --git a/tests/integration/systemd/systemd-detect-virt.bats b/tests/integration/systemd/systemd-detect-virt.bats deleted file mode 100644 index bb2b2a659..000000000 --- a/tests/integration/systemd/systemd-detect-virt.bats +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-detect-virt: List detectable virtualization technologies" { - systemd-detect-virt --list -} - -@test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { - systemd-detect-virt || true -} - -@test "systemd-detect-virt: Silently check without printing anything" { - systemd-detect-virt --quiet || true -} - -@test "systemd-detect-virt: Only detect hardware virtualization" { - systemd-detect-virt --vm || true -} - diff --git a/tests/integration/systemd/systemd-id128.bats b/tests/integration/systemd/systemd-id128.bats deleted file mode 100644 index 68e48d9a4..000000000 --- a/tests/integration/systemd/systemd-id128.bats +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-id128: Generate a new random identifier" { - systemd-id128 new -} - -@test "systemd-id128: Print the identifier of the current machine" { - systemd-id128 machine-id -} - -@test "systemd-id128: Print the identifier of the current boot" { - systemd-id128 boot-id -} - -@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { - systemd-id128 new --uuid -} - diff --git a/tests/integration/systemd/systemd-sysusers.bats b/tests/integration/systemd/systemd-sysusers.bats deleted file mode 100644 index 7fff472ee..000000000 --- a/tests/integration/systemd/systemd-sysusers.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { - systemd-sysusers --cat-config -} - -@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { - systemd-sysusers --dry-run -} - -@test "systemd-sysusers: Create users and groups from all configuration file" { - sudo systemd-sysusers -} diff --git a/tests/integration/systemd/userdbctl.bats b/tests/integration/systemd/userdbctl.bats deleted file mode 100644 index eda5f5b09..000000000 --- a/tests/integration/systemd/userdbctl.bats +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "userdbctl: List all known user records" { - userdbctl --no-pager user -} - -@test "userdbctl: Show details of a specific user" { - userdbctl --no-pager user "$USER" -} - -@test "userdbctl: List all known groups" { - userdbctl --no-pager group -} - -@test "userdbctl: Show details of a specific group" { - sudo userdbctl --no-pager group "$USER" -} - -@test "userdbctl: List all services currently providing user/group definitions to the system" { - userdbctl --no-pager services -} - diff --git a/tests/integration/tldr.go b/tests/integration/tldr.go new file mode 100644 index 000000000..fb879d15e --- /dev/null +++ b/tests/integration/tldr.go 
@@ -0,0 +1,89 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2023-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package integration
+
+import (
+ "fmt"
+ "io"
+ "net/http"
+ "strings"
+
+ "github.com/roddhjav/apparmor.d/pkg/paths"
+)
+
+type Tldr struct {
+ Url string // Tldr download url
+ Dir *paths.Path // Tldr cache directory
+ Ignore []string // List of ignored software
+}
+
+func NewTldr(dir *paths.Path) Tldr {
+ return Tldr{
+ Url: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz",
+ Dir: dir,
+ }
+}
+
+// Download and extract the tldr pages into the cache directory
+func (t Tldr) Download() error {
+ gzPath := t.Dir.Parent().Join("tldr.tar.gz")
+ if !gzPath.Exist() {
+ resp, err := http.Get(t.Url)
+ if err != nil {
+ return fmt.Errorf("downloading %s: %w", t.Url, err)
+ }
+ defer resp.Body.Close()
+
+ out, err := gzPath.Create()
+ if err != nil {
+ return err
+ }
+ defer out.Close()
+
+ if _, err := io.Copy(out, resp.Body); err != nil {
+ return err
+ }
+ }
+
+ pages := []string{"tldr-main/pages/linux", "tldr-main/pages/common"}
+ return extratTo(gzPath, t.Dir, pages)
+}
+
+// Parse the tldr pages and return a list of scenarios
+func (t Tldr) Parse() (*TestSuite, error) {
+ testSuite := NewTestSuite()
+ files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
+ for _, path := range files {
+ content, err := path.ReadFile()
+ if err != nil {
+ return nil, err
+ }
+ raw := string(content)
+ t := &Test{
+ Name: strings.TrimSuffix(path.Base(), ".md"),
+ Root: false,
+ Arguments: map[string]string{},
+ Commands: []Command{},
+ }
+ if strings.Contains(raw, "sudo") {
+ t.Root = true
+ }
+ rawTests := strings.Split(raw, "\n-")[1:]
+ for _, test := range rawTests {
+ res := strings.Split(test, "\n")
+ dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "")
+ cmd := strings.Trim(strings.Trim(res[2], "`"), " ")
+ if t.Root {
+ cmd = strings.ReplaceAll(cmd, "sudo ", "")
+ }
+
t.Commands = append(t.Commands, Command{ + Description: dsc, + Cmd: cmd, + }) + } + testSuite.Tests = append(testSuite.Tests, *t) + } + return testSuite, nil +} diff --git a/tests/integration/tlp.bats b/tests/integration/tlp.bats deleted file mode 100644 index b9a9530fc..000000000 --- a/tests/integration/tlp.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "tlp: Apply settings (according to the actual power source)" { - sudo tlp start -} - -@test "tlp: Apply battery settings (ignoring the actual power source)" { - sudo tlp bat -} - -@test "tlp: Apply AC settings (ignoring the actual power source)" { - sudo tlp ac -} - -@test "tlp: Apply Disk settings" { - sudo tlp diskid -} diff --git a/tests/integration/uname.bats b/tests/integration/uname.bats deleted file mode 100644 index 8723b9fe8..000000000 --- a/tests/integration/uname.bats +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "uname: Print all information" { - uname --all -} - -@test "uname: Print the current kernel name" { - uname --kernel-name -} - -@test "uname: Print the current network node host name" { - uname --nodename -} - -@test "uname: Print the current kernel release" { - uname --kernel-release -} - -@test "uname: Print the current kernel version" { - uname --kernel-version -} - -@test "uname: Print the current machine hardware name" { - uname --machine -} - -@test "uname: Print the current processor type" { - uname --processor -} - -@test "uname: Print the current operating system name" { - uname --operating-system -} - diff --git a/tests/integration/upower.bats b/tests/integration/upower.bats deleted file mode 100644 index 3917621b8..000000000 --- a/tests/integration/upower.bats +++ /dev/null 
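Review bot: Download writes the HTTP response body into the cache file without looking at `resp.StatusCode`, and the `!gzPath.Exist()` guard then treats that file as a valid archive on every later run, so a 404/5xx error page or an io.Copy interrupted mid-transfer is cached permanently and only a manual delete recovers; add `if resp.StatusCode != http.StatusOK { return fmt.Errorf("downloading %s: %s", t.Url, resp.Status) }` right after the `defer resp.Body.Close()` and remove gzPath in the io.Copy error branch. In Parse, `res[2]` panics on any page whose example entry has fewer than three lines, so a `if len(res) < 3 { continue }` guard before the `dsc`/`cmd` lines is needed, and the error from `ReadDirRecursiveFiltered` should not be discarded with `_`. `t := &Test{...}` shadows the `t Tldr` receiver for the rest of the loop body, which reads awkwardly even though nothing below uses the receiver; a name such as `tc` or `scenario` avoids the confusion, and `extratTo` looks like a misspelling of `extractTo` (defined outside this hunk). Since the scenarios are built from an unpinned `main` branch tarball with no integrity check, what the test suite runs changes with every upstream push; pinning a commit or tag in `Url` would make the generated scenarios reproducible (where the commands are executed is outside this hunk).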
@@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "upower: Display power and battery information" { - upower --dump -} - -@test "upower: List all power devices" { - upower --enumerate -} - -@test "upower: Display version" { - upower --version -} - diff --git a/tests/integration/uptime.bats b/tests/integration/uptime.bats deleted file mode 100644 index 7b64e8d2c..000000000 --- a/tests/integration/uptime.bats +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "uptime: Print current time, uptime, number of logged-in users and other information" { - uptime -} - -@test "uptime: Show only the amount of time the system has been booted for" { - uptime --pretty -} - -@test "uptime: Print the date and time the system booted up at" { - uptime --since -} - -@test "uptime: Display version" { - uptime --version -} - diff --git a/tests/integration/usb/lsusb.bats b/tests/integration/usb/lsusb.bats deleted file mode 100644 index 85bee2fd6..000000000 --- a/tests/integration/usb/lsusb.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsusb: List all the USB devices available" { - lsusb || true -} - -@test "lsusb: List the USB hierarchy as a tree" { - lsusb -t || true -} - -@test "lsusb: List verbose information about USB devices" { - lsusb --verbose || true -} diff --git a/tests/integration/useradd.bats b/tests/integration/useradd.bats deleted file mode 100644 index 5ac024f15..000000000 --- a/tests/integration/useradd.bats +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "useradd: Create a new user with the specified shell" { - sudo useradd --shell /bin/bash --create-home user2 -} - -@test "useradd: Create a new user with the specified user ID" { - sudo useradd --uid 3000 user3 -} - -@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { - sudo useradd --groups adm user4 -} - -@test "useradd: Create a new system user without the home directory" { - sudo useradd --system sys2 -} - -@test "userdel: Remove a user" { - sudo userdel user3 - sudo userdel user4 - sudo userdel sys2 -} - -@test "userdel: Remove a user along with the home directory and mail spool" { - sudo userdel --remove user2 -} diff --git a/tests/integration/utils/blkid.bats b/tests/integration/utils/blkid.bats deleted file mode 100644 index 625f5f9bb..000000000 --- a/tests/integration/utils/blkid.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "blkid: List all partitions" { - sudo blkid -} - -@test "blkid: List all partitions in a table, including current mountpoints" { - sudo blkid -o list -} diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats deleted file mode 100644 index a23799def..000000000 --- a/tests/integration/utils/chsh.bats +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "chsh: list available shells" { - chsh --list-shells || true -} - -@test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash || true -} - -# bats test_tags=chsh -@test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root || true -} diff --git a/tests/integration/utils/df.bats b/tests/integration/utils/df.bats deleted file mode 100644 index c15a32d5f..000000000 --- a/tests/integration/utils/df.bats +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "df: Display all filesystems and their disk usage" { - df -} - -@test "df: Display all filesystems and their disk usage in human-readable form" { - df -h -} - -@test "df: Display the filesystem and its disk usage containing the given file or directory" { - df /etc/apparmor.d/ -} - -@test "df: Include statistics on the number of free inodes" { - df --inodes -} - -@test "df: Display filesystem types" { - df --print-type -} diff --git a/tests/integration/utils/dmesg.bats b/tests/integration/utils/dmesg.bats deleted file mode 100644 index f2880666d..000000000 --- a/tests/integration/utils/dmesg.bats +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dmesg: Show kernel messages" { - sudo dmesg -} - -@test "dmesg: Show kernel error messages" { - sudo dmesg --level err -} - -@test "dmesg: Show how much physical memory is available on this system" { - sudo dmesg | grep -i memory -} - -@test "dmesg: Show kernel messages with a timestamp (available in kernels 3.5.0 and newer)" { - sudo dmesg -T -} - -@test "dmesg: Show kernel messages in human-readable form (available in kernels 3.5.0 and newer)" { - sudo dmesg -H -} - -@test "dmesg: Colorize output (available in kernels 3.5.0 and newer)" { - sudo dmesg -L -} diff --git a/tests/integration/utils/eject.bats b/tests/integration/utils/eject.bats deleted file mode 100644 index c4c2a3e0d..000000000 --- a/tests/integration/utils/eject.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "eject: Display the default device" { - eject -d || true -} - -@test "eject: Eject the default device" { - eject || true -} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats deleted file mode 100644 index dff1083e2..000000000 --- a/tests/integration/utils/fstrim.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "fstrim: Trim unused blocks on all mounted partitions that support it" { - sudo fstrim --all -} - -@test "fstrim: Trim unused blocks on a specified partition" { - sudo fstrim --verbose / -} diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats deleted file mode 100644 index a3dcdc31a..000000000 
--- a/tests/integration/utils/hwclock.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock || true -} - -@test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc || true -} - -@test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys || true -} - diff --git a/tests/integration/utils/lsblk.bats b/tests/integration/utils/lsblk.bats deleted file mode 100644 index 4093526a9..000000000 --- a/tests/integration/utils/lsblk.bats +++ /dev/null @@ -1,38 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsblk: List all storage devices in a tree-like format" { - lsblk -} - -@test "lsblk: Also list empty devices" { - lsblk -a -} - -@test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { - lsblk -b -} - -@test "lsblk: Output info about filesystems" { - lsblk -f -} - -@test "lsblk: Use ASCII characters for tree formatting" { - lsblk -i -} - -@test "lsblk: Output info about block-device topology" { - lsblk -t -} - -@test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { - lsblk -e 1 -} - -@test "lsblk: Display a customized summary using a comma-separated list of columns" { - lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT -} diff --git a/tests/integration/utils/lscpu.bats b/tests/integration/utils/lscpu.bats deleted file mode 100644 index eb60d890d..000000000 --- a/tests/integration/utils/lscpu.bats +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lscpu: Display information about all CPUs" { - lscpu -} - -@test "lscpu: Display information in a table" { - lscpu --extended -} - -@test "lscpu: Display only information about offline CPUs in a table" { - lscpu --extended --offline -} diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats deleted file mode 100644 index bf0c4de0c..000000000 --- a/tests/integration/utils/lsfd.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsfd: List all open file descriptors" { - lsfd -} - -@test "lsfd: List all files kept open by a specific program" { - sudo lsfd --filter 'PID == 1' -} - -@test "lsfd: List open IPv4 or IPv6 sockets" { - sudo lsfd -i4 - sudo lsfd -i6 -} diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats deleted file mode 100644 index a18126982..000000000 --- a/tests/integration/utils/lsipc.bats +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsipc: Show information about all active IPC facilities" { - lsipc -} - -@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { - lsipc --shmems - lsipc --queues - lsipc --semaphores -} diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats deleted file mode 100644 index 042834cae..000000000 --- a/tests/integration/utils/lslocks.bats +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lslocks: List all local system locks" { - sudo lslocks -} - -@test "lslocks: List locks producing a raw output (no columns), and without column headers" { - sudo lslocks --raw --noheadings -} - -@test "lslocks: List locks by PID input" { - sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" -} - -@test "lslocks: List locks with JSON output to stdout" { - lslocks --json -} diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats deleted file mode 100644 index aa2df69b4..000000000 --- a/tests/integration/utils/lslogins.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lslogins: Display users in the system" { - lslogins - sudo lslogins -} - -@test "lslogins: Display user accounts" { - lslogins --user-accs -} - -@test "lslogins: Display last logins" { - lslogins --last -} - -@test "lslogins: Display system accounts" { - lslogins --system-accs -} - -@test "lslogins: Display supplementary groups" { - lslogins --supp-groups -} diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats deleted file mode 100644 index c7e6563e2..000000000 --- a/tests/integration/utils/lsns.bats +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsns: List all namespaces" { - lsns - sudo lsns -} - -@test "lsns: List namespaces in JSON format" { - sudo lsns --json -} - -@test "lsns: List namespaces associated with the specified process" { - sudo lsns --task 1 -} - -@test "lsns: List the specified type of namespaces only" { - sudo lsns --type mnt - sudo lsns --type net - sudo lsns --type ipc - sudo lsns --type user - sudo lsns --type pid - sudo lsns --type uts - sudo lsns --type cgroup - sudo lsns --type time -} - diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats deleted file mode 100644 index facf379a9..000000000 --- a/tests/integration/utils/lspci.bats +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lspci: Show a brief list of devices" { - lspci - sudo lspci -} - -@test "lspci: Display additional info" { - lspci -v -} - -@test "lspci: Display drivers and modules handling each device" { - lspci -k -} - -@test "lspci: Show a specific device" { - lspci -s 00:00.0 -} - -@test "lspci: Query the PCI ID database for unknown ID's via DNS" { - sudo lspci -q -} - -@test "lspci: Dump info in a readable form" { - lspci -vm -} diff --git a/tests/integration/utils/pstree.bats b/tests/integration/utils/pstree.bats deleted file mode 100644 index 1fc43c76c..000000000 --- a/tests/integration/utils/pstree.bats +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pstree: Display a tree of processes" { - pstree -} - -@test "pstree: Display a tree of processes with PIDs" { - pstree -p -} - -@test "pstree: Display all process trees rooted at processes owned by specified user" { - pstree root -} - diff --git a/tests/integration/utils/sync.bats b/tests/integration/utils/sync.bats deleted file mode 100644 index 03cc4730f..000000000 --- a/tests/integration/utils/sync.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "sync: Flush all pending write operations on all disks" { - sync -} - -@test "sync: Flush all pending write operations on a single file to disk" { - sudo sync / -} diff --git a/tests/integration/utils/users.bats b/tests/integration/utils/users.bats deleted file mode 100644 index 885121a58..000000000 --- a/tests/integration/utils/users.bats +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "users: Print logged in usernames" { - users -} - -@test "users: Print logged in usernames according to a given file" { - users /var/log/wmtp -} - diff --git a/tests/integration/utils/uuidd.bats b/tests/integration/utils/uuidd.bats deleted file mode 100644 index d3ab28cc0..000000000 --- a/tests/integration/utils/uuidd.bats +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "uuidd: Generate a random UUID" { - uuidd --random -} - -@test "uuidd: Generate a bulk number of random UUIDs" { - uuidd --random --uuids 10 -} - -@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { - uuidd --time -} diff --git a/tests/integration/utils/uuidgen.bats b/tests/integration/utils/uuidgen.bats deleted file mode 100644 index 838be5cbc..000000000 --- a/tests/integration/utils/uuidgen.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "uuidgen: Create a random UUIDv4" { - uuidgen --random -} - -@test "uuidgen: Create a UUIDv1 based on the current time" { - uuidgen --time -} diff --git a/tests/integration/utils/who.bats b/tests/integration/utils/who.bats deleted file mode 100644 index b69fc2dd1..000000000 --- a/tests/integration/utils/who.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "who: Display the username, line, and time of all currently logged-in sessions" { - who -} - -@test "who: Display all available information" { - who -a -} - -@test "who: Display all available information with table headers" { - who -a -H -} - diff --git a/tests/integration/utils/zramctl.bats b/tests/integration/utils/zramctl.bats deleted file mode 100644 index 41a3c1f51..000000000 --- a/tests/integration/utils/zramctl.bats +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "zramctl: Check if zram is enabled; enable it if needed" { - lsmod | grep -i zram || sudo modprobe zram || true -} - -@test "zramctl: Find and initialize the next free zram device to a 1 GB virtual drive using LZ4 compression" { - sudo zramctl --find --size 1GB --algorithm lz4 || true -} - -@test "zramctl: List currently initialized devices" { - sudo zramctl || true -} diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats deleted file mode 100644 index fd1cba5fa..000000000 --- a/tests/integration/whois.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "whois: Get information about a domain name" { - whois google.fr -} - -@test "whois: Get information about an IP address" { - whois 8.8.8.8 -} - -@test "whois: Get abuse contact for an IP address" { - whois -b 8.8.8.8 -} - diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl new file mode 100644 index 000000000..c445b632a --- /dev/null +++ b/tests/packer/archlinux.pkr.hcl 
@@ -0,0 +1,111 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +source "qemu" "archlinux-server" { + disk_image = true + iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = "10G" + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = var.output + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "archlinux-gnome" { + disk_image = true + iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = var.output + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + shutdown_command = 
"echo ${var.password} | sudo -S shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "archlinux-kde" { + disk_image = true + iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = var.output + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 98e923fd9..c37e768ac 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl 
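Review bot: `disk_size = "10G"` in the archlinux-server source is a literal while archlinux-gnome and archlinux-kde use `var.disk_size`, so the server image ignores the variable the other two honour; use `disk_size = var.disk_size` unless the smaller disk is intentional, in which case a comment saying so would help. `shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now"` passes the sudo password through a shell command line, where it is visible in the guest's process list and in Packer's debug output; the same construction appears in debian.pkr.hcl and in the `execute_command` lines of builds.pkr.hcl, so if this password is anything but a throwaway build credential, granting the build user passwordless sudo in the cloud-init user-data is the cleaner option. The three sources differ only in their name, which suggests the duplication could be folded into one source with per-build name overrides, though whether that is practical depends on the Packer version in use.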
@@ -2,91 +2,75 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -locals { - name = "${var.prefix}${var.dist}-${var.flavor}" -} - -source "qemu" "default" { - disk_image = true - iso_url = var.DM[var.dist].img_url - iso_checksum = "file:${var.DM[var.dist].img_checksum}" - iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = pathexpand(var.output_dir) - vm_name = "${local.name}.qcow2" - boot_wait = "10s" - firmware = pathexpand(var.firmware) - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = format("%s\n%s\n%s", - templatefile("${path.cwd}/tests/cloud-init/common.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${local.name}" - } - ), - file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), - file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") - ) - } -} - build { sources = [ - "source.qemu.default", + "source.qemu.archlinux-gnome", + "source.qemu.archlinux-kde", + "source.qemu.archlinux-server", + "source.qemu.debian-gnome", + "source.qemu.debian-kde", + "source.qemu.debian-server", + "source.qemu.opensuse-gnome", + "source.qemu.opensuse-kde", + "source.qemu.ubuntu-desktop", + "source.qemu.ubuntu-desktop24", + "source.qemu.ubuntu-server", + "source.qemu.ubuntu-server24", ] - # Upload artifacts + # Upload local files provisioner "file" { - destination = "/tmp/" - sources = [ - "${path.cwd}/tests/packer/src/", - 
"${path.cwd}/tests/packer/init.sh", - "${path.cwd}/tests/packer/clean.sh", - "${path.cwd}/.pkg/", + destination = "/tmp" + sources = ["${path.cwd}/packer/src"] + } + + provisioner "file" { + only = ["qemu.archlinux-gnome", "qemu.archlinux-kde", "qemu.archlinux-server"] + destination = "/tmp/src/" + sources = ["${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst"] + } + + provisioner "file" { + only = ["qemu.opensuse-*"] + destination = "/tmp/src/" + sources = ["${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm"] + } + + provisioner "file" { + only = ["qemu.debian-server", "qemu.debian-gnome", "qemu.debian-kde", "qemu.ubuntu-server", "qemu.ubuntu-server24", "qemu.ubuntu-desktop", "qemu.ubuntu-desktop24"] + destination = "/tmp/src/" + sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"] + } + + # Wait for cloud-init to finish + provisioner "shell" { + except = ["qemu.opensuse-*"] + execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" + inline = [ + "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", + "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run ] } - # Full system provisioning + # Install local files and config provisioner "shell" { + script = "${path.cwd}/packer/init/init.sh" execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" - inline = [ - # Wait for cloud-init to finish - "while [ ! 
-f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", + } - # Ensure cloud-init is successful - "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", + # Minimize the image + provisioner "shell" { + script = "${path.cwd}/packer/init/clean.sh" + execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" + } - # Remove logs and artifacts so cloud-init can re-run - "cloud-init clean || true", - - # Install local files and config - "bash /tmp/init.sh", - - # Minimize the image - "bash /tmp/clean.sh", - ] + post-processor "vagrant" { + output = "${var.base_dir}/packer_${var.prefix}${source.name}.box" } post-processor "shell-local" { inline = [ - "mv ${var.output_dir}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", + "vagrant box add --force --name ${var.prefix}${source.name} ${var.base_dir}/packer_${var.prefix}${source.name}.box" ] } diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl new file mode 100644 index 000000000..38f33116f --- /dev/null +++ b/tests/packer/debian.pkr.hcl 
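Review bot: The new "Wait for cloud-init to finish" provisioner only waits for `boot-finished` and then runs `cloud-init clean`, so a cloud-init run that completed with errors (a failed package install, a broken user-data template) is not detected, and the clean step deletes the logs that would have shown it; the `cloud-init status` check the old inline script carried has no equivalent on the new side. Insert `"cloud-init status --long || { cloud-init collect-logs --tarfile /root/cloud-init.tar.gz; exit 1; }",` between the wait loop and `cloud-init clean` so the build fails with the logs preserved. The wait loop has no upper bound either, so a guest whose cloud-init never finishes blocks until Packer's own timeout; a bounded counter with an explicit `exit 1` would fail faster and with a clearer message. The `file` provisioners hardcode `${path.cwd}/..` and the `-1` release suffix in the artifact names, so if `var.version` ever carries its own release component these paths silently miss the package. The enclosing `build` block closes outside the hunk.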
@@ -0,0 +1,114 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +source "qemu" "debian-server" { + disk_image = true + iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" + iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" + iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + cpu_model = "host" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "debian-gnome" { + disk_image = true + iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" + iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" + iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + cpu_model = "host" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + 
disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "debian-kde" { + disk_image = true + iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" + iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" + iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + cpu_model = "host" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml new file mode 100644 index 000000000..855bc58ea --- /dev/null +++ b/tests/packer/init/archlinux-gnome.user-data.yml 
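Review bot: `shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"` in all three debian sources interpolates the password unquoted into a shell line, while the provisioners in the archlinux hunk earlier in this diff use `echo '${var.password}' | sudo -S ...`; a password with whitespace or shell metacharacters breaks here, so use the same quoting: `shutdown_command = "echo '${var.password}' | sudo -S /sbin/shutdown -hP now"`. Every source in ubuntu.pkr.hcl and opensuse.pkr.hcl later in this diff has the same form. Separately, debian-server, debian-gnome and debian-kde are identical bodies apart from the source name, so a tweak to e.g. `ssh_wait_timeout` has to be repeated three times; a `locals` block holding the shared settings would keep them in step.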
@@ -0,0 +1,92 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - gnome + - gnome-extra + - seahorse + - alacarte + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable gdm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml new file mode 100644 index 000000000..a85ca16d4 --- /dev/null 
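Review bot: The fstab entry at the end of this file mounts the virtiofs share at `/home/user/Projects/apparmor.d`, hardcoding the user name `user`, while the account is created from `${username}` a few lines above; if `var.username` is ever changed the share lands in a directory init.sh does not create. Write `/home/${username}/Projects/apparmor.d` — the template already has that variable in scope. Every other user-data file in this diff (archlinux-kde, archlinux-server, debian-*, opensuse-kde, ubuntu-*) carries the identical line. The templated scalars `plain_text_passwd: ${password}` and `- ${ssh_key}` are also unquoted, so a password that looks like a number or boolean would be retyped by the YAML loader; `plain_text_passwd: "${password}"` avoids that.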
+++ b/tests/packer/init/archlinux-kde.user-data.yml @@ -0,0 +1,94 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml new file mode 100644 index 000000000..034cd22d6 --- /dev/null +++ b/tests/packer/init/archlinux-server.user-data.yml @@ -0,0 +1,85 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable rngd + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
diff --git a/tests/packer/clean.sh b/tests/packer/init/clean.sh similarity index 83% rename from tests/packer/clean.sh rename to tests/packer/init/clean.sh index 23c587d4f..2e1e7b551 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/init/clean.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu -o pipefail +set -u # shellcheck source=/dev/null _lsb_release() { @@ -46,26 +46,40 @@ _sshdgenkeys() { _EOF } -clean_apt() { - _msg "Cleaning the apt cache" +clean_debian() { + _msg "Apt clean configuration" + + _msg "Full system upgrade" + apt-get update -y + apt-get -qq -y --no-install-recommends upgrade + apt-get -qq -y --no-install-recommends dist-upgrade + + _msg "Clean the apt cache" apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean } -clean_pacman() { - _msg "Cleaning pacman cache" +clean_arch() { + _msg "Pacman clean configuration" + + pacman -Syu --noconfirm + pacman -Qdtq | while IFS='' read -r pkg; do + pacman -Rsccn --noconfirm "$pkg" + done pacman -Scc --noconfirm } -clean_zypper() { - _msg "Cleaning zypper cache" - zypper clean --all +clean_opensuse() { + _msg "zypper clean configuration" + + zypper update -y + zypper clean -y } # Make the image as impersonal as possible. impersonalize() { - _msg "Making the image as impersonal as possible." + _msg "Make the image as impersonal as possible." # Remove remaining pkg file, docs and caches dirs=( @@ -131,6 +145,10 @@ trim() { truncate --size=0 /swap/swapfile fi + # _msg "Fill root filesystem with 0 to reduce box size" + # dd if=/dev/zero of=/EMPTY bs=1M || true + # rm -f /EMPTY + # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync 
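Review bot: Replacing `set -eu -o pipefail` with `set -u` means a failing `apt-get ... dist-upgrade`, `pacman -Syu` or `zypper update` in the new clean_* functions no longer aborts the build, so a half-upgraded image is produced and boxed without any signal. If the only motivation is the orphan loop in clean_arch (`pacman -Qdtq` presumably exits non-zero when nothing is orphaned), keeping `set -eu` without pipefail is enough: the pipeline's status is then that of the `while` loop, so the loop is unaffected while the upgrade commands still abort on error. The `@@ -46,26 +46,40 @@` hunk contains the full bodies of clean_debian, clean_arch and clean_opensuse; the first hunk's surrounding script runs outside it.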
@@ -141,16 +159,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_apt + clean_debian _sshdgenkeys ;; opensuse*) - clean_zypper + clean_opensuse ;; arch) - clean_pacman + clean_arch ;; esac impersonalize diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml new file mode 100644 index 000000000..0e2571883 --- /dev/null +++ b/tests/packer/init/debian-gnome.user-data.yml @@ -0,0 +1,63 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - spice-vdagent + - rsync + - vim + - task-gnome-desktop + +runcmd: + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +write_files: + # Add backports repository + - path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/debian12-kde.user-data.yml b/tests/packer/init/debian-kde.user-data.yml similarity index 65% rename from tests/cloud-init/debian12-kde.user-data.yml rename to tests/packer/init/debian-kde.user-data.yml index 451068db1..a608e9b0b 100644 --- a/tests/cloud-init/debian12-kde.user-data.yml 
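Review bot: `content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free` and `apt-get install -y -t bookworm-backports golang-go` in debian-gnome.user-data.yml hardcode the `bookworm` codename, while the image these files are applied to is chosen through `var.release.debian.codename` in debian.pkr.hcl; bumping that variable silently leaves the backports line pointing at the old suite. Since the file is rendered with `templatefile`, pass the codename in (`codename = var.release.debian.codename` next to `hostname`) and write `${codename}-backports`. The same two lines appear in debian-server.user-data.yml. deb.debian.org also serves the archive over https; switching the scheme costs nothing here even though apt verifies signatures either way.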
+++ b/tests/packer/init/debian-kde.user-data.yml @@ -1,5 +1,23 @@ #cloud-config +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false packages: - apparmor-profiles - auditd @@ -9,8 +27,8 @@ packages: - devscripts - htop - qemu-guest-agent - - rsync - spice-vdagent + - rsync - vim - task-kde-desktop diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml new file mode 100644 index 000000000..5f4fe526e --- /dev/null +++ b/tests/packer/init/debian-server.user-data.yml @@ -0,0 +1,61 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + +runcmd: + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +write_files: + # Add backports repository + - path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
diff --git a/tests/packer/init.sh b/tests/packer/init/init.sh
similarity index 52%
rename from tests/packer/init.sh
rename to tests/packer/init/init.sh
index 44a86220f..6a80b1993 100644
--- a/tests/packer/init.sh
+++ b/tests/packer/init/init.sh
@@ -3,39 +3,39 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux -o pipefail +set -eu -# shellcheck source=/dev/null -source /etc/os-release || exit 1 -readonly SRC=/tmp/ +_lsb_release() { + # shellcheck source=/dev/null + . /etc/os-release + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" +readonly SRC=/tmp/src +readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" + install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" - install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean + install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean + cat $SRC/parser.conf >>/etc/apparmor/parser.conf chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - - case "$ID" in - arch) - rm -f $SRC/*.sig # Ignore signature files - rm -f $SRC/*enforced* # Ignore enforced package - pacman --noconfirm -U $SRC/*.pkg.tar.zst || true - ;; - + case "$DISTRIBUTION" in + arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; debian | ubuntu) - # Do not install apparmor.d on the current development version - if [[ $VERSION_ID != "25.10" ]]; then - dpkg -i $SRC/*.deb || true - fi + apt-get update -y + apt-get install -y apparmor-profiles build-essential config-package-dev \ + debhelper devscripts htop rsync vim + dpkg -i $SRC/*.deb ;; opensuse*) - mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm || true + zypper install -y bash-completion git go htop make rsync vim + sudo rpm 
-i $SRC/*.rpm ;; esac diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml new file mode 100644 index 000000000..6c1c7cfff --- /dev/null +++ b/tests/packer/init/opensuse-kde.user-data.yml @@ -0,0 +1,41 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - bash-completion + - git + - go + - htop + - make + - rsync + - vim + +write_files: + # Set some bash aliases + - path: /home/${username}/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/ubuntu-desktop.user-data.yml b/tests/packer/init/ubuntu-desktop.user-data.yml new file mode 100644 index 000000000..30a82279a --- /dev/null +++ b/tests/packer/init/ubuntu-desktop.user-data.yml 
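Review bot: `cat $SRC/parser.conf >>/etc/apparmor/parser.conf` replaces the previous `install -Dm0644`, so the file is appended rather than installed; if init.sh is ever run twice on the same box (re-provisioning a kept image), `write-cache` and `cache-loc` are duplicated. If appending is needed to keep the distribution's own parser.conf, a guard such as `grep -q '^cache-loc' /etc/apparmor/parser.conf || cat $SRC/parser.conf >>/etc/apparmor/parser.conf` keeps it idempotent. In the opensuse branch `sudo rpm -i` is redundant: the script is already started through `sudo -S` by the packer `execute_command`, and the sibling `pacman`/`dpkg` branches run unprefixed. main() continues past the end of the hunk.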
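Review bot: opensuse-kde.user-data.yml appends the alias hook to `/home/${username}/.bashrc` rather than `/etc/skel/.bashrc` as the archlinux files do; on a stock cloud-init module ordering `write_files` runs before users-groups, so unless the home directory already exists (opensuse.pkr.hcl says the account is created manually in the base image) the file would be created root-owned before useradd runs — worth confirming on the rendered box. A comment making that dependency explicit, e.g. `# base_opensuse_kde already ships the user; append to its .bashrc directly`, would stop someone copying this block into a cloud-image-based source.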
@@ -0,0 +1,83 @@ +#cloud-config + +# Based on https://github.com/canonical/autoinstall-desktop + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - ubuntu-desktop + - linux-generic-hwe-22.04 + - qemu-guest-agent + - spice-vdagent + - terminator + - apparmor-profiles + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - rsync + +snap: + commands: + - install firefox + - install gtk-common-themes + - install snap-store + - install snapd-desktop-integration + +runcmd: + # Remove default filesystem and related tools not used with the suggested + # storage layout. These may yet be required if different partitioning schemes + # are used. + - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + + # Remove other packages present by default in Ubuntu Server but not + # normally present in Ubuntu Desktop. + - >- + apt-get -y purge + ubuntu-server ubuntu-server-minimal netplan.io cloud-init + binutils byobu curl dmeventd finalrd gawk + kpartx mdadm ncurses-term needrestart open-iscsi + sg3-utils ssh-import-id sssd thin-provisioning-tools tmux + sosreport screen open-vm-tools motd-news-config lxd-agent-loader + landscape-common fonts-ubuntu-console ethtool + + # Finally, remove things only installed as dependencies of other things + # we have already removed. + - apt-get -y autoremove + +write_files: + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
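Review bot: The second `runcmd` entry purges `cloud-init` from inside cloud-init's own runcmd stage, so the package's Python modules disappear while the final stage is still running; the packer shell provisioner in the archlinux hunk earlier in this diff (`except = ["qemu.opensuse-*"]`) then waits for `/var/lib/cloud/instance/boot-finished` and calls `cloud-init clean` without the old `|| true`, and that binary no longer exists on the ubuntu-desktop box. Whether `boot-finished` is still written after the purge is unclear, so the provisioner may hang on the wait loop. The referenced autoinstall-desktop flow runs this purge from the installer rather than from the target's cloud-init, which is presumably why it works there; either drop `cloud-init` (and `curl`, which later tooling may need) from the purge list, or move the purge into clean.sh which runs after cloud-init has finished. ubuntu-desktop24.user-data.yml has the same block.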
diff --git a/tests/packer/init/ubuntu-desktop24.user-data.yml b/tests/packer/init/ubuntu-desktop24.user-data.yml
new file mode 100644
index 000000000..30a82279a
--- /dev/null
+++ b/tests/packer/init/ubuntu-desktop24.user-data.yml
@@ -0,0 +1,83 @@ +#cloud-config + +# Based on https://github.com/canonical/autoinstall-desktop + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - ubuntu-desktop + - linux-generic-hwe-22.04 + - qemu-guest-agent + - spice-vdagent + - terminator + - apparmor-profiles + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - rsync + +snap: + commands: + - install firefox + - install gtk-common-themes + - install snap-store + - install snapd-desktop-integration + +runcmd: + # Remove default filesystem and related tools not used with the suggested + # storage layout. These may yet be required if different partitioning schemes + # are used. + - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs + + # Remove other packages present by default in Ubuntu Server but not + # normally present in Ubuntu Desktop. + - >- + apt-get -y purge + ubuntu-server ubuntu-server-minimal netplan.io cloud-init + binutils byobu curl dmeventd finalrd gawk + kpartx mdadm ncurses-term needrestart open-iscsi + sg3-utils ssh-import-id sssd thin-provisioning-tools tmux + sosreport screen open-vm-tools motd-news-config lxd-agent-loader + landscape-common fonts-ubuntu-console ethtool + + # Finally, remove things only installed as dependencies of other things + # we have already removed. + - apt-get -y autoremove + +write_files: + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
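Review bot: This file is the same blob as ubuntu-desktop.user-data.yml (both headers show index `30a82279a`), so the noble-based `ubuntu-desktop24` source installs `linux-generic-hwe-22.04`; that metapackage is the jammy HWE kernel and, as far as I can tell, is not what a 24.04 image should request and may not resolve at all on noble. Either pass the kernel package through the templatefile variables or give this file a 24.04-specific package list. Until the two files actually differ, one template selected by a variable rather than by `${source.name}` would avoid the duplicate.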
diff --git a/tests/packer/init/ubuntu-server.user-data.yml b/tests/packer/init/ubuntu-server.user-data.yml new file mode 100644 index 000000000..5e6d853ba --- /dev/null +++ b/tests/packer/init/ubuntu-server.user-data.yml @@ -0,0 +1,53 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + +write_files: + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl index d2b1a6dbf..ee13e8f92 100644 --- a/tests/packer/main.pkr.hcl +++ b/tests/packer/main.pkr.hcl @@ -8,5 +8,9 @@ packer { source = "github.com/hashicorp/qemu" version = "~> 1" } + vagrant = { + source = "github.com/hashicorp/vagrant" + version = "~> 1" + } } } diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl new file mode 100644 index 000000000..de9bafacb --- /dev/null +++ b/tests/packer/opensuse.pkr.hcl 
@@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# TODO: Fully automate the creation of the base image +# To save some dev time, 'base_opensuse_kde' is manually created from the opensuse iso with: +# - KDE +# - username/password defined in the variables +# - cloud-init installed and enabled + +source "qemu" "opensuse-kde" { + disk_image = true + iso_url = "${var.iso_dir}/base_opensuse_kde.qcow2" + iso_checksum = "sha256:62a174725bdf26981d15969e53461b89359f7763450cbfd3e258d4035731279b" + iso_target_path = "${var.iso_dir}/base_opensuse_kde.qcow2" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = false + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.iso_dir}/packer/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 2580556fd..27e05bf80 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,6 +8,7 @@ for nb in $(seq "$1"); do done } +alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean deleted file mode 100644 index a01b9d77e..000000000 --- a/tests/packer/src/aa-clean +++ /dev/null 
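Review bot: `shutdown_command = "echo ${var.password} | sudo shutdown -hP now"` drops the `-S` that every other source uses, so the piped password is never read by sudo and the shutdown only works because the user-data sudoers rule is NOPASSWD; write `echo '${var.password}' | sudo -S shutdown -hP now` for consistency. `output_directory = "${var.iso_dir}/packer/"` also differs from the `${var.output}/` used by the debian and ubuntu sources, and `headless = false` looks like a debugging leftover. Pinning the hand-built base image with a sha256 `iso_checksum` is right; the TODO above should also say how to regenerate that hash when `base_opensuse_kde` is rebuilt, otherwise the next rebuild fails the checksum with no pointer to the fix.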
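Review bot: `alias sudo='sudo -E'` in .bash_aliases makes every interactive sudo preserve the caller's environment; it only succeeds because the `ALL=(ALL) NOPASSWD:ALL` rule in the user-data files implies SETENV, and it means variables set in the user shell now follow into root commands (sudo's own env_delete list still applies). For a throwaway test VM that is acceptable, but nothing says why it is needed — aa-update exports its own `BUILDDIR`/`PKGDEST` — so add the motivation as a comment, e.g. `# -E: <what must survive sudo>; test VMs only`.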
@@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -eu -o pipefail -rm -vf /var/log/audit/* /var/log/syslog* -touch /var/log/audit/audit.log /var/log/syslog diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean new file mode 100644 index 000000000..9f3ebd818 --- /dev/null +++ b/tests/packer/src/aa-log-clean @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu +rm -rf /var/log/audit/* +touch /var/log/audit/audit.log diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index bdbd6ed00..747d0101b 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -1,7 +1,7 @@ #!/usr/bin/env bash -set -eu -o pipefail +set -eu -export BUILDDIR=/tmp/build/ +export BUILDDIR=/tmp/build/ PKGDEST=/tmp/pkg # shellcheck source=/dev/null _lsb_release() { @@ -13,15 +13,13 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - just pkg + make pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - just dpkg + make dpkg sudo rm -rf debian/.debhelper/ ;; -opensuse*) - just rpm - ;; +opensuse*) make rpm ;; *) ;; esac diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml new file mode 100644 index 000000000..b17136584 --- /dev/null +++ b/tests/packer/src/monitors.xml @@ -0,0 +1,23 @@ + + + + 0 + 0 + 1 + yes + + + Virtual-1 + RHT + QEMU Monitor + 0x00000000 + + + 1920 + 1080 + 60 + + + + + diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf index 8651efad1..be8c42560 100644 --- a/tests/packer/src/parser.conf +++ b/tests/packer/src/parser.conf @@ -1,9 +1,4 @@ -# Turn creating/updating of the cache on by default + write-cache - -# Enable early policy loads to confine systemd, and services that can not depend -# on the apparmor unit. -cache-loc=/etc/apparmor/earlypolicy/ - -# Adjust compression +cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast 
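Review bot: The rewritten parser.conf mixes two option syntaxes in a four-line file: `cache-loc /etc/apparmor/earlypolicy/` with a space but `Optimize=compress-fast` with `=`; the line it replaces was `cache-loc=/etc/apparmor/earlypolicy/`, and the `=` form is the one I recall from upstream's sample parser.conf, so unless the space form was verified with `apparmor_parser` on every target distribution keep `cache-loc=/etc/apparmor/earlypolicy/`. The comments explaining the early-policy cache were also dropped; since init.sh now appends this file to the system parser.conf, a header such as `# appended by tests/packer/init/init.sh: early policy cache for apparmor.d` helps whoever finds it there. Note too that aa-log-clean no longer truncates `/var/log/syslog*` as aa-clean did — if that is intentional for an auditd-only setup, say so in the script.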
diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl
new file mode 100644
index 000000000..344a8bf43
--- /dev/null
+++ b/tests/packer/ubuntu.pkr.hcl
@@ -0,0 +1,151 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +source "qemu" "ubuntu-server" { + disk_image = true + iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" + iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" + iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" + cpu_model = "host" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "ubuntu-server24" { + disk_image = true + iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" + iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" + cpu_model = "host" + cpus = 4 + memory = 2048 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + 
disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/ubuntu-server.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "ubuntu-desktop" { + disk_image = true + iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" + iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" + iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "10000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} + +source "qemu" "ubuntu-desktop24" { + disk_image = true + iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" + iso_checksum = 
"file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" + iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = false + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "10000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = "${var.output}/" + vm_name = "${var.prefix}${source.name}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index a44f98412..5a1cc17e8 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -16,16 +16,16 @@ variable "password" { default = "user" } -variable "cpus" { - description = "Default CPU of the VM" +variable "ssh_publickey" { + description = "Path to the ssh public key" type = string - default = "6" + default = "~/.ssh/id_ed25519.pub" } -variable "ram" { - description = "Default RAM of the VM" +variable "ssh_privatekey" { + description = "Path to the ssh private key" type = string - default = "4096" + default = "~/.ssh/id_ed25519" } variable "disk_size" { 
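Review bot: `headless = false` on the ubuntu-desktop24 source differs from `headless = true` on the other three ubuntu sources; if the window is needed to debug that build, say so in a comment, otherwise set it to true so a display-less host can run it. With `variable "cpus"`/`"ram"` removed in variables.pkr.hcl every source now carries literal `cpus`/`memory` (4/2048 for servers, 6/4096 for desktops); a pair of locals would keep the server/desktop sizing in one place. ubuntu-server24 renders `ubuntu-server.user-data.yml` explicitly rather than `${source.name}.user-data.yml` — fine since no 24 variant exists, but a comment next to that `templatefile` call would stop someone adding a file that is never read.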
@@ -34,34 +34,28 @@ variable "disk_size" {
 default = "40G"
 }
-variable "ssh_publickey" {
- description = "Path to the ssh public key"
- type = string
- default = "~/.ssh/id_ed25519.pub"
-}
-
 variable "iso_dir" {
 description = "Original ISO file directory"
 type = string
- default = "~/.libvirt/iso"
+ default = "/var/lib/libvirt/images"
 }
 variable "base_dir" {
 description = "Final packer image output directory"
 type = string
- default = "~/.libvirt/base"
-}
-
-variable "output_dir" {
- description = "Output build directory"
- type = string
- default = "~/.libvirt/base/packer"
+ default = "/var/lib/libvirt/images"
 }
 variable "firmware" {
 description = "Path to the UEFI firmware"
 type = string
- default = "/usr/share/edk2/x64/OVMF.4m.fd"
+ default = "/usr/share/edk2-ovmf/x64/OVMF_CODE.fd"
+}
+
+variable "output" {
+ description = "Output build directory"
+ type = string
+ default = "/tmp/packer"
 }
 variable "prefix" {
@@ -70,10 +64,10 @@ variable "prefix" {
 default = "aa-"
 }
-variable "dist" {
- description = "Distribution to target"
+variable "version" {
+ description = "apparmor.d version"
 type = string
- default = "ubuntu24"
+ default = "0.001"
 }
 variable "flavor" {
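Review bot: `iso_dir` and `base_dir` both default to `/var/lib/libvirt/images`, a directory that on most distributions is writable only by root or the libvirt group, so the `iso_target_path` download in the qemu sources will fail for an unprivileged build where the previous `~/.libvirt/iso` worked; if running packer as root is now the expected invocation, say so, e.g. `description = "Original ISO file directory (must be writable by the user running packer)"`. `output` defaulting to `/tmp/packer` puts build artifacts at a predictable path under a world-writable directory; the resulting qcow2 presumably carries the account provisioned with `var.password`, so on shared hosts a per-user location (or a path under `base_dir`) is the safer default. The two descriptions `Final packer image output directory` and `Output build directory` also do not tell a reader which of `base_dir` and `output` is the scratch location and which is the destination.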
@@ -82,40 +76,28 @@ variable "flavor" {
 default = ""
 }
-variable "DM" {
- description = "Distribution Metadata to use"
+variable "release" {
+ description = "Distribution metadata to use"
 type = map(object({
- img_url = string
- img_checksum = string
+ codename = string
+ version = string
 }))
 default = {
- "archlinux" : {
- img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2"
- img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256"
- },
- "debian12" : {
- img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2"
- img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS"
- }
- "debian13" : {
- img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2"
- img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS"
- }
- "ubuntu22" : {
- img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img"
- img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS"
+ "ubuntu" : {
+ codename = "jammy",
+ version = "22.04.2",
 },
 "ubuntu24" : {
- img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
- img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS"
+ codename = "noble",
+ version = "24.04",
 },
+ "debian" : {
+ codename = "bookworm",
+ version = "12",
+ }
 "opensuse" : {
- img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2"
- img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256"
+ codename = "tumbleweed",
+ version = "",
 }
 }
 }
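Review bot: the new `release` map drops the per-distribution checksum URL that `DM.img_checksum` carried, and only the ubuntu sources in this diff rebuild it by hand (`iso_checksum = "file:https://.../SHA256SUMS"`); the `debian` and `opensuse` entries have no checksum source anywhere in the diff, so whoever adds builders for them can end up with an unverified download without noticing. Keeping it in the object type (`checksum_url = string`) leaves the integrity check next to the image it belongs to. Separately, `"ubuntu"` pins `version = "22.04.2"` while the sources fetch `current/` for the codename, so the field will drift from what is actually downloaded unless the description says it is informational only. The `debian` entry also closes with `}` where every other entry uses `},`; HCL accepts the newline as a separator, but `+ },` keeps the list consistent.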
diff --git a/tests/profile_check.py b/tests/profile_check.py
deleted file mode 100644
index 9b61e6367..000000000
--- a/tests/profile_check.py
+++ /dev/null
@@ -1,480 +0,0 @@ -#!/usr/bin/env python3 -# SPDX-License-Identifier: GPL-2.0-only - -# KNOWN ISSUES: -# No guards for file type - expects AppArmor -# Diffirent suggestions for single line are mutually exclusive -# Suggestion could point to changed profile name, based on other suggestion - -import sys -import argparse -import pathlib -import shlex -import json -from copy import deepcopy - -try: - from apparmor.regex import * - from apparmor.aa import is_skippable_file - from apparmor.rule.file import FileRule, FileRuleset - from apparmor.common import convert_regexp - try: - from apparmor.rule.variable import separate_vars - except ImportError: - from apparmor.aa import separate_vars - - LIBAPPARMOR = True - -except ImportError: - LIBAPPARMOR = False - -def sanitizeProfileName(name): - - if name.startswith('/') or name.startswith('@{'): - name = pathlib.Path(name).stem - - if ' ' in name: - name = re.sub(r'\s+', '-', name) - - return name - -def makeLocalIdentity(nestingStacker_): - - newStacker = [] - for i in nestingStacker_: - i = sanitizeProfileName(i) - newStacker.append(i) - - identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores - - return identity - -def getCurrentProfile(stacker): - - if stacker: - profile = stacker[-1] - else: - profile = None - - return profile - -def handleFileMessages(l, file, profile, lineNum): - - wholeFileAccessProfiles = ( -# '', - ) - suggestOwner = ( # TODO: switch to AARE - r'^@{HOME}/', - r'^/home/\w+/', - r'^@{run}/user/@{uid}/', - r'^/run/user/\d+/', - r'^@{tmp}/', - r'^/tmp/', - r'^/var/tmp/', - r'^/dev/shm/', - ) - - lG = l.groupdict() - reason_ = None - if lG.get('path'): - if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives - severity_ = 'ERROR' - reason_ = 'Whole filesystem access is too broad' - suggestion_ = None - - for r in suggestOwner: - if re.match(r, lG.get('path')) and not lG.get('owner'): - indentRe = re.match(r'^\s+', l.group()) - 
if indentRe: - indent = indentRe.group() - else: - indent = '' - - severity_ = 'NOTICE' - reason_ = "'owner' is likely required" - suggestion_ = indent + 'owner ' + l.group().lstrip() - break - - elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: - severity_ = 'ERROR' - reason_ = 'Whole filesystem access is too broad' - suggestion_ = None - - if reason_: # something matched - msg = {'filename': file, - 'profile': profile, - 'severity': severity_, - 'line': lineNum, - 'reason': reason_, - 'suggestion': suggestion_} - else: - msg = None - - return msg - -def readApparmorFile(fullpath): - '''AA file could contain multiple AA profiles''' - headers = ( - '# apparmor.d - Full set of apparmor profiles', - '# Copyright (C) ', - '# SPDX-License-Identifier: GPL-2.0-only', - ) - - file_data = {} - fileVars = {} - nestingStacker = [] - duplicateProfilesCounter = [] - localExists = {} - localExists_eol = {} - messages = [] - exceptionMsg = None - line = None - gotAbi = False - gotHeaders = {} - gotAttach = False - isAfterProfileStart = False - lastLineNum = None - try: - with open(fullpath, 'r') as f: - for n,line in enumerate(f, start=1): - if isAfterProfileStart: - isAfterProfileStart = False - expectedIndent = len(nestingStacker) * ' ' - indentRe = re.match(r'^\s+', line) - if indentRe: - indent = indentRe.group() - else: - indent = '' - - if indent != expectedIndent: - spacesCount = len(nestingStacker) * 2 - nestingCount = len(nestingStacker) - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", - 'suggestion': f"{expectedIndent}{line.lstrip()}"}) - - if line.endswith(' \n'): - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "Redundant trailing whitespace", - 'suggestion': line.rstrip()}) - - if '\t' in line: - 
messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "Tabs are not allowed", - 'suggestion': line.replace('\t', ' ')}) - - if len(gotHeaders) < 3 and not nestingStacker: - for nH,i in enumerate(headers): - if line.startswith(i): - gotHeaders[nH] = True - - if RE_ABI.search(line): - gotAbi = line - - elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): - isAfterProfileStart = True - m = parse_profile_start_line(line, fullpath) - if m.get('profile'): - nestingStacker.append(m.get('profile')) # set early - - if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular - gotAttach = True - - profileMsg = {'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "A short named profile must be defined", - 'suggestion': None} - if m.get('plainprofile'): - messages.append(profileMsg) - elif m.get('namedprofile'): - if m.get('namedprofile').startswith('/'): - messages.append(profileMsg) - - if m.get('flags'): - m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) - if 'complain' in m['flags']: - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "'complain' flag must be defined in 'dists/flags'", - 'suggestion': None}) - else: - m['flags'] = set() - - if m.get('profile'): - duplicateProfilesCounter.append(m.get('profile')) - profileIdentity = '//'.join(nestingStacker) - file_data[profileIdentity] = m - - elif RE_PROFILE_VARIABLE.search(line): - lineV = RE_PROFILE_VARIABLE.search(line).groups() - - name = strip_quotes(lineV[0]) - operation = lineV[1] - val = separate_vars(lineV[2]) - if fileVars.get(name): - fileVars[name].update(set(val)) - if operation == '=': - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'DEGRADED', - 'line': n, - 
'reason': "Tunable must be appended with '+='", - 'suggestion': None}) - else: - fileVars[name] = set(val) - if operation == '+=': - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'DEGRADED', - 'line': n, - 'reason': "Tunable must be defined with '='", - 'suggestion': None}) - - elif RE_INCLUDE.search(line): - if nestingStacker: - profileIdentity = '//'.join(nestingStacker) - localIdentity = makeLocalIdentity(nestingStacker) - localValue = f'include if exists ' # commented out will also match - if localValue in line: - localExists[profileIdentity] = localValue - - # Handle file entries - elif RE_PROFILE_FILE_ENTRY.search(line): - lineF = RE_PROFILE_FILE_ENTRY.search(line) - fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) - if fileMsg: - messages.append(fileMsg) - - elif RE_PROFILE_END.search(line): - if getCurrentProfile(nestingStacker): - if not nestingStacker: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'DEGRADED', - 'line': n, - 'reason': "Unbalanced parenthesis?", # not fully covered - 'suggestion': None}) - else: - profileIdentity = '//'.join(nestingStacker) - localExists_eol[profileIdentity] = n - del nestingStacker[-1] # remove last - - lastLineNum = n - - except PermissionError: - exceptionMsg = 'Unable to read the file (PermissionError)' - - except UnicodeDecodeError: - exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' - - except FileNotFoundError: - exceptionMsg = 'No such file or directory (FileNotFoundError)' - - if exceptionMsg: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'NOTICE', - 'line': None, - 'reason': exceptionMsg, - 'suggestion': None}) - - # Ensure proper header is present - if len(gotHeaders) < 3: - combinedHeader = '\n'.join(headers) - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': 1, - 'reason': 'No proper header', - 'suggestion': 
combinedHeader}) - - # Ensure ABI is present - changeAbi = False - abi = 'abi ,' - if gotAbi: - if gotAbi.strip() != abi: - changeAbi = True - else: - changeAbi = True - - if changeAbi: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': None, - 'reason': 'ABI is required', - 'suggestion': abi}) - - # Ensure singular '@{exec_path}' - if not gotAttach: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': None, - 'reason': "'@{exec_path}' must be defined as main path attachment", - 'suggestion': None}) - - # Ensure trailing vim syntax - if line: - trailingSyntax = '# vim:syntax=apparmor\n' - if line != trailingSyntax: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': lastLineNum, - 'reason': 'No trailing syntax hint', - 'suggestion': trailingSyntax}) - - # Assign variables to profile attachments as paths and assign filenames - for p,d in deepcopy(file_data).items(): - file_data[p]['filename'] = fullpath - attachment = d.get('attachment') - if attachment: - if attachment.startswith('@{'): - if fileVars.get(attachment): - file_data[p]['attach_paths'] = fileVars[attachment] # incoming set - else: - messages.append({'filename': fullpath, - 'profile': p, - 'severity': 'ERROR', - 'line': None, - 'reason': f"Unknown global variable as profile attachment: {attachment}", - 'suggestion': None}) - - else: - if isinstance(file_data[p].get('attachment'), set): - raise ValueError("Expecting 'str' or 'None', not 'set'") - file_data[p]['attach_paths'] = {file_data[p]['attachment']} - - # Check if profile block does not have corresponding 'local' include - for p,d in file_data.items(): - if not localExists.get(p): # not found previously - if '//' in p: - identity = p.split('//') - else: - identity = [p] - - localIdentity = makeLocalIdentity(identity) - filename = file_data[p]['filename'] - messages.append({'filename': filename, - 'profile': p, - 
'severity': 'WARNING', - 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? - 'reason': "The (sub)profile block does not have expected 'local' include", - 'suggestion': f'include if exists '}) - - # Track multiple definitions inside single file - for profile in duplicateProfilesCounter: - counter = duplicateProfilesCounter.count(profile) - if counter >= 2: - messages.append({'filename': fullpath, - 'profile': profile, - 'severity': 'DEGRADED', - 'line': None, - 'reason': "Profile has been defined {counter} times in the same file", - 'suggestion': None}) - - return (messages, file_data) - -def findAllProfileFilenames(profile_dir): - - profiles = set() - for path in pathlib.Path(profile_dir).iterdir(): - if path.is_file() and not is_skippable_file(path): - profiles.add(path.resolve()) - - # Not default, dig deeper - if not profiles: - nestedDirs = ( - 'groups', - 'profiles-a-f', - 'profiles-g-l', - 'profiles-m-r', - 'profiles-s-z', - ) - for d in nestedDirs: - dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) - for p in dirpath.rglob("*"): - if p.is_file(): - profiles.add(p) - - return profiles - -def handleArgs(): - """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" - - allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] - aaRoot = '/etc/apparmor.d' - - parser = argparse.ArgumentParser() - parser.add_argument('-d', '--aa-root-dir', action='store', - default=aaRoot, - help='Target different AppArmor root directory rather than default') - parser.add_argument('-p', '--profile', action='append', - help='Handle only specified profile') -# parser.add_argument('-s', '--severity', action='append', -# choices=allSeverities, -# help='Handle only specified severity event') - - args = parser.parse_args() - -# if not args.severity: -# args.severity = allSeverities - - return args - -def main(argv): - - args = handleArgs() - - messages = [] - - profile_dir = 
args.aa_root_dir - if not args.profile: - profiles = findAllProfileFilenames(profile_dir) - else: - profiles = set() - for p in args.profile: - absolutePath = pathlib.Path(p).resolve() - profiles.add(absolutePath) - - profile_data = {} - for path in sorted(profiles): - if not is_skippable_file(path): - readApparmorFile_Out = readApparmorFile(path) - profilesInFile = readApparmorFile_Out[1] - messages.extend(readApparmorFile_Out[0]) - profile_data.update(profilesInFile) - - for m in messages: - if m.get('suggestion'): - if m['suggestion'].endswith('\n'): - m['suggestion'] = m.get('suggestion').removesuffix('\n') - m['filename'] = str(m.get('filename')) - print(json.dumps(m, indent=2)) - - if messages: - sys.exit(1) - - return None - -if __name__ == '__main__': - - if not LIBAPPARMOR: - raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: -$ sudo apt install python3-apparmor""") - - main(sys.argv) diff --git a/tests/requirements.sh b/tests/requirements.sh deleted file mode 100644 index 0801ff27d..000000000 --- a/tests/requirements.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env bash -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Dependencies for the bats integration tests - -set -eu -o pipefail - -# shellcheck source=/dev/null -_lsb_release() { - . /etc/os-release || exit 1 - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" - -case "$DISTRIBUTION" in -arch) - sudo pacman -Syu --noconfirm \ - bats bats-support \ - pacman-contrib tlp flatpak networkmanager - ;; -debian | ubuntu | whonix) - sudo apt update -y - sudo apt install -y \ - bats bats-support \ - cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ - network-manager systemd-container flatpak util-linux-extra - ;; -opensuse*) - ;; -*) ;; -esac diff --git a/tests/sbin.list b/tests/sbin.list deleted file mode 100644 index 16073f0d2..000000000 --- a/tests/sbin.list +++ /dev/null 
@@ -1,884 +0,0 @@ -a2enmod -a2query -aa-audit -aa-autodep -aa-cleanprof -aa-complain -aa-decode -aa-disable -aa-enforce -aa-genprof -aa-load -aa-logprof -aa-mergeprof -aa-notify -aa-remove-unknown -aa-status -aa-teardown -aa-unconfined -aa-update-browser -accessdb -acpi_genl -acpid -acpidump -add-shell -addgnupghome -addpart -adduser -agetty -alsa -alsa-info -alsa-info.sh -alsa-init -alsabat-test -alsactl -anacron -apache2 -apache2ctl -apparmor_parser -apparmor_status -applygnupgdefaults -aptd -argdist-bpfcc -arp -arpd -aspell-autobuildhash -atd -audisp-af_unix -audisp-filter -audisp-syslog -audit -auditctl -auditd -augenrules -aureport -ausearch -autodep -automount -autrace -avahi-daemon -avahi-dnsconfd -badblocks -bashreadline-bpfcc -bashreadline.bt -bcache-super-show -bindsnoop-bpfcc -biolatency-bpfcc -biolatency-kp.bt -biolatency.bt -biolatpcts-bpfcc -biopattern-bpfcc -biosdecode -biosnoop-bpfcc -biosnoop.bt -biostacks.bt -biotop-bpfcc -bitesize-bpfcc -bitesize.bt -blkdeactivate -blkdiscard -blkid -blkmapd -blkpr -blkzone -blockdev -blogctl -blogd -blogger -bpflist-bpfcc -bpftool -brctl -bridge -brltty-setup -btrfs -btrfs-convert -btrfs-find-root -btrfs-image -btrfsdist-bpfcc -btrfsslower-bpfcc -btrfstune -cachestat-bpfcc -cachetop-bpfcc -capable-bpfcc -capable.bt -capsh -cfdisk -cgdisk -chat -chcpu -check_forensic -check_mail_queue -check-bios-nx -checkproc -chgpasswd -chkstat-polkit -chmem -chpasswd -chronyd -chroot -cifs.idmap -cifs.upcall -cobjnew-bpfcc -coldreboot -compactsnoop-bpfcc -complain -config.postfix -cppw -cpudist-bpfcc -cpuunclaimed-bpfcc -cpuwalk.bt -cracklib-check -cracklib-format -cracklib-packer -cracklib-unpacker -cracklib-update -crda -create-cracklib-dict -criticalstat-bpfcc -cron -cryptdisks_start -cryptdisks_stop -cryptsetup -ctrlaltdel -cups-browsed -cups-genppd.5.3 -cups-genppdupdate -cupsaccept -cupsctl -cupsd -cupsfilter -dbslower-bpfcc -dbstat-bpfcc -dcb -dcsnoop-bpfcc -dcsnoop.bt -dcstat-bpfcc -ddns-confgen -deadlock-bpfcc 
-debugfs -decode -delpart -deluser -devlink -dhcpcd -dirtop-bpfcc -disable -dkms -dmevent_tool -dmeventd -dmfilemapd -dmidecode -dmraid -dmsetup -dnsmasq -dockerd -dosfsck -dosfslabel -dpkg-preconfigure -dpkg-reconfigure -drsnoop-bpfcc -dump.exfat -dump.f2fs -dumpe2fs -e2freefrag -e2fsck -e2image -e2label -e2mmpstatus -e2scrub -e2scrub_all -e2undo -e4crypt -e4defrag -eapol_test -ec_access -efibootdump -efibootmgr -enforce -ephemeral-disk-warning -escapesrc -ethtool -eventlogadm -execsnoop-bpfcc -execsnoop.bt -exfat2img -exfatlabel -exicyclog -exigrep -exim_checkaccess -exim_convert4r4 -exim_dbmbuild -exim_dumpdb -exim_fixdb -exim_id_update -exim_lock -exim_msgdate -exim_tidydb -exim4 -eximstats -exinext -exipick -exiqgrep -exiqsumm -exitsnoop-bpfcc -exiwhat -ext4dist-bpfcc -ext4slower-bpfcc -f2fsslower-bpfcc -faillock -fanatic -fancontrol -fanctl -fatlabel -fatresize -fbtest -fdformat -fdisk -filefrag -filegone-bpfcc -filelife-bpfcc -fileslower-bpfcc -filetop-bpfcc -findfs -firewalld -fixparts -flushb -fonts-config -fsadm -fsck -fsck. 
-fsck.btrfs -fsck.cramfs -fsck.exfat -fsck.ext2 -fsck.ext3 -fsck.ext4 -fsck.fat -fsck.minix -fsck.msdos -fsck.reiserfs -fsck.vfat -fsck.xfs -fsfreeze -fstab-decode -fstrim -funccount-bpfcc -funcinterval-bpfcc -funclatency-bpfcc -funcslower-bpfcc -g13-syshelp -gdisk -gdm -gdm3 -genccode -gencmn -genl -gennorm2 -genprof -gensprep -getcap -gethostlatency-bpfcc -gethostlatency.bt -getpcaps -getsysinfo -getweb -gnome-menus-blacklist -gpart -gparted -gpartedbin -gpm -groupadd -groupdel -groupmems -groupmod -grpck -grpconv -grpunconv -grub-install -grub-macbless -grub-mkconfig -grub-mkdevicemap -grub-probe -grub-reboot -grub-set-default -grub2-bios-setup -grub2-check-default -grub2-install -grub2-macbless -grub2-mkconfig -grub2-ofpathname -grub2-once -grub2-probe -grub2-reboot -grub2-set-default -grub2-sparc64-setup -grub2-switch-to-blscfg -hardirqs-bpfcc -haveged -hc-ifscan -hdparm -httxt2dbm -hv_fcopy_daemon -hv_get_dhcp_info -hv_get_dns_info -hv_kvp_daemon -hv_set_ifconfig -hv_vss_daemon -hwclock -hwinfo -iconvconfig -icupkg -ifconfig -ifrename -ifstat -import-openSUSE-build-key -inject-bpfcc -inputattach -install_acx100_firmware -install_intersil_firmware -install-sgmlcatalog -installkernel -integritysetup -invoke-rc.d -ip6tables-legacy-batch -ipmaddr -ipp-usb -ippevepcl -ippeveprinter -ippeveps -ipset -iptables-apply -iptables-legacy-batch -iptunnel -irqbalance -irqbalance-ui -isadump -isaset -iscsi_discovery -iscsi-iname -iscsiadm -iscsid -iscsistart -isosize -ispell-autobuildhash -isserial -issue-generator -iucode_tool -iw -iwconfig -iwevent -iwgetid -iwlist -iwpriv -iwspy -javacalls-bpfcc -javaflow-bpfcc -javagc-bpfcc -javaobjnew-bpfcc -javastat-bpfcc -javathreads-bpfcc -kbdrate -kbdsettings -kdump-config -kerneloops -kexec -kexec-bootloader -kexec-load-kernel -key.dns_resolver -killall5 -killproc -killsnoop-bpfcc -killsnoop.bt -klockstat-bpfcc -klogd -kpartx -kvm-ok -kvmexit-bpfcc -ldattach -ldconfig -ldconfig.real -libguestfs-make-fixed-appliance 
-libgvc6-config-update -libvirt-dbus -libvirtd -llcstat-bpfcc -lnstat -loads.bt -locale-gen -logprof -logrotate -logrotate-all -logsave -losetup -lpadmin -lpc -lpinfo -lpmove -lsvmbus -luksformat -lvm -lvm_import_vdo -lvmconfig -lvmdump -lvmpolld -lwepgen -lxc -lxd -make-bcache -make-ssl-cert -mariadbd -mcelog -mdadm -mdflush-bpfcc -mdflush.bt -mdmon -memleak-bpfcc -mii-tool -mk_isdnhwdb -mkdict -mkdosfs -mke2fs -mkfs -mkfs. -mkfs.bfs -mkfs.btrfs -mkfs.cramfs -mkfs.exfat -mkfs.ext2 -mkfs.ext3 -mkfs.ext4 -mkfs.f2fs -mkfs.fat -mkfs.minix -mkfs.xfs -mkhomedir_helper -mkill -mkinitramfs -mklost+found -mkntfs -mkpostfixcert -mkreiserfs -mksubvolume -mkswap -ModemManager -mount.cifs -mount.ddi -mount.fuse -mount.fuse3 -mount.lowntfs-3g -mount.nfs -mount.nfs4 -mount.ntfs -mount.ntfs-3g -mount.smb3 -mountsnoop-bpfcc -mountstats -mpathpersist -multipath -multipathc -multipathd -mysqld -mysqld_qslower-bpfcc -nameif -naptime.bt -needrestart -netqtop-bpfcc -NetworkManager -newusers -nfnl_osf -nfsconf -nfsdcld -nfsdist-bpfcc -nfsidmap -nfsiostat -nfsslower-bpfcc -nfsstat -nft -nginx -nmbd -nodegc-bpfcc -nodestat-bpfcc -nologin -notify -nss-mdns-config -nstat -ntfsclone -ntfscp -ntfslabel -ntfsresize -ntfsundelete -nvme -offcputime-bpfcc -offwaketime-bpfcc -on_ac_power -oomkill-bpfcc -oomkill.bt -openconnect -opensnoop-bpfcc -opensnoop.bt -openvpn -overlayroot-chroot -ownership -pam_extrausers_chkpwd -pam_extrausers_update -pam_getenv -pam_namespace_helper -pam_timestamp_check -pam-auth-update -pam-config -paperconfig -parted -partprobe -partx -pbl -pccardctl -pcscd -pdata_tools -perlcalls-bpfcc -perlflow-bpfcc -perlstat-bpfcc -pg_updatedicts -php-fpm8.3 -phpcalls-bpfcc -phpenmod -phpflow-bpfcc -phpquery -phpstat-bpfcc -pidpersec-bpfcc -pidpersec.bt -pivot_root -plipconfig -pluginviewer -plymouth-set-default-theme -plymouthd -postalias -postcat -postconf -postdrop -postfix -postkick -postlock -postlog -postmap -postmulti -postqueue -postsuper -posttls-finger -ppchcalls-bpfcc 
-pppd -pppdump -pppoe-discovery -pppstats -pptp -pptpsetup -profile-bpfcc -pwck -pwconv -pwhistory_helper -pwmconfig -pwunconv -pythoncalls-bpfcc -pythonflow-bpfcc -pythongc-bpfcc -pythonstat-bpfcc -qemu-ga -qmqp-source -qshape -rarp -rcfirewalld -rcopenvpn -rcpcscd -rcxdm -rcxvnc -rdma -rdmaucma-bpfcc -rdmsr -readahead-bpfcc -readprofile -realm -regdbdump -remove-default-ispell -remove-default-wordlist -remove-shell -request-key -reset-trace-bpfcc -resize2fs -resizepart -resolvconf -rfkill -rmt-tar -rndc -rndc-confgen -rngd -route -routel -rpc.gssd -rpc.idmapd -rpc.statd -rpc.svcgssd -rpcbind -rpcctl -rpcdebug -rpmconfigcheck -rsyncd -rsyslogd -rtacct -rtcwake -rtkitctl -rtmon -rubycalls-bpfcc -rubyflow-bpfcc -rubygc-bpfcc -rubyobjnew-bpfcc -rubystat-bpfcc -runc -runqlat-bpfcc -runqlat.bt -runqlen-bpfcc -runqlen.bt -runqslower-bpfcc -runuser -rvmtab -saned -sasldblistusers2 -saslpasswd2 -save_y2logs -schema2ldif -select-default-ispell -select-default-wordlist -sendmail -sensors-detect -service -set_polkit_default_privs -setcap -setuids.bt -setup-nsssysinit.sh -setvesablank -setvtrgb -sfdisk -sgdisk -shadowconfig -shim-install -shmsnoop-bpfcc -showconsole -showmount -skdump -sktest -slabratetop-bpfcc -slattach -sm-notify -smart_agetty -smartctl -smartd -smbd -smtp-sink -smtp-source -snapperd -snmpd -snmptrapd -sofdsnoop-bpfcc -softirqs-bpfcc -solisten-bpfcc -spice-vdagentd -split-logfile -ss -sshd -sshd-gen-keys-start -sshd.hmac -ssllatency.bt -sslsniff-bpfcc -sslsnoop.bt -sssd -stackcount-bpfcc -start-statd -start-stop-daemon -startproc -statsnoop-bpfcc -statsnoop.bt -status -sudo_logsrvd -sudo_sendlog -sulogin -swapin.bt -swaplabel -swapoff -swapon -switch_root -sync-available -syncsnoop-bpfcc -syncsnoop.bt -sysconf_addword -syscount-bpfcc -syscount.bt -sysctl -syslog2eximlog -sysusers2shadow -tarcat -tc -tclcalls-bpfcc -tclflow-bpfcc -tclobjnew-bpfcc -tclstat-bpfcc -tcpaccept-bpfcc -tcpaccept.bt -tcpcong-bpfcc -tcpconnect-bpfcc -tcpconnect.bt -tcpconnlat-bpfcc 
-tcpdrop-bpfcc -tcpdrop.bt -tcplife-bpfcc -tcplife.bt -tcpretrans-bpfcc -tcpretrans.bt -tcprtt-bpfcc -tcpstates-bpfcc -tcpsubnet-bpfcc -tcpsynbl-bpfcc -tcpsynbl.bt -tcptop-bpfcc -tcptracer-bpfcc -tcptraceroute.db -thermald -threadsnoop-bpfcc -threadsnoop.bt -tipc -tlp -tplist-bpfcc -trace-bpfcc -tsig-keygen -ttysnoop-bpfcc -tune.exfat -tune2fs -tuned -tuned-adm -tunelp -u-d-c-print-pci-ids -ucalls -uflow -ufw -ugc -umount.nfs -umount.nfs4 -umount.udisks2 -unbound -unconfined -undump.bt -unix_chkpwd -unix_update -unix2_chkpwd -uobjnew -update-ca-certificates -update-catalog -update-cracklib -update-default-ispell -update-default-wordlist -update-dictcommon-aspell -update-dictcommon-hunspell -update-exim4.conf -update-exim4.conf.template -update-fonts-alias -update-fonts-dir -update-fonts-scale -update-grub -update-grub-gfxpayload -update-gsfontmap -update-icon-caches -update-ieee-data -update-inetd -update-info-dir -update-initramfs -update-java-alternatives -update-language -update-locale -update-mime -update-passwd -update-pciids -update-rc.d -update-secureboot-policy -update-shells -update-smart-drivedb -update-texmf -update-texmf-config -update-tl-stacked-conffile -update-xmlcatalog -upgrade-from-grub-legacy -usb_modeswitch -usb_modeswitch_dispatcher -usbmuxd -useradd -userdel -usermod -ustat -uthreads -uuidd -validlocale -vconfig -vcstime -vdpa -veritysetup -vfscount-bpfcc -vfscount.bt -vfsstat-bpfcc -vfsstat.bt -vhangup -vipw -virt-what -virt-what-cvm -virtiostat-bpfcc -virtlockd -virtlogd -visudo -vmcore-dmesg -vncsession -vpddecode -vpnc -vpnc-disconnect -wakeuptime-bpfcc -wipefs -wiper.sh -wpa_action -wpa_cli -wpa_passphrase -wpa_supplicant -wqlat-bpfcc -writeback.bt -wrmsr -xfs_admin -xfs_bmap -xfs_copy -xfs_db -xfs_estimate -xfs_freeze -xfs_fsr -xfs_growfs -xfs_info -xfs_io -xfs_logprint -xfs_mdrestore -xfs_metadump -xfs_mkfile -xfs_ncheck -xfs_property -xfs_protofile -xfs_quota -xfs_repair -xfs_rtcp -xfs_scrub -xfs_scrub_all -xfs_spaceman -xfsdist-bpfcc 
-xfsdist.bt
-xfsslower-bpfcc
-xkbctrl
-xtables-legacy-multi
-xtables-nft-multi
-yast2
-zdump
-zerofree
-zfsdist-bpfcc
-zfsslower-bpfcc
-zic
-zramctl
-zypp-refresh
-zypper-log
diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log
index 11b8770d2..0680d2a7a 100644
--- a/tests/testdata/logs/audit.log
+++ b/tests/testdata/logs/audit.log
@@ -53,6 +53,4 @@ profile="sddm-greeter" operation="setsockopt" class="net" comm="sddm-greeter" f
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace"
-apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root"
-apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="user" OUID="user"